Warrant Canary

 

Existing and proposed laws, especially as those related to the US Patriot Act, dictate the authority to issue secret warrants, searches and seizures of data from online users. These laws can cause criminal penalties for revealing the warrant, search or seizure, disallowing disclosure related to these events that would negatively affect both the users of a VPN service and Newsdemon.com. The principals and employees of Newsdemon must comply with such warrants and their provisions for secrecy.

Due to these circumstances, Newsdemon stands prepared and will make available, on a monthly basis, a “warrant canary” in the form of a cryptographically signed message containing the following:

A declaration that states, up to the stated point of time, no warrants have been served, nor have any searches or seizures taken place. This will also include a pasted headline from a selected major news source, establishing and as a verification on the true date of issue. Special note should be taken if these messages ever cease being updated or are unchanged for more than thirty (30) days, or are removed from this page.

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

As of August 31st, 2018, Newsdemon.com, Newsdemon Networks, Inc., Newsdemon Network, LTD., (“Newsdemon”) has not received any National Security Letters or FISA court orders, and we have not been subject to any gag order(s) by a FISA court, or any other similar court(s) of any government. Newsdemon has never placed any backdoors in our hardware or software and has not received any requests to do so. Newsdemon has never disclosed any user communications to any third party. No searches or seizures of any kind have ever been performed on Newsdemon assets.

Recent headlines:

Astronauts tackle air leak on International Space Station - https://www.bbc.com/news/science-environment-45364155

Clock changes: EU backs ending daylight saving time - https://www.bbc.com/news/world-europe-45366390

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJXiR/xAAoJEAc4rNq6Hq6wp2YH/3uzFDM8Fi6uRTz3F+tBNG3H
5oL1CmFZJO1l7s8h+uGYeFxvLfjw21XQe1uUmUmrx3nSk7gDb5y7iqi0JPB7vJML
ZBJWDiV6HXavszcYz1su3c29r9pOHOZ6Dl1PmVzAK627ZpZ2P4zrFlRevvdlfwRP
ACVqflzbm+NOhVGYspvjLeOvGguKZcXR5xBC8TUJ1qMG3G6gk9Uha/l9/bLv7lay
AIyuWXK1JzjxRYYxm/hXWDoI312YGgKfdREFtiK13L7HpiQslvo38oWd5eGiDCeE
PsOTAt7FVyI9WpkssMctLNBvWdXDrzdDOhqw1hc4+8coXL7VknzretDwrpYIMdk=
=UfPV
—–END PGP SIGNATURE—–

Verification:

Warning: this process is pretty technical, it requires familiarity with OpenPGP and the command-line. It assumes you have the program gpg installed.

Import Newsdemon’s OpenPGP key

On the terminal, import Newsdemon’s public OpenPGP key from a keyserver:

$ gpg --keyserver keys.gnupg.net --recv-key BA1EAEB0 $ gpg2 --fingerprint BA1EAEB0

The first line will import the key into your keyring, but there is no guarantee that you actually imported the right key. The ” –fingerprint” command allows you to see the fingerprint of the key and actually confirm you imported the correct key. You should see an output that contains the following information:

Key fingerprint = 74FA 4FB8 3586 6246 6827 7F72 0738 ACDA BA1E AEB0

There is no particular reason that you should trust this key on its own. Instead, you can verify and authenticate the key by those who have confirmed and verified the key:

gpg --list-sigs BA1EAEB0

Verify Newsdemon’s Certificate

Now that you have imported Newsdemon’s public key, you can verify that the fingerprints listed on this page are really from Newsdemon.com.

Copy and paste the above statement and save it to a text file named:  Newsdemon_Canary_message.asc

Then run this command in a terminal:

gpg --verify Newsdemon_Canary_message.asc

 

You should get output that says:

gpg: Good signature from "Newsdemon Team"

You should make sure that it says “Good signature” in the output! If this text has been altered, then this information should not be trusted. Unless you have taken explicit steps to build a trust path to the Newsdemon Collective key, you will see a warning message similar to:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

However, you still should see the “Good signature”.

Compare the fingerprints

Now that you verified that the above message contains the fingerprints for our certificate, you can compare this value to the value provided by your browser. In most browsers, to find the fingerprint of the certificate your browser sees you can click on the lock icon located in the location bar. This should bring up details about the certificate being used, including the fingerprint.

If the values match, and you trust the Newsdemon public OpenPGP key, then you can be confident you are really communicating with Newsdemon.com servers.