Re: [liberationtech] Viber is secure?
On 09/20/2012 08:36 PM, Amin Sabeti wrote:
> At this time, Viber (http://www.viber.com/) is so popular amongst the Iranian people and it is one of the popular communication ways in Iran. I was wondering to know whether this app is secure or not? Is the data encrypted or not?

(I have cc'd Viber's privacy email on this note. Perhaps they will chime in!)

We have not done an audit of this app yet, but here's what some quick research (http://www.viber.com/privacypolicy.html) turned up: some not very encouraging information. In short, it should be considered as secure as a normal telephone call, aka NOT SECURE. In addition, they make no mention of any security capabilities in their client software or protocol. I would consider Skype a safer option than Viber, which is saying a lot. We can only hope that they at least use SSL/TLS for their authentication and messaging API access from their client to their servers. It is extremely doubtful they are doing any kind of voice encryption.

More detail below from their privacy policy text:

1) They store a copy of all names and phone numbers in your phone's address book on their servers.

> When you install the Viber App and register on the Site, you will be asked to provide us with your phone number and to allow us access to your mobile device's address book (collectively, Personal Information). A copy of the phone numbers and names in your address book (but not emails, notes or any other personal information in your address book) will be stored on our servers and will only be used to

2) They maintain a record of every call for 30 months:

> Viber also maintains a Call Detail Record (CDR - see http://en.wikipedia.org/wiki/Call_detail_record) for each call conducted on the system. These are industry standard records used by all phone companies.
> [snip]
> All log analysis is done in an anonymous, aggregate, non-personally identifiable manner. We may look into a specific Call Detail Record in response to a customer support request. We maintain CDRs for a period of no more than 30 months.

3) Calls go direct from phone to phone if possible, meaning it's clear to network operators who is calling/talking to each other.

> Audio calls by users are transmitted either directly from user to user or, if direct transmission is not possible (due to, for example, firewalls), Viber servers are used to transmit the call. In the latter scenario, the information transmitted is stored briefly in volatile memory (RAM) solely to enable the transmission of the call to the other user. WE DO NOT RECORD ANY PART OF YOUR CALL.

4) They make no statement about notifying you if your personal data is given to law enforcement or other authorities. Does this mean they would respond to an Iranian gov't request? Who knows, but legally they could.

> We may disclose information about you if we determine that for national security, law enforcement, or other issues of public importance that disclosure of information is necessary.

5) It seems like some countries/operators are blocking Viber, which means they must be using an easy-to-fingerprint VoIP port/protocol. This means it is easy to identify who is using Viber. (Skype, for example, does not use a standard port/protocol, which makes it very hard to block, though probably still easy to identify.)
http://helpme.viber.com/index.php?/Knowledgebase/Article/View/87/0/blocked-countries--regions-providers

Hope that's helpful. If I can find time for someone to run Viber through Wireshark, I am sure we can provide more concrete details on their protocol security.

+n

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
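Points 3 and 5 above are about what a network operator can learn without touching call content. The script below, an added example that is not code from the original post or from Viber, takes NetFlow-style flow records (no payload) and rebuilds who called whom: direct phone-to-phone media exposes both parties in one flow, and relayed calls can still be paired by lining up the two relay legs by start time and duration. The flow records, the relay address 192.0.2.50 and all ports are constructed for the example, and the packet-rate test is a generic heuristic for fixed-rate voice codecs, not a description of Viber's actual protocol.

```python
"""
Rebuild who-called-whom from flow records alone (no call content).

Added example, not code from the original post or from Viber. The flow
records, the relay address 192.0.2.50 and every port below are constructed
for this example; the packet-rate test is a generic heuristic for fixed-rate
voice codecs, not a description of Viber's actual protocol.
"""
import csv
import io
from dataclasses import dataclass

RELAY_IPS = {"192.0.2.50"}     # hypothetical relay server (assumption)
VOICE_MIN_SECONDS = 10         # shorter UDP bursts are not treated as calls
VOICE_PPS_RANGE = (30, 100)    # 20 ms audio frames give ~50 pkt/s per direction; allow slack
CORRELATION_WINDOW_S = 5       # relayed legs that start/stop this close together are paired

# Constructed NetFlow-style export: start,src,sport,dst,dport,proto,packets,bytes,duration
SAMPLE_FLOWS = """\
1348164000,198.51.100.10,40001,203.0.113.7,40002,udp,6000,720000,120
1348164000,203.0.113.7,40002,198.51.100.10,40001,udp,5980,717600,120
1348164300,198.51.100.10,40003,192.0.2.50,12345,udp,3000,360000,60
1348164300,192.0.2.50,12345,198.51.100.10,40003,udp,3000,360000,60
1348164301,203.0.113.7,40004,192.0.2.50,12345,udp,2995,359400,60
1348164301,192.0.2.50,12345,203.0.113.7,40004,udp,2990,358800,60
1348164500,198.51.100.10,51000,192.0.2.50,443,tcp,40,9000,5
"""


@dataclass(frozen=True)
class Flow:
    start: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int
    duration: int

    def endpoints(self):
        """Direction-independent key: the two (ip, port) endpoints."""
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


def parse_flows(text):
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        start, src, sport, dst, dport, proto, pkts, nbytes, dur = row
        flows.append(Flow(int(start), src, int(sport), dst, int(dport),
                          proto, int(pkts), int(nbytes), int(dur)))
    return flows


def voice_like(flow):
    """Heuristic: long-lived UDP stream at a steady, codec-like packet rate."""
    if flow.proto != "udp" or flow.duration < VOICE_MIN_SECONDS:
        return False
    lo, hi = VOICE_PPS_RANGE
    return lo <= flow.packets / flow.duration <= hi


def conversations(flows):
    """Merge both directions of each UDP stream into one (endpoints, start, duration)."""
    merged = {}
    for f in flows:
        key = f.endpoints()
        start, dur = merged.get(key, (f.start, 0))
        merged[key] = (min(start, f.start), max(dur, f.duration))
    return [(sorted(key), start, dur) for key, (start, dur) in merged.items()]


def reconstruct_calls(text, relay_ips=RELAY_IPS):
    """Return (kind, parties, start, duration) tuples an operator could derive."""
    calls, legs = [], []
    for ends, start, dur in conversations([f for f in parse_flows(text) if voice_like(f)]):
        ips = {ip for ip, _port in ends}
        if len(ips) != 2:
            continue
        relay = ips & relay_ips
        if not relay:
            # Direct phone-to-phone media: both parties visible in a single flow.
            calls.append(("direct", tuple(sorted(ips)), start, dur))
        else:
            legs.append(((ips - relay).pop(), start, dur))

    # A relayed call hides the peer in any one flow, but an observer who sees
    # both legs can pair them by start time and duration.
    legs.sort(key=lambda leg: leg[1])
    paired = set()
    for i, (client_a, start_a, dur_a) in enumerate(legs):
        if i in paired:
            continue
        for j in range(i + 1, len(legs)):
            client_b, start_b, dur_b = legs[j]
            if j in paired or client_b == client_a:
                continue
            if (abs(start_a - start_b) <= CORRELATION_WINDOW_S
                    and abs(dur_a - dur_b) <= CORRELATION_WINDOW_S):
                calls.append(("relayed-inferred", tuple(sorted((client_a, client_b))),
                              min(start_a, start_b), max(dur_a, dur_b)))
                paired.update((i, j))
                break
        else:
            # Unpaired leg: only this client's use of the relay is exposed.
            calls.append(("relayed-leg", (client_a,), start_a, dur_a))
    return sorted(calls, key=lambda c: c[2])


if __name__ == "__main__":
    for kind, parties, start, dur in reconstruct_calls(SAMPLE_FLOWS):
        print(f"{kind:17} {' <-> '.join(parties):35} t={start} {dur}s")
```

On the constructed records this yields one direct call and one relayed call between the same two phones; the TCP flow to port 443 is dropped by the packet-rate heuristic as signalling rather than media. The point is that encrypting the audio would change none of this output: the social graph comes from addressing and timing, which is exactly what a CDR or an operator's flow export records.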
Re: [liberationtech] Viber is secure?
Cormac, care to chime in?

On Sep 20, 2012 1:53 PM, Collin Anderson col...@averysmallbird.com wrote:
> Hi Amin,
>
> BBG and Freedom House's report 'Safety on the Line' included some evaluation of the security of Viber. While I was disappointed in the lack of specific details overall in the publication, it did not appear that they thought too highly of the application.
>
> [PDF] http://www.freedomhouse.org/sites/default/files/Safety%20on%20the%20Line.pdf
>
> I'm not sure if Callanan and Dries-Ziekenheiner are on this list, but perhaps if someone could reach out to them, we could get clarifications.
>
> Cordially,
> Collin
>
> On Thu, Sep 20, 2012 at 1:28 PM, Nathan of Guardian nat...@guardianproject.info wrote:
>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] [ZS] ZS reboot seed
- Forwarded message from Bryce Lynch virtualad...@gmail.com -

From: Bryce Lynch virtualad...@gmail.com
Date: Thu, 20 Sep 2012 12:49:35 -0400
To: doctrinez...@googlegroups.com
Subject: Re: [ZS] ZS reboot seed
Reply-To: doctrinez...@googlegroups.com

On Thu, Sep 20, 2012 at 11:59 AM, Dirk Bruere dirk.bru...@gmail.com wrote:
> Given that you know vastly more about it than most of us, including me, could you put together some suggestions as to how we proceed, with recommendations?

I'll take a crack at it:

A lot of the Zero State notes and docs are online in Google Pages. That's pretty much a wiki. The usual wiki software (MediaWiki, Trac, MoinMoin, et cetera) is nice, but not distributed. One server, one database, one wiki. While it's possible to cluster the databases, not all software plays nicely that way, and in fact a lot of database software we're likely to get hold of has serious hardcoded limitations on the number of nodes (MySQL, I'm looking at you). There are alternative wiki implementations that do the same thing but make it possible to share the whole shebang across arbitrary numbers of nodes, potentially one per member of the Zero State, potentially more than one per member.

The first thing that comes to mind is Ward Cunningham's Smallest Federated Wiki (https://github.com/WardCunningham/Smallest-Federated-Wiki). It's a web application (Ruby/Sinatra/JavaScript) which runs on a machine and is accessible through a web browser. It's designed such that multiple instances of the server can connect to one another over a network and synch up, so it's really one wiki spread across lots of machines at the same time. Multiple people can browse the wiki, create and edit pages. I don't see why we can't have instances communicating over a darknet.

The one that I keep coming back to (and not just because I suck at Ruby apps) is called Fossil (https://www.fossil-scm.org/index.html/doc/trunk/www/index.wiki), which is a distributed revision control system, bug/ticket tracker, blog, and wiki. It uses many of the same techniques as (and in fact is compatible with) the revision control system Git (http://git-scm.org/). Again, it's accessed with a web browser, everything is versioned, and multiple instances can synch up with one another in a by-any-means-necessary approach. Revision control is good for more than just source code - a lot of us use it to help manage our configuration files as well as things we write. We can check stuff we're working on into revision control if we wanted to. We could definitely use the wiki and blog. The ticket tracker could be used to assign and keep track of tasks (ticket #31337: Create Friendly AGI) that we're working on. Fossil can automatically synch off of a single server, or instances can synch off of each other and merge the data. It's cross platform. And, if something does happen, all it takes is a single instance of Fossil to re-bootstrap because every node has... well... everything. We could import everything important into one of these systems and others could set up and synch their own copies of the whole Zero State superstructure.

Chat isn't particularly difficult: While we could set up our own servers we could also just as easily take advantage of any and all XMPP services out there. There are skillions of them, and most of them can cross-chat between one another. I do that a lot with friends around the world: My jabber.ccc.de account can talk to the endno.de folks, the Blackbird folks, and so on. If we really wanted to we could set up our own XMPP servers. But there are other ways.

Lately I've been experimenting with Litter (https://github.com/ptony82/litter), a distributed microblogging system written in Python. Unpack it, run it, and it does pretty much what you'd expect of Twitter, save that it automatically seeks out and finds other instances of Litter on the network using IP multicasting and exchanges messages with them. It's pretty nifty and very lightweight. I haven't tested it with Tor or I2P yet, though.

Torchat (https://github.com/prof7bit/TorChat) is actually implemented in a number of languages, but they all do pretty much the same thing: If you're running Tor on your laptop or workstation it'll set up a hidden service that is uniquely yours. Other Torchat users can, if they know the address, add you as a friend and you can IM over the Tor network. It's a pretty nice IM client.

Tahoe-LAFS (https://tahoe-lafs.org/trac/tahoe-lafs) is a massively distributed file storage and sharing grid. The idea is that you install it and join a grid, and you donate a portion of your disk space to the grid that people can use to share and back up files. If some number of members built a grid we could put Zero State related materials into it for us to access - Fossil trees, documents, videos, audio recordings, whatever we needed to replicate and make available, we could.

The next question is how to network all this stuff
[liberationtech] Face recognition software prefers unsmiling humans
A little poetry for the watchdogs. PoliceOne.com (Sep 20) - "[New Jersey] driver license face-recognition technology prohibits smiles": http://www.policeone.com/police-technology/articles/5990244-N-J-driver-license-face-recognition-technology-prohibits-smiles/ HT @PoliceOne, gf -- Gregory Foster || gfos...@entersection.org @gregoryfoster http://entersection.com/ -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
[liberationtech] Use of Blue Coat filtering at the USPTO
James Love stumbled into Blue Coat filtering of his site at the USPTO. http://keionline.org/node/1549 Best, André -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
[liberationtech] Facebook wants you to snitch?
I've been following a story on twitter and wondered if anyone knew the background - and in particular, whether it's true! The story suggests that Facebook is experimenting with asking people to confirm whether their friends are who they say they are: here's a tweet about it. https://mobile.twitter.com/chapeaudefee/status/248599349481836544?photo=1

The implications are obvious - but quite important. Facebook has had a 'real names' policy for a while, but they haven't to my knowledge been using this kind of way of verifying/enforcing it before. A German online magazine has suggested it's being trialled - I wondered if anyone had any information or confirmation that it's been happening, or that my reading of it is correct?

Help would be much appreciated

Paul Bernal

Sent from my iPhone

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
[liberationtech] Arab Spring Class This Fall at Stanford University
From: Emad Mekay eme...@stanford.edu

Dear All,

Please excuse the group email, but I just wanted to share with you information about my new class this fall at Stanford University. Please feel free to share it with students, faculty, researchers and anyone with interest in the Middle East.

After a year as a Knight Fellow at Stanford, I will be teaching a new class this year about the Arab Spring. The course will serve as an introduction to the events of the Arab Spring. One of the reasons many Western institutions, including the media, may have failed to predict the Arab Spring in time is that they are hampered by many stereotypes and clichés about the Middle East generated in part by - well yes - my fellow media professionals. In this class, students will draw lessons on how not to approach international relations with pre-conceived ideas and find their own sources to understand the events that are re-shaping the Middle East. I will draw on my extensive coverage of those events.

We'll talk about issues such as how the Arab media is resisting revolutions, the future of Islamist movements, street protest tactics against police states, the role played by women in the wave of revolutions, business and economy under Islamist government and the myth of the Arab Spring being invented by Facebook, among other issues. Students will learn to take more advanced investigations into the Arab region and U.S. institutions working there. The lectures will be both a place for students to get some exposure to first-hand information on what really happened before and after the wave of revolutions that swept new political players to power in the Middle East. Students will be introduced to major political players in countries of the Arab Spring through guest speaker events, conversations with people who took part in the events as well as class discussions and research.

The goal is to instill confidence in students in their ability to find their own sources and information about the region to prepare them to offer authoritative explanation and understanding of the future of the Arab Spring countries.

We'll be meeting Mondays and Wednesdays, 10:00AM-11:50AM, Encina West Rm 106. Course runs Sept. 24-Dec. 7, 2012. I am also attaching a flyer.*

Let me know if you have any questions.

Best,
Emad

* Flyer below:

International Relations, Fall 2012 course, Stanford University.
Mon, Wed 10:00AM-11:50AM at Encina West 106 (Sept. 24--Dec. 7, 2012)

DECODING THE ARAB SPRING AND THE FUTURE OF THE MIDDLE EAST
INTNLREL151 (with Emad Mekay)

The course will explore themes such as: the issues that forged the identity of the Arab Spring; common features among the Arab Spring countries; mechanisms of street protests against police states; history and current relationship between the military and new political powers; secularists vs. Islamists; why the Islamists are winning in public polls; and scenarios for the Middle East.

All students at all levels are welcome.

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech