I didn't know Australia outlawed warrant canaries. Luckily, it looks like that actually only outlawed journalist warrant canaries (so a company couldn't use a warrant canary to say that a journalist was investigating one of their customers).
Yishan just posted a followup that I think is quite interesting[1].
Excerpt: "If you get an NSL, you're gagged. You can't talk about it. I can say that during my time we did not receive any National Security Letters. /r/ekjp was able to say in her Transparency Report for 2014 that they never got any. Apparently in this 2015 report they are not saying that."
I thought this was well known already? If you send your data to someone else's server (even if you are renting it), there is no way you can be reasonably sure it will remain untouched.
Based on spez's language, is it safe to assume that an NSL has indeed been received? That's my interpretation (and it seems that of other reddit commenters too).
CEO of Reddit Steve Huffman, username "spez", writes:
"I've been advised not to say anything one way or the other." [1]
when asked whether he withdrew the canary voluntarily. The comment directly beneath sums it up:
"In case anyone is still confused or in disbelief, this is where he confirmed it. He really can't say it any more clearly without teasing the law to go after him."
If you decide to put in a canary and then at any time after remove the canary, the only way to interpret that is that the canary died. There's no point in debating any nuance in his comment. The canary died.
The more important part is that in a country that supposedly has very strong free speech laws, the government can issue a gag order, for any reason they deem, without using normal courts.
I think there are basically two plausible scenarios, either they received an NSL or they no longer believe that a canary is necessary and misjudged the interpretation. (In the second case, they could of course clarify in the comments.)
Is this the first warrant canary that we have a reasonably high degree of certainty was actually tripped? I remember a couple of other warrant canary cases that could be more parsimoniously attributed to user error but none this clear-cut.
According to Wikipedia, Apple's warrant canary was removed in the July-December 2013 transparency report (and remained absent in the following transparency report in 2014).
If you don't assume compromise when a canary is tripped, then it defeats the entire purpose of a canary. At the very least, someone could ask the site owners about it, and they could deny it. If they don't respond at all then they definitely have been ordered not to talk about it. Either way you can get the truth with certainty.
- Have you been served an NSL?
- No, I have not.
- Have you been served an NSL?
- No, I have not.
- Have you been served an NSL?
- On the advice of counsel, I decline to answer.
This sounds like the most logical explanation and basic legal standing of the situation. Not saying what has been said in the past is as clear an indicator as possible, given the circumstances.
I have never understood what value I personally would derive from a warrant canary. For the sake of discussion let's assume that reddit's warrant canary was intentionally removed and but for an NSL it would have continued to appear on reddit. How do my actions differ in this universe compared to one where the canary was present in the report?
What terrifies me is not the potential data leak, but that the NSA may be obtaining their TLS certificates, bypassing the threat (to them) of "https everywhere".
It's amazing that it lasted this long. Given how I assumed the government was handing these things out like candy I would have thought just about every major tech organisation was getting dozens at least every year. In a weird way, it almost increases my faith in the system. Or it decreases my faith even further in the competence of the security agencies .. I'm not sure which. (after Facebook and Google, Reddit is probably one of the most obvious and valuable places to hit they could go to ... how did it take them this long?).
The only plausible NSL served on Reddit is for subscriber information related to a national security investigation. Reddit was compelled to provide the records they already had on some username's real name, billing details, and similar---and maybe a list of who they exchanged messages with.
There are a number of English-speaking, self-identifying ISIS members who post regularly in /r/JihadInFocus. /u/thelord4444 is one and /u/AnsarAlKhilafah is another. I wouldn't be the least surprised to find out it was about them.
If I was a national security agency with the ability to perform man in the middle attacks, I'd ask for their keys / certificates and crack encrypted communication, and insert my own targeted payload.
This reminds me of when people asked Linus Torvalds if the NSA had approached him about putting in backdoors. To which he answered "No" while shaking his head yes...
This is incredibly disheartening to hear, but I have to say I'm glad to see the currently top-voted comment is about this, and most of the thread has turned to focus on this.
I wonder how big of an issue this NSL will become for Reddit, or whether it will be forgotten about in a week.
I also wonder what it means for me as a Redditor. "If you have nothing to hide" arguments aside, does this mean it is safe to assume that the NSA got full access to all of Reddit's data and hoovered it all up? Or are these NSLs only able to target individuals? Not sure you can really make that distinction from a data mining standpoint I guess.
Turns out this was intended to be an April Fools joke; not by Reddit, but the FBI. Pretty sick taste in jokes; FBI already had all of Reddit's data because they're hosted on AWS; Amazon already gives all AWS data to the FBI.
Isn't all communication on HN public? (I thought the only additional info on the servers was the votes. Or are IP addresses and timestamps stored for visitors?)
I found myself just now wondering whether a court case has been fought over whether the government can force someone to keep up a canary. It's sad that we can't even know this kind of information.
[+] [-] rsync|10 years ago|reply
I was hoping that it would be irrelevant after all of these years...
[1] https://www.rsync.net/resources/notices/canary.txt
[2] https://en.wikipedia.org/wiki/Warrant_canary#Usage
[+] [-] gizmo385|10 years ago|reply
[1] https://www.reddit.com/r/yishan/comments/4cub02/transparency...
[+] [-] hardlianotion|10 years ago|reply
https://www.reddit.com/r/yishan/comments/4cub02/transparency...
Does that inform anyone's choice of cloud infrastructure?
[+] [-] abetusk|10 years ago|reply
[1] https://www.reddit.com/r/announcements/comments/4cqyia/for_y...
[+] [-] grecy|10 years ago|reply
Surely that's a very, very bad thing.
[+] [-] shalmanese|10 years ago|reply
Any other warrant canaries trip before?
[+] [-] acqq|10 years ago|reply
https://www.reddit.com/wiki/transparency/2014#wiki_national_...
The 2015 report:
https://www.reddit.com/wiki/transparency/2015
[+] [-] arca_vorago|10 years ago|reply
Red Hat and Systemd anyone?