Italian Police 1 / Privacy 0
Source: Phillip Bailey - Posted by Benjamin D. Thomas   
The cryptographic services offered by the Autistici/Inventati server, housed in the Aruba web farm, were compromised on 15th June 2004. We discovered the fact on 21st June 2005. One year later.

One year ago the authorities (i.e. the postal police), during the investigation that led to the suspension of an email account (, shut down our server without any notice, and copied the keys necessary for the decryption of the webmail. Since then, they have potentially had access to all the data on the disks, including sensitive information about our users. This happened with the collaboration of Aruba, our provider.

When we noticed that the server was unreachable we repeatedly called the Aruba web farm, asking for an explanation. They made up silly excuses about technical problems, deciding that their clients, their contracts and the rights of our users weren't worth a single phone call to the server's legal owners. They lied and totally disrespected even the most basic rights and the privacy of those utilising their services.

Our presence and that of our lawyers would have been a guarantee that they could obtain the information they needed without violating the privacy of all the people who use our cryptographic services. We could and we would have been able to warn and protect our users.

We always suspected that they weren't trustworthy, both on a personal and a technical basis. The very low level of the service they offered sadly accustomed us to the silly excuses they made up for technical problems. Unfortunately at that time we had no alternatives. The server had to be housed and none of the possible solutions we found offered better guarantees, either on respect for user privacy or even on fulfillment of their own contractual duties. We relied on Aruba and we made a mistake.

What happened is very serious and we don't want to hide behind unlikely perspectives of revenge. It will be a hard struggle. A battle that we will fight on every possible level, including the halls of justice.

Our constant paranoia in dealing with personal data, aiming to protect our users' data, wasn't enough. We lacked resources and we incautiously and unreasonably trusted the laws protecting privacy.

We shut down our safe cryptography services since they cannot be considered safe any more. We will shortly stop the mail service too. We will, as soon as possible, reactivate all the services on a new server, cleaned and sanitized, hosted by a different provider.

But this won't, of course, be enough. It's clear that against such an enduring effort aiming at the systematic violation of Internet users' privacy we must reconsider the meaning and the strategies of our project.

Aware of our potential weaknesses, we've been working on a completely new version of our whole infrastructure, trying to raise the level of protection of our users' privacy. Soon, we hope before summer's end, we will disclose all the technical details, hoping that they will clarify the effort required to build infrastructures which could protect what should be considered - at least in theory - as a part of the basic rights.

What we hope everyone will learn from what happened is that privacy can't be appointed to anyone but ourselves. There's no political structure or technical instrument that can guarantee your privacy.

We are, one more time, asking and suggesting everyone to use strong encryption instruments (i.e. pgp/gpg) for the protection of both mail and data on personal computers. And to use common sense for everything else. We can only guarantee that we will continue to do everything we can to protect the privacy of your and our communications and your and our freedom of speech.

June 22, 2005. Autistici/Inventati Collective
