[liberationtech] Stop promoting Skype

2013-06-07 Thread Jacob Appelbaum
Hi,

Top secret PRISM program claims direct access to servers of firms
including Google, Facebook and Apple and others.

Some of the world's largest internet brands are claimed to be part of
the information-sharing program since its introduction in 2007.
Microsoft – which is currently running an advertising campaign with the
slogan "Your privacy is our priority" – was the first, with collection
beginning in December 2007.

It was followed by Yahoo in 2008; Google, Facebook and PalTalk in 2009;
YouTube in 2010; Skype and AOL in 2011; and finally Apple, which joined
the program in 2012. The program is continuing to expand, with other
providers due to come online.

Collectively, the companies cover the vast majority of online email,
search, video and communications networks.

Read about it here:

http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data

http://static.guim.co.uk/sys-images/Guardian/Pix/audio/video/2013/6/6/1370553948414/Prism-001.jpg

http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/2013/6/6/1370554726437/PRISM-slide-crop-001.jpg

The next person that recommends Skype to human rights activists is
completely discredited. Stop it and stop it now.

Ta ta,
Jake
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Eduardo Robles Elvira
Stop promoting google hangout and hotmail, yahoo, gmail, outlook.com... =)

On Fri, Jun 7, 2013 at 8:17 AM, Jacob Appelbaum ja...@appelbaum.net wrote:
> [...]



-- 
Eduardo


Re: [liberationtech] NSA, FBI, Verizon caught red handed spying on US citizens in the US

2013-06-07 Thread Seth David Schoen
Anthony Papillion writes:

> It's up to us to protect ourselves and, thankfully, we have the
> technology to do just that.

(As I suggested in a previous message, I strongly support greater use
of privacy-enhancing technologies, and finding tactics to increase the
demand for them.)

I think it's become clear that traffic and location data is much harder to
protect technologically than content.  Advocates for privacy-enhancing
technology sometimes don't appreciate or don't effectively communicate
the scope of this problem.  I've seen a lot of people in the last day
or so referring to the need to encrypt everything.

Encrypting everything is surely of tremendous benefit for privacy, but
in low-latency packet-switched networks, it has no effect at all on the
ability to perform traffic analysis.  In order to get networks that we
don't control to deliver our communications to the parties we choose, we
have to tell the intermediaries who run the networks where to send the
communications, affixing identifiers like IP addresses and PSTN numbers.
Then the network operators can record and disclose all of that
information.  And the implications of that information are significant,
especially when it includes or implies location data.

We just recently had a discussion here that touched on how difficult
it might be to make a mobile phone that doesn't allow location
tracking.  I think it's possible with a significant engineering
effort, but the easiest ways to design and deploy mobile communications
networks all automatically make users' locations trackable.

The best widely-used tool to defend against traffic analysis is Tor,
but Tor's developers readily concede that it has a lot of important
limitations and that there's no obvious path around many of them.
Two of these important limitations (not the only ones) are:

① Anonymization adds latency to communications.  Better anonymization
usually adds more latency.  Everywhere else, communications engineers
are struggling to take the latency out of people's communications.
At least in some systems, anonymity engineers are struggling to put
it in.

② Network adversaries can notice that things coming out of a system
correspond to things going in.

Here's one of many statements of these two issues as they relate to
systems like Tor:

   Furthermore, Onion Routing makes no attempt to stop timing attacks
   using traffic analysis at the network endpoints. They assume that
   the routing infrastructure is uniformly busy, thus making passive
   intra-network timing difficult. However, the network might not
   be statistically uniformly busy, and attackers can tell if two
   parties are communicating via increased traffic at their respective
   endpoints. This endpoint-linkable timing attack remains a difficulty
   for all low-latency networks.

http://www.freehaven.net/src/related-comm.thtml

These issues are less severe if people are using e-mail or (maybe
better yet) forum posting, over an encrypted channel to a popular
service that many people use.  But they're quite serious for voice
calls, video conferencing, and even instant messaging.

-- 
Seth Schoen  sch...@eff.org
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107
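Seth's two limitations can be made concrete with a small simulation. What follows is an added example written for this page, not code from Seth, from EFF or from the Tor project. It models an observer who sees only who handed a packet in and who it was delivered to, with timestamps, never the (encrypted) contents, and scores sender/receiver pairs by how often an ingress packet is followed by an egress packet within a latency budget. The traffic (six senders, twenty packets each), the 1-3 ms network delay and the batching "mix" are all constructed for the demonstration, so the figures it prints describe this toy traffic only, not Tor. The result is the trade-off the message describes: against an ordinary low-latency network, or a mix that holds packets for only 50 ms, every flow is linked from timing alone; a mix holding packets for 500 ms leaves one flow linkable, and one holding them for five seconds leaves none, at the cost of that much added latency on every message.

```go
package main

import "fmt"

// Observation is what a network observer records at an ingress or egress
// point: which party handed the packet in (or received it) and when, in ms.
// Contents are assumed encrypted and are not modelled; linking never needs them.
type Observation struct {
	Party int
	Time  float64
}

// constructedIngress builds the toy traffic: sender i sends 20 packets, one
// every 4 ms, starting at i*100 ms, to the receiver with the same index. The
// observer does not know that mapping and tries to recover it from timing.
func constructedIngress(parties int) []Observation {
	var obs []Observation
	for i := 0; i < parties; i++ {
		for j := 0; j < 20; j++ {
			obs = append(obs, Observation{Party: i, Time: float64(i*100 + j*4)})
		}
	}
	return obs
}

// lowLatencyNetwork forwards each packet after a 1-3 ms per-packet delay, as
// an ordinary packet-switched network does.
func lowLatencyNetwork(in []Observation) []Observation {
	out := make([]Observation, len(in))
	for k, o := range in {
		out[k] = Observation{Party: o.Party, Time: o.Time + float64(k%3+1)}
	}
	return out
}

// batchingMix returns a network that holds every packet until the next multiple
// of period ms and releases the batch at once: more latency, less timing leakage.
func batchingMix(period float64) func([]Observation) []Observation {
	return func(in []Observation) []Observation {
		out := make([]Observation, len(in))
		for k, o := range in {
			flush := float64(int(o.Time/period)+1) * period
			out[k] = Observation{Party: o.Party, Time: flush}
		}
		return out
	}
}

// linkFlows scores each (sender, receiver) pair by how many of the sender's
// ingress packets are followed within maxDelay ms by an egress packet to that
// receiver, then picks the best receiver per sender; a tie for the top score
// gives -1 (the observer cannot decide).
func linkFlows(ingress, egress []Observation, maxDelay float64, parties int) []int {
	score := make([][]int, parties)
	for s := range score {
		score[s] = make([]int, parties)
	}
	for _, in := range ingress {
		for _, out := range egress {
			if out.Time >= in.Time && out.Time <= in.Time+maxDelay {
				score[in.Party][out.Party]++
			}
		}
	}
	linked := make([]int, parties)
	for s := 0; s < parties; s++ {
		best, runnerUp, who := -1, -1, -1
		for r, v := range score[s] {
			if v > best {
				best, runnerUp, who = v, best, r
			} else if v > runnerUp {
				runnerUp = v
			}
		}
		if best == runnerUp {
			who = -1
		}
		linked[s] = who
	}
	return linked
}

// experiment runs the observer against one network model and returns how many
// of the six flows it linked to the correct receiver.
func experiment(network func([]Observation) []Observation, maxDelay float64) int {
	const parties = 6
	ingress := constructedIngress(parties)
	correct := 0
	for s, r := range linkFlows(ingress, network(ingress), maxDelay, parties) {
		if r == s {
			correct++
		}
	}
	return correct
}

func main() {
	fmt.Printf("low-latency network, 3 ms budget: %d of 6 flows linked\n", experiment(lowLatencyNetwork, 3))
	for _, p := range []float64{50, 500, 5000} {
		fmt.Printf("batching mix, %.0f ms period: %d of 6 flows linked\n", p, experiment(batchingMix(p), p))
	}
}
```

The observer's budget is set equal to the mix period because a patient observer knows how long the mix holds packets; the defence comes from many flows sharing each batch, not from the delay being unknown. The flows here are deliberately non-overlapping, which is the easy case for the observer; the same code with overlapping bursts gives a lower linking rate on the plain network, but never zero.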

Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Nadim Kobeissi
STOP PROMOTING THE INTERNET

NK

On 2013-06-07, at 3:16 AM, Eduardo Robles Elvira edu...@gmail.com wrote:

> Stop promoting google hangout and hotmail, yahoo, gmail, outlook.com... =)
>
> On Fri, Jun 7, 2013 at 8:17 AM, Jacob Appelbaum ja...@appelbaum.net wrote:
> > [...]
>
> --
> Eduardo



Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Jens Christian Hillerup
On Fri, Jun 7, 2013 at 9:23 AM, Nadim Kobeissi na...@nadim.cc wrote:

> STOP PROMOTING THE INTERNET


Stop promoting 'murica. And help me test and develop my project
escapetools that is meant for taking out your data from services like
GMail and saving them in a way that can be used in infrastructure
cooperatives like fripost.org.

http://github.com/jchillerup/escapetools

JC

PS: This email was (sadly) brought to you all by GMail.

[liberationtech] Top secret PRISM program claims direct access to servers of firms including Google, Facebook and Apple

2013-06-07 Thread Eugen Leitl

http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data

NSA taps in to internet giants' systems to mine user data, secret files
reveal

• Top secret PRISM program claims direct access to servers of firms including
Google, Facebook and Apple

• Companies deny any knowledge of program in operation since 2007

Glenn Greenwald and Ewen MacAskill

The Guardian, Thursday 6 June 2013 23.05 BST

A slide depicting the top-secret PRISM program

The National Security Agency has obtained direct access to the systems of
Google, Facebook, Apple and other US internet giants, according to a top
secret document obtained by the Guardian.

The NSA access is part of a previously undisclosed program called PRISM,
which allows officials to collect material including search history, the
content of emails, file transfers and live chats, the document says.

The Guardian has verified the authenticity of the document, a 41-slide
PowerPoint presentation – classified as top secret with no distribution to
foreign allies – which was apparently used to train intelligence operatives
on the capabilities of the program. The document claims collection directly
from the servers of major US service providers.

Although the presentation claims the program is run with the assistance of
the companies, all those who responded to a Guardian request for comment on
Thursday denied knowledge of any such program.

In a statement, Google said: "Google cares deeply about the security of our
users' data. We disclose user data to government in accordance with the law,
and we review all such requests carefully. From time to time, people allege
that we have created a government 'back door' into our systems, but Google
does not have a back door for the government to access private user data."

Several senior tech executives insisted that they had no knowledge of PRISM
or of any similar scheme. They said they would never have been involved in
such a program. "If they are doing this, they are doing it without our
knowledge," one said.

An Apple spokesman said it had never heard of PRISM.

The NSA access was enabled by changes to US surveillance law introduced under
President Bush and renewed under Obama in December 2012.


The program facilitates extensive, in-depth surveillance on live
communications and stored information. The law allows for the targeting of
any customers of participating firms who live outside the US, or those
Americans whose communications include people outside the US.

It also opens the possibility of communications made entirely within the US
being collected without warrants.

Disclosure of the PRISM program follows a leak to the Guardian on Wednesday
of a top-secret court order compelling telecoms provider Verizon to turn over
the telephone records of millions of US customers.

The participation of the internet companies in PRISM will add to the debate,
ignited by the Verizon revelation, about the scale of surveillance by the
intelligence services. Unlike the collection of those call records, this
surveillance can include the content of communications and not just the
metadata.

Some of the world's largest internet brands are claimed to be part of the
information-sharing program since its introduction in 2007. Microsoft – which
is currently running an advertising campaign with the slogan "Your privacy is
our priority" – was the first, with collection beginning in December 2007.

It was followed by Yahoo in 2008; Google, Facebook and PalTalk in 2009;
YouTube in 2010; Skype and AOL in 2011; and finally Apple, which joined the
program in 2012. The program is continuing to expand, with other providers
due to come online.

Collectively, the companies cover the vast majority of online email, search,
video and communications networks.



The extent and nature of the data collected from each company varies.

Companies are legally obliged to comply with requests for users'
communications under US law, but the PRISM program allows the intelligence
services direct access to the companies' servers. The NSA document notes the
operations have "assistance of communications providers in the US".

The revelation also supports concerns raised by several US senators during
the renewal of the Fisa Amendments Act in December 2012, who warned about the
scale of surveillance the law might enable, and shortcomings in the
safeguards it introduces.

When the FAA was first enacted, defenders of the statute argued that a
significant check on abuse would be the NSA's inability to obtain electronic
communications without the consent of the telecom and internet companies that
control the data. But the PRISM program renders that consent unnecessary, as
it allows the agency to directly and unilaterally seize the communications
off the companies' servers.

A chart prepared by the NSA, contained within the top-secret document
obtained by the Guardian, underscores the breadth of the data it is able to
obtain: email, video and voice chat, videos, photos, 

Re: [liberationtech] NSA has direct access to tech giants' systems for user data, secret ppt reveals

2013-06-07 Thread katana
Hi,

> NSA just $20M of budget? The same NSA that is building a data center
> (for processing what? =) for 869 million USD$ in Maryland?

From
http://www.democracynow.org/2012/4/20/exclusive_national_security_agency_whistleblower_william

WILLIAM BINNEY: Well, it was called Thin Thread. I mean, Thin Thread was
our—a test program that we set up to do that. By the way, I viewed it as
we never had enough data, OK? We never got enough. It was never enough
for us to work at, because I looked at velocity, variety and volume as
all positive things. Volume meant you got more about your target.
Velocity meant you got it faster. Variety meant you got more aspects.
These were all positive things. All we had to do was to devise a way to
use and utilize all of those inputs and be able to make sense of them,
which is what we did.

JUAN GONZALEZ: And when they didn’t use your system, they—the NSA
developed another or attempted to develop another system to do the same?

WILLIAM BINNEY: Well, that one failed. They didn’t produce anything with
that one.

AMY GOODMAN: And that one was called?

WILLIAM BINNEY: Trailblazer, yeah.

AMY GOODMAN: Trailblazer, and—

WILLIAM BINNEY: I called it—I called it five-year plan number one.
Five-year plan number two was Turbulence. Five-year plan number three is—

AMY GOODMAN: And Trailblazer cost how much money?

WILLIAM BINNEY: That was, I think, in my—my sense, was a little over $4
billion.

AMY GOODMAN: Four billion dollars.

WILLIAM BINNEY: Right.

AMY GOODMAN: But it was scuttled. It was done away with in 2006?

WILLIAM BINNEY: Yes, '05, I think it was. But yes, that's right. And we
developed our program with $3 million, roughly.

-- 
Katana


Re: [liberationtech] Top secret PRISM program claims direct access to servers of firms including Google, Facebook and Apple

2013-06-07 Thread Michael Rogers
"This law does not allow the targeting of any US citizen or of any person
located within the United States."

Note the wording of this denial: the *target* of collection may not be a US 
citizen or a person located in the US. But if the *target* is, say, Al Qaeda 
and affiliated organisations, does the law prevent data about US citizens and 
persons located in the US from being collected and retained?

Cheers,
Michael


Eugen Leitl eu...@leitl.org wrote:


> http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data
>
> [...]
Re: [liberationtech] NSA has direct access to tech giants' systems for user data, secret ppt reveals

2013-06-07 Thread Eugen Leitl
On Fri, Jun 07, 2013 at 12:32:10PM +1200, Andrew Lewis wrote:

> PRISM isn't really even that illegal, as long as they discard communications
> considered to be American.

So, as long as every TLA worldwide does, and they all share the information,
everything is all right? Not so fast.

> The NSA has been listening to radio signals from all over the world for
> years, from military bases strategically positioned to pick up radio signals
> of interest, amongst other types of communication data. This is really just
> the extension of similar ideas, to a new form of communications, the novel
> part of the whole thing is that it leverages the fact that so many tech
> companies are located in the US and that a ton of the internet backbone is
> run through America.

Why does the NSA operate these dedicated fiber splice subs, you think?


Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread liberationtech
On Fri, 07 Jun 2013 06:17:56 +
Jacob Appelbaum ja...@appelbaum.net wrote:

> The next person that recommends Skype to human rights activists is
> completely discredited. Stop it and stop it now.

s/Skype/third party services/

Fixed that for you.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475


Re: [liberationtech] PRISM: NSA/FBI Internet data mining project

2013-06-07 Thread Eugen Leitl
- Forwarded message from Leo Bicknell bickn...@ufp.org -

Date: Thu, 6 Jun 2013 20:28:18 -0500
From: Leo Bicknell bickn...@ufp.org
To: jim deleskie deles...@gmail.com
Cc: goe...@anime.net, NANOG na...@nanog.org
Subject: Re: PRISM: NSA/FBI Internet data mining project
X-Mailer: Apple Mail (2.1508)


On Jun 6, 2013, at 8:06 PM, jim deleskie deles...@gmail.com wrote:

> Knowing it's going on, knowing nothing online is secret != OK with it; it
> merely understands the way things are.

While there's a whole political aspect of electing people who pass better laws, 
NANOG is not a political action forum.

However, many of the people on NANOG are in positions to effect positive change
at their respective employers.

- Implement HTTPS for all services.
- Implement PGP for e-mail.
- Implement S/MIME for e-mail.
- Build cloud services that encrypt on the client machine, using a key that is 
only kept on the client machine.
- Create better UI frameworks for managing keys and identities.
- Align data retention policies with the law.
- Scrutinize and reject defective government legal requests.
- When allowed by law, charge law enforcement for access to data.
- Lobby for more sane laws applied to your area of business.

The high tech industry has often made the government's job easy, not by
intention but by laziness.  Keeping your customers' data secure should be a
proud marketing point.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/








- End forwarded message -
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
__
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
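Bicknell's fourth item, cloud services that encrypt on the client machine with a key that never leaves it, is the one on his list with a concrete design behind it. The following is an added example written for this page, not Bicknell's code and not any provider's: a client seals a document with AES-GCM before upload, binding the object name as associated data, and a stand-in storage server holds only ciphertext. The type and function names (ClientVault, StorageServer, runScenario) and the sample document are constructed for the example. It checks four things the design promises: the client's own round trip works; a disclosure of the stored blob does not yield the document; a key generated on the provider's side does not open the blob; and the blob stops opening once the server moves it under another name.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ClientVault owns the data-encryption key. Following Bicknell's item, the key
// is generated and kept on the client machine; nothing here sends it anywhere.
type ClientVault struct {
	aead cipher.AEAD
}

// NewClientVault generates a fresh 256-bit AES key locally and wraps it in GCM.
func NewClientVault() (*ClientVault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for a valid AES block
	return &ClientVault{aead: aead}, err
}

// Seal encrypts plaintext before it leaves the client and returns
// nonce || ciphertext || tag. The object name is bound as associated data, so
// a blob the server moves under another name no longer authenticates.
func (v *ClientVault) Seal(objectName string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open authenticates and decrypts a blob fetched back from storage.
func (v *ClientVault) Open(objectName string, blob []byte) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(objectName))
}

// StorageServer stands in for the provider: it stores and returns blobs and
// can be compelled to hand them over, but it never holds a key.
type StorageServer struct{ objects map[string][]byte }

func (s *StorageServer) Put(name string, blob []byte) { s.objects[name] = append([]byte(nil), blob...) }
func (s *StorageServer) Get(name string) []byte      { return s.objects[name] }

// Outcome records what each party could do in runScenario: the client's own
// round trip, whether a disclosed blob contains the document, whether a
// provider-generated key opens it, and whether it opens after a server-side rename.
type Outcome struct {
	RoundTripOK, DisclosedIsPlaintext, ProviderKeyOpens, RenamedBlobOpens bool
}

// runScenario walks the pattern through with a constructed sample document.
func runScenario() (Outcome, error) {
	var out Outcome
	document := []byte("constructed sample: notes the provider must not be able to read")
	client, err := NewClientVault()
	if err != nil {
		return out, err
	}
	server := &StorageServer{objects: make(map[string][]byte)}
	blob, err := client.Seal("notes/2013-06.txt", document)
	if err != nil {
		return out, err
	}
	server.Put("notes/2013-06.txt", blob)
	stored := server.Get("notes/2013-06.txt")
	plain, err := client.Open("notes/2013-06.txt", stored)
	out.RoundTripOK = err == nil && bytes.Equal(plain, document)
	out.DisclosedIsPlaintext = bytes.Contains(stored, document)
	provider, err := NewClientVault() // a key the provider makes up itself
	if err != nil {
		return out, err
	}
	_, err = provider.Open("notes/2013-06.txt", stored)
	out.ProviderKeyOpens = err == nil
	server.Put("notes/public.txt", stored) // server-side move to a new name
	_, err = client.Open("notes/public.txt", server.Get("notes/public.txt"))
	out.RenamedBlobOpens = err == nil
	return out, nil
}

func main() {
	out, err := runScenario()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

What this pattern does not change is the point Seth Schoen makes elsewhere in this thread: the server still learns who uploaded what, when and how much, so client-side encryption answers Bicknell's content-disclosure concern and nothing about traffic analysis. Key management (backup, multi-device access, recovery) is the part his next item, better UI for keys and identities, is about, and is left out here.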


Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Yishay Mor
If all this already exists, why isn’t everybody doing it? Well, simply
because there is *no integration at all among all those objects*. 

No. We don't need no software bundles. We don't need no sleek installers.
How long does it take me to set up a Gmail account? Facebook account?
Flickr account? 20 seconds. How much does it cost me to set up? How much
does it cost me to maintain? (OK, Skype is an exception, I do need to
install.)

See that's the standard you're competing with. Most users don't own server
space, physical or virtual, and would not in a million years be convinced
to buy any.

Yishay

___
   http://www.yishaymor.org
() ascii ribbon campaign - against html e-mail
/\www.asciiribbon.org - against proprietary attachments


On 7 June 2013 09:47, M. Fioretti mfiore...@nexaima.net wrote:

> On Fri, Jun 07, 2013 09:16:32 AM +0200, Eduardo Robles Elvira wrote:
> > Stop promoting google hangout and hotmail, yahoo, gmail, outlook.com... =)
>
> and start promoting their replacement via user-friendly bundling of
> Free Software that already exist and may run in a portable way on any
> cheap VPS:
>
> http://stop.zona-m.net/2013/01/the-alternatives-to-apple-facebook-c-already-exist-shall-we-package-them/
>
> --
> M. Fioretti http://mfioretti.com   http://stop.zona-m.net
>
> Your own civil rights and the quality of your life heavily depend on how
> software is used *around* you


Re: [liberationtech] Top secret PRISM program claims direct access to servers of firms including Google, Facebook and Apple

2013-06-07 Thread David Golumbia
On Fri, Jun 7, 2013 at 6:52 AM, Michael Rogers mich...@briarproject.org wrote:

> "This law does not allow the targeting of any US citizen or of any person
> located within the United States."
>
> Note the wording of this denial: the *target* of collection may not be a
> US citizen or a person located in the US. But if the *target* is, say, Al
> Qaeda and affiliated organisations, does the law prevent data about US
> citizens and persons located in the US from being collected and retained?
>
> Cheers,
> Michael


And in case one draws any comfort at all from these apparent limitations:
there is no chance that intelligence community representatives would take
advantage of very technical details of the wording of laws to, e.g., share
information on the citizens of other countries with whom it has formal
information sharing agreements but whom it is not supposed to directly
surveil, right? Because that would be kind of dishonest, and we know the
intelligence community is first and foremost dedicated to being truthful in
public.

http://opencanada.org/features/the-think-tank/essays/canada-and-the-five-eyes-intelligence-community/
http://en.wikipedia.org/wiki/UKUSA_Agreement



-- 
David Golumbia
dgolum...@gmail.com

Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Rich Kulawiec

These revelations constitute an existence proof that the number
of backdoors in various services is nonzero.

There's no reason to believe that this nonzero value is 1.

After all, if the NSA could backdoor them (with or without their cooperation)
then why couldn't MI6?  Or Mossad?  Or some other entity, which may or
may not be a national intelligence service?

There's also no reason to believe that this practice is limited to the US.

---rsk


Re: [liberationtech] Top secret PRISM program claims direct access to servers of firms including Google, Facebook and Apple

2013-06-07 Thread Andrew Clark
 Michael

Well, I feel much better as an Australian citizen living outside of the US.

Andrew Clark
andrewrcl...@mac.com



On 07/06/2013, at 10:32 PM, David Golumbia dgolum...@gmail.com wrote:

 
 
 
> [...]


Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Nadim Kobeissi
On 2013-06-07, at 8:31 AM, Yishay Mor yish...@gmail.com wrote:

 If all this already exists, why isn’t everybody doing it? Well, simply 
 because there is no integration at all among all those objects. 
 
 No. we don't need no software bundles. we don't need no sleek installers. 
 How long does it take me to set up a gmail account? facebook account? flickr 
 account? 20 seconds. how much does it cost me to set up? how much does it 
 cost me to maintain? (ok, skype is an exception, I do need to install).

Interestingly, we've been getting some emails since the NSA/PRISM story 
regarding people switching to Cryptocat.

It's a really encouraging and awesome trend to see people care about 
privacy-enabling technologies that are accessible and easy to use. To an 
extent, we've succeeded here because we've made it as easy as Facebook or Skype 
to have private conversations using free and open source software. So if 
someone is switching from Facebook or Skype to Cryptocat, it's a really 
positive thing.

The big challenge, though, so far is delineating the use cases and threat 
models. I have no problem seeing a lot of regular people flock to Cryptocat 
just for common-sense privacy concerns. But catering to that, and catering to 
activists/human rights workers in Mission Impossible situations, are two 
different stories. Concerning the latter, considering the outrageous nature of 
the PRISM story, I may have not been joking when I said STOP PROMOTING THE 
INTERNET to activists after all. :P

NK

 
 See that's the standard you're competing with. Most users don't own server 
 space, physical or virtual, and would not in a million years be convinced to 
 buy any.
 
 Yishay
 
 ___
http://www.yishaymor.org
 () ascii ribbon campaign - against html e-mail 
 /\www.asciiribbon.org - against proprietary attachments
 
 
 On 7 June 2013 09:47, M. Fioretti mfiore...@nexaima.net wrote:
 On Fri, Jun 07, 2013 09:16:32 AM +0200, Eduardo Robles Elvira wrote:
  Stop promoting google hangout and hotmail, yahoo, gmail, outlook.com... =)
 
 and start promoting their replacement via user-friendly bundling of
 Free Software that already exist and may run in a portable way on any
 cheap VPS:
 
 http://stop.zona-m.net/2013/01/the-alternatives-to-apple-facebook-c-already-exist-shall-we-package-them/
 
 --
 M. Fioretti http://mfioretti.com   http://stop.zona-m.net
 
 Your own civil rights and the quality of your life heavily depend on how
 software is used *around* you
 



Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Michael Dahan
Apropos backdooring where do think the Palestinian authority gets its
bandwidth from/through under the Oslo Accords? Not to mention the large NSA
installation next door to the center of Israeli military intelligence...
On Jun 7, 2013 3:38 PM, Nadim Kobeissi na...@nadim.cc wrote:

 On 2013-06-07, at 8:31 AM, Yishay Mor yish...@gmail.com wrote:

  If all this already exists, why isn’t everybody doing it? Well, simply
 because there is no integration at all among all those objects. 
 
  No. we don't need no software bundles. we don't need no sleek installers.
  How long does it take me to set up a gmail account? facebook account?
 flickr account? 20 seconds. how much does it cost me to set up? how much
 does it cost me to maintain? (ok, skype is an exception, I do need to
 install).

 Interestingly, we've been getting some emails since the NSA/PRISM story
 regarding people switching to Cryptocat.

 It's a really encouraging and awesome trend to see people care about
 privacy-enabling technologies that are accessible and easy to use. To an
 extent, we've succeeded here because we've made it as easy as Facebook or
 Skype to have private conversations using free and open source software. So
 if someone is switching from Facebook or Skype to Cryptocat, it's a really
 positive thing.

 The big challenge, though, so far is delineating the use cases and threat
 models. I have no problem seeing a lot of regular people flock to Cryptocat
 just for common-sense privacy concerns. But catering to that, and catering
 to activists/human rights workers in Mission Impossible situations, are two
 different stories. Concerning the latter, considering the outrageous nature
 of the PRISM story, I may have not been joking when I said STOP PROMOTING
 THE INTERNET to activists after all. :P

 NK

 
  See that's the standard you're competing with. Most users don't own
 server space, physical or virtual, and would not in a million years be
 convinced to buy any.
 
  Yishay
 
  ___
 http://www.yishaymor.org
  () ascii ribbon campaign - against html e-mail
  /\www.asciiribbon.org - against proprietary attachments
 
 
  On 7 June 2013 09:47, M. Fioretti mfiore...@nexaima.net wrote:
  On Fri, Jun 07, 2013 09:16:32 AM +0200, Eduardo Robles Elvira wrote:
   Stop promoting google hangout and hotmail, yahoo, gmail,
 outlook.com... =)
 
  and start promoting their replacement via user-friendly bundling of
  Free Software that already exist and may run in a portable way on any
  cheap VPS:
 
 
 http://stop.zona-m.net/2013/01/the-alternatives-to-apple-facebook-c-already-exist-shall-we-package-them/
 
  --
  M. Fioretti http://mfioretti.com
 http://stop.zona-m.net
 
  Your own civil rights and the quality of your life heavily depend on how
  software is used *around* you
 



Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Eugen Leitl
On Fri, Jun 07, 2013 at 08:32:36AM -0400, Rich Kulawiec wrote:
 
 These revelations constitute an existence proof that the number
 of backdoors in various services is nonzero.
 
 There's no reason to believe that this nonzero value is 1.

It is prudent to believe that the value is exactly one.
This particular disclosure is merely another data point.
We didn't need it in order to assume the value is exactly one.
 
 After, if the NSA could backdoor them (with or without their cooperation)
 then why couldn't MI6?  Or Mossad?  Or some other entity, which may or

We expect that each intelligence agency attempts to tap and monitor
according to their abilities and budget. It's obvious that
UKUSA members are special in the extent of space they
monitor and the budget they command, and how many vassals 
they've browbeaten into co-operation (e.g. almost the entire 
Europe is basically a puppet regime with no sovereignty
in key matters). 

 may not be a national intelligence service?

Why, we must assume that everything that goes over the
wire will be analyzed in realtime, and a fair fraction
(in some cases, all of it) will be stored indefinitely,
and data-mined. We also know that the CA trust model is broken,
so unless you roll your own certs all that traffic
is only a few computations away from being cleartext.
 
 There's also no reason to believe that this practice is limited to the US.

Of course not. It's funny how USians always think it's
everything always just about them.

There are 7 gigamonkeys on this planet. Tracking 7 Gentities
in realtime is not that hard of a job. Does anyone think that
intelligence services are not doing their job? 


Re: [liberationtech] NSA has direct access to tech giants' systems for user data, secret ppt reveals

2013-06-07 Thread Eugen Leitl
On Thu, Jun 06, 2013 at 09:23:03PM -0700, x z wrote:
 What surprised me is how Guardian and Washington Post cover this story.
 The Power Point slides look laughable to me. Maybe I should interpret
 direct access to servers of firms as like when I'm typing this email I am
 also having *a direct access* to Gmail's servers.

It's a little more direct than that.
Approaches like http://en.wikipedia.org/wiki/Room_641A are
really rather expensive, so it makes sense to move the
intercept capabilities to the providers themselves,
on a need-to-know basis, and serve them with a gagging 
order. 

If you think this is a laughing matter, you have a pretty
strange sense of humor.
 
 This is either a ploy by some pro-privacy extremist or a prank by somebody
 who's tired of these hyperbole privacy outcries.

You must realize that placating pabulum doesn't really fly
here, so I would reexamine why you are reading this list.


Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Rich Kulawiec
On Fri, Jun 07, 2013 at 02:48:58PM +0200, Eugen Leitl wrote:
 On Fri, Jun 07, 2013 at 08:32:36AM -0400, Rich Kulawiec wrote:
  
  These revelations constitute an existence proof that the number
  of backdoors in various services is nonzero.
  
  There's no reason to believe that this nonzero value is 1.
 
 It is prudent to believe that the value is exactly one.
 This particular disclosure is merely another data point.
 We didn't need it in order to assume the value is exactly one.

I'm not following you -- maybe I need more coffee this morning,
but I don't understand the reasoning behind your statement.

Mine is something like this: if one day, the folks from the NSA showed
up at X's door with a van full of equipment and asked nicely if they
could please bring it in, then why wouldn't their counterparts in every
other country do the same to X's sites there?  And since X wants to do
business in those countries, why would it say no?

If on the other hand this was done by the NSA without X's knowledge,
then their counterparts in other countries could try that approach
as well.

So would you mind explaining yours?  (My apologies if it's completely
obvious and I'm just being dense.)

And a side point/adjunct to this: so far, I haven't noticed Amazon
or Rackspace or Softlayer or similar on these lists.  (Again, maybe
more coffee is badly needed.)  I can't believe for a moment that
the NSA overlooked any of the major cloud computing providers.

---rsk



Re: [liberationtech] Why Metadata Matters

2013-06-07 Thread Griffin Boyce
Eugen Leitl eu...@leitl.org wrote:
 A ZByte facility (e.g. like the one in Utah) can store about
 10^10 years worth of audio (2 kByte/s with a modern codec),
 or about 1.4 year worth of audio for every human currently
 on the planet.

 So forget the metadata, of course they store it along
 with everything else.

  For me, it's less about Verizon as a specific example, and more
about the fact that all mobile carriers store this data.  In fact,
they frequently retain it for years, so if three years from now
someone subpoenas your ATT metadata, they have a realistic idea of
where you were and who you were with.  (Or at least that is the case
for most people).

  In the age of National Security Letters and other warrantless
warrants, it's even more concerning.

~Griffin


Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Petter Ericson
You misunderstand. Signing up to these services is generally easy, and
there are a number of instances up and running for each. However, there
is, as far as I know, no integrated service running an XMPP service, a
mail server, an OStatus instance, all connected and having the same
user database, reasonable connections between them etc etc.

It is certainly doable to install all of these, but currently it is
hard, in the sense that you need some rather in-depth knowledge to
properly glue everything together.

Making it easy to set up a server with a multitude of useful services
will not make each and every person set such a server up, but it may mean
that a much larger group of people _know_ someone who can set up such
a server.

Incidentally, I have been thinking, writing (one or two) blog posts on, but due
to time constraints not actually implementing or promoting such a project.

Best

/P

On 07 June, 2013 - Yishay Mor wrote:

 If all this already exists, why isn’t everybody doing it? Well, simply
 because there is *no integration at all among all those objects*. 
 
 No. we don't need no software bundles. we don't need no sleek installers.
 How long does it take me to set up a gmail account? facebook account?
 flickr account? 20 seconds. how much does it cost me to set up? how much
 does it cost me to maintain? (ok, skype is an exception, I do need to
 install).
 
 See that's the standard you're competing with. Most users don't own server
 space, physical or virtual, and would not in a million years be convinced
 to buy any.
 
 Yishay
 
 ___
http://www.yishaymor.org
 () ascii ribbon campaign - against html e-mail
 /\www.asciiribbon.org - against proprietary attachments
 
 
 On 7 June 2013 09:47, M. Fioretti mfiore...@nexaima.net wrote:
 
  On Fri, Jun 07, 2013 09:16:32 AM +0200, Eduardo Robles Elvira wrote:
   Stop promoting google hangout and hotmail, yahoo, gmail, outlook.com...
  =)
 
  and start promoting their replacement via user-friendly bundling of
  Free Software that already exist and may run in a portable way on any
  cheap VPS:
 
 
  http://stop.zona-m.net/2013/01/the-alternatives-to-apple-facebook-c-already-exist-shall-we-package-them/
 
  --
  M. Fioretti http://mfioretti.com   http://stop.zona-m.net
 
  Your own civil rights and the quality of your life heavily depend on how
  software is used *around* you
 



-- 
Petter Ericson (pett...@acc.umu.se)

Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Eugen Leitl
On Fri, Jun 07, 2013 at 09:15:32AM -0400, Rich Kulawiec wrote:

 Mine is something like this: if one day, the folks from the NSA showed
 up at X's door with a van full of equipment and asked nicely if they
 could please bring it in, then why wouldn't their counterparts in every
 other country do the same to X's sites there?  And since X wants to do
 business in those countries, why would it say no?

Why, I believe this is exactly how it goes down, your honor.
And UKUSA is effectively one compartment, and there are probably
looser co-operation programs existing in other countries.
 
 If on the other hand this was done by the NSA without X's knowledge,
 then their counterparts in other countries could try that approach
 as well.

I expect that they're collecting data everywhere they can,
some of which doesn't require cooperation (tapping submarine
fiber) and some requires partial cooperation (central tap
facilities at Tier 1 and 2) but also forcing major operators
under strict secrecy (need-to-know limited to few individuals,
some of them arguably also intelligence officers) and under
gagging orders so that officially disclosing the information would
bear severe penalties, and leaking would be risky since
the number of possible whistleblowers is very low.
 
 So would you mind explaining yours?  (My apologies if it's completely
 obvious and I'm just being dense.)

I doubt you are, we're probably in violent agreement without
realizing it.
 
 And a side point/adjunct to this: so far, I haven't noticed Amazon
 or Rackspace or Softlayer or similar on these lists.  (Again, maybe
 more coffee is badly needed.)  I can't believe for a moment that
 the NSA overlooked any of the major cloud computing providers.

I would also expect that anyone relevant would be on that list.

I would be very interested to know how the intercept and processing
is happening in so-called friendly countries, which do not have
the technical wherewithal and expertise to conduct the intercepts
themselves.


Re: [liberationtech] PRISM: NSA/FBI Internet data mining project

2013-06-07 Thread Eugen Leitl
- Forwarded message from Mark Seiden m...@seiden.com -

Date: Thu, 6 Jun 2013 22:57:07 -0700
From: Mark Seiden m...@seiden.com
To: jamie rishaw j...@arpa.com
Cc: goe...@anime.net, NANOG na...@nanog.org
Subject: Re: PRISM: NSA/FBI Internet data mining project
X-Mailer: Apple Mail (2.1508)

On Jun 6, 2013, at 10:25 PM, jamie rishaw j...@arpa.com wrote:

 <tinfoilhat>
 Just wait until we find out dark and lit private fiber is getting vampired.
 </tinfoilhat>
 

well, that's exactly and the only thing that would not surprise me, given the 
eff suit 
and mark klein's testimony about room 421a full of narus taps.   mark klein is 
an
utterly convincing and credible guy on this subject of tapping transit traffic.

but the ability to assemble intelligence out of taps on providers' internal 
connections 
would require reverse engineering the ever changing protocols of all of those 
providers.  
and at least at one of the providers named, where i worked on security and 
abuse, 
it was hard for us, ourselves, to quickly mash up data from various internal 
services 
and lines of business that were almost completely siloed  -- 
data typically wasn't exposed widely and stayed  within a particular 
server or data center absent a logged in session by the user.  

were these guys scraping the screens of non-ssl sessions of interest in real 
time?
with asymmetric routing, it's hard to reassemble both sides of a conversation, 
say
in IM.  one side might come in via a vip and the other side go out through the 
default
route, shortest path. only *on* a specific internal server might you see the 
entire 
conversation.  typically only the engineers who worked on that application would
log on or even know what to look for.

and also, only $20m/year?  in my experience, the govt cannot do anything like 
this 
addressing even a single provider for that little money.

and pretty much denials all around.   so at the moment, i don't believe it.  

(and i hope it's not true, or i might have to leave this industry in utter 
disgust
because i didn't notice this going on in about 8 years at that provider and it 
was
utterly contrary to the expressed culture.   

take up beekeeping, or alcohol, or something.).

 
 
 -- 
 Jamie Rishaw // .com.arpa@j - reverse it. ish.
 arpa / arpa labs



- End forwarded message -
-- 
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5


[liberationtech] Secure tools for communications - Is there a wiki ..?

2013-06-07 Thread Robert Guerra

The frequent mention of tools for secure communications leads me to ask: is 
there an updated wiki that this community (and perhaps others) can maintain? It 
would serve as a resource not only for listing tools, but also as a place to 
aggregate the analysis and comments of security experts.

If such a list doesn't exist, then I would like to encourage such a resource to 
be set up.

regards

Robert
--
R. Guerra
Phone/Cell: +1 202-905-2081
Twitter: twitter.com/netfreedom 
Email: rgue...@privaterra.org



Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread M. Fioretti
On Fri, Jun 07, 2013 13:31:07 PM +0100, Yishay Mor wrote:
 If all this already exists, why isn't everybody doing it? Well, simply 
 because
 there is no integration at all among all those objects. 
 
 No. we don't need no software bundles. we don't need no sleek installers. 
 How long does it take me to set up a gmail account? facebook account? flickr
 account? 20 seconds. how much does it cost me to set up? how much does it cost
 me to maintain? (ok, skype is an exception, I do need to install).
 
 See that's the standard you're competing with. Most users don't own server
 space, physical or virtual, and would not in a million years be convinced to
 buy any.

Yishay,

just out of curiosity: did you even bother to read what I actually
wrote? Like, you know, the parts about service businesses? Or the fact
that the proposal itself is about bundling existing software
**exactly** to make it a 20 seconds set up?


-- 
M. Fioretti http://mfioretti.com   http://stop.zona-m.net

Your own civil rights and the quality of your life heavily depend on how
software is used *around* you


Re: [liberationtech] NSA has direct access to tech giants' systems for user data, secret ppt reveals

2013-06-07 Thread R. Jason Cronk
I tend to agree with this. Here are some things that look fishy about 
this leak


 * The $20 million budget seems paltry. Nothing gets done in government
   for that small amount.
 * The Powerpoint is amateurish  (then again with no budget.)
 * Everybody implicated is denying it (though I suspect they would say
   the same if it were true)
 * The Guardian says it verified the authenticity of the presentation
   but it doesn't say how, nor does it appear they have any
   corroborating evidence.


Hopefully there will be some further investigation that will provide 
additional evidence about the program's existence.


Jason



On 6/7/2013 12:23 AM, x z wrote:
What surprised me is how Guardian and Washington Post cover this 
story. The Power Point slides look laughable to me. Maybe I should 
interpret direct access to servers of firms as like when I'm typing 
this email I am also having *a direct access* to Gmail's servers.


This is either a ploy by some pro-privacy extremist or a prank by 
somebody who's tired of these hyperbole privacy outcries.




2013/6/6 Peter Eckersley peter.eckers...@gmail.com


Of course, I was reading too fast and leaning too heavily on control+f.

Anyway, 20 million annually seems like a very low number by the
usual standards of efficiency in Department of Defense programs. 
But the NSA might already have a data storage, processing and

query architecture in place that is either not included in this
budget or only included on a marginal cost basis.


On 6 June 2013 16:45, Peter Eckersley peter.eckers...@gmail.com wrote:

Where did you get the $20m budget number from?  I can't find
it in any of the stories or attached materials.  But I could
be missing something.


On 6 June 2013 16:14, x z xhzh...@gmail.com wrote:

doesn't seem real to me.  especially the part *direct
access to servers* of firms ..., and with an annual
budget of measly $20m.


2013/6/6 Michael Carbone mich...@accessnow.org


Guardian:

http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data

WaPo:

http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story_1.html

some of the slides (haven't seen the full ppt drop):

http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/

Participating companies in chronological order:
Microsoft, Yahoo,
Google, Facebook, PalTalk, YouTube, Skype, AOL, Apple.
Dropbox
apparently next up.

--
Michael Carbone
Manager of Tech Policy & Programs
Access | https://www.accessnow.org
mich...@accessnow.org |
PGP: 0x81B7A13E
PGP Fingerprint: 25EC 1D0F 2D44 C4F4 5BEF EF83 C471
AD94 81B7 A13E





Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread R. Jason Cronk

Agreed

http://i.eatliver.com/2013/10627.jpg


Jason


On 6/7/2013 3:23 AM, Nadim Kobeissi wrote:

STOP PROMOTING THE INTERNET

NK

On 2013-06-07, at 3:16 AM, Eduardo Robles Elvira edu...@gmail.com wrote:


Stop promoting google hangout and hotmail, yahoo, gmail, outlook.com... =)

On Fri, Jun 7, 2013 at 8:17 AM, Jacob Appelbaum ja...@appelbaum.net wrote:

Hi,

Top secret PRISM program claims direct access to servers of firms
including Google, Facebook and Apple and others.

Some of the world's largest internet brands are claimed to be part of
the information-sharing program since its introduction in 2007.
Microsoft – which is currently running an advertising campaign with the
slogan Your privacy is our priority – was the first, with collection
beginning in December 2007.

It was followed by Yahoo in 2008; Google, Facebook and PalTalk in 2009;
YouTube in 2010; Skype and AOL in 2011; and finally Apple, which joined
the program in 2012. The program is continuing to expand, with other
providers due to come online.

Collectively, the companies cover the vast majority of online email,
search, video and communications networks.

Read about it here:

http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data

http://static.guim.co.uk/sys-images/Guardian/Pix/audio/video/2013/6/6/1370553948414/Prism-001.jpg

http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/2013/6/6/1370554726437/PRISM-slide-crop-001.jpg

The next person that recommends Skype to human rights activists is
completely discredited. Stop it and stop it now.

Ta ta,
Jake



--
Eduardo





R. Jason Cronk, Esq., CIPP/US
Privacy Engineering Consultant, Enterprivacy Consulting Group
enterprivacy.com

 * phone: (828) 4RJCESQ
 * twitter: @privacymaverick.com
 * blog: http://blog.privacymaverick.com


Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Griffin Boyce
liberationt...@lewman.us wrote:
 Jacob Appelbaum ja...@appelbaum.net wrote:

 The next person that recommends Skype to human rights activists is
 completely discredited. Stop it and stop it now.

 s/Skype/third party services/

 Fixed that for you.

  I'll keep that in mind the next time someone from Tor promotes Riseup ;-)

  But seriously, average users need to have basic services that are
(unfortunately) run by third parties.  At a minimum, diversification
of services used.  If every activist uses Riseup or May First, those
services become just as high a priority for warrants as Gmail or
Hotmail.  If you have your own domain, that's awesome.  This is not a
realistic expectation for most people -- either because they lack the
knowledge to install and upkeep their hosting, class stratification,
or complete absence of time to do it.

  What would be fantastic is if more people who *did* have the
knowledge/money took the time to set up their own accounts on their
own domains.  And if you're a developer or an advanced user, help
others do it too!  It's far better to have a domain for your group of
friends than have everyone use riseup/gmail/etc.

  If you want gmail-like features, there are lots of open-source
avenues, like MailPile [1].

  I'm also going to go against the grain and say that most services
don't *need* to be integrated with each other.

~Griffin

[1] https://github.com/pagekite/Mailpile

-- 
Just another hacker in the City of Spies.
#Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de

My posts, while frequently amusing, are not representative of the
thoughts of my employer.


Re: [liberationtech] NSA, FBI, Verizon caught red handed spying on US citizens in the US

2013-06-07 Thread Richard Brooks
On 06/07/2013 03:23 AM, Seth David Schoen wrote:

 The best widely-used tool to defend against traffic analysis is Tor,
 but Tor's developers readily concede that it has a lot of important
 limitations and that there's no obvious path around many of them.
 Two of these important limitations (not the only ones) are:
 
 ① Anonymization adds latency to communications.  Better anonymization
 usually adds more latency.  Everywhere else, communications engineers
 are struggling to take the latency out of people's communications.
 At least in some systems, anonymity engineers are struggling to put
 it in.
 
 ② Network adversaries can notice that things coming out of a system
 correspond to things going in.
 
 Here's one of many statements of these two issues as they relate to
 systems like Tor:
 
Furthermore, Onion Routing makes no attempt to stop timing attacks
using traffic analysis at the network endpoints. They assume that
the routing infrastructure is uniformly busy, thus making passive
intra-network timing difficult. However, the network might not
be statistically uniformly busy, and attackers can tell if two
parties are communicating via increased traffic at their respective
endpoints. This endpoint-linkable timing attack remains a difficulty
for all low-latency networks.
 
 http://www.freehaven.net/src/related-comm.thtml
 
 These issues are less severe if people are using e-mail or (maybe
 better yet) forum posting, over an encrypted channel to a popular
 service that many people use.  But they're quite serious for voice
 calls, video conferencing, and even instant messaging.
 
We were able to do our timing side-channel approach on Tor very
successfully on a private Tor instance in our lab. When we tried
it on the global net, we found the jitter inherent to Tor made
it practically impossible.

Have not tried it specifically on VOIP traffic, but the latency/jitter
seems to me to do a pretty good job of making timing attacks
unreliable for now.

-RRB
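
The endpoint-linkable timing attack in the freehaven passage Seth quotes, and the jitter Richard describes defeating it on the live network, as an added simulation. This is not code from the thread, from Tor or from the lab experiment mentioned above; everything in it is constructed: the on/off bursty flows, the four clients, the fixed 0.4 s base latency, the exponential per-packet jitter, the 0.2 s observation window and the seed are modelling assumptions, not measurements of any real network, and every function name is hypothetical. The observer sees only packet counts per window on the client side and on the server side, tries each plausible latency shift, and pairs each ingress flow with the egress flow whose count series correlates best.

```python
"""Added illustration of an endpoint-linkable timing attack on a
low-latency anonymity network. Constructed traffic only: no network,
no real Tor circuit, all parameters are assumptions."""
import random


def make_bursty_flow(rng, duration, rate=40.0, burst=(0.3, 1.5), gap=(0.3, 2.0)):
    """Constructed sample traffic: on/off bursts with Poisson packet
    arrivals while 'on'. Returns packet send times in seconds."""
    times, t = [], 0.0
    while t < duration:
        end = t + rng.uniform(*burst)
        while t < end and t < duration:
            times.append(t)
            t += rng.expovariate(rate)
        t = end + rng.uniform(*gap)
    return times


def relay(times, latency, jitter, rng):
    """Model the anonymity network as a fixed latency plus a random,
    non-negative per-packet delay with mean `jitter` (exponential)."""
    delayed = []
    for t in times:
        extra = rng.expovariate(1.0 / jitter) if jitter > 0 else 0.0
        delayed.append(t + latency + extra)
    return sorted(delayed)


def bin_counts(times, window, nbins):
    """Packet counts per fixed window: the observer's only view."""
    counts = [0] * nbins
    for t in times:
        i = int(t / window)
        if i < nbins:
            counts[i] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equal-length count series."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0


def lagged_correlation(ingress, egress, max_lag):
    """Best correlation over lags 0..max_lag bins; the observer does not
    know the network's base latency, so every shift is tried."""
    best = -1.0
    for lag in range(max_lag + 1):
        n = len(ingress) - lag
        if n < 2:
            break
        best = max(best, pearson(ingress[:n], egress[lag:lag + n]))
    return best


def link_flows(ingress_flows, egress_flows, window, duration, max_lag_s):
    """For each ingress flow: (index of best-matching egress flow, score)."""
    nbins, max_lag = int(duration / window), int(max_lag_s / window)
    in_bins = [bin_counts(f, window, nbins) for f in ingress_flows]
    eg_bins = [bin_counts(f, window, nbins) for f in egress_flows]
    links = []
    for ib in in_bins:
        scores = [lagged_correlation(ib, eb, max_lag) for eb in eg_bins]
        best = max(range(len(scores)), key=scores.__getitem__)
        links.append((best, scores[best]))
    return links


def run_experiment(jitter, n_flows=4, duration=60.0, seed=1):
    """Returns (flows linked to the right partner, mean best score)."""
    rng = random.Random(seed)
    ingress = [make_bursty_flow(rng, duration) for _ in range(n_flows)]
    order = list(range(n_flows))
    rng.shuffle(order)  # egress side is unlabelled; attacker must link
    egress = [relay(ingress[i], 0.4, jitter, rng) for i in order]
    links = link_flows(ingress, egress, window=0.2, duration=duration, max_lag_s=2.0)
    correct = sum(1 for i, (j, _) in enumerate(links) if order[j] == i)
    return correct, sum(s for _, s in links) / n_flows


if __name__ == "__main__":
    for jitter in (0.01, 0.2, 3.0):
        correct, score = run_experiment(jitter)
        print(f"jitter {jitter:4.2f}s: {correct}/4 flows linked, mean score {score:.2f}")
```

With tens of milliseconds of jitter the pairing is recovered for every flow from counts alone; once the per-packet delay variation exceeds the burst length the scores collapse, which is the qualitative point of both posts. It also shows why the attack is cheaper against voice, video and chat (continuous, timing-sensitive traffic with many correlatable events) than against e-mail or forum posting sent over a busy shared service, where the observer gets only a few coarse events per user.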

Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread M. Fioretti
On Fri, Jun 07, 2013 10:18:25 AM -0400, Griffin Boyce wrote:

 average users need to have basic services that are
 (unfortunately) run by third parties.

The proposal in that post of mine that I already cited would also solve this.

It would be a way for non-geeks to get all their basic services
offered/managed by third parties, if you can't or don't want to do it
yourself, but as ONE bundle (domain name included) that can be moved
at any moment from hosting provider to hosting provider without loss
of data/disruption of service, with two direct consequences:

- better resilience

- no way to get private data of X millions users by talking only to a
  handful of corporations, because those data would be scattered
  across many thousands of independently managed servers, worldwide.

BTW, since I'm getting offlist questions about this: in case you were
thinking what you want is the FreedomBox, NO, what I'm talking about
is NOT the FreedomBox. What I'm suggesting is compatible with the
FreedomBox, but it's something else, much more concrete. See the
details in the comments to that same post.

  Marco
-- 

M. Fioretti http://mfioretti.com   http://stop.zona-m.net

Your own civil rights and the quality of your life heavily depend on how
software is used *around* you


Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Eugen Leitl
On Fri, Jun 07, 2013 at 10:18:25AM -0400, Griffin Boyce wrote:

   I'll keep that in mind the next time someone from Tor promotes Riseup ;-)
 
   But seriously, average users need to have basic services that are
 (unfortunately) run by third parties.  At a minimum, diversification
 of services used.  If every activist uses Riseup or May First, those
 services become just as high a priority for warrants as Gmail or
 Hotmail.  If you have your own domain, that's awesome.  This is not a

If your system is tied to a DNS FQDN resolution for operability, 
your system should not be tied to a DNS FQDN resolution. 

You'll notice that systems like Tor, i2p, Bitmessage or
cjdns all do not rely on DNS resolution (which is centralist,
seizable, a source of potential leaks, etc). 

 realistic expectation for most people -- either because they lack the
 knowledge to install and upkeep their hosting, class stratification,
 or complete absence of time to do it.

This is exactly what the Freedombox project is trying to address.
 
   What would be fantastic is if more people who *did* have the
 knowledge/money took the time to set up their own accounts on their
 own domains.  And if you're a developer or an advanced user, help
 others do it too!  It's far better to have a domain for your group of
 friends than have everyone use riseup/gmail/etc.
 
   If you want gmail-like features, there are lots of open-source
 avenues, like MailPile [1].
 
   I'm also going to go against the grain and say that most services
 don't *need* to be integrated with each other.
 
 ~Griffin
 
 [1] https://github.com/pagekite/Mailpile


[liberationtech] James Clapper (Director of USA National Intelligence) said in a statement

2013-06-07 Thread michael gurstein
James Clapper  (Director of USA National Intelligence) said in a statement,
per USA Today--the program (PRISM) has clear limits: It cannot be used to
intentionally target any US citizen, any other US person, or anyone located
within the United States.

Reassuring I guess, unless you don't happen to be among the 6.7 billion or
so who don't happen to fall within those categories.

M





Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Eugen Leitl
On Fri, Jun 07, 2013 at 04:28:31PM +0200, M. Fioretti wrote:

 BTW, since I'm getting offlist questions about this: in case you were
 thinking what you want is the FreedomBox, NO, what I'm talking about
 is NOT the FreedomBox. What I'm suggesting is compatible with the
 FreedomBox, but it's something else, much more concrete. See the
 details in the comments to that same post.

Your model of what FBX is trying to achieve is faulty.

I suggest you connect with the community at 
http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
and see how you can contribute.

As to much more concrete, there's the 0.1 image out

http://freedomboxfoundation.org/

I am pleased to announce our first FreedomBox software release. The FreedomBox 
0.1 image is available here (.torrent) (sha512sum: 
867f5bf462102daef82a34165017b9e67ed8e09116fe46edd67730541bbfb731083850ab5e28ee40bdbc5054cb64e4d0e46a201797f27e0b8f0d2881ef083b40).

This 0.1 version is primarily a developer release, which means that it focuses 
on architecture and infrastructure rather than finish work. The exception to 
this is privoxy-freedombox, the web proxy discussed in previous updates, which 
people can begin using right now to make their web browsing more secure and 
private and which will very soon be available on non-FreedomBox systems. More 
information on that tool at the end of this post.

What have we accomplished? This first release completes a number of important 
milestones for the project.

Full hardware support in Debian A big part of the vision for the FreedomBox 
project revolves around the Boxs, tiny plug servers that are capable of 
running full size computing loads cheaply and with little use of electricity. 
In many respects these are wireless routers given the brains of a smart phone. 
If you want to change the software on a router or smart phone today you 
normally need to worry about bootloader images, custom roms, and a whole 
collection of specialized build and install tools. We wanted the FreedomBox 
to move beyond this fragmented environment and, with the help of some embedded 
device experts, we have managed to make our development hardware into a fully 
supported Debian platform. That means that anyone with a device can install 
Debian on it just like a laptop or desktop computer. This support is very 
important for ensuring that the work we do on the FreedomBox is as portable and 
reusable as possible.

Basic software tools selected There is a lot of great free software out there 
to choose from and we put a lot of thought into which elements would be 
included in our basic tool kit. This includes the user interface system 
plinth that I outlined in a recent kickstarter update as well as basic 
cryptography tools like gpg and one named monkeysphere that leverages gpg 
as an authentication tool. All of these are now bundled together and installed 
on the release image. This common working environment will simplify development 
going forward.

Box-to-box communication design Some goals of the FreedomBox can be 
accomplished with one user and one FreedomBox but many, like helping someone 
route around repressive government firewalls, will require groups of people and 
groups of boxes working together. One of our greatest architectural challenges 
has been finding a way for boxes to communicate securely without so slowing 
down or breaking network access as to make the system unpleasant to use. We 
have now outlined and built the first version of our proposed solution: 
Freedom-buddy. Freedom-buddy uses the world class TOR network so that boxes can 
find each other regardless of location or restrictive firewall and then allows 
the boxes to negotiate secure direct connections to each other for actually 
sending large or time sensitive data. We believe this blended approach will be 
most effective at improving the security and usability of personal-server 
communications and all the services we plan to build into those servers.

Web cleaning Our first service, a piece of software you can use today to start 
making your web browsing more secure and private, is called 
privoxy-freedombox. This software combines the functionality of the Adblock 
Plus ad blocker, the Easy Privacy filtering list, and the HTTPS 
Everywhere (https://www.eff.org/https-everywhere) website redirection plugin 
into a single piece of software to run on your FreedomBox. Combining these 
different plugins into software for your FreedomBox means that you can use them 
with almost any browser or mobile device using a standard web proxy connection. 
Because of our focus on building the FreedomBox as part of Debian this software 
will soon be available to anyone running a Debian system regardless of whether 
you are using our target DreamPlug hardware, a laptop, or a large rack server 
somewhere. As you read this packages should already be available in the 
Raspbian repositories, which is the optimized version of Debian used on the 
Raspberry Pi

[liberationtech] Torservers.net: Professional Global Tor infrastructure

2013-06-07 Thread Moritz Bartl
Hi,

I think the timing is right to inform libtech about the development of
Torservers.net. What started as a German non-profit has now grown into a
network of non-profit organizations in several countries. All member
organizations benefit from tight collaboration and knowledge exchange
about running crucial Tor infrastructure (mostly Tor exits and Tor
bridges), whereas the diversity of operators helps the stability and
anonymity of the whole network. The current members are listed at
https://www.torservers.net/partners.html .

My goal is to acquire funding from various sources, and oversee the
distribution and intelligent use of it.  If you hear about potential
grants we can apply to, for example to ramp up additional hundreds of
bridges and Tor relay bandwidth, I am more than happy to hear about it.

You are also invited as an individual to donate to the Torservers.net
umbrella, or to one of our member organizations directly:

https://www.torservers.net/donate.html

Within Europe, your donations to Torservers.net are tax deductible. In
the USA, you can donate to our partner NoiseTor, a registered 501c3, for
these purposes.

If your organization wants to join Torservers as a partner, or become an
official sponsor of one of our relays, contact me.

-- 
Moritz Bartl
https://www.torservers.net/


Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread M. Fioretti
On Fri, Jun 07, 2013 16:45:53 PM +0200, Eugen Leitl wrote:
 On Fri, Jun 07, 2013 at 04:28:31PM +0200, M. Fioretti wrote:
 
  BTW, since I'm getting offlist questions about this: in case you were
  thinking what you want is the FreedomBox, NO, what I'm talking about
  is NOT the FreedomBox. What I'm suggesting is compatible with the
  FreedomBox, but it's something else, much more concrete. See the
  details in the comments to that same post.
 
 Your model of what FBX is trying to achieve is faulty.

(what follows, with the exception of the last paragraph I added right now, is 
the answer I had just sent to Eugen when he pointed out the same thing off list)

it's the model that Moglen was announcing around with Diaspora in
2010.

 FBX is not about hardware, but about a number of FOSS (Debian)
 packages

see above.

- it is a fact that this is the first time somebody points out this
  difference so clearly. Nobody, including members of the
  debian/software Freedombox ever pointed this out to me (that there
  was, that is, a software freedombox separate from Moglen's
  hw/project). Even if I've been posting for months on twitter, lists,
  etc.. that link every time it was on topic.

- I'm almost sure I never came across that project myself earlier, in
  spite of:
  - me reading FOSS-related feeds daily for a living
  - having already presented my idea on several other mailing lists,
forums, etc (INCLUDING the one on which you saw the link today...)

Even the people who commented on my blog, they knew nothing of this
other FreedomBox.  Except, indirectly Hans, who said it in such a
vague form that back then I didn't realize at all what you just told
me.

Ah, well. Now: what I'm suggesting in my posts is equivalent to the
Leaving the Cloud part of that project

http://wiki.debian.org/FreedomBox/LeavingTheCloud

with the important difference that in my own mind it's a bundle you
could/should be able to install on any Gnu/Linux system. This is
essential to make it popular. Even, say, independent hosting providers
who run Centos or whatever, should really be able to offer the bundle
as a managed service on their CURRENT systems, to capture as many
users as possible. When they have it, they can always migrate later to
a fully self-managed debian-based box.

I have two deadlines this week, and another the next one.  I see
you've subscribed to the debian freedombox list. You're welcome to
forward this email to that list, to gather feedback. If there is any,
I'll subscribe and join the discussion later.

Thanks,
Marco

ADDITION:

 As to much more concrete, there's the 0.1 image out
 ...
 This 0.1 version is primarily a developer release, which means that
 it focuses on architecture and infrastructure rather than finish
 work.

this, that is, the timetable and priorities, may be the main difference
between my proposal and the debian freedombox. I am suggesting
something that may be used outside debian, on any distribution, for
the reasons explained above.

Later,
Marco


Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread micah
Griffin Boyce griffinbo...@gmail.com writes:

 liberationt...@lewman.us wrote:
 Jacob Appelbaum ja...@appelbaum.net wrote:

 The next person that recommends Skype to human rights activists is
 completely discredited. Stop it and stop it now.

 s/Skype/third party services/

 Fixed that for you.

   I'll keep that in mind the next time someone from Tor promotes Riseup ;-)

What about when someone from Riseup promotes Riseup services? :o

   But seriously, average users need to have basic services that are
 (unfortunately) run by third parties.  At a minimum, diversification
 of services used.  If every activist uses Riseup or May First, those
 services become just as high a priority for warrants as Gmail or
 Hotmail.  

But seriously, riseup has always wanted more people to do what we do,
not to become a more centralized data silo. I spent many years
being a documentation activist to encourage others by walking them
through how we did it. We've switched our strategy a little bit now that
we are able to document our infrastructure in code and can collaborate
with others in doing so. 

It has only been recently that companies such as google and twitter have
been doing something more interesting than just handing over things when
the police ask, that was nice to see, we felt very alone out
there... but now I'm not sure what to think when I see those companies
involved in the dragnet, I guess we feel alone again because I didn't
notice Riseup or Mayfirst's logo in that Prism powerpoint!

micah


Re: [liberationtech] NSA has direct access to tech giants' systems for user data, secret ppt reveals

2013-06-07 Thread Michael Carbone

Well the Director of National Intelligence James Clapper has defended
the program, not denied it:
http://www.bbc.co.uk/news/world-us-canada-22809541
http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/869-dni-statement-on-activities-authorized-under-section-702-of-fisa

And UK has access:
http://www.guardian.co.uk/technology/2013/jun/07/uk-gathering-secret-intelligence-nsa-prism

Most likely Australia, NZ, and Canada have as well, per:
https://en.wikipedia.org/wiki/UKUSA_Agreement

Michael

On 06/07/2013 10:13 AM, R. Jason Cronk wrote:
 I tend to agree with this. Here are some things that look fishy
 about this leak
 
  * The $20 million budget seems paltry. Nothing gets done in
    government for that small amount.
  * The Powerpoint is amateurish (then again with no budget.)
  * Everybody implicated is denying it (though I suspect they would
    say the same if it were true)
  * The Guardian says it verified the authenticity of the presentation
    but it doesn't say how, nor does it appear they have any
    corroborating evidence.
 
 
 Hopefully there will be some further investigation that will
 provide additional evidence about the program's existence.
 
 Jason
 
 
 
 On 6/7/2013 12:23 AM, x z wrote:
 What surprised me is how Guardian and Washington Post cover this 
 story. The Power Point slides look laughable to me. Maybe I
 should interpret direct access to servers of firms as like when
 I'm typing this email I am also having a direct access to
 Gmail's servers.
 
 This is either a ploy by some pro-privacy extremist or a prank by 
 somebody who's tired of these hyperbole privacy outcries.
 
 
 
 2013/6/6 Peter Eckersley peter.eckers...@gmail.com 
 mailto:peter.eckers...@gmail.com
 
 Of course, I was reading too fast and leaning too heavily on
 control+f.
 
 Anyway, 20 million annually seems like a very low number by the 
 usual standards of efficiency in Department of Defense programs.
  But the NSA might already have a data storage, processing and 
 query architecture in place that is either not included in this 
 budget or only included on a marginal cost basis.
 
 
 On 6 June 2013 16:45, Peter Eckersley peter.eckers...@gmail.com 
 mailto:peter.eckers...@gmail.com wrote:
 
 Where did you get the $20m budget number from?  I can't find it
 in any of the stories or attached materials.  But I could be
 missing something.
 
 
 On 6 June 2013 16:14, x z xhzh...@gmail.com 
 mailto:xhzh...@gmail.com wrote:
 
 doesn't seem real to me.  especially the part *direct access to
 servers* of firms ..., and with an annual budget of measly
 $20m.
 
 
 2013/6/6 Michael Carbone mich...@accessnow.org 
 mailto:mich...@accessnow.org
 
 Guardian: 
 http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data

  WaPo: 
 http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story_1.html

  some of the slides (haven't seen the full ppt drop): 
 http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/

  Participating companies in chronological order: Microsoft, Yahoo, 
 Google, Facebook, PalTalk, YouTube, Skype, AOL, Apple. Dropbox 
 apparently next up.
 
 
 
 
 
 
 
 
 -- Peter
 
 
 
 
 -- Peter
 
 
 
 
 
 
 R. Jason Cronk, Esq., CIPP/US
 Privacy Engineering Consultant, Enterprivacy Consulting Group
 enterprivacy.com
 phone: (828) 4RJCESQ | twitter: @privacymaverick.com | blog:
 http://blog.privacymaverick.com
 
 
 
 

- -- 
Michael Carbone
Manager of Tech Policy & Programs
Access | https://www.accessnow.org
mich...@accessnow.org | PGP: 0x81B7A13E
PGP Fingerprint: 25EC 1D0F 2D44 C4F4 5BEF EF83 C471 AD94 81B7 A13E



Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread The Doctor
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 06/07/2013 03:23 AM, Nadim Kobeissi wrote:
 STOP PROMOTING THE INTERNET

Internet?  I've been posting to this mailing list with a bottle of
ink, a hamster, and a tarot deck!

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Rhythm compensates.

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGyCxsACgkQO9j/K4B7F8E2IACgjBEiuN3wtnfO1SksTZANMtlI
in8AoMbSPww6yR4ERSS9/SDRZwi0shdn
=Vcy9
-END PGP SIGNATURE-


[liberationtech] Collusion Alleged between HP and Iran (reflets.info)

2013-06-07 Thread Troy Etulain
See: "Hewlett Packard, transparency and the brand valuation bubble"
http://reflets.info/hewlett-packard-transparency-and-the-brand-valuation-bubble/

Paris – June 7th 2013 - Last Tuesday, as part of an ongoing
investigation exploring internet censorship and monitoring in Iran and in
Syria, Reflets.info uncovered Hewlett Packard's collaboration with TCI
(http://reflets.info/zte-et-hp-unis-pour-un-halalternet-au-pays-des-mollahs/),
Iran's state-owned ISP - controlling all Iranian internet traffic -, in order
to update its filtering and surveillance capabilities, paired with Chinese
ZTE appliances...

Could Iran have done this without HP's knowledge, using this equipment? Is
this really a collaboration smoking gun?

I don't understand the code presented as evidence, but the presentation of
the presence of application layer content filtering and application
specific packet filter (HEV) (see the ) on the routers doesn't seem to
fall short of proving active participation of HP itself (especially if
the equipment was procured from a 3rd country).

Also the article's sensationalism casts doubts on the aptitude of its
writers. Take the quote (translated by Google translate) zxss10b200 is a
rather beautiful beast that promises love joy and eternal bliss to the
Mullah thanks to features that make dream (blacklists, QoS, Web caching.

Re: [liberationtech] PRISM: NSA/FBI Internet data mining project

2013-06-07 Thread Eugen Leitl
- Forwarded message from Matthew Petach mpet...@netflight.com -

Date: Fri, 7 Jun 2013 09:32:53 -0700
From: Matthew Petach mpet...@netflight.com
Cc: NANOG na...@nanog.org
Subject: Re: PRISM: NSA/FBI Internet data mining project

On Thu, Jun 6, 2013 at 5:04 PM, Matthew Petach mpet...@netflight.comwrote:



 On Thu, Jun 6, 2013 at 4:35 PM, Jay Ashworth j...@baylink.com wrote:

 Has fingers directly in servers of top Internet content companies,
 dates to 2007.  Happily, none of the companies listed are transport
 networks:


 http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html

 Cheers,
 -- jra
 --
 Jay R. Ashworth                  Baylink                      j...@baylink.com
 Designer                     The Things I Think                       RFC 2100
 Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
 St Petersburg FL USA               #natog                      +1 727 647 1274



 I've always just assumed that if it's in electronic form,
 someone else is either reading it now, has already read
 it, or will read it as soon as I walk away from the screen.

 Much less stress in life that way.  ^_^

 Matt



When I posted this yesterday, I was speaking somewhat
tongue-in-cheek, because we hadn't yet made a formal
statement to the press.  Now that we've made our official
reply, I can echo it, and note that whatever fluffed up
powerpoint was passed around to the washington post,
it does not reflect reality.  There are no optical taps in
our datacenters funneling information out, there are no
sooper-seekret backdoors in the software that funnel
information to the government.  As our formal reply
stated: Yahoo does not provide the government with
direct access to its servers, systems, or network.
I believe the other major players supposedly listed
in the document have released similar statements,
all indicating a similar lack of super-cheap government
listening capabilities.

Speaking just for myself, and if you quote me on this
as speaking on anyone else's behalf, you're a complete
fool, if the government was able to build infrastructure
that could listen to all the traffic from a major provider
for a fraction of what it costs them to handle that traffic
in the first place, I'd be truly amazed--and I'd probably
wonder why the company didn't outsource their infrastructure
to the government, if they can build and run it so much
more cheaply than the commercial providers.  ;P
7 companies were listed; if we assume the
burden was split roughly evenly between them, that's
20M/7, about $2.85M per company per year to tap in,
or about $238,000/month per company listed, to
supposedly snoop on hundreds of gigs per second
of data.  Two ways to handle it: tap in, and funnel
copies of all traffic back to distant monitoring posts,
or have local servers digesting and filtering, just
extracting the few nuggets they want, and sending
just those back.

Let's take the first case; doing optical taps, or other
form of direct traffic mirroring, carrying it untouched
offsite to process; that's going to mean the ability to
siphon off hundreds of Gbps per datacenter and carry
it offsite for $238k/month; let's figure a major player
has data split across at least 3 datacenters, so about
$75K/month per datacenter to carry say 300Gbps of
traffic.  It's pretty clearly going to have to be DWDM
on dark fiber at that traffic volume; most recent
quotes I've seen for dark fiber put it at $325/mile
for already-laid-in-ground (new builds are considerably
more, of course).  If we figure the three datacenters
are split around just the US, on average you're going
to need to run about 1500 miles to reach their central
listening post; that's $49K/month just to carry the
bitstream, which leaves you just about $25K/month
to run the servers to digest that data; at 5c/kwhr, a
typical server pulling 300 watts is gonna cost you $11/month
to run; let's assume each server can process 2Gbps of
traffic, constantly; 150 servers for the stream of 300Gbps
means we're down to $22K for the rest of our support
costs; figure two sysadmins getting paid $10k/month
to run the servers (120k annual salary), and you've got
just $2k for G&A overhead.

That's a heck of an efficient operation they'd have to be
running to listen in on all the traffic for the supposed
budget number claimed.

I'm late for work; I'll follow up with a runthrough of the
other model, doing on-site digestion and processing
later, but I think you can see the point--it's not realistic
to think they can handle the volumes of data being
claimed at the price numbers listed.  If they could,
the major providers would already be doing it for
much cheaper than they are today.  I mean, the
Utah datacenter they're building is costing them
$2B to build; does anyone really think if they're
overpaying that much for datacenter space, they
could really snoop on 

Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread katana
Hi,

 See that's the standard you're competing with. Most users don't own
 server space, physical or virtual, and would not in a million years
 be convinced to buy any.

and if you have your own server (not at home), they can go after you
with legal assistance regimes like in the cybercrime convention (Art. 19
and 32)* or informal deals with your hosting provider or like UKUSA. Do
you or anybody really think that a normal, sold server in a remote
location protects you, if you are a target? Only in locations outside
these, e.g. all legal regimes. I believe that a broad adoption of a 2nd
infrastructure/layer as with I2P, Freenet or Tor is more needed than the
usual user recognizes... perhaps now ;)

* http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm

-- 
Katana


Re: [liberationtech] PRISM: NSA/FBI Internet data mining project

2013-06-07 Thread michael gurstein
So what if it was a one character typo? m substituted for b... happens
all the time in these kinds of presentations...

M

-Original Message-
From: liberationtech-boun...@lists.stanford.edu
[mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of Eugen Leitl
Sent: Friday, June 07, 2013 12:42 PM
To: Liberation Technologies; cypherpu...@al-qaeda.net; i...@postbiota.org;
zs-...@googlegroups.com
Subject: Re: [liberationtech] PRISM: NSA/FBI Internet data mining project

- Forwarded message from Matthew Petach mpet...@netflight.com -

Date: Fri, 7 Jun 2013 09:32:53 -0700
From: Matthew Petach mpet...@netflight.com
Cc: NANOG na...@nanog.org
Subject: Re: PRISM: NSA/FBI Internet data mining project

On Thu, Jun 6, 2013 at 5:04 PM, Matthew Petach mpet...@netflight.comwrote:



 On Thu, Jun 6, 2013 at 4:35 PM, Jay Ashworth j...@baylink.com wrote:

 Has fingers directly in servers of top Internet content companies, 
 dates to 2007.  Happily, none of the companies listed are transport
 networks:


 http://www.washingtonpost.com/investigations/us-intelligence-mining-d
 ata-from-nine-us-internet-companies-in-broad-secret-program/2013/06/0
 6/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html

 Cheers,
 -- jra
 --
 Jay R. Ashworth                  Baylink                       j...@baylink.com
 Designer                     The Things I Think                       RFC 2100
 Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
 St Petersburg FL USA               #natog                      +1 727 647 1274



 I've always just assumed that if it's in electronic form, someone else 
 is either reading it now, has already read it, or will read it as soon 
 as I walk away from the screen.

 Much less stress in life that way.  ^_^

 Matt



When I posted this yesterday, I was speaking somewhat tongue-in-cheek,
because we hadn't yet made a formal statement to the press.  Now that we've
made our official reply, I can echo it, and note that whatever fluffed up
powerpoint was passed around to the washington post, it does not reflect
reality.  There are no optical taps in our datacenters funneling information
out, there are no sooper-seekret backdoors in the software that funnel
information to the government.  As our formal reply
stated: Yahoo does not provide the government with direct access to its
servers, systems, or network.
I believe the other major players supposedly listed in the document have
released similar statements, all indicating a similar lack of super-cheap
government listening capabilities.

Speaking just for myself, and if you quote me on this as speaking on anyone
else's behalf, you're a complete fool, if the government was able to build
infrastructure that could listen to all the traffic from a major provider
for a fraction of what it costs them to handle that traffic in the first
place, I'd be truly amazed--and I'd probably wonder why the company didn't
outsource their infrastructure to the government, if they can build and run
it so much more cheaply than the commercial providers.  ;P
7 companies were listed; if we assume the burden was split roughly evenly
between them, that's 20M/7, about $2.85M per company per year to tap in, or
about $238,000/month per company listed, to supposedly snoop on hundreds of
gigs per second of data.  Two ways to handle it: tap in, and funnel copies
of all traffic back to distant monitoring posts, or have local servers
digesting and filtering, just extracting the few nuggets they want, and
sending just those back.

Let's take the first case; doing optical taps, or other form of direct
traffic mirroring, carrying it untouched offsite to process; that's going to
mean the ability to siphon off hundreds of Gbps per datacenter and carry it
offsite for $238k/month; let's figure a major player has data split across
at least 3 datacenters, so about $75K/month per datacenter to carry say
300Gbps of traffic.  It's pretty clearly going to have to be DWDM on dark
fiber at that traffic volume; most recent quotes I've seen for dark fiber
put it at $325/mile for already-laid-in-ground (new builds are considerably
more, of course).  If we figure the three datacenters are split around just
the US, on average you're going to need to run about 1500 miles to reach
their central listening post; that's $49K/month just to carry the bitstream,
which leaves you just about $25K/month to run the servers to digest that
data; at 5c/kwhr, a typical server pulling 300 watts is gonna cost you
$11/month to run; let's assume each server can process 2Gbps of traffic,
constantly; 150 servers for the stream of 300Gbps means we're down to $22K
for the rest of our support costs; figure two sysadmins getting paid
$10k/month to run the servers (120k annual salary), and you've got just $2k
for GA overhead.

That's a heck of an efficient operation they'd have to be running to listen
in on all the traffic for the supposed budget number claimed.

I'm late for work; I'll follow up with a runthrough of 

Re: [liberationtech] PRISM: NSA/FBI Internet data mining project

2013-06-07 Thread Michael Rogers
 Speaking just for myself, and if you quote me on this as speaking on anyone 
 else's behalf, you're a complete fool, if the government was able to build 
 infrastructure that could listen to all the traffic from a major provider for 
 a fraction of what it costs them to handle that traffic in the first place, 
 I'd be truly amazed--and I'd probably wonder why the company didn't outsource 
 their infrastructure
to the government, if they can build and run it so much more cheaply than the 
commercial providers.  ;P

We already know the NSA gets a copy of the traffic by tapping the backbone, so 
all it needs from the service providers is the keys to decrypt the traffic.

Cheers,
Michael
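Whether a backbone copy plus "the keys" is enough depends on how each session's key was negotiated, so here is an added illustration of the two cases (not code from this thread or from any provider). With RSA key transport (the TLS_RSA_* cipher suites, which most large sites still defaulted to in 2013) the client encrypts the premaster secret to the server's long-term key, so a recording plus that key yields every past session key. With ephemeral Diffie-Hellman (TLS_DHE_*, TLS_ECDHE_*) the long-term key only signs the handshake and the session secret never depends on it. The model below uses textbook RSA without padding, a toy XOR record layer, the RFC 3526 group 14 modulus transcribed as a constant, and a constructed sample record; all of that is assumed for demonstration and none of it is usable cryptography.

```python
"""Added model of a passive backbone tap that later obtains the provider's
long-term key: RSA key transport (TLS_RSA_*) vs ephemeral DH (TLS_DHE_*).
Textbook RSA without padding and a toy record layer: demonstration only."""
import hashlib
import hmac
import secrets

# 2048-bit MODP group 14 from RFC 3526, generator 2 (transcribed; verify it).
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
DH_G = 2

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, enough for demo-sized RSA primes."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=1024):
    """Textbook RSA: returns ((d, n), (e, n)) = (private, public)."""
    e = 65537
    def prime(k):
        while True:
            c = secrets.randbits(k) | (1 << (k - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (pow(e, -1, phi), p * q), (e, p * q)

def _kdf(shared, transcript):
    """Session key = HMAC-SHA256(shared secret, handshake transcript)."""
    s = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hmac.new(s, transcript, hashlib.sha256).digest()

def _seal(key, data):
    """Toy record protection: XOR with a SHA-256 keystream (self-inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def rsa_handshake(server_pub):
    """TLS_RSA style: client encrypts a random premaster secret to the server's
    long-term public key.  Returns (session_key, recorded_wire_bytes)."""
    e, n = server_pub
    premaster = secrets.randbits(256)
    wire = pow(premaster, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return _kdf(premaster, wire), wire

def dhe_handshake():
    """TLS_DHE style: fresh exponents a, b each session; the long-term key would
    only sign the server share (omitted).  a and b never go on the wire."""
    a, b = secrets.randbits(256), secrets.randbits(256)
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = A.to_bytes(256, "big") + B.to_bytes(256, "big")
    return _kdf(pow(B, a, DH_P), wire), wire

def tap_decrypt_rsa(wire, record, server_priv):
    """Recorder later handed the private key: recovers premaster, reads traffic."""
    d, n = server_priv
    premaster = pow(int.from_bytes(wire, "big"), d, n)
    return _seal(_kdf(premaster, wire), record)

def tap_decrypt_dhe(wire, record, server_priv):
    """Same recorder, same key: the recording holds only g^a, g^b, and the session
    key never depended on the long-term key.  Nothing derivable: returns None."""
    return None

def demo():
    """Record one session of each kind, hand over the key, return what the tap reads."""
    priv, pub = rsa_keygen()
    msg = b"constructed sample record: session cookie 4f2a"   # constructed
    k_rsa, w_rsa = rsa_handshake(pub)
    k_dhe, w_dhe = dhe_handshake()
    return (tap_decrypt_rsa(w_rsa, _seal(k_rsa, msg), priv),
            tap_decrypt_dhe(w_dhe, _seal(k_dhe, msg), priv))
```

demo() returns the recovered plaintext for the RSA session and None for the DHE one. Real TLS 1.2 RSA key exchange adds PKCS#1 v1.5 padding but has the same property: tools such as Wireshark decrypt recorded TLS_RSA sessions once given the server's private key. Forward secrecy closes that path for the tap; it does nothing about data the provider stores and can be compelled to hand over, which is the rest of this thread.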

Re: [liberationtech] Question about otr.js

2013-06-07 Thread Nadim Kobeissi

On 2013-06-07, at 1:09 PM, Anthony Papillion anth...@cajuntechie.org wrote:

 On 06/06/2013 07:00 PM, Nadim Kobeissi wrote:
 Speaking as the lead developer for Cryptocat:
 OTR.js actually has had some vetting. We're keeping it experimental simply 
 due to the experimental nature of web cryptography as a whole. It's a handy 
 library that has had a lot of consideration put into it, but it really 
 depends on your use case and threat model. If you want to use it to keep 
 conversations private in moderate situations, go ahead. If you want to use 
 it to keep conversations private against an authoritarian regime/sprawling 
 surveillance mechanism, think twice. Overall I find it really hard to tell 
 whether it's safe enough without knowing your threat model. For example, if 
 your threat model includes a likelihood of someone backdooring your 
 hardware, pretty much nothing can help you.
 
 If you're considering building your own app and using OTR.js as a library, I 
 beseech you to be careful regarding code delivery mechanisms and XSS 
 considerations. Specifically, please use signed browser plugins as a code 
 delivery mechanism and make sure the rest of your app, including outside of 
 OTR.js, is audited against XSS, code injection, and so on. Those kind of 
 threats tend to be far more common than library bugs.
 
 NK
 
 Thank you for the excellent feedback on OTR.js. It really clears some
 stuff up and makes me much more confident in the library.
 
 I'm considering using OTR.js as a basis for an OTR plugin for
 Thunderbird chat. I suppose, in theory, people *could* decide to use it
 in life and death situations under sprawling surveillance regimes, I'd
 try to make it clear how unwise this is and provide alternatives. For
 example, I'd point them to Pidgin with its OTR instead.

I would never suggest Pidgin — Pidgin has never received an audit and is full 
of vulnerabilities that the development team is reluctant to fix. Cryptocat has 
actually received far more audits than Pidgin, although I'm not sure how to 
compare the two since the platforms are totally different.

NK

 
 Thanks again!
 
 Anthony
 
 
 -- 
 Anthony Papillion
 Phone:   1.918.533.9699
 SIP: sip:cajuntec...@iptel.org
 iNum:+883510008360912
 XMPP:cypherpun...@jit.si
 
 www.cajuntechie.org


Re: [liberationtech] NSA has direct access to tech giants' systems for user data, secret ppt reveals

2013-06-07 Thread Raven Jiang CX
This is just circumstantial speculation but read
http://talkingpointsmemo.com/archives/2013/06/is_this_who_runs_prism.php

Given Palantir's rapid expansion and aggressive recruitment, I think this
guy might be onto something.

I suspect that what is being described in the slides is not direct backdoor
access to the live systems, but rather regularly aggregated data being sent
to a central location to be contextualized using Palantir's analytics.

From the perspective of the analyst working with Palantir's software, he
can do lookups and cross references between the databases seemingly live.
At tech talks, Palantir employees will often stress the fact that their
analytic software comes with built-in privacy controls, i.e. fine-grained
user permission control so that analysts are given only the specific subset
of data points or data columns that they need to do their job. Perhaps the
so-called EULA described in the Washington Post article is really just part
of the analytics software as opposed to some live Google backdoor API.

Certainly this would seem a more plausible scenario than direct access
given the cited budget and denial from the major tech companies of direct
access.

Raven


On 7 June 2013 10:15, David Miller da...@deadpansincerity.com wrote:

 On 7 June 2013 15:13, R. Jason Cronk r...@privacymaverick.com wrote:


- The Powerpoint is amateurish  (then again with no budget.)

 These powerpoint slides are too amateurish to be real

 Poe's Law of Powerpoint states:

 A fundamental constraint of the known universe is that once your
 organisation grows to more than 100 people, it is impossible to create a
 parodic Powerpoint deck more amateurish than a Powerpoint deck being
 genuinely used within said organisation.

 --
 Love regards etc

 David Miller
 http://www.deadpansincerity.com
 07854 880 883


Re: [liberationtech] Question about otr.js

2013-06-07 Thread Jurre andmore
Pidgin is a terrible client. It has quite a bit of issues. Their SSL
handling is terrible and possible to MITM; I audited the Windows build last
August and found, in 2012, vulnerabilities known since 2006.. only recently,
in February, did the Pidgin team release a security update..

Avoid using Pidgin at all costs.

Over at https://useotrproject.org/ we are busy extending Adam Langley's
xmpp-client in Go, creating a client that is secure, private and anonymous
by default.

We hope to have a beta before ohm2013.

Re: [liberationtech] [FoRK] [info] Top secret PRISM program claims direct access to servers of firms including Google, Facebook and Apple

2013-06-07 Thread Bill Kearney

An Apple spokesman said it had never heard of PRISM.


And probably none of the vendors heard it called that.  This doesn't mean 
anything.  Nor does it say they aren't or haven't been participating in this 
sort of thing.  Which they wouldn't if the order compelled them not to 
reveal it. 




Re: [liberationtech] Question about otr.js

2013-06-07 Thread Anthony Papillion
On 06/07/2013 12:18 PM, Nadim Kobeissi wrote:
 
 I would never suggest Pidgin — Pidgin has never received an audit and is full 
 of vulnerabilities that the development team is reluctant to fix. Cryptocat 
 has actually received far more audits than Pidgin, although I'm not sure how 
 to compare the two since the platforms are totally different.


Oh, OK. So, aside from CryptoCat, what would you suggest? How well
audited is Jitsi?




Re: [liberationtech] Question about otr.js

2013-06-07 Thread Steve Weis
Nadim's reply is much better just linking to the otr.js author's own warning.

I'd like to reiterate the importance of code delivery. I've seen a
couple dozen attempts to do crypto via server-hosted Javascript.
All of these reduced to trusting whomever is serving the code. These
issues have been covered many times, most prominently by Matasano
Security: http://www.matasano.com/articles/javascript-cryptography/

Anthony, it sounds like you're aware of the issues and planning to
develop code that will be installed and executed on the client, i.e. a
plugin for Thunderbird chat.

 On 2013-06-06, at 7:49 PM, Steve Weis stevew...@gmail.com wrote:

 The status is:
 [otr.js] hasn't been properly vetted by security researchers. Do not use in 
 life and death situations!
 https://github.com/arlolra/otr#warning

 On Thu, Jun 6, 2013 at 3:14 PM, Anthony Papillion anth...@cajuntechie.org 
 wrote:
  I'm thinking about working on a web app that would use otr.js to
  enable OTR chat via the way (probably similar to Cryptocat).  Does
  anyone know what the security status of otr.js is? Has it been vetted?
  If not, what is the recommended (vetted) Javascript way of doing OTR?


Re: [liberationtech] Question about otr.js

2013-06-07 Thread Eduardo Robles Elvira
On Fri, Jun 7, 2013 at 7:59 PM, Steve Weis stevew...@gmail.com wrote:

 I'd like to reiterate the importance of code delivery. I've seen a
 couple dozen of attempts to do crypto via server-hosted Javascript.
 All of these reduced to trusting whomever is serving the code. This
 issues have been covered many times, most prominently by Matasano
 Security: http://www.matasano.com/articles/javascript-cryptography/

Hello everyone:

This is what I call the "server in the middle" problem. I actually did
my final degree project about this [1]. Basically, we need the
equivalent of SSL in the sense of standardization for end-to-end web
security, or this problem will get worse and worse.

Regards,
--
[1] 
http://edulix.wordpress.com/2012/01/08/the-server-in-the-middle-problem-and-solution/

--
Eduardo


[liberationtech] Email Volume Digest Option

2013-06-07 Thread Yosem Companys
Hi all,

We realize that the liberationtech list's email volume has grown over
the past few days.  Just a reminder that you can switch your account
to digest mode by following the instructions at the end of this email
or simply by asking a list moderator like me to do it for you.

Best,
Yosem
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Griffin Boyce
micah mi...@riseup.net wrote:
 What about when someone from Riseup promotes Riseup services? :o

Riseup isn't evil, I'm just amused by people who say no third-party
services! and then launch into why people should use their
third-party provider of choice.  If one wants to say no
corporate-owned services, that's a bit of a different argument =)

 It only has been recent that companies such as google and twitter have
 been doing something more interesting than just handing over things when
 the police ask, that was nice to see, we felt very alone out
 there... but now I'm not sure what to think when I see those companies
 involved in the dragnet, I guess we feel alone again because I didn't
 notice Riseup or Mayfirst's logo in that Prism powerpoint!

You should be really proud! =D Being a pain in the ass is underrated.

best,
Griffin


-- 
Just another hacker in the City of Spies.
#Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de

My posts, while frequently amusing, are not representative of the
thoughts of my employer.


Re: [liberationtech] Cryptocat Seeking Estonian, Tibetan, Uighur and Latvian Translations

2013-06-07 Thread Nadim Kobeissi
We now only have Uighur left to go! If you know anyone who can contribute, 
please do.

This is the only translation remaining before we can push a big update.

You can contribute to the Uighur translation here:
https://www.transifex.com/projects/p/Cryptocat/language/ug/

NK

On 2013-06-05, at 3:39 PM, Nadim Kobeissi na...@nadim.cc wrote:

 Dear LibTech,
 We're on the verge of releasing a major update to Cryptocat, but we still 
 need four translations finished.
 
 All four translations are very much complete but only lack one or two 
 sentences each.
 
 You can contribute towards the translations here:
 Estonian: https://www.transifex.com/projects/p/Cryptocat/language/et/
 Tibetan: https://www.transifex.com/projects/p/Cryptocat/language/bo/
 Uighur: https://www.transifex.com/projects/p/Cryptocat/language/ug/
 Latvian: https://www.transifex.com/projects/p/Cryptocat/language/lv/
 
 Your help with this is immensely appreciated.
 
 Thank you,
 NK



Re: [liberationtech] Question about otr.js

2013-06-07 Thread Pavol Luptak
On Fri, Jun 07, 2013 at 07:44:35PM +0200, Jurre andmore wrote:
Pidgin is a terrible client. It has quite a bit of issues. Their SSL
handling is terrible and possible to MITM; I audited the Windows build
last August and found, in 2012, vulnerabilities known since 2006.. only
recently, in February, did the Pidgin team release a security update..
 
Avoid using Pidgin at all costs.

BTW, I use mcabber with OTR/PGP support http://mcabber.com/ 
Any security opinion?
--
___
[wil...@trip.sk] [http://trip.sk/wilder/] [talker: ttt.sk 5678]


Re: [liberationtech] Email Volume Digest Option

2013-06-07 Thread Teresa Crawford
Apologies for adding to the list volume.  Darn reply to list!

Teresa


On Fri, Jun 7, 2013 at 2:21 PM, Teresa Crawford ter...@speakeasy.netwrote:

 Thanks for the offer.  Can you switch me to digest?  Thanks!

 Teresa



-- 
Teresa Crawford | skype: crawte00 | cell: +1 917-873-6397 | e-mail:
ter...@speakeasy.net

Re: [liberationtech] NSA has direct access to tech giants' systems for user data, secret ppt reveals

2013-06-07 Thread x z
Hi all,

I have the same feeling as Raven. It appears that the PRISM program
does exist, and that amateurish PowerPoint training material is real (so I
take back my "ploy or prank" remark). However, none of this proves the
Guardian's headline claim "NSA taps in to internet giants' systems to mine
user data", or "direct access to servers of firms including Google,
Facebook and Apple".

From reading the four pages of the slides, what is actually in place is
likely just a data mining system that analyzes information the NSA gathered
from these firms via the usual means (which should be of no surprise to any
of us). It's likely that the NSA stores information from different providers on
different databases and servers (say, one for Facebook, one for Apple), and
the PRISM system can collect directly from these servers. And yes, a $20M
annual budget can handle that, probably half of that if it's not the
government. The Guardian and Washington Post grossly misreported this and
misled their readers. After all, most journalists do not have much clue
about technology.

I had hoped people on this mailing list understood better how much it
takes to implement real "direct access" to servers from firms like
Google, Facebook and Apple, and the ability to do in-depth surveillance on
live communication. This is a gargantuan task, even for these firms to
build an internal tool like this themselves.

And all these firms participate in this (direct tapping) program, and all
deny it? That's enough of conspiracy theory. Get real.

In a previous email Eugen wrote that "he would reexamine why you are reading
this list". Yes, I read this list because I care for internet freedom and
privacy. But we need to have basic sense, in order to fight the good fight.
We do need to limit the NSA's power for what they are actually doing, not this
surreal "direct tapping" thing.

It's our responsibility to stop this Guardian/PRISM junk, and I am very
disappointed that many people on this mailing list do the exact opposite,
i.e. jumping on the Guardian bandwagon to promote their own products. (It is
not that I'm against your product or your promoting it, but please do not
use the Guardian story for it).





Re: [liberationtech] Time to ask again: why are you logging?

2013-06-07 Thread Anthony Papillion
On 06/07/2013 01:51 PM, micah wrote:
 
 The default syslog in Debian, rsyslog just announced that they've added
 log anonymization capabilities[0]!
 
 Almost 12 years now after riseup wrote the initial patches to
 syslog-ng[1] (a few years ago syslog-ng added this capability, so we no
 longer needed to carry that patch around) it is nice to see that this
 has been added to rsyslog!

This is an *excellent* post Micah! Thank you for writing it. It really
doesn't take a lot to turn off logging when you're setting everything
up. Not doing so is just lazy. Thank you for the post!

Anthony


-- 
Anthony Papillion
Phone:   1.918.533.9699
SIP: sip:cajuntec...@iptel.org
iNum:+883510008360912
XMPP:cypherpun...@jit.si

www.cajuntechie.org
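The anonymization micah refers to (rsyslog's mmanon, the old riseup syslog-ng patches) rewrites addresses before the line reaches disk; that ordering is the whole point, since a job that scrubs logs afterwards still leaves the raw lines written first. Below is an added pure-Python version of the idea, not code from this thread, from rsyslog or from riseup, so the behaviour can be read and tested: it truncates IPv4/IPv6 addresses to a network prefix (the mmanon-style mode) and, as a second mode, replaces them with keyed pseudonyms so that "same client, many events" stays visible without storing the address. The log lines in it are constructed samples using documentation address ranges; the regexes, function names and key are assumptions of this example.

```python
"""Added example: anonymize IP addresses in syslog lines before they are
stored, in the spirit of rsyslog's mmanon and riseup's syslog-ng patches.
Two modes: truncate to a network prefix, or keyed consistent pseudonyms."""
import hashlib
import hmac
import ipaddress
import re

# Candidate tokens only; each one is validated with the ipaddress module before
# it is touched, so timestamps (10:30:17), PIDs and version numbers survive.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_RE = re.compile(r"(?<![0-9A-Za-z:.])[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]+(?![0-9A-Za-z:.])")

# Constructed sample lines (hosts and addresses are documentation ranges).
SAMPLE_LOG = [
    "Jun  7 10:30:17 mail sshd[1234]: Accepted publickey for alice from 192.0.2.77 port 52311 ssh2",
    "Jun  7 10:31:02 web nginx: 2001:db8:85a3::8a2e:370:7334 - - GET /index.html HTTP/1.1 200",
    "Jun  7 10:31:40 mail postfix/smtpd[77]: connect from unknown[198.51.100.9]",
    "Jun  7 10:32:05 mail sshd[1250]: Failed password for root from 192.0.2.77 port 52340 ssh2",
]


def truncate(addr, keep_bits):
    """Keep `keep_bits` of network prefix and zero the host part (mmanon-style)."""
    net = ipaddress.ip_network(f"{addr}/{keep_bits}", strict=False)
    return str(net.network_address)


def pseudonym(addr, key):
    """Keyed replacement: the same address maps to the same tag under one key,
    so correlation within a log still works.  The key must stay secret and be
    rotated, or the pseudonyms become a reversible lookup table."""
    tag = hmac.new(key, str(addr).encode(), hashlib.sha256).hexdigest()[:12]
    return "ip-" + tag


def anonymize_line(line, mode="truncate", v4_keep=16, v6_keep=32, key=b""):
    """Rewrite every valid IPv4/IPv6 address in one log line."""
    if mode not in ("truncate", "pseudonym"):
        raise ValueError("mode must be 'truncate' or 'pseudonym'")
    if mode == "pseudonym" and not key:
        raise ValueError("pseudonym mode needs a secret key")

    def make_repl(cls, keep):
        def repl(m):
            try:
                addr = cls(m.group(0))
            except ValueError:          # looked like an address, was not one
                return m.group(0)
            return truncate(addr, keep) if mode == "truncate" else pseudonym(addr, key)
        return repl

    # IPv6 first so IPv4-mapped forms such as ::ffff:192.0.2.1 are handled whole.
    line = IPV6_RE.sub(make_repl(ipaddress.IPv6Address, v6_keep), line)
    return IPV4_RE.sub(make_repl(ipaddress.IPv4Address, v4_keep), line)


def anonymize_lines(lines, **kw):
    """Apply anonymize_line to a batch of lines; returns the rewritten lines."""
    return [anonymize_line(l, **kw) for l in lines]
```

anonymize_lines(SAMPLE_LOG) yields 192.0.0.0, 2001:db8:: and 198.51.0.0 in place of the three addresses; with mode="pseudonym" the two sshd lines from 192.0.2.77 carry the same ip-… tag while the other two differ. Whichever mode is used, the rewrite has to sit in the logging pipeline itself (rsyslog's mmanon runs as a message-modification action before the output action for exactly that reason), not in a cron job that reads files already written.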


Re: [liberationtech] Time to ask again: why are you logging?

2013-06-07 Thread Brian Conley
+1

[liberationtech] US NSA's Snoop Factor Is Shocking

2013-06-07 Thread Yosem Companys
http://www.calgaryherald.com/opinion/columnists/Kotarski+snoop+factor+shocking/8377821/story.html

MAY 13, 2013

Kotarski: The snoop factor is shocking

BY KRIS KOTARSKI, CALGARY HERALD

In October 2008, a 39-year-old former U.S. navy linguist who worked at
a National Security Agency (NSA) centre in Georgia went on ABC News
and blew the whistle on himself and his fellow NSA operators for
listening in on the private conversations of hundreds of American aid
workers and soldiers calling home to the United States from Iraq.

“Hey, check this out,” David Murfee Faulk says he would be told.
“There’s good phone sex or there’s some pillow talk, pull up this
call, it’s really funny, go check it out.”

Another linguist, 31-year-old Adrienne Kinne, told ABC that the NSA
would listen to calls made by military officers, journalists and aid
workers from organizations such as the International Red Cross and
Doctors Without Borders, listening to “personal, private things with
Americans who are not in any way, shape or form associated with
anything to do with terrorism.”

“We knew they were working for these aid organizations. They were
identified in our systems as ‘belongs to the International Red Cross’
and all these other organizations,” Kinne told ABC News. “And yet,
instead of blocking these phone numbers, we continued to collect on
them.”

How far has this spread since then?

Earlier this month, Tim Clemente, a former FBI counterterrorism agent,
revealed on CNN that details from a private telephone conversation
between one of the Boston bombing suspects and his wife could be
retrieved at will.

“We certainly have ways in national security investigations to find
out exactly what was said in that conversation,” he said. “It’s not
necessarily something that the FBI is going to want to present in
court, but it may help lead the investigation and/or lead to
questioning of her. We certainly can find that out.”

When pressed by the shocked news anchor whether “they can actually get
that,” Clemente was adamant.

“Welcome to America,” he answered. “All of that stuff is being
captured as we speak, whether we know it or like it or not.”

What has happened to our American cousins? And what has happened to
the rest of us? This is not North Korea, Saudi Arabia or Soviet
Russia.

This is the United States, where according to the constitution, “the
right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be
violated.”

This is also Canada’s biggest and most important security partner, our
closest military and intelligence ally, and the country where our
government continues to strive for “harmonization,” even as the U.S.
is revealed again and again to have abandoned the American citizen’s
right to basic privacy.

Just last week, the New York Times’s Charlie Savage reported that the
Obama administration is on the verge of backing an FBI plan for new
surveillance laws that would force companies like Facebook and Google
to build a capacity to comply with wiretap orders into their
instant-messaging systems.

In an April 2012 interview with Democracy Now, another NSA
whistleblower, William Binney, estimated the NSA assembled 20 trillion
“transactions,” which likely included copies of almost all e-mails
sent and received by those living in the United States.

What does this mean for Canadians?

Once upon a time, it was obvious that we would not tolerate our
governments trawling through everyone’s mail or installing a tape
recorder or a video camera in every room of every home. So why are we
so complacent about our electronic data, our phone calls and our
e-mails?

Almost all of us use some kind of American-based online infrastructure
to communicate with each other, but privacy concerns do not seem to
interest our government very much. The old “if you’ve got nothing to
hide, you’ve got nothing to fear” trope is nonsense. We all have
something to hide.

There are intimate thoughts shared between spouses and lovers. Family
quarrels, fears, hopes, family photos and business ideas.

These are all things that can be used to intimidate and abuse us, and
government analysts should not be listening to them, even if they say
that it's for our own good.

Kris Kotarski’s column appears every second Monday.

© Copyright (c) The Calgary Herald


Re: [liberationtech] PRISM: NSA/FBI Internet data mining project

2013-06-07 Thread Andy Isaacson
Apologies for replying out of thread and the wide CC list.

On Fri, Jun 07, 2013 at 06:41:32PM +0200, Eugen Leitl wrote:
 - Forwarded message from Matthew Petach mpet...@netflight.com -
 
 Date: Fri, 7 Jun 2013 09:32:53 -0700
 From: Matthew Petach mpet...@netflight.com
 Cc: NANOG na...@nanog.org
 Subject: Re: PRISM: NSA/FBI Internet data mining project
 
 Speaking just for myself, and if you quote me on this
 as speaking on anyone else's behalf, you're a complete
 fool, if the government was able to build infrastructure
 that could listen to all the traffic from a major provider
 for a fraction of what it costs them to handle that traffic
 in the first place, I'd be truly amazed--and I'd probably
 wonder why the company didn't outsource their infrastructure
 to the government, if they can build and run it so much
 more cheaply than the commercial providers.  ;P
 7 companies were listed; if we assume the
 burden was split roughly evenly between them, that's
 20M/7, about $2.85M per company per year to tap in,
 or about $238,000/month per company listed, to
 supposedly snoop on hundreds of gigs per second
 of data.  Two ways to handle it: tap in, and funnel
 copies of all traffic back to distant monitoring posts,
 or have local servers digesting and filtering, just
 extracting the few nuggets they want, and sending
 just those back.

That's not what PRISM is claimed to do, in the WaPo/Gu slide deck.  The
deck claims that PRISM provides a way for an analyst at NSA to request
access to a specific target (gmail account, Skype account, Y! messenger,
etc) and get a dump of data in that account, plus realtime access to the
activity on the account.  The volume is quoted to be on the order of
10k-100k of requests annually.  The implication is that data production
is nearly immediate (measured in minutes or hours at most), not enough
time for a rubber-stamp FISA warrant, implying a fully automated system.

At these volumes we're talking one, or a few, boxes at each provider;
plus the necessary backdoors in the provider's storage systems (easy,
since the provider already has those backdoors in place for their own
maintenance/legal/abuse systems); and trusted personnel on staff at the
providers to build and maintain the systems.  Add a VPN link back to
Fort Meade and you're done.

That's obviously a much easier system (compared to your 200 GBps
sniffer) to build at the $2M/yr budget, and given that $2M is just the
government's part -- the company engineering time to do it is accounted
separately -- it seems like a reasonable ballpark for an efficient
government project.  (There are plenty such, and the existence of
inefficient government projects doesn't change that fact.)

It's even possible that executive/legal at the providers actually aren't
aware that their systems are compromised in this manner.  NatSec claims
will open many doors, especially with alumni of the DoD who have
reentered the civilian workforce:
https://financialcryptography.com/mt/archives/001431.html

-andy


Re: [liberationtech] PRISM: NSA/FBI Internet data mining project

2013-06-07 Thread Kyle Maxwell
FWIW, Google has issued a similar blanket (and kinda funny) denial.

http://googleblog.blogspot.com/2013/06/what.html

On Fri, Jun 7, 2013 at 2:20 PM, Andy Isaacson a...@hexapodia.org wrote:


[liberationtech] Who Runs Prism...

2013-06-07 Thread Peter Lindener
It might be good to elevate this to its own thread...
so I forward it here.

-- Forwarded message --
From: Raven Jiang CX j...@stanford.edu
Date: Fri, Jun 7, 2013 at 10:30 AM
Subject: Re: [liberationtech] NSA has direct access to tech giants' systems
for user data, secret ppt reveals

This is just circumstantial speculation but read
http://talkingpointsmemo.com/archives/2013/06/is_this_who_runs_prism.php

Given Palantir's rapid expansion and aggressive recruitment, I think this
guy might be onto something.

[liberationtech] Google Denies PRISM Involvement

2013-06-07 Thread Travis McCrea
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

http://googleblog.blogspot.com/2013/06/what.html

I do believe them, but I have no proof to back that up. You would assume
they wouldn't make a bold faced lie, they would just not talk about it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCgAGBQJRsmQGAAoJEES9cOv0A0l0vZgH/ArXy3Emx5PbaB5FgUDxvBdc
XkzI+C9E57ZNkhC7IOb1FmihMkTBEsbr3WlFre3ECZ3aMDikdMY2zq3cpCUh5tms
M28SPkoSE+4MV/bxmKPJuq4M5TopCDKGaDpQbZ1swj5nxCqomImIf3BVX7vfcJzf
m8jLe5c6ePScBiG6sNmog18F2eHZabRohfIBAbVUhHYmE/aQy4QfyUGZxCqtyDxO
6gv+RUctTGbM/A99KCjvn9/H3h5DmOI5ynEs0p+2IZsHhopoDwFjnvFMDVsetk0l
Sd6bSF8FiVWbFZo4c8hZQ5+ov3ukCcyqvubnrlXlkk51uwxc4rAOq7gpJ9fl7zk=
=4usx
-----END PGP SIGNATURE-----


Re: [liberationtech] Google Denies PRISM Involvement

2013-06-07 Thread Yosem Companys
Washington Post Backtracks on Claims of Tech Giants Giving US Govt Direct
Access to Their Servers
http://www.businessinsider.com/washington-post-updates-spying-story-2013-6

On Fri, Jun 7, 2013 at 3:51 PM, Travis McCrea m...@travismccrea.com wrote:


[liberationtech] OpenWatch Releases #OccupyGezi Android Application

2013-06-07 Thread Rich Jones
We were asked by members of the media in Turkey who have been shut down to
release a version of our new streaming media capture applications. In an
effort to document the history of the struggle and to help show abuses by
authorities there, we are pleased to announce the Occupy Gezi Android
application.

Announcement:
https://openwatch.net/i/87/openwatch-releases-occupygezi-mobile-application
Download: https://play.google.com/store/apps/details?id=org.ale.occupygezi
Code: https://github.com/OpenWatch

You will be able to see all of the media produced by the apps live as it
comes in here: https://openwatch.net/w/occupygezi and we will use the media
received to produce additional documentaries and reports.

If you've got any feedback, please get at us: t...@openwatch.net

Thanks!

Rich Jones
OpenWatch

=
Why Turkey Needs an Independent Free Press - And How OpenWatch Is Helping

*Media conglomeration and an ever-worsening press-freedom record have created
a void in independent reporting in Turkey, so OpenWatch has released a mobile
application for Turkish mobile reporters.*

In support of a free press, the right to demonstrate, and the right to use
media to document the truth, OpenWatch has released an Occupy Gezi
application for Android
(https://play.google.com/store/apps/details?id=org.ale.occupygezi), with an
iPhone version coming out shortly, to allow people on the ground to
collaboratively document the history they are making together.

Download the application here on the Google Play store:
https://play.google.com/store/apps/details?id=org.ale.occupygezi

The applications will send videos and photos directly online, where they
can be found in the apps and on the web by following the #occupygezi
hashtag on OpenWatch (https://openwatch.net/w/occupygezi), which will
show a live feed of media as it is received. We have optimized the
application to stream videos and photos to our servers in the fastest way
possible, even in low-connectivity environments.

We will be producing documentaries and reports using the media created by
the Occupy Gezi applications. All media created is Creative Commons, and
all of the code is Free and Open Source, and available on our GitHub
page (http://github.com/openwatch). We have also updated our own open
source software with additional Turkish translations.

Why?

While thousands of demonstrators took over a public space in an
unprecedented act of mass political protest, the mainstream Turkish media
instead ran documentaries about penguins. This is actually not surprising,
as Turkey, which has the most imprisoned journalists of any country
according to Reporters Without Borders, has been increasingly restrictive
of press freedom in the past few years.

As a result, much of the coverage of the events in the Turkish streets was
provided by users of social networking services like Twitter. Now,
authorities are targeting social media reporters and provocateurs as well:
Authorities in Turkey have raided the houses and detained 38 people accused
of using social media services to promote insurrection.

What now?

Going forward, we hope that people will be able to use mobile media to
document the truth, the history they are making, and to protect themselves
from abusive authorities by capturing and exposing the reality of events.

The #OccupyGezi App was built on top of open source software which is being
actively developed - there are some bugs, so please report them so that we
can fix them. (It is not an app for anonymous reporting, and we do not make
any such claims - it is an application simply designed to rapidly capture
and redistribute important information which needs to be seen by as many
people as possible. In the future, we do intend to build a separate
architecture to support anonymous submissions, but we take identity
security extremely seriously here, which is why we make no claims about
anonymity at the moment.)

If you are in Turkey and wish to document your experiences during this
struggle, or just want to show your solidarity, use the application
(https://play.google.com/store/apps/details?id=org.ale.occupygezi) and
share your view with the world!

Re: [liberationtech] OpenWatch Releases #OccupyGezi Android Application

2013-06-07 Thread Brian Conley
Hi Rich,

That sounds pretty cool, have you heard of StoryMaker yet?

It's an app we have been building at Small World News, in collaboration
with the Guardian Project and scal.io, along with support from Free Press
Unlimited and the Open Tech Fund.

StoryMaker helps users tell stories, not just document events, and provides
on-the-job training to improve their skills. It also enables anonymous
publishing via Tor through integration with Orbot.

I wonder if your colleagues in Turkey may be interested in using it?

https://play.google.com/store/apps/details?id=info.guardianproject.mrapp

Let me know if you have questions!

Brian
On Jun 7, 2013 8:14 PM, Rich Jones r...@anomos.info wrote:


Re: [liberationtech] Crypho

2013-06-07 Thread zooko
On Tue, Mar 26, 2013 at 09:24:13AM +0100, Yiorgis Gozadinos wrote:
 
 Assuming there is a point of reference for js code, some published instance 
 of the code, that can be audited and verified by others that it does not 
 leak. The point then becomes: Is the js I am running in my browser the same 
 as the js that everybody else is? 
 Like you said, it comes down to the trust one can put in the verifier.
 A first step could be say for instance a browser extension, that compares a 
 hash of the js with a trusted authority. The simplest version of that would 
 be a comparison of a hash with a hash of the code on a repo.
 Another (better) idea, would be if browser vendors would take up the task 
 (say Mozilla for instance) and act as the trusted authority and built-in 
 verifier. Developers would sign their code and the browser would verify.
 Finally, I want to think there must be a way for users to broadcast some 
 property of the js they received. Say for example the color of a hash. Then 
 when I see blue when everyone else is seeing pink, I know there is something 
 fishy. There might be a way to even do that in a decentralised way, without 
 having to trust a central authority.

Dear Yiorgis:

I think this is a promising avenue for investigation. I think the problem is
that people like you, authors of user-facing apps, know what the problem is
that you want to solve, but you can't solve it without help from someone else,
namely the authors of web browsers.

With help from the web browser, this problem would be at least partly solvable.
There is no reason why this problem is more impossible to solve for apps
written in JavaScript and executed by a web browser than for apps written in a
language like C# and executed by an operating system like Windows.

Perhaps the next step is to explain concisely to the makers of web browsers
what we want.

Ben Laurie has published a related idea:

http://www.links.org/?p=1262

Regards,

Zooko

https://tahoe-lafs.org - Free, Open Source Secure Decentralized Storage
https://LeastAuthority.com - Commercial Ciphertext Storage Service