Re: [liberationtech] Why we can't go back to business as usual post-PRISM.

2013-06-10 Thread Aaron Greenspan
All,

I am still trying to digest the full significance of everything that has been 
disclosed and discussed in the past 72 hours, but the issues that I keep coming 
back to in my head, and which I will likely write more about, are:

1. This scandal, and the financial crisis that happened not long after it 
really began, represent major situations where all three branches of government 
failed, both in their own capacities, and in their role as checks on the other 
branches of government.
2. President Obama's defense of PRISM as being court-sanctioned, entirely 
consistent with what we would do, for example, in a criminal investigation, is 
so blatantly disingenuous that it truly staggers me. Criminal investigations do 
not take place in secret courts that issue secret orders. Some do involve 
documents under seal, but to argue, as Obama did, that the FISC is just like 
any other court is just wrong. Secondly, (and I have read this point 
elsewhere), his implication that members of Congress should have just spoken up 
if they were concerned, when doing so would have been considered a crime of the 
highest order, is unbelievable. (If you missed it, his speech on PRISM is 
transcribed here: 
http://blogs.wsj.com/washwire/2013/06/07/transcript-what-obama-said-on-nsa-controversy/.)

Generally, I am not surprised by any of this. I, like many, already knew that 
Palantir does work for the NSA, that the NSA oversteps its reach regularly, and 
that government is severely broken. I don't have a cell phone and never have, 
this type of scenario being a major reason why.

But to hear the President of the United States--and not George W. Bush--defend 
such brazenly unconstitutional activities is deeply, deeply disturbing to me, 
and leaves me feeling as though the nation has finally completed its slide into 
a larger-than-average third-world autocracy, run by small-minded men who mainly 
fear the unknown. Given that I'm a person who asks a lot of questions, it makes 
me incredibly anxious knowing for certain that I live there.

Aaron
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


[liberationtech] What PRISM means for Europe / Brussels

2013-06-10 Thread Kirsten
Hi,

Just a short note from Brussels where we're now seeing (and starting to
explain) the massive US lobbying under a different light... Last year,
the Commission presented a legislative proposal to update privacy laws
in Europe. EDRi has been reporting on this for a while now and since
then, lobbying efforts have only intensified: http://www.edri.org/US-DPR
and http://www.edri.org/us-eudatap. A year ago, we were particularly
worried about the fact that Article 42 on access to European data in the
absence of an EU legal framework disappeared from the first draft of
the proposal. Even though this article has been re-introduced by the
European Parliament, pressure is high to kick it out again.

It would now be interesting to see what amendments to the data
protection reform have actually been written by the companies that are
cooperating with the NSA - to weaken Europe's standards: see
http://lobbyplag.eu/docs and http://lobbyplag.eu/map.

Best,
Kirsten

-- 
| @kirst3nf
| edri.org



Re: [liberationtech] OSS Devs: Talk about metadata!

2013-06-10 Thread Tom Ritter
On 8 June 2013 22:04, Nadim Kobeissi na...@nadim.cc wrote:
 I want to encourage all the open source, communication and security software 
 developers on this list to start talking about metadata.

 1. Start raising awareness on what metadata is given to your software and how 
 it's handled.
 2. Don't limit your privacy policy to content but also clarify what's done 
 with metadata.

 [Shameless plug] We've already done this at Cryptocat. Our table can serve as 
 a template:
 https://blog.crypto.cat/2013/06/cryptocat-who-has-your-metadata/


Something I would add (there's no comments enabled, or I missed them)
is that most online messaging protocols (XMPP, Email, OTR, IRC,
Cryptocat I think, etc) enable attackers to de-anonymize recipients if
they have a publicly accessible point of contact that accepts data
from unknown senders, and the attacker can watch the network.  Stated
more simply, if the Syrian government sends 5MB emails to
syriandissidentx...@yahoo.com, they just have to look for who receives
that much data from the appropriate server at appropriate
intervals.[0]  This can work over Tor too, although it's a tad more
difficult.  This may be obvious to us... but then again, that table is
obvious to us also, we're aiming this at everyone else ;)

The solution is something as complex as Pond (which requires users to
be authorized) or possibly XMPP contact lists requests (I'm not
actually sure if those prevent you from sending lots of data to a user
before they accept you.)

-tom

[0] I mention this briefly in https://crypto.is/blog/tagging_attacks,
but owe a better blog post to it.
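
An added illustration, not part of the post above or of any project it names: a constructed model of the bytes crossing a recipient's link under an open inbox versus an inbox that holds messages from unauthorized senders, the property the post attributes to Pond. `Inbox`, `NOTICE_BYTES`, the sender names and every size except the post's 5MB are assumptions.

```python
"""Constructed model: how much of a recipient's link traffic an unknown
sender can control, with and without an authorization gate."""
from dataclasses import dataclass, field

PROBE_BYTES = 5 * 1024 * 1024   # the 5MB message size used in the post
NOTICE_BYTES = 512              # assumed size of a fixed contact-request notice


@dataclass(frozen=True)
class Message:
    interval: int   # time slot in which the server receives the message
    sender: str
    size: int       # payload size, chosen by the sender


@dataclass
class Inbox:
    """Hypothetical server-side delivery policy for one recipient."""
    authorized: frozenset = frozenset()
    require_authorization: bool = False
    notified: set = field(default_factory=set)

    def bytes_pushed(self, msg):
        """Bytes that cross the recipient's link because of msg."""
        if not self.require_authorization or msg.sender in self.authorized:
            return msg.size          # the sender decides the volume
        if msg.sender in self.notified:
            return 0                 # payload stays held at the server
        self.notified.add(msg.sender)
        return NOTICE_BYTES          # one fixed-size notice per unknown sender


def link_trace(inbox, messages, intervals):
    """Per-interval byte counts a network observer sees on the recipient's link."""
    trace = [0] * intervals
    for msg in messages:
        trace[msg.interval] += inbox.bytes_pushed(msg)
    return trace


def sender_influence(inbox_factory, background, probes, intervals):
    """Per-interval change in the link trace caused by the probe messages."""
    base = link_trace(inbox_factory(), background, intervals)
    probed = link_trace(inbox_factory(), background + probes, intervals)
    return [p - b for p, b in zip(probed, base)]


def open_inbox():
    return Inbox()


def gated_inbox():
    return Inbox(authorized=frozenset({"alice"}), require_authorization=True)


# Constructed sample traffic: one known contact plus an unknown sender who
# sends 5MB messages at regular intervals.
BACKGROUND = [Message(0, "alice", 40_000), Message(2, "alice", 12_000),
              Message(5, "alice", 90_000)]
PROBES = [Message(i, "unknown", PROBE_BYTES) for i in (1, 3, 5)]

if __name__ == "__main__":
    for name, factory in (("open", open_inbox), ("gated", gated_inbox)):
        print(name, sender_influence(factory, BACKGROUND, PROBES, 6))
```

In this model the gate does nothing against a sender the recipient has already authorized, and the single notice is still one observable event on the link.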


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread Rich Kulawiec
On Mon, Jun 10, 2013 at 01:30:19AM -0700, x z wrote:
 First of all, I don't feel offended by Jacob's reply to my email at all,
 probably because I know and expect his style of wording. So far I think the
 discussion is still pretty civil.

I concur.  This is what spirited discussion looks like.  It's healthy.

Let's dig in.

 - The PRISM slides do not prove such direct access (as we interpret it)
 exists.  [snip]

You're correct.   To take your point further, they don't prove *anything*,
they...well, for lack of a better word, they indicate.  They point in
a general direction, omitting significant details -- which is of course
why we're debating just what those details are.

But, that said: the NSA (and every other similar agency) has a long
history of engineering for their convenience over engineering for due
process and safeguards.  And certainly direct access is far more convenient
for them than multistep processes.  So I think it's pretty safe to say
that the NSA would very much *like* direct access if they can get it.
Which leaves us with the question of whether or not they have.  Yet.

 - The firms (Apple, Google, Facebook, etc) do not have any incentive to
 participate in such a program to offer direct access to NSA.

Ah, but I think they do.  There's a message I noticed on this list
this morning, which was forwarded from Dave Farber's excellent IP
(Interesting People) mailing list and explains one such incentive:


https://mailman.stanford.edu/pipermail/liberationtech/2013-June/008815.html

 Then, what kind of power do people think NSA possesses that
 can secretly coerce these firms into cooperation?? 

That kind of power.  (see link, just above).  To paraphrase an old
saying, you can get much more with a kind word and a hide nailed to
the wall than you can with just a kind word.

 Will these firm's CEO or Chief Legal Officer go to jail, for not providing
 direct access?

Maybe.  See above.  But jail is not the only possible unhappy outcome.
There are other kinds of pressure that can be brought to bear as well.

Consider the set S of {all Cxx executives at all the tech companies
mentioned so far plus the ones involved but not yet mentioned}.

Now consider the number N of members of set S who (a) are in financial
difficulty (b) have a monkey on their back (c) have something in their
past (d) did something dubious on their tax returns (e) failed to disclose
something to the SEC (f) etc.

As the size of set S increases, the probability that N=0 decreases.
And whatever N is, it provides N opportunities for leverage.

I think it's also safe to say that some of those people would do it
merely because they're asked: it appeals to their sense of patriotism.
We might argue that this is wrong, that it violates the Constitution and
thus is about as unpatriotic as it's possible to be; but they would not
agree with us.

And there's another approach: large companies like this are very
sensitive to bad press, or even the possibility of bad press.
None of them want any part of this potential future story:

US law enforcement: we could have stopped [name of future
attack], but Internet giant Blah, Inc. wouldn't cooperate.

Yeah, that's a longshot, but to risk-averse Cxx people, it might be
enough of a nonzero probability to convince them.  (And there's
already a long history of "blame the Internet" narratives, so it
would dovetail nicely.)  Blah, Inc.'s stock would drop a kazillion
points in the minutes after that story broke and thus so would the
personal fortunes of many.  Then there would follow recriminations
and the blame game, board meetings and firings, and in the end,
suitably obedient people would be put in place to make sure that
it never happened again.

 - If all these participating firms have built such a system to feed NSA's
 request automatically, many people would have got involved. This is not a
 trivial task, the executives need to find engineers to make it happen. And
 the number of engineers won't be small, given the diversity of data
 mentioned here. 

I think this is the strongest argument in support of your proposition.
I've spent some time over the past few days trying to figure out how
this could be done and haven't yet figured out a method that would be
likely to succeed.

On the other hand, the NSA has had years, billions of dollars, and
thousands of people to throw at the problem, so if a solution within
those constraints exists, they're far more likely to have found it
than I'll ever be.

But let me requote something you wrote:

[...] the executives need to find engineers to make it happen.

Not if the executives weren't involved.

The NSA *could* go directly to the NOC engineers, for example, and
there are certain advantages to doing so: for one, these are people
with a lot less wealth and power, thus perhaps more readily manipulated.
For another, these are the people who actually need to do the work --
unlike the Cxx-level people who don't need to be 

[liberationtech] Canadian phone and Internet surveillance program revealed

2013-06-10 Thread Nadim Kobeissi
Some news in Canada similar to the NSA revelations in the US:

Defence Minister Peter MacKay approved a secret electronic eavesdropping 
program that scours global telephone records and Internet data trails – 
including those of Canadians – for patterns of suspicious activity.

Mr. MacKay signed a ministerial directive formally renewing the government’s 
“metadata” surveillance program on Nov. 21, 2011, according to records obtained 
by The Globe and Mail. The program had been placed on a lengthy hiatus, 
according to the documents, after a federal watchdog agency raised concerns 
that it could lead to warrantless surveillance of Canadians.

http://www.theglobeandmail.com/news/national/data-collection-program-got-green-light-from-mackay-in-2011/article12444909/

NK


Re: [liberationtech] Canadian phone and Internet surveillance program revealed

2013-06-10 Thread David Golumbia
the buried lede in all these stories is that cooperation agreements mean
Canadians can spy on US citizens (but are only ever asked about Canadians,
 Canadian pols only talk about protections for their citizens), US can spy
on Canadians (but are only asked about US,  US pols only talk about
protections for their citizens), etc., etc.--esp. for UK, NZ, and Aus-- 
share the info as they like. and not spy on their own citizens and (kind
of) tell the truth when they say it. or a half-truth that makes them feel
better and appears to comply with letter of the law.


On Mon, Jun 10, 2013 at 11:48 AM, Nadim Kobeissi na...@nadim.cc wrote:

 Some news in Canada similar to the NSA revelations in the US:

 Defence Minister Peter MacKay approved a secret electronic eavesdropping
 program that scours global telephone records and Internet data trails –
 including those of Canadians – for patterns of suspicious activity.

 Mr. MacKay signed a ministerial directive formally renewing the
 government’s “metadata” surveillance program on Nov. 21, 2011, according to
 records obtained by The Globe and Mail. The program had been placed on a
 lengthy hiatus, according to the documents, after a federal watchdog agency
 raised concerns that it could lead to warrantless surveillance of Canadians.


 http://www.theglobeandmail.com/news/national/data-collection-program-got-green-light-from-mackay-in-2011/article12444909/

 NK




-- 
David Golumbia
dgolum...@gmail.com

Re: [liberationtech] Mechanisms of intercepting service provider internal connectivity

2013-06-10 Thread Andrés Leopoldo Pacheco Sanfuentes
Another application for the deep packet inspection technique..
On Jun 9, 2013 6:32 PM, Gregory Maxwell g...@xiph.org wrote:

 On Fri, Jun 7, 2013 at 6:47 AM, Eugen Leitl eu...@leitl.org wrote:
  but the ability to assemble intelligence out of taps on providers'
 internal connections
  would require reverse engineering the ever changing protocols of all of
 those providers.

 This is somewhat less difficult than some people think.

 Various equipment manufacturers have implemented passive monitoring
 support on their interfaces specifically for these applications.  You
 configure the interface to go into UP/UP state and to listen in a half
 duplex manner.  This way you get the compatibility advantage of using
 standard network equipment to implement the interception, and so it
 will likely speak the same link-layer protocols the device being
 intercepted speaks.

 (E.g. here is some of the relevant documentation for Juniper:
 http://kb.juniper.net/InfoCenter/index?page=content&id=KB23036 and

 https://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/flowmonitoring-passive-overview-solutions.html
 )

 A lot of the mechanisms— the protocols, techniques, equipment
 features— for mass surveillance are easily visible to the public but
 the things visible to the public are all technical minutia dealing
 with the practical engineering challenges (Like the one you raise
 here— how the heck do you keep up with the ever changing layer 1/2
 protocols used by service providers) that most people wouldn't even
 think to ask about.

 Using commodity hardware gets you compatibility, lower costs, and fast
 deployment. Even though budgets for massive surveillance no doubt
 allow for all kinds of specialized hardware— you can get more of it
 faster if you use commodity stuff with a few tweaks where you can.

 Here's another tidbit in public docs:

 Another challenge in implementing massive surveillance is the sheer
 volumes of traffic involved.  People do seem to be aware of this one,
 but they argue that it makes the task impossible but there are few
 technical challenges which can't be solved by the suitable application
 of ingenuity and money. (_Lots_ of money: but keep in mind defense
 spending is just on another order of magnitude from regular spending.
 How much does a fighter jet cost? A one time use smart munition?  How
 much more valuable is a good network tap than these devices? In light
 of that— how much is a fair defense industry price for one?)

 One way that the traffic volume problems gets solved is to realize
 that the vast majority of traffic is uninteresting.  If you can
 rapidly filter the traffic you can throw out the 99% of uninteresting
 stuff and capture all of the rest.  Filtering is, of course,
 computationally expensive—  but it turns out that the power of
 'commodity' technology can come to the rescue again:   The same
 standard networking equipment that you need to speak the L1/L2
 protocols on your optical taps also has built in line-rate packet
 filtering with scalability to millions of filter criteria (at no extra
 cost! :) ).

 The filtering in these devices has not historically been DPI grade:
 you can do stateless range/prefix matches on the packet headers, not
 free-form regex (although this is changing and the latest generation
 of hardware is more powerful— the need for NAT everywhere, if nothing
 else, is mandating it).  But, if you can update those filters very
 fast— say, in under 50ms— then it doesn't matter that the filters
 aren't very powerful:   Configure the filters to catch all known
 interesting hosts, the beginning of every new connection, and some
 small fraction (say, 1:1 of all packets) and then feed that data
 to analysis systems which trigger updates to the filters when they
 spot something interesting.  They only need to be powerful enough to
 limit a terabit of traffic to tens of gigabits, and that level of
 filtering can be accomplished just on 5-tuples..

 You can go even further, then, by having two sets of filters with a
 delay line— say implemented using the 100ms of delay-product packet
 buffers in high end commodity networking hardware— in between them.
 The first set of filters catches enough so that your analysis systems
 can identify and track interesting flows, and by the time the traffic
 makes it through the delay line the second set of filters has been
 updated to capture the entirety of the interesting flow.  ... though
 the persistence of traffic and the delay created by the TCP three way
 handshake make going this far not terribly necessary.

 Of course, using filtering in this way would require a protocol
 between the network elements and the analysis systems so that they
 could rapidly and dynamically 'task' the filters like you task
 surveillance satellites... And it sure would be convenient if the
 protocol was standardized so you could get many kinds of devices
 speaking it. ... something like:
 

Re: [liberationtech] NSA whistleblower revealed

2013-06-10 Thread The Doctor
On 06/09/2013 05:43 PM, Matt Johnson wrote:
 I have to say going to Hong Kong for free speech and safety seems
 like a very odd choice to me. What was he thinking?

The articles state that he was assigned to and living in Hawaii.  It
is possible that he caught the first flight out of US territory
available to him at that time - Hong Kong.

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

TOYNBEE IDEA IN Kubrick's 2001 RESURRECT DEAD ON PLANET JUPITER



Re: [liberationtech] NSA whistleblower revealed

2013-06-10 Thread The Doctor
On 06/09/2013 06:04 PM, Anthony Papillion wrote:

 Still, I have to wonder why he didn't go somewhere like Iceland. To
 me, that would have been a no-brainer.

He would probably have had to make at least one, possibly more
layovers in the United States by doing so.  It's been mentioned that
his home has already been visited by LEA's, meaning that they were
looking for him already.  That implies that LEAs elsewhere on US soil
were keeping eyes open for him just in case he tried flying eastward
rather than westward.  In such a scenario, agents looking for
someone + layover in the US could very likely == arrested

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

TOYNBEE IDEA IN Kubrick's 2001 RESURRECT DEAD ON PLANET JUPITER



Re: [liberationtech] NSA whistleblower revealed

2013-06-10 Thread The Doctor
On 06/09/2013 08:40 PM, Raven Jiang CX wrote:

 than us. My guess is that asylum in Iceland is ideal if everything 
 worked out, but he doesn't think it is strong enough to resist
 U.S. pressure.

Hypothetically speaking, would being granted asylum /really/ prevent
extraordinary rendition?  It sort of follows that if someone is
sufficiently honked off at someone to warrant their getting a squad
(in-house, third party, whatever) to gank someone, throw a black sack
over their head, and haul them off to a secret prison then a little
thing like political asylum isn't much of a deterrent.

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

For my next trick: anvils.  --Harry Dresden


Re: [liberationtech] NSA whistleblower revealed

2013-06-10 Thread Shava Nerad
You have to love the reply:  "We've come a long way since the Pentagon
Papers were sidelined by Tricia Nixon's garden wedding party"  ROFLMAO!

SN

On Sun, Jun 9, 2013 at 8:35 PM, Nadim Kobeissi na...@nadim.cc wrote:

 Check out this screenshot of the front page of the New York Times right
 now. Unbelievable:

 https://twitter.com/kaepora/status/343888967554457600

 NK

 On 2013-06-09, at 8:17 PM, Matt Johnson railm...@gmail.com wrote:

  Snowden says he wants asylum in Iceland. Why not go there directly?
 
  Going to Hong Kong makes him vulnerable to accusations of working for
 the PRC.
 
  None of that makes sense to me, but what do I know. I will watch, and
 learn.
 
  --
  Matt
 
  On Sun, Jun 9, 2013 at 3:52 PM, Raven Jiang CX j...@stanford.edu wrote:
  There is a strong resistance against Chinese strong-arming in Hong Kong,
  plus I am not sure that it is actually in the interest of the Chinese
  government to help the US do anything about this. I think you can make a
  case for why it's a better choice, though it is definitely debatable.
 
 
  On 9 June 2013 15:10, Sheila Parks sheilaruthpa...@comcast.net wrote:
 
  I agree with what you say about Hong Kong
 
  He does say he would like to end up in Iceland
 
  Wonder why he did not go there in the first place
 
  Such an immensely brave and honest person
 
  Sheila
 
 
  At 06:04 PM 6/9/2013, you wrote:
 
  On 06/09/2013 04:43 PM, Matt Johnson wrote:
  I have to say going to Hong Kong for free speech and safety seems
 like
  a very odd choice to me. What was he thinking?
 
  Actually, and I think this is pointed out in either the video or an
  article somewhere, Hong Kong doesn't generally suffer the speech
  restrictions mainland China does. Sure, they aren't completely free
 but
  protests and unpopular political speech happen quite frequently and
 are
  generally well tolerated by the government.
 
  Still, I have to wonder why he didn't go somewhere like Iceland. To
 me,
  that would have been a no-brainer.
 
  Anthony
 
 
 
  --
  Anthony Papillion
  Phone:   1.918.533.9699
  SIP: sip:cajuntec...@iptel.org
  iNum:+883510008360912
  XMPP:cypherpun...@jit.si
 
  www.cajuntechie.org
 
 
  Sheila Parks, Ed.D.
  Founder
  Center for Hand-Counted Paper Ballots
  Watertown, MA  02472
  617 744 6020
  DEMOCRACY IN OUR HANDS
  www.handcountedpaperballots.org
  she...@handcountedpaperballots.org
 
 
 
 




-- 

Shava Nerad
shav...@gmail.com

[liberationtech] PRISM vs Tor | The Tor Blog

2013-06-10 Thread Yosem Companys
https://blog.torproject.org/blog/prism-vs-tor

By now, just about everybody has heard about the PRISM surveillance
program, and many are beginning to speculate on its impact on Tor.

Unfortunately, there still are a lot of gaps to fill in terms of
understanding what is really going on, especially in the face of
conflicting information between the primary source material and
Google, Facebook, and Apple's claims of non-involvement.

This apparent conflict means that it is still hard to pin down exactly
how the program impacts Tor, and is leading many to assume worst-case
scenarios.

For example, some of the worst-case scenarios include the NSA using
weaponized exploits to compromise datacenter equipment at these firms.
Less severe, but still extremely worrying possibilities include
issuing gag orders to mid or low-level datacenter staff to install
backdoors or monitoring equipment without any interaction what-so-ever
with the legal and executive staff of the firms themselves.

We're going to save analysis of those speculative and invasive
scenarios for when more information becomes available (though we may
independently write a future blog post on the dangers of the government
use of weaponized exploits).

For now, let's review what Tor can do, what tools go well with Tor to
give you defense-in-depth for your communications, and what work needs
to be done so we can make it easier to protect communications from
instances where the existing centralized communications infrastructure
is compromised by the NSA, China, Iran, or by anyone else who manages
to get ahold of the keys to the kingdom.


The core Tor software's job is to conceal your identity from your
recipient, and to conceal your recipient and your content from
observers on your end. By itself, Tor does not protect the actual
communications content once it leaves the Tor network. This can make
it useful against some forms of metadata analysis, but this also means
Tor is best used in combination with other tools.

Through the use of HTTPS-Everywhere in Tor Browser, in many cases we
can protect your communications content where parts of the Tor network
and/or your recipients' infrastructure are compromised or under
surveillance. The EFF has created an excellent interactive graphic to
help illustrate and clarify these combined properties.

Through the use of combinations of additional software like TorBirdy
and Enigmail, OTR, and Diaspora, Tor can also protect your
communications content in cases where the communications
infrastructure (Google/Facebook) is compromised.


However, the real interesting use cases for Tor in the face of dragnet
surveillance like this is not that Tor can protect your gmail/facebook
accounts from analysis (in fact, Tor could never really protect
account usage metadata), but that Tor and hidden services are actually
a key building block to build systems where it is no longer possible
to go to a single party and obtain the full metadata, communications
frequency, *or* contents.

Tor hidden services are arbitrary communications endpoints that are
resistant to both metadata analysis and surveillance.

A simple (to deploy) example of a hidden service based mechanism to
significantly hinder exactly this type of surveillance is an XMPP
client that also ships with an XMPP server and a Tor hidden service.
Such a P2P communication system (where the clients are themselves the
servers) is both end-to-end secure, and does *not* have a single
central server where metadata is available. This communication is
private, pseudonymous, and does not involve any single central
party or intermediary.

More complex examples would include the use of Diaspora and other
decentralized social network protocols with hidden service endpoints.


Despite these compelling use cases and powerful tool combination
possibilities, the Tor Project is under no illusion that these more
sophisticated configurations are easy, usable, or accessible by the
general public.

We recognize that a lot of work needs to be done even for the basic
tools like Tor Browser, TorBirdy, EnigMail, and OTR to work seamlessly
and securely for most users, let alone complex combinations like XMPP
or Diaspora with Hidden Services.

Additionally, hidden services themselves are in need of quite a bit of
development assistance just to maintain their originally designed
level of security, let alone scaling to support large numbers of
endpoints.

Being an Open Source project with limited resources, we welcome
contributions from the community to make any of this software work
better with Tor, or to help improve the Tor software itself.

If you're not a developer, but you would still like to help us succeed
in our mission of securing the world's communications, please donate!
It is a rather big job, after all.


We will keep you updated as we learn more about the exact capabilities
of this program.

[liberationtech] Privacy Promises and Client-Side Betrayal.

2013-06-10 Thread Karl Fogel
Hi.  I thought this might be of interest here:

http://www.rants.org/2013/06/09/privacy-promises-and-client-side-betrayal/

Thesis: Apps that promise self-destructing data, promise emails that can
be un-sent, etc, are making promises they cannot keep -- at least not if
they are to work with recipients who use open source software (but in
principle they can't work reliably even in proprietary environments).

We can't expect most users to follow these things at the level of detail
we do -- so it's all the more important that we try hard to avoid making
users promises that we can't keep.  (I'm aware that "we" is a fuzzy term
here and doesn't always include the people who most often make such
promises... But we can call it when we see it, at least.)

Best,
-Karl
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] NSA whistleblower revealed

2013-06-10 Thread Shava Nerad
Regarding extraordinary renditions:  I have to note that there has been
phenomenally zip in the news media on these since Obama got smacked on the
nose about them a few years ago.  Most of the FBI news stories regarding
domestic terrorism have been show trials regarding sting operations of
Muslim men, usually seeming to have mental health issues, who were
entrapped by a network of operatives into planting a fake bomb and then put
on some trial with a grand jury and put away on felony charges in some form
of War on Terror theater.

It is hard for me to believe that, in the interim of the administration
getting its nose smacked and now, that nothing but the Boston bombing has
erupted (pardon the term) on the domestic terrorism front.  So I have to
assume DHS has quietly been continuing with renditions.  Much more quietly.
 To God knows where, since they seem to be doing overtures to shut down
Gitmo now.  When that gets revealed, it will make Prism look like a
sideshow -- sending US citizens to foreign prisons without trial for
interminable imprisonment?  Tasty.  Honestly it's hard for me to imagine it
hasn't been happening.  The absence of news nearly proves it.  I can't
believe that the terrorists have just...given up.  Well, except for two
boys in Boston, unanticipated.

This is a big country, and we have at least as many enemies as Israel and
other places that are quite rife with violence.  I'm sure there is gang
violence being misreported and other things being spun.  But I am equally
sure we are disappearing people.  It can't have stopped, and there are no
real trials.  Strategically, as risk management, historically,
statistically -- it makes no sense.  This is my assessment.

Yet several journalists I've asked about it (one of whom is on this list)
have told me, "Find evidence and we'll report it."  Oddly, I used to think
that was the job of investigative journalists -- to find the gaps in logic
and find the facts to fit them.  I don't have those resources, but then,
neither do the newsrooms these days.  And some of them won't jeopardize
sources if they did, so it's on the back of...whistleblowers, traitors, the
semantics get ever more complicated.

Every year as I age I get more and more compassion for the current elder
generation in Germany.  It makes me sad.  What color rose shall the
American resistance pick -- blue perhaps?   We have them now.

yrs,
-- 

Shava Nerad
shav...@gmail.com

Re: [liberationtech] Why we can't go back to business as usual post-PRISM.

2013-06-10 Thread timothy holmes
I don't know who you are or what work you do; perhaps it is the greatest
work ever done in law and the digital age.

You were linked on Hacker News
(https://mailman.stanford.edu/pipermail/liberationtech/2013-June/008839.html),
so I will assume what you are concerned with is important. There is an
aspect of this story worth mentioning.

It is how *little* power the government has used to protect and provide for
the poor and disadvantaged.

And just when the economy was improving, just when health care for all
could be possible, just when the *evidence* that government could work not
just for the privileged, this story, important in its own right, has the
potential to undermine this progress.

Government has to begin to work for the collective good of the people and
not be exploited by private interests.

Yes. We need to protect the people from abusive government power. But it
is as much of a problem of how private interests, through law and
economics, limit the government's power to achieve a public good.

Health care, education, infrastructure, and jobs, are some of the areas
that increased, not less, government power could be effectively utilized.
I worry that government's ability to work for our common good, is going to
be undermined through recent news. I hope all will keep in mind the
richness and complexity of the issues at hand.

Thanks.

[liberationtech] 2nd Ethics of Surveillance Conference: Moving towards Ubiquitous Surveillance?

2013-06-10 Thread Yosem Companys
From: h.herzogenrath-amel...@leeds.ac.uk

We're sure you all agree that the most recent developments in the US have
confirmed again the importance of continuing critical scholarly debate on
the scope and implications of current surveillance practices.

The Leeds Humanities Research Institute is jointly with the Centre for
Interdisciplinary Ethics Applied and the Institute of Communications
Studies holding the 2nd Ethics of Surveillance Conference at the University
of Leeds on the 24th and 25th of June:

Confirmed keynote speakers:

Prof. Gary Marx
Professor Emeritus of Sociology, M.I.T., United States

Prof. Christian Fuchs
Professor of Social Media at the University of Westminster's Communication
and Media Research Institute and the Centre for Social Media Research

Dr. Kirstie Ball
Reader in Surveillance and Organisation at the Open University Business
School, Milton Keynes

Dr. Mark Andrejevic
Deputy Director of the Centre for Critical and Cultural Studies at the
University of Queensland, Australia

Prof. Charles Raab
Professor of Government at the University of Edinburgh School of Social and
Political Science

A detailed programme is available at http://bit.ly/12eZLEA

The deadline for registration is June the 14th.

Registration is available at http://tinyurl.com/surveillanceethics

The registration fee for both days is £50.00, for one day £30.00 and
includes lunches and refreshments.

We anticipate a very lively discussion and hope to welcome as many of you
as possible.

The conference organizers.

---
Heidi Herzogenrath-Amelung,
PhD Researcher at the University of Leeds' Institute of Communications
Studies

Kevin Macnish
PhD Researcher and Teaching Fellow at the University of Leeds' Centre for
Interdisciplinary Applied Ethics

Pinelopi Troullinou
PhD Researcher at the Open University Business School

Conference coordinators
Founders of the research group IC ICTs: Research Group on ICTs, Surveillance
 Society
http://icicts.wordpress.com/

Re: [liberationtech] NSA whistleblower revealed

2013-06-10 Thread Andrés Leopoldo Pacheco Sanfuentes
Assange is still living at the Ecuadorean Embassy in London,  coming
up on his first anniversary, despite being granted asylum.. so..
Best Regards | Cordiales Saludos | Grato,

Andrés L. Pacheco Sanfuentes
a...@acm.org
+1 (817) 271-9619


On Mon, Jun 10, 2013 at 12:29 PM, Shava Nerad shav...@gmail.com wrote:
 Regarding extraordinary renditions:  I have to note that there has been
 phenomenally zip in the news media on these since Obama got smacked on the
 nose about them a few years ago.  Most of the FBI news stories regarding
 domestic terrorism have been show trials regarding sting operations of
 Muslim men, usually seeming to have mental health issues, who were entrapped
 by a network of operatives into planting a fake bomb and then put on some
 trial with a grand jury and put away on felony charges in some form of War
 on Terror theater.

 It is hard for me to believe that, in the interim of the administration
 getting its nose smacked and now, that nothing but the Boston bombing has
 erupted (pardon the term) on the domestic terrorism front.  So I have to
 assume DHS has quietly been continuing with renditions.  Much more quietly.
 To God knows where, since they seem to be doing overtures to shut down Gitmo
 now.  When that gets revealed, it will make Prism look like a sideshow --
 sending US citizens to foreign prisons without trial for interminable
 imprisonment?  Tasty.  Honestly it's hard for me to imagine it hasn't been
 happening.  The absence of news nearly proves it.  I can't believe that the
 terrorists have just...given up.  Well, except for two boys in Boston,
 unanticipated.

 This is a big country, and we have at least as many enemies as Israel and
 other places that are quite rife with violence.  I'm sure there is gang
 violence being misreported and other things being spun.  But I am equally
 sure we are disappearing people.  It can't have stopped, and there are no
 real trials.  Strategically, as risk management, historically, statistically
 -- it makes no sense.  This is my assessment.

 Yet several journalists I've asked about it (one of whom is on this list)
 have told me, Find evidence and we'll report it.  Oddly, I used to think
 that was the job of investigative journalists -- to find the gaps in logic
 and find the facts to fit them.  I don't have those resources, but then,
 neither do the newsrooms these days.  And some of them won't jeopardize
 sources if they did, so it's on the back of...whistleblowers, traitors, the
 semantics get ever more complicated.

 Every year as I age I get more and more compassion for the current elder
 generation in Germany.  It makes me sad.  What color rose shall the American
 resistance pick -- blue perhaps?   We have them now.

 yrs,
 --

 Shava Nerad
 shav...@gmail.com



[liberationtech] Mobile Payments, Bitcoin and the Law

2013-06-10 Thread Aaron Greenspan
Hello again…

I'm giving a talk/book signing on mobile payments, Bitcoin and the law on June 
20th in downtown Palo Alto. Liberationtech folks welcome.

http://legalforce52.eventbrite.com

Registration (which I don't control) appears to be open for the next two days.

Aaron


[liberationtech] Use of PRISM corporations by social activists campaigns

2013-06-10 Thread Yosem Companys
From: Charles Lenchner clench...@organizing20.org, the well known sell
out and corporate shill from Organizing 2.0

I'll never give up using FB and gmail. I want the government to know what
I'm up to at all times so it's completely transparent and I'll never be
suspected of anything.

Then, if I want to cause mayhem, I'll use all those Tor/darknet/burner
phone stuff on the side.

Switching now would just make me look suspicious!

Serious revolutionaries need to appear to be cheerful do-gooders.

Charles

[liberationtech] So, I was buying my nephew a bond...

2013-06-10 Thread Travis McCrea

I was going to buy my nephew a savings bond for his birthday (he is one,
what else can you really get him?) and I was trying to sign up on
treasurydirect.gov and was appalled by the security so I thought I would
share.

First they have all these different rules regarding what you must have
in your password (which I always think is dumb, let me pick my own
password), however they limit you to 16 characters.

Then I go to login and find out that the password isn't case sensitive
(which makes me question if it's being hashed), and their security is
that you can't type your password you have to use their onscreen
keyboard (which can easily be fixed by opening up web dev tools and
removing readonly="readonly" from the input field).

http://cl.ly/PYNw

I am just saying that I wish the government body which is in charge of
money stuff would be a little smarter with their development.

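The message above wonders whether a case-insensitive password is being hashed at all. The following added example (not part of the original post, and not TreasuryDirect's code) shows that a server can fold case before hashing, so case-insensitivity alone does not settle how the password is stored, and it measures what folding costs under the 16-character limit the post reports. The PBKDF2 parameters, the 94-symbol printable-ASCII alphabet, the sample password and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import math
import os
import string

MAX_LEN = 16            # length limit reported in the post
ITERATIONS = 100_000    # assumed PBKDF2 work factor for this sketch

# Assumed alphabet: printable ASCII without the space character (94 symbols).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def _derive(password: str, salt: bytes, fold_case: bool) -> bytes:
    """Optionally fold case, then run salted PBKDF2-HMAC-SHA256."""
    material = password.casefold() if fold_case else password
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, fold_case: bool) -> dict:
    """Create a stored record. fold_case=True mimics a case-insensitive site."""
    if len(password) > MAX_LEN:
        raise ValueError(f"password exceeds the {MAX_LEN}-character limit")
    salt = os.urandom(16)
    return {
        "salt": salt,
        "fold_case": fold_case,
        "digest": _derive(password, salt, fold_case),
    }


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against a record in constant time."""
    candidate = _derive(attempt, record["salt"], record["fold_case"])
    return hmac.compare_digest(candidate, record["digest"])


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def folding_cost_bits(length: int = MAX_LEN) -> float:
    """Entropy lost when upper and lower case are treated as the same symbol."""
    full = len(FULL_ALPHABET)                       # 94 symbols
    folded = full - len(string.ascii_uppercase)     # 68 symbols
    return keyspace_bits(full, length) - keyspace_bits(folded, length)


if __name__ == "__main__":
    sample = "Sav1ngsBond!2013"   # constructed 16-character sample password

    folded = enroll(sample, fold_case=True)
    strict = enroll(sample, fold_case=False)

    # The folded record accepts any capitalisation and still stores only a hash.
    print("folded accepts lower case:", verify(folded, sample.lower()))
    # The strict record rejects the same attempt.
    print("strict accepts lower case:", verify(strict, sample.lower()))

    print("bits at 16 chars, case-sensitive  :", round(keyspace_bits(94, MAX_LEN), 2))
    print("bits at 16 chars, case-insensitive:", round(keyspace_bits(68, MAX_LEN), 2))
    print("bits lost to folding              :", round(folding_cost_bits(), 2))
```

For a random 16-character password the loss is about 7.5 bits, roughly a 178-fold smaller search space; the fixed 16-character ceiling caps the achievable entropy in either mode.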

[liberationtech] A Taxonomy of PRISM Possibilities « Unhandled Exception

2013-06-10 Thread Yosem Companys
A Taxonomy of PRISM Possibilities
June 7, 2013
By Alex Stamos

I have been fielding a decent number of calls and emails from reporters on the 
NSA PRISM scandal. A lot of people are trying to synthesize reasonable 
technical explanations for how the NSA could implement the program described in 
the leaked PowerPoint deck and keep it secret for so long. In an effort to 
improve the quality of the public discussion, I have decided to create a 
taxonomy of the theories that I have seen floated and supply my own commentary 
in italics.

To be clear, I have no special knowledge or insight into this program. 
Everything listed below is based upon data contained in the news articles I 
have seen. I also recognize that many of these theories sound far-fetched, 
although I have to admit that my personal Overton Window for crazy conspiracy 
theories has shifted in the last 24 hours.

My goal is to keep this list up to date as more information is published, so 
please let me know if you have any corrections or additions by leaving a 
comment or via email. My GPG key is available here.

The list is below the fold…

http://unhandled.com/2013/06/07/a-taxonomy-of-prism-possibilities/

Re: [liberationtech] Use of PRISM corporations by social activists campaigns

2013-06-10 Thread Andrés Leopoldo Pacheco Sanfuentes
OK, but now the government knows you're one of them faux cheerful
do-gooders! xd
Best Regards | Cordiales Saludos | Grato,

Andrés L. Pacheco Sanfuentes
a...@acm.org
+1 (817) 271-9619


On Mon, Jun 10, 2013 at 1:26 PM, Yosem Companys compa...@stanford.edu wrote:
 From: Charles Lenchner clench...@organizing20.org, the well known sell out
 and corporate shill from Organizing 2.0

 I'll never give up using FB and gmail. I want the government to know what
 I'm up to at all times so it's completely transparent and I'll never be
 suspected of anything.

 Then, if I want to cause mayhem, I'll use all those Tor/darknet/burner phone
 stuff on the side.

 Switching now would just make me look suspicious!

 Serious revolutionaries need to appear to be cheerful do-gooders.

 Charles



Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread Maxim Kammerer
On Mon, Jun 10, 2013 at 12:01 PM, x z xhzh...@gmail.com wrote:
 Occam's razor would give us the following is what has actually happened in
 the past three days: a semi-clueless whistle blower fed an overzealous
 journalist a low-quality powerpoint deck, which met the privacy-paranoia and
 exploded.

I agree. I also don't understand what's the big deal. It is well-known
that the NSA (with cooperation with SIGINT agencies of other
countries) scans all communication channels it can get to. By reaching
popular communication methods like webmail and social media, it is
just doing its job. What apparently is at the core of the hysterical
public reaction is that the NSA spies on Americans, who think that
they are special, and should be treated differently. The reason they
think they are special is that the huge geopolitical / economic /
military-industrial complex influence of the United States elevates
and accustoms them to a position that's completely out of proportion
with their actual value to the world — utterly un-democratic, if you
think about it. Well, your spy agencies are more democratic than you
guys — they spy on you, too. If that wouldn't have been the case, it
would mean that your military-industrial complex is not that powerful,
which would imply that you are not special anymore, which, ironically,
rejects the original premise. Hopefully someone else can appreciate
the irony as well (hence writing this).

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread Jacob Appelbaum
Maxim Kammerer:
 On Mon, Jun 10, 2013 at 12:01 PM, x z xhzh...@gmail.com wrote:
 Occam's razor would give us the following is what has actually happened in
 the past three days: a semi-clueless whistle blower fed an overzealous
 journalist a low-quality powerpoint deck, which met the privacy-paranoia and
 exploded.
 
 I agree. I also don't understand what's the big deal. It is well-known
 that the NSA (with cooperation with SIGINT agencies of other
 countries) scans all communication channels it can get to. By reaching
 popular communication methods like webmail and social media, it is
 just doing its job. What apparently is at the core of the hysterical
 public reaction is that the NSA spies on Americans, who think that
 they are special, and should be treated differently. The reason they
 think they are special is that the huge geopolitical / economic /
 military-industrial complex influence of the United States elevates
 and accustoms them to a position that's completely out of proportion
 with their actual value to the world — utterly un-democratic, if you
 think about it. Well, your spy agencies are more democratic than you
 guys — they spy on you, too. If that wouldn't have been the case, it
 would mean that your military-industrial complex is not that powerful,
 which would imply that you are not special anymore, which, ironically,
 rejects the original premise. Hopefully someone else can appreciate
 the irony as well (hence writing this).

Occam's razor doesn't work the way that it is presented here. All things
being equal, the multi-billion dollar spy agency really does the spying
and it was really just revealed.

And yes, it really does shatter the idea of American exceptionalism - that
is actually the best part of the entire discussion. Americans need this
wakeup call - with our drone strikes that kill people based on their
metadata (eg: signature strikes) surveillance programs and with our
death camp (eg: Gitmo) in Cuba. We as a nation should be ashamed of
these things and the first step to such shame is the inability to deny
what is being done in our name.

It is now the case that it is impossible to deny the dragnet
surveillance order published about Verizon. Our leaders have
acknowledged it. It is also impossible to deny the massive surveillance
as a whole - the DNI, the White House and other agencies have confirmed
it. It is also now impossible to deny the existence of specific programs
named UPSTREAM, PRISM and BOUNDLESSINFORMANT.

The open questions are merely about scope. In time, we'll learn the
details - but we need not debate that this is just the tip of the
iceberg - it is obviously the case that we don't have all the details.

To attack Glenn and Snowden is pointless. Without a doubt, if anyone
knows less than them - it is all of us. Unless you hold a TS/SCI
clearance, of course. In which case, please do feel free to speak up -
we'd love to hear some clarifications on the matter! Though overall - we
should all be speaking up - but let's be clear that not all voices here
have access to the same information, or the same understanding even when
presented with the same information.

All the best,
Jacob


Re: [liberationtech] Use of PRISM corporations by social activists campaigns

2013-06-10 Thread Jonathan Wilkes


From: Yosem Companys compa...@stanford.edu
To: Liberation Technologies liberationtech@lists.stanford.edu 
Cc: Charles Lenchner clench...@organizing20.org 
Sent: Monday, June 10, 2013 2:26 PM
Subject: [liberationtech] Use of PRISM corporations by social activists  
campaigns
 


From: Charles Lenchner clench...@organizing20.org, the well known sell out 
and corporate shill from Organizing 2.0

I'll never give up using FB and gmail. I want the government to know what I'm 
up to at all times so it's completely transparent and I'll never be suspected 
of anything.

Then, if I want to cause mayhem, I'll use all those Tor/darknet/burner phone 
stuff on the side.

Switching now would just make me look suspicious!

Serious revolutionaries need to appear to be cheerful do-gooders. 

Regardless of whether that's a parody or not, it's a technically incompetent 
statement.  If I understand it correctly, Tor is freely available by design 
because the wider the availability the greater the (potential) cover traffic.  
I assume this is why the Naval Research Laboratory didn't fund a system that 
would only provide access to people with certain credentials-- that would 
remove all cover traffic and threaten to undermine the entire purpose for the 
system.

That statement also wrongly assumes government intrusion is the only attack 
vector.  I'm currently migrating from Yahoo Mail not because of the reported 
actions of a spy agency, but because the _next_ time someone hacks Yahoo Mail's 
crummy security I don't want to waste any of my time worrying about what data I 
had stored there and what could be used from it to run a confidence scam on me.

To me, the real tragedy is that there isn't some super-simple tool for running 
the equivalent of Google Docs using a Tor hidden service.  It has nothing to do 
with anonymous mayhem, and everything to do with breaking through NAT's so 
that I can host my own cloud and have control and access over it from 
anywhere in the world that I can connect my laptop to the internet.  No 
unwanted changes to the interface, no dropping of unpopular services, just an 
economy of one that responds to my needs and my needs only.  I know there are 
plenty of people who want similar control over the tools they use, and they'd 
happily take the performance hit of Tor for that.  (And for text documents it 
shouldn't be such a big deal anyway.)

-Jonathan

Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread Guido Witmond

On 10-06-13 21:36, Jacob Appelbaum wrote:

Maxim Kammerer:

On Mon, Jun 10, 2013 at 12:01 PM, x zxhzh...@gmail.com  wrote:

Occam's razor would give us the following is what has actually
happened in the past three days: a semi-clueless whistle blower
fed an overzealous journalist a low-quality powerpoint deck,
which met the privacy-paranoia and exploded.


I agree. I also don't understand what's the big deal.


The big deal is that now it's become impossible to believe the lies, and
that you [Americans] are forced to accept the truth.

And truth hurts! Especially when you want to believe the lies. Wanting
to believe is easier than facing the truth, even when deep in your heart
you've known the truth for a long time.

Now is the time to come clear with your conscience, end this abusive
relationship and kick the abusive partner out of your life. (ie: repeal
the unjust laws.)


Cheers, Guido.


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread Griffin Boyce
Nadim Kobeissi na...@nadim.cc wrote:

 What qualifies a journalist as overzealous? Is it passion and hard work?
 When this passion produces a consistent stream of intelligent arguments and
 debate, is it still overzealous? Ask yourself these questions.


I don't think Glenn Greenwald is overzealous, but I think his passion is...
untempered at times.  Not a bad thing at all.  But not everyone's going to
like his work.

~Griffin

Re: [liberationtech] NSA whistleblower revealed

2013-06-10 Thread Tom Ritter
On 9 June 2013 17:43, Matt Johnson railm...@gmail.com wrote:
 I have to say going to Hong Kong for free speech and safety seems like
 a very odd choice to me. What was he thinking?

I actually think Hong Kong seems pretty smart. Parroting the news
organizations, Hong Kong has some extradition protection against
political crimes.  Likewise, Hong Kong is pretty free, it's not
mainland China.  It has a high quality of living, tolerates a lot of
political dissent, and it'd be pretty easy to stay lost there (well,
if you hadn't told people where you were going anyway.)

Plus, the fact that it's China.  HK is a Special Administrative
Region, but Capital-C China would not take kindly to any mucking about
there.  It seems like it would cause a pretty big incident if the US
snatched him from there or tried to inappropriately exert pressure.
China is on the UN Security Council and is not likely to play nice if
the US affronted its sovereignty. And they have a lot of ways they
can hit the US back too: UNSC, trade sanctions, debt or currency
manipulation, the North Korean situation, not to mention (more) cyber
espionage on the government or corporations. (I refuse to say
cyberwar, it's espionage.)  Compare that to Iceland: if the US pisses
off Iceland, what's Iceland going to do about it?

The major disadvantages I see are that 1) it makes him look a little
bit more like a Chinese actor/spy/etc.  And 2) There is probably a
decent chance the Chinese would hand him over as part of a handshake
and a nod type deal where they're going to get... something, but we
may never know what.  Anything from tariff exemptions, returning
Chinese spies, backing off on some US military (cyber?) operation or
something else.

-tom


Re: [liberationtech] Canadian phone and Internet surveillance program revealed

2013-06-10 Thread Travis McCrea

The Pirate Party of Canada has issued a release on this, due to
Canadians' interest in themselves we are focusing on Canadian
surveillance of Canadians rather than foreign cooperation.

https://www.pirateparty.ca/newsletter/warrantless-surveillance/

David Golumbia wrote:
 the buried lede in all these stories is that cooperation agreements
 mean Canadians can spy on US citizens (but are only ever asked about 
 Canadians,  Canadian pols only talk about protections for their 
 citizens), US can spy on Canadians (but are only asked about US, 
 US pols only talk about protections for their citizens), etc.,
 etc.--esp. for UK, NZ, and Aus--  share the info as they like. and
 not spy on their own citizens and (kind of) tell the truth when
 they say it. or a half-truth that makes them feel better and appears
 to comply with letter of the law.
 
 
 On Mon, Jun 10, 2013 at 11:48 AM, Nadim Kobeissi na...@nadim.cc wrote:
 
 Some news in Canada similar to the NSA revelations in the US:
 
 Defence Minister Peter MacKay approved a secret electronic 
 eavesdropping program that scours global telephone records and 
 Internet data trails – including those of Canadians – for patterns of
 suspicious activity.
 
 Mr. MacKay signed a ministerial directive formally renewing the 
 government’s “metadata” surveillance program on Nov. 21, 2011, 
 according to records obtained by The Globe and Mail. The program had 
 been placed on a lengthy hiatus, according to the documents, after a 
 federal watchdog agency raised concerns that it could lead to 
 warrantless surveillance of Canadians.
 
 http://www.theglobeandmail.com/news/national/data-collection-program-got-green-light-from-mackay-in-2011/article12444909/

  NK
 
 
 
 
 -- David Golumbia dgolum...@gmail.com
 


Re: [liberationtech] Cryptocat: Translation Volunteers Needed

2013-06-10 Thread Nadim Kobeissi
Thanks so much to everyone who helped! The translations are now all up to date.

I'd like to extend special thanks to Dragana Kaurin from OpenITP. OpenITP is 
launching a localization management platform soon, too, so I hope working with 
them will make this stuff easier in the future. :-)

NK


On 2013-05-24, at 10:23 PM, Buddhadeb Halder bhalder...@gmail.com wrote:

 Hi Nadim,
 I have done with the Bengali translation.
 Thanks,
 Buddha
 
 
 
 On Fri, May 24, 2013 at 6:36 PM, Nadim Kobeissi na...@nadim.cc wrote:
 Hi everyone,
 An entire Cryptocat translation is less than 300 words.
 
 You can view translations here. There is an easy-to-use interface that can 
 help you input your translations:
 https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/
 
 Priority lies with the following languages. The rest is good to go:
   • Czech
   • Estonian
   • Urdu
   • Tibetan
   • Khmer
   • Uighur
   • Chinese (Hong Kong)
   • Bengali
   • Latvian
 
 Thanks again to everyone who already helped! :-)
 
 
 
 NK
 
 
 On Fri, May 24, 2013 at 6:53 AM, Moritz Bartl mor...@torservers.net wrote:
 On 24.05.2013 11:09, Sjoerd de Vries wrote:
  About how much is needed to translate. Are you talking about 1.000 words
  or more about 1.000.000 words. If it isn't too much I'm willing to help
  you translate to Dutch
 
 Nadim should have made this more clear: All translations and texts are
 readily available. Anyone can add or refine translations of sentences.
 There's no need to send anything else, everything is at the following link:
 
 https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/
 
 To work on a translation, just create a Transifex account and add
 yourself to the translation team.
 
 --
 Moritz Bartl
 https://www.torservers.net/


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread Jacob Appelbaum
x z:
 @Jacob, I agree with your points regarding American exceptionalism.
 @Eugen, to prepare for the worst scenario is one thing, to advocate some
 shady rumor as fact is another.
 @Rich, those are good movie scripts :-). But it does not work for 9 firms,
 and hundreds of execs all with diverse values and objectives.
 @Nadim, when you say we all always 'knew' this was happening, I don't
 know what this refers to. Is it NSA surveillance, or is it the direct
 access bit?
 
 To me, the crucial point is the *direct access*, and also Guardian's
 claim of these firms willingly participating in PRISM. I argued that
 direct access is untrue in my previous email, but none of your replies
 (except Rich's) are relevant to my arguments.

What would you call a FISA API for government agents to query a system
and return data on a target? Would you call that direct access or an
indirect access? If Google runs the FISA API server, does that make it
more or less direct than if the FISA API server is a blackbox run by the
NSA?

 
 The direct access bit is what made this story sensational. Without this
 bit, the story would be much less juicy but more true. In the long run,
 truth gives more power than lies. Washington Post has backed down to
 reality, for which I applaud their judgment. Guardian has not, and keeps on
 defending their misinformation and bad reporting, for which I resent deeply.
 

You don't know the truth and you seem to think you do. The story that is
important is that Google makes one claim, while the NSA slide makes
another. Note that the law doesn't allow Google to even tell the press
the whole truth.

 If Snowden and Greenwald do not mislead the world on 'direct access and
 just report it rationally, I'd applaud their courage. Now I think Snowden
 is not more than a self-aggrandizing douche.
 

I'm sorry, did you watch his video interview? On what grounds do you
call him a self-aggrandizing douche exactly?

 I hope internet freedom can advance with accurate awareness, not by public
 paranoia.

You take issue with a very weird semantic bit of the larger story. How
does such semantic nitpicking, where you don't actually even know the
facts behind your speculations, help advance any cause, anywhere?

All the best,
Jacob


Re: [liberationtech] Cryptocat: Translation Volunteers Needed

2013-06-10 Thread Nadim Kobeissi
Catherine,
Opera is not shut out. It's simply difficult to develop for Opera due to its 
limited browser extension API. Your email made it sound as if Cryptocat had 
something against the Opera browser.

We have a ticket open for Opera compatibility in our code base. If you'd like 
to, you can contribute to Cryptocat for Opera development here:
https://github.com/cryptocat/cryptocat/issues/190

NK

On 2013-06-10, at 6:10 PM, Catherine Roy ecr...@catherine-roy.net wrote:

 Congrats. But, as I asked in a private email to which I got no response, is 
 there any reason why Opera is shut out ?
 
 Best,
 
 
 Catherine
 
 -- 
 Catherine Roy
 http://www.catherine-roy.net
 
 
 
 On 2013-06-10 17:44, Nadim Kobeissi wrote:
 Thanks so much to everyone who helped! The translations are now all up to 
 date.
 
 I'd like to extend special thanks to Dragana Kaurin from OpenITP. OpenITP is 
 launching a localization management platform soon, too, so I hope working 
 with them will make this stuff easier in the future. :-)
 
 NK
 
 
 On 2013-05-24, at 10:23 PM, Buddhadeb Halder bhalder...@gmail.com wrote:
 
 Hi Nadim,
 I have done with the Bengali translation.
 Thanks,
 Buddha
 
 
 
 On Fri, May 24, 2013 at 6:36 PM, Nadim Kobeissi na...@nadim.cc wrote:
 Hi everyone,
 An entire Cryptocat translation is less than 300 words.
 
 You can view translations here. There is an easy-to-use interface that can 
 help you input your translations:
 https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/
 
 Priority lies with the following languages. The rest is good to go:
 • Czech
 • Estonian
 • Urdu
 • Tibetan
 • Khmer
 • Uighur
 • Chinese (Hong Kong)
 • Bengali
 • Latvian
 
 Thanks again to everyone who already helped! :-)
 
 
 
 NK
 
 
 On Fri, May 24, 2013 at 6:53 AM, Moritz Bartl mor...@torservers.net wrote:
 On 24.05.2013 11:09, Sjoerd de Vries wrote:
 About how much is needed to translate. Are you talking about 1.000 words
 or more about 1.000.000 words. If it isn't too much I'm willing to help
 you translate to Dutch
 Nadim should have made this more clear: All translations and texts are
 readily available. Anyone can add or refine translations of sentences.
 There's no need to send anything else, everything is at the following link:
 
 https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/
 
 To work on a translation, just create a Transifex account and add
 yourself to the translation team.
 
 --
 Moritz Bartl
 https://www.torservers.net/


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread Nadim Kobeissi

On 2013-06-10, at 6:09 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

 x z:
 @Jacob, I agree with your points regarding American exceptionalism.
 @Eugen, to prepare for the worst scenario is one thing, to advocate some
 shady rumor as fact is another.
 @Rich, those are good movie scripts :-). But it does not work for 9 firms,
 and hundreds of execs all with diverse values and objectives.
 @Nadim, when you say we all always 'knew' this was happening, I don't
 know what this refers to. Is it NSA surveillance, or is it the direct
 access bit?
 
 To me, the crucial point is the *direct access*, and also Guardian's
 claim of these firms willingly participating in PRISM. I argued that
 direct access is untrue in my previous email, but none of your replies
 (except Rich's) are relevant to my arguments.
 
 What would you call a FISA API for government agents to query a system
 and return data on a target? Would you call that direct access or an
 indirect access? If Google runs the FISA API server, does that make it
 more or less direct than if the FISA API server is a blackbox run by the
 NSA?
 
 
 The direct access bit is what made this story sensational. Without this
 bit, the story would be much less juicy but more true. In the long run,
 truth gives more power than lies. Washington Post has backed down to
 reality, for which I applaud their judgment. Guardian has not, and keeps on
 defending their misinformation and bad reporting, for which I resent deeply.
 
 
 You don't know the truth and you seem to think you do. The story that is
 important is that Google makes one claim, while the NSA slide makes
 another. Note that the law doesn't allow Google to even tell the press
 the whole truth.
 
 If Snowden and Greenwald do not mislead the world on 'direct access and
 just report it rationally, I'd applaud their courage. Now I think Snowden
 is not more than a self-aggrandizing douche.
 
 
 I'm sorry, did you watch his video interview? On what grounds do you
 call him a self-aggrandizing douche exactly?

I can't believe I was actually feeling bad for this guy yesterday. Dismissing 
one of the greatest whistleblowers of the century as a self-aggrandizing douche 
is just beyond words. Maybe we're being trolled.

NK

 
 I hope internet freedom can advance with accurate awareness, not by public
 paranoia.
 
 You take issue with a very weird semantic bit of the larger story. How
 does such semantic nitpicking, where you don't actually even know the
 facts behind your speculations, help advance any cause, anywhere?
 
 All the best,
 Jacob


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread Nadim Kobeissi
On 2013-06-10, at 6:26 PM, Yosem Companys compa...@stanford.edu wrote:

 The distinction between direct or indirect access is semantic, not 
 substantive, and likely irrelevant to most Americans.  What Americans want to 
 know is whether there is access to their personal data, and I would bet focus 
 groups would show that's the key takeaway of this incident.

Hear hear. And not just Americans want to know this — due to the fact that most 
Big Data is centred in the US, these secret programs affect the privacy of 
world citizens as well, just as much, and in the same way, as they affect 
Americans.

NK

 
 As I said, a recent NY Times article spoke specifically of the embedding of 
 NSA employees at US tech firms via firms' corporate legal departments, and we 
 know how it happened at ATT, with the employee getting carte blanche to do 
 whatever he wanted at the firm and take as much data as he wanted with no 
 questions asked.  
 
 On Mon, Jun 10, 2013 at 3:09 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
 x z:
  @Jacob, I agree with your points regarding American exceptionalism.
  @Eugen, to prepare for the worst scenario is one thing, to advocate some
  shady rumor as fact is another.
  @Rich, those are good movie scripts :-). But it does not work for 9 firms,
  and hundreds of execs all with diverse values and objectives.
  @Nadim, when you say we all always 'knew' this was happening, I don't
  know what this refers to. Is it NSA surveillance, or is it the direct
  access bit?
 
  To me, the crucial point is the *direct access*, and also Guardian's
  claim of these firms willingly participating in PRISM. I argued that
  direct access is untrue in my previous email, but none of your replies
  (except Rich's) are relevant to my arguments.
 
 What would you call a FISA API for government agents to query a system
 and return data on a target? Would you call that direct access or an
 indirect access? If Google runs the FISA API server, does that make it
 more or less direct than if the FISA API server is a blackbox run by the
 NSA?
 
 
  The direct access bit is what made this story sensational. Without this
  bit, the story would be much less juicy but more true. In the long run,
  truth gives more power than lies. Washington Post has backed down to
  reality, for which I applaud their judgment. Guardian has not, and keeps on
  defending their misinformation and bad reporting, for which I resent deeply.
 
 
 You don't know the truth and you seem to think you do. The story that is
 important is that Google makes one claim, while the NSA slide makes
 another. Note that the law doesn't allow Google to even tell the press
 the whole truth.
 
  If Snowden and Greenwald do not mislead the world on 'direct access and
  just report it rationally, I'd applaud their courage. Now I think Snowden
  is not more than a self-aggrandizing douche.
 
 
 I'm sorry, did you watch his video interview? On what grounds do you
 call him a self-aggrandizing douche exactly?
 
  I hope internet freedom can advance with accurate awareness, not by public
  paranoia.
 
 You take issue with a very weird semantic bit of the larger story. How
 does such semantic nitpicking, where you don't actually even know the
 facts behind your speculations, help advance any cause, anywhere?
 
 All the best,
 Jacob


Re: [liberationtech] NSA whistleblower revealed

2013-06-10 Thread Gregory Foster

On 6/10/13 4:40 PM, Tom Ritter wrote:

On 9 June 2013 17:43, Matt Johnson railm...@gmail.com wrote:

I have to say going to Hong Kong for free speech and safety seems like
a very odd choice to me. What was he thinking?

I actually think Hong Kong seems pretty smart. Parroting the news
organizations, Hong Kong has some extradition protection against
political crimes.


Christian Science Monitor (Jun 10) - Edward Snowden: Why the NSA 
whistleblower fled to Hong Kong by Peter Ford (Beijing):

http://www.csmonitor.com/World/Asia-Pacific/2013/0610/Edward-Snowden-Why-the-NSA-whistleblower-fled-to-Hong-Kong

Has details on recent changes in Hong Kong's asylum law relevant to this 
case.


HT @douglasmcnabb,
https://twitter.com/douglasmcnabb/status/344216800227119104

gf

--
Gregory Foster || gfos...@entersection.org
@gregoryfoster  http://entersection.com/



[liberationtech] Spin alerts

2013-06-10 Thread Todd Davies
Two issues that are tending to get conflated in the wider discourse 
about PRISM, Boundless Informant, etc. are:

(1) Are these programs justified?
(2) Was it justified to keep the existence of these programs secret?

Snowden has said his primary judgment was about question (2), but 
proponents of surveillance are acting as if all we need to address is (1). 
This is an important distinction because even conservatives like David 
Brooks have said they think the existence of these programs should be 
public knowledge (The secrecy of the program was a mistake. I agree with 
that. - 
http://www.pbs.org/newshour/bb/politics/jan-june13/politicalwrap_06-07.html#transcript). 
How can this mistake be corrected without whistleblowers like Snowden, 
when Congressional oversight is as deferential as it is?


On (1), there is a poll out today that focuses just on phone records, 
which the Washington Post headline summarizes as Most Americans back NSA 
tracking phone records, prioritize probes over privacy 
(http://www.washingtonpost.com/politics/most-americans-support-nsa-tracking-phone-records-prioritize-investigations-over-privacy/2013/06/10/51e721d6-d204-11e2-9f1a-1a7cdee20287_story.html).


But once you read it, you see that these opinions depend heavily on 
whether the respondent's own party is in power:


In early 2006, 37 percent of Democrats found the agency’s activities
acceptable; now nearly twice that number — 64 percent — say the use of
telephone records is okay. By contrast, Republicans slumped from 75
percent acceptable to 52 percent today.

So rather than looking at overall public support at a given time, a better 
number to look at when assessing public support is the one from people 
whose party does not control the White House, averaged across different 
parties, which puts support well below 50% in this case. People don't get 
to remove the effects of their support for surveillance when presidents 
they don't trust take power.


Todd

Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread x z
I argue that direct access or not is substantive, not semantic. We have
the following two versions of the story:

*A: The Guardian story alleges that NSA has direct access to user data from
major internet firms, and these firms are willingly cooperating with NSA
for the capability of en masse data pull. It indicates that NSA can pull
whatever data they feel like, and that NSA has such dark power that all the
internet firms have to kowtow.*

*B: On the other hand, NSA and these companies' statement is consistent to
what most of us have already known, that NSA can request data from these
firms on the basis of FISA. And the data pull is quite limited. (By the
way, it doesn't really matter it's US or non-US citizens to me, there's
nothing special about America).*

Do you think the difference between the two is merely semantic? Also, if
you believe in A, then everybody on the NSA/corporation side are liars, and
we are truly living in a police state. This, is, not, semantic.

@Jacob, if your hypothetical FISA API thingy works only on the limited data
the firms knowingly disclose to NSA, then it's not a big deal. This FISA
API thing is semantic, not substantive, to use your classification scheme.

@Yosem, I always applaud the accurate disclosure of the ATT and Verizon
cases. That is one thing that we need to change.

Let me stress it again, I am not rooting for B, I think it needs more
transparency and FISA needs revision. But let's not pretend that the
government is so powerful, that *is* paranoia.



2013/6/10 Jacob Appelbaum ja...@appelbaum.net

 Yosem Companys:
  The distinction between direct or indirect access is semantic, not
  substantive, and likely irrelevant to most Americans.  What Americans want
  to know is whether there is access to their personal data, and I would bet
  focus groups would show that's the key takeaway of this incident.

 Indeed.

 
  As I said, a recent NY Times article spoke specifically of the embedding of
  NSA employees at US tech firms via firms' corporate legal departments, and
  we know how it happened at ATT, with the employee getting carte blanche to
  do whatever he wanted at the firm and take as much data as he wanted with
  no questions asked.

 The word stasi comes to mind with this kind of DIRECT ACCESS. The
 server, taps and likely API itself are almost irrelevant details when we
 consider HUMAN INFILTRATION as part of the NSA strategy.

 Land of the free... refill?

 All the best,
 Jacob

Re: [liberationtech] Spin alerts

2013-06-10 Thread Andrés Leopoldo Pacheco Sanfuentes
Of course they're not justified, unless you want to flush civil liberties
down the drain.
On Jun 10, 2013 6:03 PM, Todd Davies dav...@stanford.edu wrote:

 Two issues that are tending to get conflated in the wider discourse about
 PRISM, Boundless Informant, etc. are:
 (1) Are these programs justified?
 (2) Was it justified to keep the existence of these programs secret?

 Snowden has said his primary judgment was about question (2), but
 proponents of surveillance are acting as if all we need to address is (1).
 This is an important distinction because even conservatives like David
 Brooks have said they think the existence of these programs should be
 public knowledge (The secrecy of the program was a mistake. I agree with
 that. - http://www.pbs.org/newshour/bb/politics/jan-june13/politicalwrap_06-07.html#transcript).
 How can this mistake be corrected without whistleblowers like Snowden,
 when Congressional oversight is as deferential as it is?

 On (1), there is a poll out today that focuses just on phone records,
 which the Washington Post headline summarizes as Most Americans back NSA
 tracking phone records, prioritize probes over privacy
 (http://www.washingtonpost.com/politics/most-americans-support-nsa-tracking-phone-records-prioritize-investigations-over-privacy/2013/06/10/51e721d6-d204-11e2-9f1a-1a7cdee20287_story.html).

 But once you read it, you see that these opinions depend heavily on
 whether the respondent's own party is in power:

 In early 2006, 37 percent of Democrats found the agency’s activities
 acceptable; now nearly twice that number — 64 percent — say the use of
 telephone records is okay. By contrast, Republicans slumped from 75
 percent acceptable to 52 percent today.

 So rather than looking at overall public support at a given time, a better
 number to look at when assessing public support is the one from people
 whose party does not control the White House, averaged across different
 parties, which puts support well below 50% in this case. People don't get
 to remove the effects of their support for surveillance when presidents
 they don't trust take power.

 Todd

Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread Jacob Appelbaum
x z:
 I argue that direct access or not is substantive, not semantic. We have
 the following two versions of the story:
 
 *A: The Guardian story alleges that NSA has direct access to user data from
 major internet firms, and these firms are willingly cooperating with NSA
 for the capability of en masse data pull. It indicates that NSA can pull
 whatever data they feel like, and that NSA has such dark power that all the
 internet firms have to kowtow.*
 

That is correct.


 *B: On the other hand, NSA and these companies' statement is consistent to
 what most of us have already known, that NSA can request data from these
 firms on the basis of FISA. And the data pull is quite limited. (By the
 way, it doesn't really matter it's US or non-US citizens to me, there's
 nothing special about America).*

This sounds like semantic bickering. If the FISA order says to pull data
on your account, your account is pulled; Twitter did not automate it,
others did.

 
 Do you think the difference between the two is merely semantic? Also, if
 you believe in A, then everybody on the NSA/corporation side are liars, and
 we are truly living in a police state. This, is, not, semantic.

Yes. It is semantic. The reason is because under FISA, basically any and
all data is fair game. Thus, a FISA API may be only limited in what it
might say and as we see from Verizon, well, gosh, some limit! However,
UPSTREAM tells us how they complete the picture.

So in the case of the Verizon order, if they installed a tapping device
on a span port in Verizon's network - does that count as direct access?
I'd say yes.

 
 @Jacob, if your hypothetical FISA API thingy works only on the limited data
 the firms knowingly disclose to NSA, then it's not a big deal. This FISA
 API thing is semantic, not substantive, to use your classification scheme.
 

The firms don't know it, perhaps some agent might know but say, the CEO
of Google? Is he read into the program and cleared? If not, actually,
I'd argue that the firm doesn't know it. Nor would the board.

 @Yosem, I always applaud the accurate disclosure of the ATT and Verizon
 cases. That is one thing that we need to change.

 
 Let me stress it again, I am not rooting for B, I think it needs more
 transparency and FISA needs revision. But let's not pretend that the
 government is so powerful, that *is* paranoia.
 

FISA needs to be torn down. It is a disgrace.

The US Government is powerful and what we see is that the only thing
you're grasping at here is about direct versus indirect access
semantics. In good time, I think you will find that you were seriously
mistaken by your read on all of these things. I look forward to hearing
your suggestions on what to do next - once you accept the seriously
awful reality that is reflected in these leaks and in places like Bluffdale.

All the best,
Jacob


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread fukami
Heu! 

On 11.06.2013, at 01:11, x z xhzh...@gmail.com wrote:
 I argue that direct access or not is substantive, not semantic. We have
 the following two versions of the story:
 
 *A: The Guardian story alleges that NSA has direct access to user data from
 major internet firms, and these firms are willingly cooperating with NSA
 for the capability of en masse data pull. It indicates that NSA can pull
 whatever data they feel like, and that NSA has such dark power that all the
 internet firms have to kowtow.*
 
 *B: On the other hand, NSA and these companies' statement is consistent to
 what most of us have already known, that NSA can request data from these
 firms on the basis of FISA. And the data pull is quite limited. (By the
 way, it doesn't really matter it's US or non-US citizens to me, there's
 nothing special about America).*
 
 Do you think the difference between the two is merely semantic? Also, if
 you believe in A, then everybody on the NSA/corporation side are liars, and
 we are truly living in a police state. This, is, not, semantic.

Taking a look how this works in other countries, I'm sure it works pretty
much the same way in the US. I.e. in Germany there is traffic duplication 
at provider level where the data gets sent over so-called SINA boxes - 
nowadays even without any sort of real safeguards, and providers simply 
don't know anymore what's really going on in their networks (so far for the 
Upstream part for LI and homeland secret service). 

For direct data access there are in fact known APIs for everything, be 
it Swift, PNR or whatever. You shouldn't need much fantasy to get an idea 
of the actual implementation at service level. So I agree 100% with Jake.
And really: At the end it doesn't matter how exactly it works - it just 
does and it is widely used. 

As a side note: An interesting story popped up today in the German press 
where an 18-year-old au pair got sent back home because of her private Facebook 
conversations. So it seems that even the DHS has this kind of capabilities. 
Given the fact that there are thousands of people entering the US every day,
do you really think they don't get this information in an automated fashion
via API? I seriously doubt that.  

 @Jacob, if your hypothetical FISA API thingy works only on the limited data
 the firms knowingly disclose to NSA, then it's not a big deal. This FISA
 API thing is semantic, not substantive, to use your classification scheme.

Jake made the most important point already: The law doesn't allow the 
companies to even tell the whole story. Although it might look like a weak 
argumentation, it is in fact a strong one. 

Also do you *really* believe a guy like Zuckerberg more than internal training 
material of the NSA? I don't for a simple reason: Why should they lie on these 
slides? It makes no sense at all. These were not made with a public audience 
in mind. This has nothing to do with paranoia of any sort but common sense.


Take care,
  fukami


--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Cryptocat: Translation Volunteers Needed

2013-06-10 Thread Catherine Roy

On 10/06/2013 6:18 PM, Nadim Kobeissi wrote:

Catherine,
Opera is not shut out. It's simply difficult to develop for Opera due to its 
limited browser extension API. Your email made it sound as if Cryptocat had something 
against the Opera browser.


My email is simply stating that Opera is shut out. How else should I 
interpret this message : Cryptocat is not available for your browser.


See screenshot : http://www.flickr.com/photos/zazie/9010759541/

I sent you a message off-list to inquire about this and received no 
response.




We have a ticket open for Opera compatibility in our code base. If you'd like 
to, you can contribute to Cryptocat for Opera development here:
https://github.com/cryptocat/cryptocat/issues/190


I am not a developer. Must we all be developers to have a significant 
influence on these types of issues ?


Best regards,


Catherine

--
Catherine Roy
http://www.catherine-roy.net





NK

On 2013-06-10, at 6:10 PM, Catherine Roy ecr...@catherine-roy.net wrote:


Congrats. But, as I asked in a private email to which I got no response, is 
there any reason why Opera is shut out ?

Best,


Catherine

--
Catherine Roy
http://www.catherine-roy.net





Re: [liberationtech] Cryptocat: Translation Volunteers Needed

2013-06-10 Thread Moritz Bartl
On 11.06.2013 02:21, Catherine Roy wrote:
 We have a ticket open for Opera compatibility in our code base. If
 you'd like to, you can contribute to Cryptocat for Opera development
 here:
 I am not a developer. Must we all be developers to have a significant
 influence on these types of issues ?

In capitalism, you can also pay someone to do it for you.

Given that Opera has roughly 1-2% market share, only introduced plugins
(too) late, and now decided to switch to Webkit in the future, why would
there be much incentive for anyone to support a more-or-less legacy
browser? It involves a lot of work.

-- 
Moritz Bartl
https://www.torservers.net/


Re: [liberationtech] Cryptocat: Translation Volunteers Needed

2013-06-10 Thread Dragana Kaurin
 you're the best nadim. thank you so much :)


On Monday, June 10, 2013 17:44 EDT, Nadim Kobeissi na...@nadim.cc wrote: 
 
 Thanks so much to everyone who helped! The translations are now all up to 
 date.
 
 I'd like to extend special thanks to Dragana Kaurin from OpenITP. OpenITP is 
 launching a localization management platform soon, too, so I hope working 
 with them will make this stuff easier in the future. :-)
 
 NK
 
 
 On 2013-05-24, at 10:23 PM, Buddhadeb Halder bhalder...@gmail.com wrote:
 
  Hi Nadim,
  I have done with the Bengali translation.
  Thanks,
  Buddha
 On Fri, May 24, 2013 at 6:36 PM, Nadim Kobeissi na...@nadim.cc 
 wrote:
  Hi everyone,
  An entire Cryptocat translation is less than 300 words.
   You can view translations here. There is an easy-to-use interface that 
   can help you input your translations:
  https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/
   Priority lies with the following languages. The rest is good to go:
  • Czech
  • Estonian
  • Urdu
  • Tibetan
  • Khmer
  • Uighur
  • Chinese (Hong Kong)
  • Bengali
  • Latvian
   Thanks again to everyone who already helped! :-)
 NK
On Fri, May 24, 2013 at 6:53 AM, Moritz Bartl mor...@torservers.net 
wrote:
  On 24.05.2013 11:09, Sjoerd de Vries wrote:
   About how much is needed to translate. Are you talking about 1.000 words
   or more about 1.000.000 words. If it isn't too much I'm willing to help
   you translate to Dutch
   Nadim should have made this more clear: All translations and texts are
  readily available. Anyone can add or refine translations of sentences.
  There's no need to send anything else, everything is at the following link:
   https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/
   To work on a translation, just create a Transifex account and add
  yourself to the translation team.
   --
  Moritz Bartl
  https://www.torservers.net/
 
 
 
 
-- 
Dragana Kaurin
Program Associate
OpenITP
kau...@openitp.org
(937) 626 3617 



[liberationtech] DNI Clapper's NBC interview

2013-06-10 Thread Gregory Foster
Office of the Director of National Intelligence (Jun 10) - Director 
James R. Clapper Interview with Andrea Mitchell, NBC News Chief Foreign 
Affairs Correspondent (Liberty Crossing, Tyson's Corner, VA: Jun 8, 1pm):

http://www.dni.gov/index.php/newsroom/speeches-and-interviews/195-speeches-interviews-2013/874-director-james-r-clapper-interview-with-andrea-mitchell

NBC (Jun 8) - Clapper: Surveillance leaks fallout is 'gut-wrenching':
http://www.nbcnews.com/id/21134540/vp/52144169#52144169

Ms. Mitchell: Senator Wyden made quite a lot out of your exchange with 
him last March during the hearings. Can you explain what you meant 
when you said there was not data collection on millions of Americans?


Director Clapper: First, as I said, I have great respect for Senator 
Wyden. I thought though in retrospect I was asked when are you going 
to start--stop beating your wife kind of question which is, meaning 
not answerable necessarily, by a simple yes or no. So I responded in 
what I thought was the most truthful or least most untruthful manner, 
by saying, “No.” And again, going back to my metaphor, what I was 
thinking of is looking at the Dewey Decimal numbers of those books in 
the metaphorical library. To me collection of U.S. Persons data would 
mean taking the books off the shelf, opening it up and reading it.


Amongst unrelated psychological hypotheses, I have encountered no better 
proof that the NSA's operating legal definition of the verb to collect 
stipulates a human being requesting specific information.  This is the 
legal cover NSA whistleblower Bill Binney has emphasized as enabling the 
NSA's automated *collection* of digital content.


And yes, Director Clapper compared the NSA's datastore to an electronic 
library - wherein you, and I, and all human beings are therefore: the 
books.


Does Director Clapper know you cannot judge a book by its cover? ...
gf

--
Gregory Foster || gfos...@entersection.org
@gregoryfoster  http://entersection.com/


Re: [liberationtech] Android Full-Disk Encryption Cracked

2013-06-10 Thread Dev Random
It's important for the data-at-rest password to have lots of entropy.
But using a long password for unlocking the screen annoys the user, and
they will choose a shorter one. Therefore it's important to separate them.

See this open source app to set them separately:
https://play.google.com/store/apps/details?id=org.nick.cryptfs.passwdmanager

The screen unlock password is used for authentication while the OS is
running, so throttling is enough to defend against password guessing.

On 04/29/2013 12:09 PM, Seth David Schoen wrote:
 Griffin Boyce writes:
 
 Hashkill can now determine the master password for Android's full-disk
 encryption scheme.

 image showing the process: http://i.imgur.com/bFUf7lR.png
 script: https://github.com/gat3way/hashkill

 Thoughts?
 
 It seems like this is just a tool for doing dictionary and
 brute force attacks against these passwords, not a class-break
 that is inherently able to decrypt every single Android device.
 
 So, if your Android FDE passphrase is long and unpredictable
 enough, this tool should still not be able to crack it.
 
 There are a lot of problems about disk encryption on small
 mobile devices.  One that was highlighted by Belenko and
 Sklyarov at Black Hat EU 2012 is that mobile device CPUs are
 relatively slow, so it's difficult to do very large numbers of
 iterations of key derivation functions, which would make
 brute-force cracking slower.
 
 http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf
 https://en.wikipedia.org/wiki/Key_derivation_function
 
 The more KDF iterations that are used, the slower _both_
 unlocking by the legitimate authenticated user and offline
 cracking will be.  But if the legitimate user's device has
 a slow CPU, the user may not accept the human-perceptible
 delays that would result from using a lot of iterations.
 
 This tradeoff is a pretty fundamental problem.  The user
 wants to unlock their device using a very short, easy-to-
 remember code.  They want the device to be able to unlock
 quickly when this code is entered, using information that
 can be calculated from the code in a short time on a
 comparatively slow mobile CPU.  Then they also want someone
 with a very fast cracking device like a desktop GPU not to
 be able to brute-force that same code quickly.
 
 Belenko and Sklyarov also observed that some mobile crypto
 applications were just not using KDFs at all or were using
 them improperly, but I don't know of an indication that
 that's true of the official Android FDE.  Another problem
 is that, especially if people are using touchscreens, they
 may want a very short unlock PIN rather than a long
 passphrase, which will inherently favor cracking.  (For
 example, if you imagine a system with a 5-digit numeric
 PIN, you can quickly conclude that there is no number of
 KDF iterations that will be acceptable to the mobile device
 user and be a practical deterrent to a brute-force attacker
 with even a single desktop GPU, at least for KDFs that can
 be implemented efficiently on a GPU.)
 
 I don't think this problem is very well appreciated by
 mobile device crypto users!
 
 Two ways to address this that come to mind would be using
 tamper-resistant hardware (which apparently Apple is doing
 for crypto in iOS devices) to store or generate the
 decryption keys using cryptographic secrets kept inside
 the particular device itself, and finding some way for
 the user to somehow input a much higher entropy unlock
 password.
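
Added example (not part of the original messages): a small model of the
tradeoff described in the message above, where every extra KDF iteration
slows the phone and the offline attacker by the same factor. The two
throughput constants and the 2,000-iteration figure are assumptions chosen
for illustration, and the salt and PIN are constructed sample values.

```python
import hashlib
import math

# Assumed throughput figures, chosen for illustration (not from the thread):
PHONE_RATE = 1e5  # PBKDF2-HMAC-SHA1 iterations/second on a slow mobile CPU
GPU_RATE = 1e9    # iterations/second for an attacker with one desktop GPU
DAY = 86_400


def derive_key(secret: str, salt: bytes, iterations: int) -> bytes:
    """Stretch an unlock secret into a 16-byte key with PBKDF2-HMAC-SHA1."""
    return hashlib.pbkdf2_hmac("sha1", secret.encode(), salt, iterations, 16)


def unlock_delay(iterations: int, rate: float = PHONE_RATE) -> float:
    """Seconds the legitimate user waits for one key derivation."""
    return iterations / rate


def exhaust_time(keyspace: int, iterations: int, rate: float = GPU_RATE) -> float:
    """Worst-case seconds for an offline search of the entire keyspace."""
    return keyspace * iterations / rate


def iterations_to_resist(keyspace: int, seconds: float, rate: float = GPU_RATE) -> int:
    """Iteration count needed so exhausting the keyspace takes `seconds`."""
    return math.ceil(seconds * rate / keyspace)


def entropy_bits_to_resist(iterations: int, seconds: float, rate: float = GPU_RATE) -> float:
    """Secret entropy (bits) needed at a fixed, tolerable iteration count."""
    return math.log2(seconds * rate / iterations)


def search_pin(salt: bytes, target: bytes, iterations: int, digits: int):
    """Exhaust a numeric PIN space against a derived key (audit of a weak setup)."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if derive_key(pin, salt, iterations) == target:
            return pin
    return None


if __name__ == "__main__":
    pin_space = 10 ** 5  # the 5-digit numeric PIN from the message
    for iters in (2_000, 100_000, iterations_to_resist(pin_space, DAY)):
        print(f"{iters:>11} iterations: unlock {unlock_delay(iters):9.2f} s, "
              f"PIN space exhausted in {exhaust_time(pin_space, iters):9.1f} s")
    # Constructed sample: a 4-digit PIN and a fixed salt, low count to run fast.
    salt = bytes(range(16))
    print("recovered:", search_pin(salt, derive_key("4821", salt, 50), 50, 4))
    # A passphrase at a tolerable count instead needs roughly this much entropy:
    print(f"{entropy_bits_to_resist(2_000, 365 * DAY):.1f} bits to last a year")
```

Under these assumed rates, making a 5-digit PIN survive one day of offline
search costs the user 8,640 seconds per unlock, which is why the practical
fixes are a higher-entropy secret or a key bound to tamper-resistant hardware.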
 



Re: [liberationtech] Spin alerts

2013-06-10 Thread Matthew Finkel
On Mon, Jun 10, 2013 at 11:03 PM, Todd Davies dav...@stanford.edu wrote:

 Two issues that are tending to get conflated in the wider discourse about
 PRISM, Boundless Informant, etc. are:
 (1) Are these programs justified?
 (2) Was it justified to keep the existence of these programs secret?

 Snowden has said his primary judgment was about question (2), but
 proponents of surveillance are acting as if all we need to address is (1).
 This is an important distinction because even conservatives like David
 Brooks have said they think the existence of these programs should be
 public knowledge (The secrecy of the program was a mistake. I agree with
 that. - http://www.pbs.org/newshour/bb/politics/jan-june13/politicalwrap_06-07.html#transcript).
 How can this mistake be corrected without whistleblowers like Snowden,
 when Congressional oversight is as deferential as it is?

 On (1), there is a poll out today that focuses just on phone records,
 which the Washington Post headline summarizes as Most Americans back NSA
 tracking phone records, prioritize probes over privacy (
 http://www.washingtonpost.com/politics/most-americans-support-nsa-tracking-phone-records-prioritize-investigations-over-privacy/2013/06/10/51e721d6-d204-11e2-9f1a-1a7cdee20287_story.html
 ).

 But once you read it, you see that these opinions depend heavily on
 whether the respondent's own party is in power:

 In early 2006, 37 percent of Democrats found the agency’s activities
 acceptable; now nearly twice that number — 64 percent — say the use of
 telephone records is okay. By contrast, Republicans slumped from 75
 percent acceptable to 52 percent today.

 So rather than looking at overall public support at a given time, a better
 number to look at when assessing public support is the one from people
 whose party does not control the White House, averaged across different
 parties, which puts support well below 50% in this case. People don't get
 to remove the effects of their support for surveillance when presidents
 they don't trust take power.

 Todd


An interesting statistic will be the long-term outcome of this. The cat's
out of the bag regarding (2), and public opinion of (1) appears to vary,
but will the public's opinion now change because the idea is no longer
hyperbole and paranoia? And will this be true regardless of on which side
of the aisle you expect your representative to sit?

Also, to whom and by what standards are these programs justified? We can
all hypothesize the reasoning that is being used: known terrorists,
suspected terrorist, enemies of the state, etc. But this is another piece
of the puzzle that is still secret. Sure, it's all in the interest of
national security, but we really have no idea where this line is drawn.
Dianne Feinstein...went to the FISA court and asked that the FISA court
report more frequently, or at all, on what it is doing...and the court
refused. So, Clapper said that she's now asked him to report within a month
on ways where they could narrow the scope of what they're vacuuming up,
without hurting national security says Andrea Mitchell. [0] I'm not
holding my breath. Note, also, that these requests are not regarding the
same subject matter. What are you doing? vs. Tell us how can you 'spy'
less given that we don't know what you're doing. Great.

Remember, don't falsely yell TERRORIST! in a crowded theater, the
consequences could be worse than yelling fire. [1]

[0] http://video.msnbc.msn.com/msnbc/52144169#52144169 via Gregory Foster
[1] http://en.wikipedia.org/wiki/Shouting_fire_in_a_crowded_theater

Re: [liberationtech] Spin alerts

2013-06-10 Thread Todd Davies

On Mon, 10 Jun 2013, Gregory Maxwell wrote:


On Mon, Jun 10, 2013 at 4:03 PM, Todd Davies dav...@stanford.edu wrote:

Two issues that are tending to get conflated in the wider discourse about
PRISM, Boundless Informant, etc. are:
(1) Are these programs justified?
(2) Was it justified to keep the existence of these programs secret?


(1) can't be answered in a vacuum of secrecy because— as almost anyone
who finds the program concerning would agree— a fundamental concept of
democracy is no one person or small group of people has the general
moral authority to make that kind of decision— absent some kind of
immediate exigency ... uh, which is really hard to argue for something
which has gone on so long.

And so absent (2) we can't even have the conversation about (1).  I
think these two points are less distinct than you think they are:  (2)
was the question Snowden needed to answer for himself so that the rest
of us would be able to even consider (1).


I agree with your last sentence (after the colon), Gregory. And my own 
answer to both questions is a firm no. But if we want to convince enough 
others, we need to pay attention to what *they* think. My point was that 
there are lots of people who answer yes to (1) and no to (2). And that 
is an opening. The opinion poll I also mentioned shows us that people 
haven't really thought this through, because about half the U.S. 
population change their position on surveillance depending on who is in 
power at the moment.


Todd