<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Mar 16, 2016 at 5:25 PM, Ladar Levison <span dir="ltr"><<a href="mailto:ladar@lavabitllc.com" target="_blank">ladar@lavabitllc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<br>
As the sysop I feel qualified to </div></blockquote><div>.... </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">P.S. I haven't run this email by my lawyers, but I think everything
I said is unsealed and public already. </div></blockquote><div><div bgcolor="#FFFFFF" text="#000000">
<br>
</div></div><div bgcolor="#FFFFFF" text="#000000"><br></div><div bgcolor="#FFFFFF" text="#000000">A slight divergence, but a sysop perspective question</div><div bgcolor="#FFFFFF" text="#000000">related to internet services in general. <br><br>Many systems run iptables with rate limiting to manage DOS attacks.<br>Many systems run CFS & LFD, fail2ban, denyhosts, <span style="color:rgb(37,37,37);font-family:sans-serif;font-size:14px;line-height:22.4px">OSSEC,...</span> to protect from brute <br>force attacks.</div><div bgcolor="#FFFFFF" text="#000000">Many systems subscribe to a bad boy list of IP addresses to block as found</div><div bgcolor="#FFFFFF" text="#000000">by many honeypot systems.<br>Other individuals run ad blockers or a version of MVPS HOSTS to limit the risk from </div><div bgcolor="#FFFFFF" text="#000000">snooping html/javascript.</div><div bgcolor="#FFFFFF" text="#000000"><br></div><div bgcolor="#FFFFFF" text="#000000">Q: What if the request was to disable all such shields and allow an armada of systems to</div><div bgcolor="#FFFFFF" text="#000000">challenge one or more accounts or services with relentless coordinated login attacks?<br><br>What would be the impact be on the community services?<br>Would colateral damage to such a system be allowed by law?<br>Would the demand switch from access to surveillance (requires speculation)?<br><br>Routing tables.. can all traffic into and out of a company like lavabit be forced</div><div bgcolor="#FFFFFF" text="#000000">through routing resources with packet snooping abilities owned/controlled by </div><div bgcolor="#FFFFFF" text="#000000">the FBI even if the bandwidth was maintained. <br><br>Side channel attacks? Remove all equal time code for crypto functions. Remove</div><div bgcolor="#FFFFFF" text="#000000">all manner of bugs not related to the crypto but to the implementation framework. Remove time</div><div bgcolor="#FFFFFF" text="#000000">consuming functions that slow access testing. Compile O0?</div><div bgcolor="#FFFFFF" text="#000000"><br></div><div bgcolor="#FFFFFF" text="#000000"><br></div><div bgcolor="#FFFFFF" text="#000000"><br></div><div bgcolor="#FFFFFF" text="#000000"><br></div><div bgcolor="#FFFFFF" text="#000000"><br><br><br></div><div bgcolor="#FFFFFF" text="#000000"><br><br> </div></div><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"> T o m M i t c h e l l</div></div>
</div></div>