Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-03-05 Thread Rich Kulawiec
On Fri, Feb 15, 2013 at 01:35:53PM -0800, Adam Fisk wrote:
 At the risk of getting swept up in this by consciously saying something
 unpopular, I want to put my shoulder against the wheel of the "open source
 process produces more secure software" machine. [snip]

I've been thinking about your (excellent) comments for several weeks now.
And I'm going to argue that open source doesn't necessarily produce more
secure software, but it's a prerequisite for any credible attempt.  And
that in this particular case, there's just no substitute for it.

But before I get started, let me point out that I'm very much *not*
arguing that the contrapositive is true, that open source == chewy
goodness automatically.  We've all seen open source code that was junk.
Lots of it.  We've all probably written some, too; I know I have.

So here goes:

Consider this hypothetical: you have the imaginary disease Bieberitis,
which progressively imposes the characteristics of Justin Bieber on you,
then kills you.  So not only do you die, you die badly.  Clearly: it's
an awful fate.

There are only two drugs available to treat this disease.

Drug A has a history that looks something like this: the basic
biochemistry has been known for 18 years.  It's been studied at multiple
universities and research institutions.  There are numerous published
papers on it.  Early animal trials were conducted 15 years ago, and those
results were published as well, leading to another round of animal trials
with a slightly different formulation and more publication.  Following
review by independent agencies 12 years ago, limited human trials were
held, with still more publication.  A lengthy review and debate ensued,
the drug was discussed and debated at numerous conferences and meetings,
other (new) researchers weighed in with their papers, and a second
round of human trials took place 9 years ago.  Following that, review
by multiple government agencies commenced.  Additional work continued
in parallel on refinement of dosage and delivery.  Eventually, following
another blizzard of paperwork and publication, the drug was approved --
and is now available to you.  Studies are still ongoing, of course,
and it's expected that half a dozen more papers will be published in
refereed journals this year.

So: drug A has a long history.  Lots of clueful eyeballs have investigated
it personally, and many more clueful eyeballs have read the published body
of work, thought about it, argued about it, reviewed it, critiqued it,
supported it, rebutted it, and otherwise been involved in the process.
Moreover: nearly all those clueful eyeballs are INDEPENDENT clueful
eyeballs, who have, in many cases, substantial motivation to disprove
claims made -- since one of the best ways to make one's academic
reputation is to perform ingenious, ground-breaking work which
demonstrates that something everyone agrees on is completely wrong.

Now, about drug B: drug B has no publications associated with it.
It's never been independently reviewed.  It has none of the lengthy
history of A.  What's it got?  It's got a shiny color brochure written by
the marketing department that tells you how great it is, because it was
developed by some of the top people ever.  Really.  Top people.  As in:

Major Eaton: We have top men working on it now.
Indiana Jones: Who?
Major Eaton: Top...men.

That's it.  That's all you get.  Promises.  Assurances.  Hand-waving.
Top...men.

Now: which drug are you going to take?

Of course the obvious answer is A, since B is more commonly known as
"snake oil".  It's garbage.  No thinking, responsible person would
ever choose B, because -- absent the history and the research and
the publication and everything else -- it might be the instant cure
for Bieberitis, or it might be sugar pills, or it might be poison.
There's no way to know.

All serious fields of intellectual endeavor use the same model as I
outlined in the development of drug A, which I'll lump under the rubric
"peer review".  Architecture and law, physics and economics, medicine and
civil engineering, everybody uses this.  And they use it because, despite
its flaws, it works really, really well.  It's an essential component of
the scientific method.  It's how we make forward progress, however slowly.

Fields of study that don't use this are crap.  Astrology, creationism,
alchemy, homeopathy, phrenology, and yes, closed-source software: all crap.

There is no way we should accept what any closed-source vendor claims
about their code.  There is no reason to, no matter who they are, no
matter how much we trust them, no matter how pure their motives are.
Heck, we often can't even trust OUR OWN CODE to do what we think we want
it to do, even when we're staring right at it -- so why in the world
should we make the fantastic leap of faith to trust someone else's when
we can't even see it?

Closed-source software is the equivalent of drug B.  We're expected
to take the authors' word that it 

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-03-05 Thread Nadim Kobeissi
Rich,
That was the best email I have ever read on this mailing list.
Congratulations and thank you. Please post this as a blog post somewhere.


NK


On Tue, Mar 5, 2013 at 6:23 PM, Rich Kulawiec r...@gsp.org wrote:


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-20 Thread Joseph Lorenzo Hall
Another aspect of this discussion I'm a bit surprised that no one has yet 
raised is the simple truth that no amount of testing and source code review can 
(or should) anoint a tool as secure.

Even with formally provably secure software, OS, hardware, etc. it is still a 
very hard problem to make sure the code you fuzzed, reviewed, tested, 
statically analyzed, etc. ends up being the code you run.

We faced this in a few projects hacking US voting machines where we had to 
struggle with the question of how much does one get from open source... the 
answer was "not necessarily necessary or sufficient" (but that was not in a 
human rights context).

best, Joe

--
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
https://www.cdt.org/

On Feb 19, 2013, at 18:36, Q. Parker ghostdan...@gmail.com wrote:

 On Tue, Feb 19, 2013 at 11:21:11PM +0100, Julian Oliver wrote:
 ..on Mon, Feb 18, 2013 at 08:00:24PM -0800, Adam Fisk wrote:
 
 I think the principle of that is great, but in practice we just can't
 all review all the code all the time. In practice we often end up
 trusting open source code that is far worse reviewed than much of the
 closed source code we trust. I'm not trying to attack open source --
 I've been writing open source code full time for the past 13 years --
 it's what I do. But I don't think we should be delusional about it.
 
 
 I find this an unproductive black-and-white argument. Proprietary software
 does not grant and encourage its own users even the /possibility/ to fully
 audit the service whereas open source software does.
 
 It's a no brainer, quite frankly.
 
 We need to simply stop considering proprietary solutions at all (as it's
 clearly ridiculous to have any case of trust built atop it) and make our
 starting point the wide variety of open source software, some of which is
 poorly engineered and some which is not.
 
 The "what sucks the least" scale must begin with open source, not proprietary
 offerings from for-profit companies with a centralised service.
 
 Again, it's a no-brainer.
 
 This is a pretty gross oversimplification that ignores a lot of realities
 about the nature of trust and how complicated things like large software
 systems are assembled.
 
 First, it seems that "trust" in the context of this thread means "do the
 readers of this list trust this software", which has come to mean, from my
 reading, "do the members of this list have unfettered access to the source
 code". That's a rather narrow view of trust. There are all sorts of reasons
 a human rights activist might choose to trust a vendor. After all, for a
 non-technical user, what's to recommend the opinion of a volunteer over the
 opinion of a number of professionals working at a relatively small firm?
 The first is wholly dependent on the expertise and access of the volunteer.
 The second is wholly dependent on the expertise and access of the
 professional. The latter, however, comes with the sense of trust that people
 tend to have for somebody whose livelihood depends upon maintaining a track
 record of fulfilling obligations to customers with competence and good
 faith. It's not so simple as "volunteer is better than vendor".
 
 Second, I think it's hard to defend the claim that end users always know
 more about the inner workings of large open source projects than they do
 closed ones at private firms. Does everybody who uses Debian observe
 key-signing parties among Debian developers? No, they don't. Do I use open
 firmware? Do I know with absolute certainty what every piece of hardware in
 my laptop is doing? No, not really. We make decisions about which systems
 we should trust and in what way based on a complicated series of risk
 assessments, each based on a lot of factors. I think the assertion that
 open source projects are always of higher quality by virtue of being open
 and that the issue is just that simple is hard to defend. For most users,
 the code being open doesn't make it any more possible for them to review
 it. They'd still have to trust another reviewer, right? It's not so simple
 as open versus closed source.
 
 Third, I think responses on the list tend to be excessively hostile toward
 for-profit firms that hope to make a living by selling/making software. A
 good many such firms have contributed substantially to the Linux kernel and
 the Debian distribution. There are a lot of competing interests at play, as
 made obvious by the parallel thread about Ubuntu's Dash product search. But
 I'm sure there are a lot of list members who've thoroughly enjoyed the
 conveniences afforded them by the Ubuntu distro, for example, only to break
 into hysterics over the in-built product search (which should be opt-in but
 is disabled pretty easily) without offering up any alternative suggestions
 for paying Canonical developers. Does it make sense to expect all security
 work to happen with grant money? Do we 
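Joe's point, that the code you fuzzed and reviewed has to be the code you actually run, is one you can at least partly check mechanically. What follows is an added example, not code from this thread or from any project discussed in it: it builds a deterministic SHA-256 manifest of a reviewed source tree, builds the same manifest for the tree that was deployed, and reports files that went missing, were added, or were modified. The directory layout and file contents are constructed inside the script purely for the demonstration.

```python
"""Added example (not from the thread): diff a deployed tree against the
manifest of the tree that was actually reviewed.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root.

    Directories and filenames are sorted so the manifest is the same no
    matter what order the filesystem happens to return entries in.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # in-place sort controls os.walk's descent order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(reviewed, deployed):
    """Return (missing, added, modified) as sorted lists of relative paths.

    missing  : present in the reviewed tree but absent from the deployed one
    added    : present in the deployed tree but never reviewed
    modified : present in both with different content
    """
    missing = sorted(p for p in reviewed if p not in deployed)
    added = sorted(p for p in deployed if p not in reviewed)
    modified = sorted(p for p in reviewed if p in deployed and reviewed[p] != deployed[p])
    return missing, added, modified


def demo():
    """Constructed scenario: a reviewed tree and a deployed copy in which one
    file was altered after review and one file was slipped in."""
    with tempfile.TemporaryDirectory() as tmp:
        reviewed_dir = os.path.join(tmp, "reviewed")
        deployed_dir = os.path.join(tmp, "deployed")
        # Constructed sample content; the file names are hypothetical.
        files = {
            "main.py": b"print('hello')\n",
            "lib/crypto.py": b"KEY_BITS = 256\n",
        }
        for d in (reviewed_dir, deployed_dir):
            os.makedirs(os.path.join(d, "lib"))
            for rel, data in files.items():
                with open(os.path.join(d, rel), "wb") as f:
                    f.write(data)
        # Tamper with the deployed copy only.
        with open(os.path.join(deployed_dir, "lib", "crypto.py"), "wb") as f:
            f.write(b"KEY_BITS = 40\n")
        with open(os.path.join(deployed_dir, "lib", "extra.py"), "wb") as f:
            f.write(b"# never reviewed\n")

        reviewed = build_manifest(reviewed_dir)
        deployed = build_manifest(deployed_dir)
        return compare_manifests(reviewed, deployed)


if __name__ == "__main__":
    missing, added, modified = demo()
    print("missing:", missing)
    print("added:", added)
    print("modified:", modified)
```

Two caveats that the thread itself raises. The check only covers the two trees you can see; it says nothing about the compiler, runtime, firmware or hardware underneath, which is the harder part of Joe's problem, and extending it to compiled artifacts needs a reproducible build so that two independent builds of the reviewed source produce identical bytes. And the manifest is only as trustworthy as the channel it arrived over: in practice it is signed by the reviewer and the signature checked before it is compared against anything.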

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-19 Thread Adam Fisk
On Fri, Feb 15, 2013 at 2:01 PM, Nadim Kobeissi na...@nadim.cc wrote:
 On Fri, Feb 15, 2013 at 4:35 PM, Adam Fisk af...@bravenewsoftware.org
 wrote:

 I'm certainly more confident in the overall security of silent circle in
 its first release than I was in the overall security of cryptocat.


 Of course this is true. The first release of Cryptocat was made in early
 2011 by me back when I was in my second year of university and only barely
 beginning to understand proper programming and security practice. It was an
 experimental product full of holes and by no means secure. The first release
 of Silent Circle was by a team of superheroes with 25 years of experience in
 being totally badass. Big difference!

That's really my point exactly -- there are many things that determine
the security of a piece of software.


 But when your model is closed-source, you're not participating in
 reviewable, verifiable security practice and you're negatively affecting the
 practical cryptography industry as a whole. Look at Cryptocat — it
 progressed from a toy into a real product that I'm proud of, and that fully
 passed a security audit with a 100/100 score just last week
 (https://blog.crypto.cat/2013/02/cryptocat-passes-security-audit-with-flying-colors/)
 after two years of hard work, restructuring and redesigning the whole thing,
 and getting alternatively beaten up and helped by experts in the field.—
 This would have *never* happened had we not been open source from the
 beginning.

Sure. Again, I believe that open source is a beneficial license for
security, but we have to keep in mind that it's a means to an end --
secure code -- and that it's not the only means. I think you were
beaten up unfairly under the circumstances for cryptocat 1, and I
similarly think we're beating up Silent Circle unfairly.


 Being open source is a painful but necessary process. It invites criticism,
 bone-breaking and having to admit bad design, apologize for your mistakes
 and work hard on fixing them. But only through that process you create
 something great that benefits the security community by offering
 opportunities to learn. Sure, Silent Circle started off as a good product,
 but by being closed-source they disregard the proper practice of what makes
 this industry progress in terms of engineering, and they cast a shadow of
 uncertainty and closed progress upon themselves, too.


There are just so many aspects that go into software licensing that I
just don't draw that same line. If the goal is secure code, I again
think the key is having an adequate number of capable people analyzing
and dissecting that code on a constant basis. That can mean closed
source code audits, and it can mean having a full time security team
analyzing and improving the code at all times (Google, Facebook, many
others) regardless of the software license. Open source is awesome,
and I believe in it wholeheartedly, but I don't think if an
organization doesn't open source their code they're automatically
crazy and kicked out of the club.

-a
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-19 Thread Brian Conley
Adam,

There is a difference between telling someone you should *trust* this
software and telling them this software is probably going to work for you
because of X, Y & Z.

I feel like you are conflating two different issues. I firmly believe you
should *never* just *trust* encryption software that is not open to
independent auditing at *any time.*

However, we don't live in an open source utopia yet, so yes, we make
judgement calls based on what information *is* available to the public. But
I think you're making a bit of a tempest in a teapot here.

(Yes I realize I am possibly the last person who should be making such
comments, though I'm trying to be better about it.)

Whether or not code *IS* secure is not the issue. It is whether or not you
should *TRUST* code that cannot be *VERIFIED SECURE* and verified
*INDEPENDENTLY AT ANY TIME*.

You might believe Apple or Google are secure, in fact I would be willing to
believe Facebook is doing its damnedest to keep their servers and users
data secure, **within their closed paradigms** which may or may not line up
with my needs as an individual user at any given time. And I can't engage
in informed consent in that process, except where I consent that I do not
get to know Corporation X's paradigm.

regards

Brian

PS even crypto-gods are fallible. and that's not a bad thing, it's just
human nature.

On Tue, Feb 19, 2013 at 10:00 AM, Adam Fisk a...@littleshoot.org wrote:





-- 
Brian Conley
Director, Small World News
http://smallworldnews.tv
m: 646.285.2046
Skype: brianjoelconley

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-19 Thread Nadim Kobeissi
On Tue, Feb 19, 2013 at 5:05 PM, Brian Conley bri...@smallworldnews.tv wrote:


 PS even crypto-gods are fallible. and that's not a bad thing, its just
 human nature.


Yep. The day after Silent Phone code was published, someone found a privacy
issue:
https://github.com/SilentCircle/silent-phone-base/issues/3

It's definitely true that the people behind Silent Circle are badasses. But
no one is excused from proper cryptography practice just because of who
they are. Mistakes exist in all software and it's totally okay and normal
for your software to have mistakes — just follow the proper procedure from
the first step.




Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-19 Thread Julian Oliver
..on Mon, Feb 18, 2013 at 08:00:24PM -0800, Adam Fisk wrote:
 
 I think the principle of that is great, but in practice we just can't
 all review all the code all the time. In practice we often end up
 trusting open source code that is far worse reviewed than much of the
 closed source code we trust. I'm not trying to attack open source --
 I've been writing open source code full time for the past 13 years --
 it's what I do. But I don't think we should be delusional about it.


I find this an unproductive black-and-white argument. Proprietary software does
not grant and encourage its own users even the /possibility/ to fully audit the
service whereas open source software does. 

It's a no brainer, quite frankly. 

We need to simply stop considering proprietary solutions at all (as it's clearly
ridiculous to have any case of trust built atop it) and make our starting point
the wide variety of open source software, some of which is poorly engineered and
some which is not.

The what sucks the least scale must begin with open source, not proprietary
offerings from for-profit companies with a centralised service.

Again, it's a no-brainer.

Cheers,

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-18 Thread Adam Fisk

 I don't think anyone would claim that every piece of free software is
 automatically more secure than every piece of proprietary software,
 because as you say there are many other factors involved.

Nor would I!


 But in your definition of security, you seem to be discounting the
 user's ability to verify things for herself, or to commission a 3rd
 party to verify things for her. You seem to be treating security merely
 as a trust issue, or an available/obvious/likely exploits issue.

I really think it's just a matter of building something that works,
that actually is secure, and I think there are many factors that go
into that. Open source can be a great advantage, but not if none of
those users actually do go and verify things for themselves. The
reality is that none of us have the time to verify the security of all
the tools we use, and that's even if everyone had the expertise. We
all trust the vast majority of the tools we use as a result. That's
not by any means to say that security should be based on that trust -
it should be based on peer review, continuous research, and careful
coding. All of that takes a great deal of time and often money,
however, and poorly funded open source projects usually fall way short
because they've got one part of the structure right but not the
others. Proprietary software clearly falls way short all the time too.
All that said, there's just an astounding degree of cooperation in
this community of people devoting countless hours to improving the
security of so many tools, and that's certainly to be applauded, but
those people are largely fighting an uphill battle because they're
underfunded.


 That's a limit on the definition that doesn't work for me. Software that
 I can't look at or ask someone to look at is by definition insecure in
 one important way.

I think the principle of that is great, but in practice we just can't
all review all the code all the time. In practice we often end up
trusting open source code that is far worse reviewed than much of the
closed source code we trust. I'm not trying to attack open source --
I've been writing open source code full time for the past 13 years --
it's what I do. But I don't think we should be delusional about it.


 Your points also don't disprove the claim that, if you are designing a
 new project that you want to be secure, a free software approach should
 be chosen. You should do lots of other things right too, of course, that
 have nothing to do with licensing.

Totally agreed! It can just be overemphasized amongst the list of
factors -- it's a super important one to be sure, but not the only
one.

-Adam


 -john

 --
 John Sullivan | Executive Director, Free Software Foundation
 GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS

 Do you use free software? Donate to join the FSF and support freedom at
 http://www.fsf.org/register_form?referrer=8096.
 --
 Unsubscribe, change to digest, or change password at: 
 https://mailman.stanford.edu/mailman/listinfo/liberationtech



-- 
--
Adam
pgp A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-18 Thread Miles Fidelman

Adam Fisk wrote:
but there are many other factors at play, including the resources and 
expertise an organization is able to devote to the problem. Apple, for 
example, has an overall great security track record, with most of that 
code closed source. 


Umm last time I looked, most of the guts, and the attack surface, of 
MacOS are NOT closed source, they're derived from BSD unix and the code 
is mostly open source.  The proprietary stuff is a relatively thin layer 
on top of that.


Having said that, if you want to look at folks with LOTS of money and 
expertise to apply - and a pretty good track - look at NSA.


Then again, it's pretty hard to tell about the security provided by 
closed source systems - are they really secure, or is it a matter of 
security by obscurity (think of those NSA chips that are designed to 
self-destruct if you try to dissect them), and the various crypto 
systems that have been compromised because human beings stole crypto 
boxes from embassies.   One of the real problems with closed-source 
systems is that you create a target of opportunity - compromise the 
organization behind the technology and you can either identify 
vulnerabilities, or insert them surreptitiously.


Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra



Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-15 Thread Adam Fisk
When I say million, I always mean billion...

On Fri, Feb 15, 2013 at 1:35 PM, Adam Fisk a...@bravenewsoftware.org wrote:
 At the risk of getting swept up in this by consciously saying something
 unpopular, I want to put my shoulder against the wheel of the open source
 process produces more secure software machine. The reasons for software
 licensing are complex, as we all know, but I'm certainly more confident in
 the overall security of silent circle in its first release than I was in the
 overall security of cryptocat 1. Why? Because there are much more
 experienced people involved (not meant as a jab Nadim - PZ had about a 25
 year head start if not more) and also because they have judiciously sought
 the review of experts prior to release. If you have to choose between open
 and closed in terms of the potential for building a secure architecture, of
 course open is overall better, but there are many other factors at play,
 including the resources and expertise an organization is able to devote to
 the problem. Apple, for example, has an overall great security track record,
 with most of that code closed source. Having $100 million in the bank helps.
 A lot. It helps a lot more than the license. In fact the overall number of
 eyes on the code is likely the more relevant factor - the precise area where
 open source ostensibly scores such a resounding victory, but only if in fact
 more experienced eyes review the code than they do comparable closed source
 systems.

 It just seems healthier to recognize this is a complex issue, and I don't
 think reducing it to open versus closed source does that complexity justice.

 -Adam


 On Wednesday, February 6, 2013, Nadim Kobeissi wrote:

 What I'm trying to point out is that Silent Circle can call itself a
 super-group creating unbreakable encryption, market closed-source software
 towards activists, and some experts will still speak out for them
 favourably.


 NK


 On Wed, Feb 6, 2013 at 11:21 PM, Brian Conley bri...@smallworldnews.tv
 wrote:

 C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree
 fundamentally with anything he said there?

 Brian

 On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc wrote:

 Chris Soghoian gives Silent Circle's unbreakable encryption an entire
 article's worth of lip service here, it must be really unbreakable:

 http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone


 NK


 On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley bri...@smallworldnews.tv
 wrote:

 I heard they have a super secret crypto clubhouse in the belly of an
 extinct volcano.

 Other rumors suggest they built their lab in the liberated tunnels
 beneath bin Laden's secret lair in Pakistan...

 Sent from my iPad

 On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc wrote:

 Actual headline.


 http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market


 NK





 --
 Sent from Gmail Mobile



--
Adam
pgp A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-14 Thread Fabio Pietrosanti (naif)
On 2/14/13 8:36 AM, Jacob Appelbaum wrote:
 The live code review with ascii art was really something to behold. It
 was some kind of new art form that isn't very good but at the same time
 is nearly impossible to not watch...
Something interesting happened yesterday; here is a summary in case someone
would like to get on it again:

* After a few hours the pad was vandalized with insults aimed at Nadim
https://pad.riseup.net/p/silentcircle

* A Backup of the Pad content has been put read-only online (with some
comments and further analysis to be done)
  * http://pastebit.com/pastie/12001
  * http://pastebin.com/dKRPrGMN

* SilentCircle source code has been temporarily removed from Github:
https://github.com/SilentCircle/silent-phone-base

* Nadim opened a ticket to ask about the code back:
https://github.com/SilentCircle/silent-phone-base/issues/1

* A new (different) version of the code has been uploaded online:
https://github.com/SilentCircle/silent-phone-base

* Someone in the meantime put the original code back online (as a zip
archive):
http://jednorog.sneakyness.com/1U060B2S3I1P

* A diff between the original SC opensource release and the modified
SC opensource release reveals some code differences
 * Output of "git diff original/silent-phone-base new/silent-phone-base/ > sc.patch"
 is available at
http://temp-share.com/show/f3Yg95cXn

-naif


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-14 Thread Petter Ericson
On 14 February, 2013 - Fabio Pietrosanti (naif) wrote:


A quick scan through the patch seems to indicate it is _mostly_
formatting changes.

A version bump 14322 to 14326 on the CFBundleVersion.

And various license headers (BSD-style afaict - not a license expert)

Oh, and they removed an snprintf, and const-declared an argument.

Also a new android make file and a tina_exp.h header.

All in all, nothing _too_ exciting I don't think... 

Non-formatting/licensing changes extracted below:


diff --git 
a/original/silent-phone-base/silentphone/apple/ios/Classes/CallManeger.mm 
b/new/silent-phone-base/silentphone/apple/ios/Classes/CallManeger.mm
index ac8cf87..d185e90 100644
--- a/original/silent-phone-base/silentphone/apple/ios/Classes/CallManeger.mm
+++ b/new/silent-phone-base/silentphone/apple/ios/Classes/CallManeger.mm
@@ -70,7 +70,7 @@ NSString *toNSFromTB(CTStrBase *b);
 }
 
 -(void)redraw{
-
+
if(!calls-getCallCnt()){
   [[self navigationController] popViewControllerAnimated:YES];
   return;
   
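Review bot: the only `-`/`+` pair in this hunk replaces a blank line with a blank line, i.e. a whitespace-only change (trailing spaces or line endings), so it is exactly the formatting noise this excerpt set out to exclude; the snprintf removal and the const-qualified argument mentioned above do not appear in any of the lines kept here, and the hunk that contains them should be quoted in full, since that is the one change in this patch that deserves a reviewer's attention.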
@@ -99,14 +99,14 @@ NSString *toNSFromTB(CTStrBase *b);
 
 - (id)initWithStyle:(UITableViewStyle)style
 {
...
 - (void) viewWillAppear:(BOOL)animated
@@ -129,7 +129,7 @@ NSString *toNSFromTB(CTStrBase *b);
 - (void)viewDidDisappear:(BOOL)animated{
...
@@ -143,22 +143,22 @@ NSString *toNSFromTB(CTStrBase *b);
...
 }
 
 - (void)viewDidUnload
 {
...
@@ -166,18 +166,18 @@ NSString *toNSFromTB(CTStrBase *b);
 
 - 
(BOOL)shouldAutorotateToInterfaceOrientation:(UIInterfaceOrientation)interfaceOrientation
...
 - (NSInteger)numberOfSectionsInTableView:(UITableView *)tableView
...
 - (NSInteger)tableView:(UITableView *)tableView 
numberOfRowsInSection:(NSInteger)section
...
@@ -188,13 +188,13 @@ NSString *toNSFromTB(CTStrBase *b);
... 
 -(void)tableView:(UITableView *)tableView willDisplayCell:(UITableViewCell 
*)cell forRowAtIndexPath:(NSIndexPath *)indexPath{
...
@@ -207,7 +207,7 @@ NSString *toNSFromTB(CTStrBase *b);
...
 - (UITableViewCell *)tableView:(UITableView *)tableView 
cellForRowAtIndexPath:(NSIndexPath *)indexPath
...
@@ -486,14 +492,14 @@ NSString *toNSFromTB(CTStrBase *b);

 - (void)tableView:(UITableView *)tableView 
didSelectRowAtIndexPath:(NSIndexPath *)indexPath
...
diff --git 
a/original/silent-phone-base/silentphone/apple/ios/VoipPhone/VoipPhone-Info.plist
 b/new/silent-phone-base/silentphone/apple/ios/VoipPhone/VoipPhone-Info.plist
index 319dbde..0431a76 100755
--- 
a/original/silent-phone-base/silentphone/apple/ios/VoipPhone/VoipPhone-Info.plist
+++ b/new/silent-phone-base/silentphone/apple/ios/VoipPhone/VoipPhone-Info.plist
keyCFBundleVersion/key
-   string14322/string
+   string14326/string
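Review bot: this plist fragment has no `@@` hunk header and its XML tags were lost in transit (`keyCFBundleVersion/key` and `string14326/string` should read `<key>CFBundleVersion</key>` and `<string>14326</string>`), so it will not apply as a patch; the 14322 to 14326 bump itself is worth recording against the version string of the shipped app, so reviewers can tell which published tree corresponds to the binary users actually run.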
diff --git 
a/new/silent-phone-base/silentphone/codecs/vTiVi/android/jni/Android.mk 
b/new/silent-phone-base/silentphone/codecs/vTiVi/android/jni/Android.mk
new file mode 100644
...
diff --git 
a/new/silent-phone-base/silentphone/codecs/vTiVi/android/jni/tina_exp.h 
b/new/silent-phone-base/silentphone/codecs/vTiVi/android/jni/tina_exp.h
new file mode 100644
...
diff --git 
a/original/silent-phone-base/silentphone/encrypt/zrtp/libwerner_zrtp.a 
b/original/silent-phone-base/silentphone/encrypt/zrtp/libwerner_zrtp.a
deleted file mode 100644
...
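Review bot: the removal of `libwerner_zrtp.a`, a prebuilt static library under `encrypt/zrtp/`, is missing from the summary above (only the snprintf, const, Android.mk and tina_exp.h changes are listed), yet for a release published for review it is the change that matters most: a binary cannot be audited, so the review should confirm that the new tree builds its ZRTP code from source rather than pulling the library in from somewhere else. Both sides of this header read `a/original/...` and `b/original/...`, an artefact of diffing two directories rather than two revisions, which is also why the new files above show `a/new/...` paths.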
diff --git a/original/silent-phone-base/silentphone/utils/CTCoutryCode.cpp 
b/new/silent-phone-base/silentphone/utils/CTCoutryCode.cpp
index dd67a09..a36db86 100755
--- a/original/silent-phone-base/silentphone/utils/CTCoutryCode.cpp
+++ 

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-14 Thread Nadim Kobeissi
The collaborative platform which we've been using to inspect Silent
Circle's code (and where we were making good progress) has been
continuously vandalized for the past seven hours straight. Yes, that's
someone who's been on that pad for literally seven hours trying to prevent
collaboration. They've specifically been flooding the pad with insults
directed at me, and nothing else. This happened shortly after Silent Circle
code was taken offline for around 20 minutes.

This really makes me wonder who would have the tenacity to attempt to stop
collaborative auditing of Silent Circle for seven straight hours, and would
coincidentally happen to have some apparently very real hatred towards me.


NK


On Thu, Feb 14, 2013 at 8:54 AM, Joseph Lorenzo Hall j...@cdt.org wrote:


 On Feb 14, 2013, at 7:35, Petter Ericson pett...@acc.umu.se wrote:

  And various license headers (BSD-style afaict - not a license expert)

 I'm no licensing expert but do think about them a lot... it looks like a
 non-commercial-uses version of a BSD-style license. That's much better than
 what I've seen before with "code released for review and testing only"-like
 licenses. best, Joe

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-14 Thread Nadim Kobeissi
Hi guys,
Let's set up another pad for collaboration, which hopefully will not get
vandalized.
Please try not to share this pad on Twitter or outside LibTech.

https://pad.riseup.net/p/silentcircle9504


NK


On Thu, Feb 14, 2013 at 9:43 AM, Nadim Kobeissi na...@nadim.cc wrote:


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-14 Thread Ali-Reza Anghaie
Nadim,

While I ~entirely~ agree this sucks and you've been mercilessly and
tastelessly trolled - if you're inferring there was any relation to the SC
code being swapped out - that's an irrelevant and unnecessary stretch.

Let's look at it from the other side w/ the same irrelevant
and unnecessary stretching..

Early in the pad you admitted to jumping the gun and people were already
calling you out. You even, if you recall, said there may be a point to
criticizing you for all the LOLing comments and such. You were - for all
intents and purposes - an ass early on. You did admit that in a lengthy
back-and-forth with one of the anonymous parties before the whole
conversation and your LOLing were deleted. I think deleted by you with
humility and the intention of drawing attention back to the task at hand -
or one could speculate you just don't want any evidence you were a jerk
(and that would be unfair I think you'd agree). Whoever (or how many ever)
are/were trolling you were bringing up Slashdot, the CSIS incident,
Cryptocat, etc. etc. and seems to have it out for you. I'm not convinced
that's at all related to SC itself - just mostly pissing on you for
behavior.

I only write that narrative out because you repeatedly exclude yourself
from ~any~ criticism when it comes to reporting back to the list. This
too, like the mysterious trolling, can lead to conspiracy chains of
thoughts. And I'm certain you don't appreciate that unfounded inference any
more than any other party does. So don't further promote that cycle.

Regarding the SC code swap itself - as I pointed out (but has also been
lost in the noise) there were two different github profiles to the same
person and it appeared that all that really happened (besides a codebase
update) was that the acct he was using for non-SC stuff was used to
initially upload silent-phone-base and that whole account's worth of stuff
was pulled and re-uploaded under the account that originally set up all the
SC stuff. Occam's Razor applies here.

-Ali



On Thu, Feb 14, 2013 at 9:43 AM, Nadim Kobeissi na...@nadim.cc wrote:


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-14 Thread Lex van Roon

All,

First of all, hi, I'm Lex van Roon from the Netherlands, and I've been
a lurker of this list up until now. Seeing the issues you guys have
had with keeping the silentcircle pad up & running, I've set up a pad
on one of my colo boxen on which I have root access. This way, I can
maintain a black- or whitelist for access towards this pad. Let me
know if you need this service, and if you need it, what your
requirements are for it.

Kind Regards,

Lex van Roon
--
LRO-RIPE | 398E38C3 | 748D 6359 389B 4E5A 4A44 82F5 BEC5 07FD 398E 38C3


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Joseph Lorenzo Hall
looks like the Silent Circle code is up on github?

https://github.com/SilentCircle

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Nadim Kobeissi
This is good news! Still far from a complete source code release, but it's
good that they're progressing, even if very slowly.

Once all of the code is out I'll finally shut up about Silent Circle.


NK


On Wed, Feb 13, 2013 at 5:51 PM, Joseph Lorenzo Hall j...@cdt.org wrote:


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Fabio Pietrosanti (naif)
Here are some notes I collected with a quick review of the source code:

https://pad.riseup.net/p/silentcircle

-naif

On 2/14/13 1:36 AM, Nadim Kobeissi wrote:


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Nathan of Guardian
Fabio Pietrosanti (naif):
 Here some notes i collected with a quick review of the source code:

I can see the headlines now...

Cryptography super-group more like a cover band
Cryptography Boy Band covers Latvian super-group
Cryptography super-group? More like Milli Vanilli!

or perhaps simply:
SilentCircle's premier product was outsourced, and based on
out-of-date security libraries with known bugs

Finally, just to be clear, I have nothing against re-using code,
especially open-source projects that are complementary. This is exactly
what we have done for our work on OSTN/OStel.

I do have a problem with people representing software they license from
someone else as their own brilliant, woven-by-the-gods invention.

+n



Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Nadim Kobeissi
So to recap:
It hasn't been a few hours since Silent Circle released *some* of their
source code, and we already know that:


   1. Silent Circle isn't built to be a secure communications platform,
   but is simply a rebranding of TiviPhone, a Latvian-made VoIP software, with
   added encryption libraries,
   2. The encryption libraries are themselves not developed by Silent
   Circle, but are third party libraries,
   3. The third party libraries are in some cases outdated, even in the face
   of security advisories,
   4. There's a good possibility of a buffer overflow being there
   somewhere, with over 40 uses of snprintf().

I know what I'm doing this weekend! :D


NK


On Wed, Feb 13, 2013 at 11:33 PM, Nathan of Guardian 
nat...@guardianproject.info wrote:

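Point 4 above treats the number of snprintf() calls as an overflow indicator; what an auditor actually has to check is how each call's return value is used, since snprintf() never writes past the size it is given but returns the length the complete output would have had. The following is an added example (mine, not Silent Circle's or TiViPhone's code) showing that classic misuse beside a checked version; the "user@host;tag" format, the 16-byte buffer and the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * snprintf(buf, cap, ...) stores at most cap-1 characters plus a NUL, but
 * RETURNS the number of characters the complete output would have needed.
 * Code that takes that return value as "bytes written" and uses it as the
 * offset for further writes goes out of bounds as soon as the first piece
 * is truncated.  Constructed format: "<user>@<host>;<tag>" in CAP bytes.
 */

enum { CAP = 16, ARENA = 64, CANARY = 0x5A };

/* Vulnerable pattern (constructed for illustration). */
void build_unchecked(char *buf, size_t cap, const char *user,
                     const char *host, const char *tag)
{
    int n = snprintf(buf, cap, "%s@%s", user, host);
    size_t taglen = strlen(tag);
    /* BUG: when "user@host" was truncated, n > cap.  buf + n then points
     * past the buffer and cap - n wraps to a huge size_t, so this bounds
     * check always passes and both writes below land out of bounds. */
    if (n >= 0 && taglen + 2 <= cap - (size_t)n) {
        buf[n] = ';';
        memcpy(buf + n + 1, tag, taglen + 1);   /* tag plus its NUL */
    }
}

/* Hardened pattern: validate the return value before using it as an
 * offset; on truncation leave a NUL-terminated prefix and report failure. */
bool build_checked(char *buf, size_t cap, const char *user,
                   const char *host, const char *tag)
{
    if (cap == 0)
        return false;
    int n = snprintf(buf, cap, "%s@%s", user, host);
    if (n < 0 || (size_t)n >= cap)
        return false;                     /* error or truncated output */
    size_t off = (size_t)n;               /* provably < cap from here on */
    int m = snprintf(buf + off, cap - off, ";%s", tag);
    return m >= 0 && (size_t)m < cap - off;
}

/* Convenience wrapper: checked build into a static CAP-byte buffer,
 * returning the string, or NULL when it did not fit. */
const char *checked_build(const char *user, const char *host, const char *tag)
{
    static char buf[CAP];
    return build_checked(buf, CAP, user, host, tag) ? buf : NULL;
}

/* Runs one builder on a CAP-byte region at the start of a larger,
 * canary-filled arena, so an overrun is visible as changed canary bytes
 * without touching memory the program does not own.  Returns how many
 * bytes beyond CAP were modified (0 means the builder stayed in bounds). */
size_t bytes_clobbered(bool hardened, const char *user, const char *host,
                       const char *tag)
{
    char arena[ARENA];
    memset(arena, CANARY, sizeof arena);
    if (hardened)
        build_checked(arena, CAP, user, host, tag);
    else
        build_unchecked(arena, CAP, user, host, tag);
    size_t hits = 0;
    for (size_t i = CAP; i < ARENA; i++)
        if (arena[i] != (char)CANARY)
            hits++;
    return hits;
}

int main(void)
{
    /* Fitting input: both versions produce the same string, which is why
     * this bug so often survives functional testing. */
    printf("checked, fits:     %s\n", checked_build("bob", "h.invalid", "t"));
    /* Oversized input: the unchecked builder writes past the 16 bytes it
     * was given; the checked one refuses and keeps a terminated prefix. */
    printf("unchecked overrun: %zu bytes\n",
           bytes_clobbered(false, "alice", "example.invalid", "tag=1234"));
    printf("checked overrun:   %zu bytes\n",
           bytes_clobbered(true, "alice", "example.invalid", "tag=1234"));
    return 0;
}
```

In a real audit the question for each of the forty-odd calls is therefore not "is snprintf used?" but "is its return value compared against the remaining size before anything is written at that offset?".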

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Nadim Kobeissi
Fabio just discovered that Silent Phone derives device IDs by hashing the
device IMEI with MD5...

WOW


NK


On Wed, Feb 13, 2013 at 11:51 PM, Nadim Kobeissi na...@nadim.cc wrote:


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Fabio Pietrosanti (naif)
Wait, wait, I just read some code here and there, without taking much care
about the logic of the code itself.

So there is stuff that should be checked in more detail by someone
else; notes by other people also ended up on that sort of
collaborative/chaotic pad https://pad.riseup.net/p/silentcircle .

-naif

On 2/14/13 5:54 AM, Nadim Kobeissi wrote:


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Ali-Reza Anghaie
The TiVi rebranding page is gone but the cache:

https://webcache.googleusercontent.com/search?q=cache:http://rebrand.tiviphone.com/

It would be utterly bizarre if Silent Circle started as a $199 euro
investment. I just can't swallow that. Not, by default, a negative
attribute - just - whacky.

I really hope they start responding more specifically soon. -Ali



On Thu, Feb 14, 2013 at 12:01 AM, Fabio Pietrosanti (naif) 
li...@infosecurity.ch wrote:


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Nadim Kobeissi
Who is light green on the etherpad??


NK


On Thu, Feb 14, 2013 at 12:13 AM, Ali-Reza Anghaie a...@packetknife.com wrote:


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Ali-Reza Anghaie
The last useful version of the Silent Circle pad before troll-erasing is at
http://pastebit.com/pastie/12001 if you want to DL it..

Useful has varying definitions. Cheers, -Ali



On Thu, Feb 14, 2013 at 12:30 AM, Nadim Kobeissi na...@nadim.cc wrote:

 Who is light green on the etherpad??


 NK


 On Thu, Feb 14, 2013 at 12:13 AM, Ali-Reza Anghaie 
 a...@packetknife.comwrote:

 The TiVi rebranding page is gone but the cache:


 https://webcache.googleusercontent.com/search?q=cache:http://rebrand.tiviphone.com/

 It would be utterly bizarre if Silent Circle started as a $199 euro
 investment. I just can't swallow that. Not, by default, a negative
 attribute - just - whacky.

 I really hope they start responding more specifically soon. -Ali




Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Brian Conley
Well so we've learned a few things:

1. The limits of completely open/anonymous spaces
2. Why anarchists operate in affinity groups and not everyone has equal right 
hooray!
3. Someone is obviously threatened by nadim(be proud not frustrated Nadim!)
4. People are still utter douchebags. I'm looking at you unnamed.

Thanks Ali.

Sent from my iPad

On Feb 13, 2013, at 22:26, Ali-Reza Anghaie a...@packetknife.com wrote:

 Before the pad was ruined we also found out that:
 
 - TiViPhone seems to be part of Silent Circle, (c) and all.. the lead 
 developers are listed on SC's founding page.
 - Likewise the libraries notes, except PolarSSL, also seem to be develop led 
 by people now working for Silent Circle.
 - Nadim admittedly jumped the gun on snprintf() issue
 - We can't verify the libraries used or any of the code against the binary 
 builds
 
 Etc.
 
 So the skewering was premature. The pad, with other commentary, before it was 
 ruined is DLable at http://pastebit.com/pastie/12001 .. the revision history 
 slider still works but who knows how long as someone is mercilessly trolling 
 Nadim through it now. -Ali
 
 
 
 On Wed, Feb 13, 2013 at 11:51 PM, Nadim Kobeissi na...@nadim.cc wrote:
 So to recap:
 It hasn't been a few hours since Silent Circle released *some* of their 
 source code, and we already know that:
 
 Silent Circle isn't built to be a secure communications platform, but is 
 simply a rebranding of TiviPhone, a Latvian-made VoIP software, with added 
 encryption libraries,
 The encryption libraries are themselves not developed by Silent Circle, but 
 are third party libraries,
 The third party libraries are in some cases outdated, even in the face of 
 security advisories,
 There's a good possibility of a buffer overflow being there somewhere, with 
 over 40 uses of snprintf().
 I know what I'm doing this weekend! :D
 
 
 NK
 
 
 On Wed, Feb 13, 2013 at 11:33 PM, Nathan of Guardian 
 nat...@guardianproject.info wrote:
 Fabio Pietrosanti (naif):
  Here some notes i collected with a quick review of the source code:
 
 I can see the headlines now...
 
 Cryptography super-group more like a cover band
 Cryptography Boy Band covers Latvian super-group
 Cryptography super-group? More like Milli Vanilli!
 
 or perhaps simply:
 SilentCircle's premiere product was outsourced, and based on
 out-of-date security libraries with known bugs
 
 Finally, just to be clear, I have nothing against re-using code,
 especially open-source projects that are complementary. This is exactly
 what we have done for our work on OSTN/OStel.
 
 I do have a problem with people representing software they license from
 someone else as their own brilliant, weaved-by-the-gods invention.
 
 +n
 

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-08 Thread Nadim Kobeissi
Overall, I am dissatisfied with Chris totally ignoring my point regarding
hype in the media. Chris selectively criticizes projects he doesn't like
when the media hypes them up, but when it's Silent Circle, even calling it
unbreakable crypto doesn't get anything out of him but dozens of
quotations all over their media blitz. I remain convinced that he is being
absolutely unfair and biased.


NK


On Thu, Feb 7, 2013 at 8:14 PM, Christopher Soghoian ch...@soghoian.net wrote:

 See Inline

 On Thu, Feb 7, 2013 at 12:15 PM, Andy Isaacson a...@hexapodia.org wrote:

 Silent Circle may be an excellent privacy app.  It might not have any
 significant security problems.  It might even do a good job of
 mitigating important platform-based attacks and supporting important new
 use cases (the burn after reading feature).  When it's actually open
 source I'll take a look and if it is good, I'll recommend it to users.

 Until that open review happens, I think it's inappropriate for voices in
 our community to commend or recommend such a proprietary system.  Each
 person makes their own choices, of course, and nobody should base their
 actions solely on what *I* think is right, but I hope you can hear my
 concerns and consider the outcomes of your actions.


 Twitter's official client and server code are not open source. That hasn't
 stopped the good folks at EFF, as well as many other privacy advocates from
 praising the company's law enforcement transparency policies, as well as
 Twitter's willingness to go the extra mile when responding to various forms
 of legal process.

 Much of Google's code, including all of the Gmail backend code is not open
 source, but that hasn't stopped privacy advocates from legitimately
 praising the company for voluntarily publishing some really useful data on
 government requests and DMCA takedown demands.

 Although I have not recommended Silent Circle to anyone, I believe that it
 is entirely legitimate to praise the company for its commitment to
 transparency regarding law enforcement requests and the company's overall
 law enforcement policy.

 Hell, looking at the list of companies ranked on EFF's Who's got your
 back website, closed source is by far the norm, not the exception. That
 hasn't stopped EFF from giving out gold stars where they feel they are
 deserved. See:
 https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back

 In fact, for many of the factors that I am most interested in, source code
 is completely irrelevant. Client source code does not reveal a company's
 data retention policy, and server data retention configurations are
 impossible to verify. Source code does not reveal whether a company will
 tell its users about subpoenas submitted for user data where not prevented
 from doing so by a gag order. Source code will not reveal a company's
 willingness to spend hundreds of thousands of dollars on legal bills to
 fight an improper request submitted by lawyers at the Department of
 Justice. For such things, you have to evaluate the company on its public
 policy (and, once the policy is put into action, you can judge the company
 via its track record).

 By all means, continue to harass Silent Circle about its source code.
 Likewise, please do hold journalists accountable for the bogus headlines
 they, or their editors have selected. But do not dismiss my legitimate
 interest in the law enforcement legal policies adopted by companies. These
 policies are often just as important, yet impossible to verify, even when
 companies publish their source code.

 Cheers,

 Chris


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-08 Thread Nadim Kobeissi
At this point, I'd like to realize that I'm no longer contributing
productively to this conversation. I've stated my points, would like to
apologize should anyone have felt offended, and am going to bow out.


NK



Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Christopher Soghoian
An entire article's worth of lip service?

“I’m agnostic about this,” he says, “I don’t really care if Silent Circle
captures this market, just as long as somebody does.”


I spent the entire interview with the Verge writer complaining about the
crappy security delivered by the wireless carriers, which, I think, is
entirely accurate, and consistent with my other efforts to shine light upon
the carriers' awful security.
See this in-depth today's Washington Post, for example:
http://www.washingtonpost.com/business/technology/android-phones-vulnerable-to-hackers/2013/02/01/f3248922-6723-11e2-9e1b-07db1d2ccd5b_print.html

It is clear that you seem to have developed a foaming-in-the-mouth,
irrational hate of Silent Circle. As such, anyone who fails to denounce
Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
shill.

I proudly stand by every single statement quoted in that Verge story.

Chris


On Wed, Feb 6, 2013 at 8:56 PM, Nadim Kobeissi na...@nadim.cc wrote:

 Chris Soghoian gives Silent Circle's unbreakable encryption an entire
 article's worth of lip service here, it must be really unbreakable:

 http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone


 NK


 On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley bri...@smallworldnews.tv wrote:

 I heard they have a super secret crypto clubhouse in the belly of an
 extinct volcano.

 Other rumors suggest they built their lab in the liberated tunnels
 beneath bin ladens secret lair in Pakistan...

 Sent from my iPad

 On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc wrote:

 Actual headline.


 http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market


 NK


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Andreas Bader
On 02/07/2013 04:42 AM, Nadim Kobeissi wrote:

Notionally there is no unbreakable encryption.
Practically there is an unbreakable encryption (AES, SHA-3); our
standards are more than adequate.
The risk with encryptions is more the possibility of a hardware hack.
Or a bad guy beating the shit out of you with a 5 Dollar Wrench until
you tell him the password.
In real life no one will use a super computer to break our hardcore
encrypted harddrives.

Andreas


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Jens Christian Hillerup
On Thu, Feb 7, 2013 at 11:41 AM, Andreas Bader noergelpi...@hotmail.de wrote:

I think Nadim was being sarcastic. I'm also eager to see what comes
from this. I too think it's rather odd that these supposedly
respectable cryptographers are so blatantly ignoring Kerckhoffs's
principle.

Quickly skimmed the article; it seems that you have to trust them to
*actually* encrypt your stuff on your phone before storing it on their
servers. As with so many others, it'd behoove them to put their code
where their mouths are; I don't mind them making money off of this,
but at least they should stop leveraging their big names in the
industry to get a lot of media attention around them selling
snake-oil.

JC


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Andreas Bader
On 02/07/2013 11:58 AM, Jens Christian Hillerup wrote:


Didn't get it, sorry.
I always forget that you can have humor in such a serious world. :-)

Andreas


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Nadim Kobeissi
Small follow-up:
Maybe it's true I look like my goal here is just to foam at the mouth at
Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
truly sorry. These are not my goals, even if my method seems forced.

I've tried writing multiple blog posts about Silent Circle, contacting
Silent Circle, asking journalists to *please* mention the importance of
free, open source in cryptography, and so on. All of this has failed. It
has simply become clear to me that Silent Circle enjoys a double standard
because of the reputation of those behind it.

Silent Circle may be developed by Gods, but this is just quite plainly
unfair. If someone repeatedly claims, towards activists, to have developed
unbreakable encryption, markets it closed-source for money, and receives
nothing but nods of recognition and applause from the press and even
from *security experts* (?!) then something is seriously wrong! No one
should be allowed to commit these wrongs, not even Silent Circle.

I feel like I'm fighting for our own sanity here. Look at what you're
allowing to happen!


NK


On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi na...@nadim.cc wrote:

 On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian 
 ch...@soghoian.net wrote:


 It is clear that you seem to have developed a foaming-in-the-mouth,
 irrational hate of Silent Circle. As such, anyone who fails to denounce
 Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
 shill.


 Chris,
 You have repeatedly stood up asking VoIP software to be more transparent
 about their encryption. You have repeatedly stood up when the media
 overblew coverage into hype.

 However, Silent Circle remains *the only case* where you remain mentioned
 regularly in articles on the company, where you make a point to completely
 ignore that they are posting everywhere on their social media that they are
 developing unbreakable encryption, and marketing it, closed-source,
 towards activists. When I confront you about this, you publicly accuse me of
 soliciting a hit piece (!!) against Silent Circle.

 That is what I have a problem with: A huge, clear, obvious double standard
 strictly made available for Silent Circle.




Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Julien Rabier
Hello all,

I'm no sec expert but to me, it's so obvious that Nadim is right on this.
Perhaps the form is not perfect, but if he's the only one fighting for our
own sanity here, as he says, that's no surprise.

We should all be asking Silent Circle to commit to their statement and show
us the source code of their so-called unbreakable encryption tools.

Again, I'm no sec expert and I won't be the guy who will do the hard task of
auditing and reviewing this code. But as a user, as a citizen and perhaps an
activist, I want the source code of such tools to be reviewed widely and
publicly before using and promoting it. 

My 2 euro cents,
Julien

On 07 Feb. - 10:31, Nadim Kobeissi wrote:


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Griffin Boyce
On Thu, Feb 7, 2013 at 10:31 AM, Nadim Kobeissi na...@nadim.cc wrote:



  It's definitely not for nothing. *Any* project with that amount of hype
around it should be taken skeptically by media covering it, but until very
recently, that has not been the case with Silent Circle. You and other
vocal proponents of open-source crypto have changed the dialogue. Nothing
is perfect, but it's getting there. (There being more even-handed media
coverage. I don't actually expect them to open source anything.)

  There are many double standards in tech and especially tech-focused
journalism. Phil Zimmermann is going to have less pushback on his
product/service than an MIT grad student would, and the MIT grad student
would have less skepticism directed their way than a graduate of the
University of Edinburgh -- on down the line.  And personal relationships
affect these structures at every level.

  Anyone who thinks class stratification doesn't exist just because we're
Internauts is mistaken.

~Griffin

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread scarp
Nadim Kobeissi:

I've been monitoring this discussion about Silent Circle and the one
on cryptogra...@randombit.net

Software such as TrueCrypt would never have gained the popularity and
widespread usage if it were closed source. Likewise things like SSL
and TLS would not have gained widespread usage without standards
bodies and technical specifications.

I don't see Silent Circle being anything revolutionary. Encryption
software which encrypts the contents before uploading it to the cloud
already exists, see Cyphertite. They have actually released their source.

I also don't see how any burn function of software on sensitive data
has any useful purpose. I see that as a false sense of security. If
someone were to take a photo of the phone with another phone, it would
be circumvented.

I also don't see any problem in Silent Circle releasing source, and
using a restrictive license if they so please, the point is while it
is closed source we're really just expected to trust these big names.

Rich and popular men can be bought and sold, so really their
identities or names mean nothing to me. We need independent verifiable
proof by people who understand the most inner workings of the
implementations of the encryption to say yes this works, and also
people attempting to break it.

Also by saying unbreakable encryption do they mean to say they've
developed encryption technology using unbreakable ciphers? Or is it
just the implementation of them? To me it seems like a massive
marketing campaign; if they're using social media as much as people say
they are, this would further support this.

Also unbreakable encryption is similar to saying you've made an
unsinkable ship, and we all know what happened last time someone said
that.

I also think journalists publishing about Secret Circle should find
independent qualified sources to verify the claims of it being
unbreakable before publishing it. To me that seems like good
journalism vs bad.

- -- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread scarp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Jens Christian Hillerup:
 Hear-hear. They don't need to open-source their software to
 convince me, as long as they are open about their protocol at
 least.

And what if there's a second set of decryption master keys? You're
willing to trust them because they say "We're famous guys, we won't do
anything bad, and plus we hate naughty governments."

In any case if they can match a person of interest with an
account (through other means) they can apply rubber-hose cryptanalysis
or key disclosure law to the user or recipient to really find out what
they've been sending and receiving with it.

The fact is you can't buy into this service anonymously, so at least
payment credentials will be available. Even if Phil says he won't be
bad, what is to stop Apple revealing your iTunes account purchased this
application in the App Store when the necessary legal screws are applied to
them?

- -- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Douglas Lucas
Can Silent Circle promoters explain why Zimmerman is excused from
Kerckhoffs's principle?

Is it because something unverifiable is allegedly better than nothing?
Even if we had divine knowledge to tell us Silent Circle is secure,
isn't it an overriding problem to encourage lock-in of closed source
being acceptable for something as common as text-messaging?

It is good to have a scrappy talented young person such as Nadim being
pesky to older, accepted people.


On 02/07/2013 09:45 AM, Julien Rabier wrote:
 Hello all,
 
 I'm no sec expert but to me, it's so obvious that Nadim is right on this.
 Perhaps the form is not perfect, but if he's the only one fighting for our
 own sanity here, as he says, that's no surprise.
 
 We should all be asking Silent Circle to commit to their statement and show
 us the source code of their so-called unbreakable encryption tools.
 
 Again, I'm no sec expert and I won't be the guy who will do the hard task of
 auditing and reviewing this code. But as a user, as a citizen and perhaps an
 activist, I want the source code of such tools to be reviewed widely and
 publicly before using and promoting it. 
 
 My 2 euro cents,
 Julien
 
 Le 07 févr. - 10:31, Nadim Kobeissi a écrit :
 Small follow-up:
 Maybe it's true I look like my goal here is just to foam at the mouth at
 Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
 truly sorry. These are not my goals, even if my method seems forced.

 I've tried writing multiple blog posts about Silent Circle, contacting
 Silent Circle, asking journalists to *please* mention the importance of
 free, open source in cryptography, and so on. All of this has failed. It
 has simply become clear to me that Silent Circle enjoys a double standard
 because of the reputation of those behind it.

 Silent Circle may be developed by Gods, but this is just quite plainly
 unfair. If someone repeatedly claims, towards activists, to have developed
 unbreakable encryption, markets it closed-source for money, and receives
 nothing but nods of recognition and applause from the press and even
 from *security
 experts* (?!) then something is seriously wrong! No one should be allowed
 to commit these wrongs, not even Silent Circle.

 I feel like I'm fighting for our own sanity here. Look at what you're
 allowing to happen!


 NK


 On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi na...@nadim.cc wrote:

 On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian 
 ch...@soghoian.netwrote:


 It is clear that you seem to have developed a foaming-in-the-mouth,
 irrational hate of Silent Circle. As such, anyone who fails to denounce
 Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
 shill.


 Chris,
 You have repeatedly stood up asking VoIP software to be more transparent
 about their encryption. You have repeatedly stood up when the media
 overblew coverage into hype.

 However, Silent Circle remains *the only case* where you remain mentioned
 regularly in articles on the company, where you make a point to completely
 ignore that they are posting everywhere on their social media that they are
 developing unbreakable encryption, and marketing it, closed-source,
 towards activists. When I confront you about this, you publicly accuse me of
 soliciting a hit piece (!!) against Silent Circle.

 That is what I have a problem with: A huge, clear, obvious double standard
 strictly made available for Silent Circle.



 I proudly stand by every single statement quoted in that Verge story.

 Chris


 On Wed, Feb 6, 2013 at 8:56 PM, Nadim Kobeissi na...@nadim.cc wrote:

 Chris Soghoian gives Silent Circle's unbreakable encryption an entire
 article's worth of lip service here, it must be really unbreakable:

 http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone


 NK


 On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley 
 bri...@smallworldnews.tvwrote:

 I heard they have a super secret crypto clubhouse in the belly of an
 extinct volcano.

 Other rumors suggest they built their lab in the liberated tunnels
 beneath bin ladens secret lair in Pakistan...

 Sent from my iPad

 On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc wrote:

 Actual headline.


 http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market


 NK


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread scarp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Douglas Lucas:
 Is it because something unverifiable is allegedly better than
 nothing? Even if we had divine knowledge to tell us Silent Circle
 is secure, isn't it an overriding problem to encourage lock-in of
 closed source being acceptable for something as common as
 text-messaging?
 
 It is good to have a scrappy talented young person such as Nadim
 being pesky to older, accepted people.

Agreed, and this is one of the larger problems: people in social
censorship bubbles, where basically if you don't have the tech you
can't talk to the person. That is one of the things that encryption
technologies like Off-the-Record Messaging try to bridge.

Nobody wants to be forced to use specific technology from a specific
individual or entity. It's bad enough everyone uses Facebook.

Decentralization is the only way to avoid this becoming a weak link.

- -- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Gregory Maxwell
On Thu, Feb 7, 2013 at 8:36 AM, Douglas Lucas d...@riseup.net wrote:
 Can Silent Circle promoters explain why Zimmerman is excused from
 Kerckhoffs's principle?

 Is it because something unverifiable is allegedly better than nothing?
 Even if we had divine knowledge to tell us Silent Circle is secure,
 isn't it an overriding problem to encourage lock-in of closed source
 being acceptable for something as common as text-messaging?

Even if it were acceptable because we trust the source this time
that won't be clear to the public— and the next unscrupulous snake oil
salesman who comes around using identical marketing will look just as
trustworthy to the public.  Accordingly, this work still demands a
strong negative reaction if we're to continue to establish in
people's minds that snazzy names, buzzword technobabble, and big claims
do not show security products to be trustworthy: Only independent
auditing and open code do.

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Christopher Soghoian
 Chris,
 You have repeatedly stood up asking VoIP software to be more transparent
 about their encryption. You have repeatedly stood up when the media
 overblew coverage into hype.


I've never asked Skype to release the source code to their products, nor
have I berated Apple, Facebook or Microsoft for not releasing the source
code to their products. I have, however, asked Skype to be more transparent
about the extent to which it can provide communications interception
assistance to law enforcement and intelligence agencies. There is a big
difference.

If you don't want to use Silent Circle without seeing the source code, that
is an entirely legitimate point of view (and in fact, one that I share, and
that I expressed to Ryan Gallagher last year):
http://www.slate.com/articles/technology/future_tense/2012/10/silent_circle_mike_janke_s_iphone_app_makes_encryption_easy_governments.single.html

Christopher Soghoian, principal technologist at the ACLU's Speech Privacy
and Technology Project, said he was excited to see a company like Silent
Circle visibly competing on privacy and security but that he was waiting
for it to go open source and be audited by independent security experts
before he would feel comfortable using it for sensitive communications.


Even though I am not using Silent Circle for sensitive conversations, I am
still absolutely delighted to see them be as proactive as they have been
about embracing and documenting progressive law enforcement policies.
https://silentcircle.com/web/law-compliance/

My area of research is the intersection of law, policy and technology. As
such, I am most interested in companies' surveillance policies, their
commitment to transparency, and their stated willingness to tell the
government to GTFO if they come and ask for backdoors. On this front,
Silent Circle is extremely interesting, probably more so than any other
Internet company.

For many people on this list, source code is their #1 priority. That is
fine. However, it is not my priority. I am more concerned with surveillance
policy, because that is what I study and where I think I can be most
effective in applying pressure.

What I resent though, is Nadim's repeated, malicious attempts to drag my
name through the mud, simply because I will not join his witch hunt against
Silent Circle. Since he cannot find a single example of me saying anything
false in the handful of interviews I have given to journalists writing
about this company, instead he criticizes me for not throwing rocks at Phil
Zimmermann.

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread scarp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

scarp:
 Douglas Lucas:
 Is it because something unverifiable is allegedly better than 
 nothing? Even if we had divine knowledge to tell us Silent
 Circle is secure, isn't it an overriding problem to encourage
 lock-in of closed source being acceptable for something as common
 as text-messaging?
 
 It is good to have a scrappy talented young person such as Nadim 
 being pesky to older, accepted people.
 
 Agreed, and this is one of the larger problems people in social 
 censorship bubbles, where basically if you don't have the tech you 
 can't talk to the person. One of the things that encryption 
 technologies like Off the Record Messaging try to bridge.
 
 Nobody wants to be forced to use specific technology from a
 specific individual or entity. It's bad enough everyone uses
 Facebook.
 
 Decentralization is the only way to avoid this becoming a weak
 link.
 

Which brings me to another point, what if in 1991 Phil Zimmermann said
you must use his bbs/email server to use PGP, and wouldn't release the
source for the encrypting client? I wonder if it would be as popular
as it is today if that was the case.

I find it also amusing:

https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_investigation
 Shortly after its release, PGP encryption found its way outside the
 United States, and in February 1993 Zimmermann became the formal
 target of a criminal investigation by the US Government for
 munitions export without a license. Cryptosystems using keys
 larger than 40 bits were then considered munitions within the
 definition of the US export regulations; PGP has never used keys
 smaller than 128 bits so it qualified at that time. Penalties for
 violation, if found guilty, were substantial. After several years,
 the investigation of Zimmermann was closed without filing criminal
 charges against him or anyone else. Zimmermann challenged these
 regulations in a curious way. He published the entire source code
 of PGP in a hardback book,[13]

To me this seems like a big middle finger to totalitarian government
dictating how and who it must be used by. Of course by this point the
government couldn't stop people using it even if they wanted to, the
source was everywhere.

Given his interest in anti-nuclear activism, I wonder if in today's
world that could have been construed as anti-government and possibly a
person of interest by the government.

The other question is what's to stop Apple being legally forced to
push a modified copy of this software to a person's phone that has a
backdoor?

While people might say this isn't possible due to XXX law, what is to
prevent one being created that changes that. Encryption technology's
effectiveness should not be based on what the government is allowed
and not allowed to do. I guess this is an inherent problem with
storing data in the cloud.

 For an annual price of $20/month (closer to $30/month on their
 3-month plan)

Poorer people of poorer nations won't be able to afford this, and
neither will the average citizen care enough to pay this.

I don't imagine some factory worker in China for example who earns 50
cents a day being able to pay for this so he can talk about how shitty
the conditions are.

To me it seems like it will only get used by businesses and enterprise
needing security abroad rather than activists residing in areas where
they would need it in order to have some semblance of freedom.

- -- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Gregory Maxwell
On Thu, Feb 7, 2013 at 9:12 AM, Christopher Soghoian ch...@soghoian.net wrote:
 My area of research is the intersection of law, policy and technology. As
 such, I am most interested in companies' surveillance policies, their
 commitment to transparency, and their stated willingness to tell the
 government to GTFO if they come and ask for backdoors. On this front, Silent
 Circle is extremely interesting, probably more so than any other Internet
 company.

You may think these are your preferences, but what you're saying makes
it clear that your preferences are actually subtly different.

If someone says we won't put in 'lawful surveillance' backdoors but
doesn't back that up with independent auditing (which can come in the
form of access to source code) and you find that acceptable then what
you have is a preference for _claiming_ that there are no back doors,
and not a preference for being open about what the policy is (the real
policy is in the software, which the public has not observed) or a
preference for there being no back doors. Considering the long history
of mistakes and outright lies in security software— this is simply how
it is.

Doubly so when you consider that lying about a backdoor or being
mistaken about severe security holes is unlikely to carry consequence
more negative than being open to begin with.  If there were a surety
bond commensurate with the loss of life that could result from
mistakes and dishonesty here and there were independent auditing...
plus many of a number of other things then perhaps you could say that
you cared about transparency, policy, and backdoors.

 For many people on this list, source code is their #1 priority. That is
 fine. However, it is not my priority. I am more concerned with surveillance
 policy, because that is what I study and where I think I can be most
 effective in applying pressure.

You're erroneously concluding that people who disagree with you have
source code [as] their #1 priority— rather, I think it would be more
fair in the context of security software to characterize the position
as facts as #1 priority instead of warm and fuzzy hyperbole. Source
code access is simply the least expensive and most direct way to start
getting any real confidence that claims match reality.

Following the argument that something is not necessarily better than
nothing— we'd be better off if people who weren't interested in
producing trustworthy software were pressed into making fuzzy
sounding fanciful claims.  If all you can be effective at doing is
improving the art of marketing (potential) snake oil, then perhaps you
need to reevaluate what you're working on.

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Nadim Kobeissi
On Thu, Feb 7, 2013 at 12:12 PM, Christopher Soghoian ch...@soghoian.netwrote:


 What I resent though, is Nadim's repeated, malicious attempts to drag my
 name through the mud, simply because I will not join his witch hunt against
 Silent Circle. Since he cannot find a single example of me saying anything
 false in the handful of interviews I have given to journalists writing
 about this company, instead he criticizes me for not throwing rocks at Phil
 Zimmermann.


This is not at all what I am asking for. When the press mentioned my own
project, Cryptocat, as a tool for activists, you threw every rock at your
disposal both at the media and at my work, even though I had made every
effort to label the limitations of my software and to release all source
code, and even to correct the false claims made by the media.

However, when the media calls Silent Circle unbreakable, and when Silent
Circle posts those articles on their websites without releasing any source
code, and then market their products towards activists, you in fact
continue to speak in articles about them and compliment them. You cannot
deny the double standard that you are instituting here, Chris. You have
absolutely attacked projects that have been hyped in the media, even when
they had good policies and even when they were open source. You are
exercising a double standard. Stop denying it.





Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Rich Kulawiec
Alchemy is to chemistry, astrology is to astronomy, as closed-source
is to open source.

Closed-source is intellectual fraud.  It is the equivalent of an academic
paper which has a synopsis and conclusions -- but nothing else.  No honest
reviewer would ever approve such tripe for publication in a refereed
journal of mechanical engineering or physics or medicine...yet we, in
computer science, are expected to do the equivalent.  We're actually
expected to take someone's word that their code does what they say it
does -- even though we have a mountain of evidence stretching back to the
beginning of our field that says it's NEVER been true, even when the
code's written by people who are smart/experienced/honest/diligent/etc.

Not even Stephen Hawking gets his papers published without showing
his data/reasoning/work/etc.  As it should be.

So yes, my response to this is source or GTFO.  Extraordinary claims
require extraordinary proof and in this case, there is none.

---rsk


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
Inline below..


On Thu, Feb 7, 2013 at 11:34 AM, scarp sc...@tormail.org wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512

 Jens Christian Hillerup:
  Hear-hear. They don't need to open-source their software to
  convince me, as long as they are open about their protocol at
  least.

 And what if there's a second set of decryption master keys? You're
 willing to trust them because they say We're famous guys, we won't do
 anything bad, and plus we hate naughty governments.


We need to verify everything they say is true - keys aren't generated on
servers (with the PGP Universal option for email they allow it but
discourage it). Sure, yes, absolutely we all want to verify it from source
to wire.. no argument.

 The fact you can't buy into this service anonymously, so at least
 payment credentials will be available. Even if Phil says he won't be
 bad what is to stop Apple revealing your iTunes account purchased this
 application in AppStore when the necessary legal screws are applied to
 them.


They do offer the Ronin option for anonymous purchasing of the provisioning
keys - the App is free itself.

-Ali

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
Douglas, I'm not sure many people are disagreeing with the end-goals and
even Zimmerman acknowledges the window for verifiable source proof is
closing fast (longer than many would have liked as-is).

My comments to Nadim are coming from a tact perspective - if the goal is to
gain wider adoption and recognition for all the community work, good
projects, verified projects, etc. etc. then it helps when you play in the
sandboxes occupied by more than the hackers and programmers making it happen.

It's not uncommon to have people, who need solutions the most, to be afraid
of projects because of the main name associated with them after some
cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD, etc.
etc.

It's easy to tell everyone else to pound sand or to roll all activist
causes into one for the collective libtech us - it's not so easy when we
take it elsewhere. Just trying to see how we can promote things that look
less like personal gripes and trolls - and more like building something
useful. -Ali



On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas d...@riseup.net wrote:

 Can Silent Circle promoters explain why Zimmerman is excused from
 Kerckhoffs's principle?

 Is it because something unverifiable is allegedly better than nothing?
 Even if we had divine knowledge to tell us Silent Circle is secure,
 isn't it an overriding problem to encourage lock-in of closed source
 being acceptable for something as common as text-messaging?

 It is good to have a scrappy talented young person such as Nadim being
 pesky to older, accepted people.


 On 02/07/2013 09:45 AM, Julien Rabier wrote:
  Hello all,
 
  I'm no sec expert but to me, it's so obvious that Nadim is right on this.
  Perhaps the form is not perfect, but if he's the only one fighting for
 our
  own sanity here, as he says, that's no surprise.
 
  We should all be asking Silent Circle to commit to their statement and
 show
  us the source code of their so-called unbreakable encryption tools.
 
  Again, I'm no sec expert and I won't be the guy who will do the hard
 task of
  auditing and reviewing this code. But as a user, as a citizen and
 perhaps an
  activist, I want the source code of such tools to be reviewed widely and
  publicly before using and promoting it.
 
  My 2 euro cents,
  Julien
 
  Le 07 févr. - 10:31, Nadim Kobeissi a écrit :
  Small follow-up:
  Maybe it's true I look like my goal here is just to foam at the mouth at
  Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
  truly sorry. These are not my goals, even if my method seems forced.
 
  I've tried writing multiple blog posts about Silent Circle, contacting
  Silent Circle, asking journalists to *please* mention the importance of
  free, open source in cryptography, and so on. All of this has failed. It
  has simply become clear to me that Silent Circle enjoys a double
 standard
  because of the reputation of those behind it.
 
  Silent Circle may be developed by Gods, but this is just quite plainly
  unfair. If someone repeatedly claims, towards activists, to have
 developed
  unbreakable encryption, markets it closed-source for money, and
 receives
  nothing but nods of recognition and applause from the press and even
  from *security
  experts* (?!) then something is seriously wrong! No one should be
 allowed
  to commit these wrongs, not even Silent Circle.
 
  I feel like I'm fighting for our own sanity here. Look at what you're
  allowing to happen!
 
 
  NK
 
 
  On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi na...@nadim.cc wrote:
 
  On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian 
 ch...@soghoian.netwrote:
 
 
  It is clear that you seem to have developed a foaming-in-the-mouth,
  irrational hate of Silent Circle. As such, anyone who fails to
 denounce
  Phil Zimmermann as the great Satan is, in your eyes, some kind of
 corrupt
  shill.
 
 
  Chris,
  You have repeatedly stood up asking VoIP software to be more
 transparent
  about their encryption. You have repeatedly stood up when the media
  overblew coverage into hype.
 
  However, Silent Circle remains *the only case* where you remain
 mentioned
  regularly in articles on the company, where you make a point to
 completely
  ignore that they are posting everywhere on their social media that
 they are
  developing unbreakable encryption, and marketing it, closed-source,
  towards activists. When I confront you about this, you publicly accuse
 me of
  soliciting a hit piece (!!) against Silent Circle.
 
  That is what I have a problem with: A huge, clear, obvious double
 standard
  strictly made available for Silent Circle.
 
 
 
  I proudly stand by every single statement quoted in that Verge story.
 
  Chris
 
 
  On Wed, Feb 6, 2013 at 8:56 PM, Nadim Kobeissi na...@nadim.cc
 wrote:
 
  Chris Soghoian gives Silent Circle's unbreakable encryption an entire
  article's worth of lip service here, it must be really unbreakable:
 
 
 

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Yosem Companys
Just as a reminder, please let's all try to refrain from engaging in any
personal attacks.  We all build and use liberationtech to make a
difference in various ways, and we're bound to have disagreements.  But
let's not forget that we're all working toward the same broad goal of
making people's lives better.  Otherwise, we would likely not be on this
list.

Best,

YC

On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie a...@packetknife.comwrote:

 Douglas, I'm not sure many people are disagreeing with the end-goals and
 even Zimmerman acknowledges the window for verifiable source proof is
 closing fast (longer than many would have liked as-is).

 My comments to Nadim are coming from a tact perspective - if the goal is
 to gain wider adoption and recognition for all the community work, good
 projects, verified projects, etc. etc. then it helps when you play in the
 sandboxes occupied by more than the hackers and programmers making it happen.

 It's not uncommon to have people, who need solutions the most, to be
 afraid of projects because of the main name associated with them after
 some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD,
 etc. etc.

 It's easy to tell everyone else to pound sand or to roll all activist
 causes into one for the collective libtech us - it's not so easy when we
 take it elsewhere. Just trying to see how we can promote things that look
 less like personal gripes and trolls - and more like building something
 useful. -Ali



 On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas d...@riseup.net wrote:

 Can Silent Circle promoters explain why Zimmerman is excused from
 Kerckhoffs's principle?

 Is it because something unverifiable is allegedly better than nothing?
 Even if we had divine knowledge to tell us Silent Circle is secure,
 isn't it an overriding problem to encourage lock-in of closed source
 being acceptable for something as common as text-messaging?

 It is good to have a scrappy talented young person such as Nadim being
 pesky to older, accepted people.


 On 02/07/2013 09:45 AM, Julien Rabier wrote:
  Hello all,
 
  I'm no sec expert but to me, it's so obvious that Nadim is right on
 this.
  Perhaps the form is not perfect, but if he's the only one fighting for
 our
  own sanity here, as he says, that's no surprise.
 
  We should all be asking Silent Circle to commit to their statement and
 show
  us the source code of their so-called unbreakable encryption tools.
 
  Again, I'm no sec expert and I won't be the guy who will do the hard
 task of
  auditing and reviewing this code. But as a user, as a citizen and
 perhaps an
  activist, I want the source code of such tools to be reviewed widely and
  publicly before using and promoting it.
 
  My 2 euro cents,
  Julien
 
  Le 07 févr. - 10:31, Nadim Kobeissi a écrit :
  Small follow-up:
  Maybe it's true I look like my goal here is just to foam at the mouth at
  Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
  truly sorry. These are not my goals, even if my method seems forced.
 
  I've tried writing multiple blog posts about Silent Circle, contacting
  Silent Circle, asking journalists to *please* mention the importance of
  free, open source in cryptography, and so on. All of this has failed. It
  has simply become clear to me that Silent Circle enjoys a double standard
  because of the reputation of those behind it.
 
  Silent Circle may be developed by Gods, but this is just quite plainly
  unfair. If someone repeatedly claims, towards activists, to have developed
  unbreakable encryption, markets it closed-source for money, and receives
  nothing but nods of recognition and applause from the press and even from
  *security experts* (?!) then something is seriously wrong! No one should be
  allowed to commit these wrongs, not even Silent Circle.
 
  I feel like I'm fighting for our own sanity here. Look at what you're
  allowing to happen!
 
 
  NK
 
 
  On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi na...@nadim.cc
 wrote:
 
  On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian 
 ch...@soghoian.netwrote:
 
 
  It is clear that you seem to have developed a foaming-in-the-mouth,
  irrational hate of Silent Circle. As such, anyone who fails to denounce
  Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
  shill.
 
 
  Chris,
  You have repeatedly stood up asking VoIP software to be more transparent
  about their encryption. You have repeatedly stood up when the media
  overblew coverage into hype.
 
  However, Silent Circle remains *the only case* where you remain mentioned
  regularly in articles on the company, where you make a point to completely
  ignore that they are posting everywhere on their social media that they are
  developing unbreakable encryption, and marketing it, closed-source,
  towards activists. When I confront you about this, you publicly accuse me
  of soliciting a hit piece (!!) against Silent Circle.
 
  That is 

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
And even the proponents already have. Here, elsewhere, .. Nobody is happy
at technically ignorant gee-whiz journalism.

The discussion has been, a few times now, how we tend to speak out about
it. And what busses people on the same side seem willing to throw each
other under. Gods know why. -Ali
 On Feb 7, 2013 3:46 PM, Jillian C. York jilliancy...@gmail.com wrote:

 I'm not going to get into the politics or pettiness of this because
 frankly, I don't care.

 But this headline
 http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
 and the accompanying claims of unbreakability are so incredibly egregious
 that I would expect *every single person on this list* to speak out
 against those (claims, that is), regardless of their feelings on the actual
 product.



 On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys compa...@stanford.eduwrote:

 Just as a reminder, please let's all try to refrain from engaging in any
 personal attacks.  We all build and use liberationtech to make a
 difference in various ways, and we're bound to have disagreements.  But
 let's not forget that we're all working toward the same broad goal of
 making people's lives better.  Otherwise, we would likely not be on this
 list.

 Best,

 YC

 On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie 
 a...@packetknife.comwrote:

 Douglas, I'm not sure many people are disagreeing with the end-goals and
 even Zimmermann acknowledges the window for verifiable source proof is
 closing fast (longer than many would have liked as-is).

 My comments to Nadim are coming from a tact perspective - if the goal is
 to gain wider adoption and recognition for all the community work, good
 projects, verified projects, etc. etc. then it helps when you play in the
 sandboxes occupied by more than the hackers and programmers making it happen.

 It's not uncommon to have people, who need solutions the most, to be
 afraid of projects because of the main name associated with them after
 some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD,
 etc. etc.

 It's easy to tell everyone else to pound sand or to roll all activist
 causes into one for the collective libtech us - it's not so easy when we
 take it elsewhere. Just trying to see how we can promote things that look
 less like personal gripes and trolls - and more like building something
 useful. -Ali




Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Jens Christian Hillerup
On Thu, Feb 7, 2013 at 5:34 PM, scarp sc...@tormail.org wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512

 Jens Christian Hillerup:
 Hear-hear. They don't need to open-source their software to
 convince me, as long as they are open about their protocol at
 least.

 And what if there's a second set of decryption master keys? You're
 willing to trust them because they say We're famous guys, we won't do
 anything bad, and plus we hate naughty governments.

No, I think we agree. I meant by protocol that it'd be possible for me
to create a client for the service from scratch (maybe even the server
part, too, but not strictly needed), i.e. I get to choose the
encryption key(s), etc. Sorry for the misunderstanding.

JC
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Nadim Kobeissi
The latest unbreakable even by a supercomputer article includes artistic,
black and white photographs of Phil Zimmermann and John Callas:
http://www.dailymail.co.uk/sciencetech/article-2274597/How-foil-eavesdroppers-The-smartphone-encryption-app-promises-make-communications-private-again.html#axzz2KDR1XKE6


NK


On Thu, Feb 7, 2013 at 4:15 PM, Ali-Reza Anghaie a...@packetknife.com wrote:

 And even the proponents already have. Here, elsewhere, .. Nobody is
 happy at technically ignorant gee-whiz journalism.

 The discussion has been, a few times now, how we tend to speak out about
 it. And what busses people on the same side seem willing to throw each
 other under. Gods know why. -Ali

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Nadim Kobeissi
“I tell them go ahead and use Skype — I don’t even want to talk to you.
This is for serious people interested in serious cryptography,” Zimmermann
said. “We are not Facebook. We are the opposite of Facebook.”
http://bits.blogs.nytimes.com/2013/02/05/security-pioneer-creates-service-to-encrypt-phone-calls-and-text-messages/


NK


On Thu, Feb 7, 2013 at 4:32 PM, Nadim Kobeissi na...@nadim.cc wrote:

 The latest unbreakable even by a supercomputer article includes
 artistic, black and white photographs of Phil Zimmermann and John Callas:

 http://www.dailymail.co.uk/sciencetech/article-2274597/How-foil-eavesdroppers-The-smartphone-encryption-app-promises-make-communications-private-again.html#axzz2KDR1XKE6


 NK



Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
I do have to wonder why they've twice mentioned embargoed countries they
couldn't sell to legally anyway.

Is there something I'm missing about ~selling~ dissidents solutions in Iran
and NK? US Government have an exception for that? -Ali
On Feb 7, 2013 4:38 PM, Nadim Kobeissi na...@nadim.cc wrote:

 “I tell them go ahead and use Skype — I don’t even want to talk to you.
 This is for serious people interested in serious cryptography,” Zimmermann
 said. “We are not Facebook. We are the opposite of Facebook.”

 http://bits.blogs.nytimes.com/2013/02/05/security-pioneer-creates-service-to-encrypt-phone-calls-and-text-messages/


 NK



Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Collin Anderson
 Is there something I'm missing about ~selling~ dissidents solutions in
Iran and NK? US Government have an exception for that? -Ali

There is a Favorable Licensing Policy for Iran on Internet Freedom that
specifically mentions Fee-Based Internet Communication Services, although
since published in March 2012 it is unclear whether any actual license has
been approved. North Korea might have larger impediments since as I am
fairly sure there is next to no access to international telephony or
Internet connections.


On Thu, Feb 7, 2013 at 4:47 PM, Ali-Reza Anghaie a...@packetknife.com wrote:

 I do have to wonder why they've twice mentioned embargoes countries they
 couldn't sell to legally anyway.

 Is there something I'm missing about ~selling~ dissidents solutions in
 Iran and NK? US Government have an exception for that? -Ali

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Christopher Soghoian
See Inline

On Thu, Feb 7, 2013 at 12:15 PM, Andy Isaacson a...@hexapodia.org wrote:

 Silent Circle may be an excellent privacy app.  It might not have any
 significant security problems.  It might even do a good job of
 mitigating important platform-based attacks and supporting important new
 use cases (the burn after reading feature).  When it's actually open
 source I'll take a look and if it is good, I'll recommend it to users.

 Until that open review happens, I think it's inappropriate for voices in
 our community to commend or recommend such a proprietary system.  Each
 person makes their own choices, of course, and nobody should base their
 actions solely on what *I* think is right, but I hope you can hear my
 concerns and consider the outcomes of your actions.


Twitter's official client and server code are not open source. That hasn't
stopped the good folks at EFF, as well as many other privacy advocates from
praising the company's law enforcement transparency policies, as well as
Twitter's willingness to go the extra mile when responding to various forms
of legal process.

Much of Google's code, including all of the Gmail backend code is not open
source, but that hasn't stopped privacy advocates from legitimately
praising the company for voluntarily publishing some really useful data on
government requests and DMCA takedown demands.

Although I have not recommended Silent Circle to anyone, I believe that it
is entirely legitimate to praise the company for its commitment to
transparency regarding law enforcement requests and the company's overall
law enforcement policy.

Hell, looking at the list of companies ranked on EFF's Who's got your
back website, closed source is by far the norm, not the exception. That
hasn't stopped EFF from giving out gold stars where they feel they are
deserved. See:
https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back

In fact, for many of the factors that I am most interested in, source code
is completely irrelevant. Client source code does not reveal a company's
data retention policy, and server data retention configurations are
impossible to verify. Source code does not reveal whether a company will
tell its users about subpoenas submitted for user data where not prevented
from doing so by a gag order. Source code will not reveal a company's
willingness to spend hundreds of thousands of dollars on legal bills to
fight an improper request submitted by lawyers at the Department of
Justice. For such things, you have to evaluate the company on its public
policy (and, once the policy is put into action, you can judge the company
via its track record).

By all means, continue to harass Silent Circle about its source code.
Likewise, please do hold journalists accountable for the bogus headlines
they, or their editors have selected. But do not dismiss my legitimate
interest in the law enforcement legal policies adopted by companies. These
policies are often just as important, yet impossible to verify, even when
companies publish their source code.

Cheers,

Chris

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Griffin Boyce
Christopher Soghoian ch...@soghoian.net wrote:

 Twitter's official client and server code are not open source

 Much of Google's code, including all of the Gmail backend code is not open
 source


  That's a bit of a false equivalency, don't you think? Silent Circle's
whole premise is that their code will encrypt data and protect it from
outside parties (including the government). Twitter and Google make no such
promise, and in fact their legal policies run counter to that...

~Griffin

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Robert Guerra
Chris,

Nicely put. Agree with your comments 100%


Robert

--


On 2013-02-07, at 8:14 PM, Christopher Soghoian wrote:

 See Inline
 
 On Thu, Feb 7, 2013 at 12:15 PM, Andy Isaacson a...@hexapodia.org wrote:
 Silent Circle may be an excellent privacy app.  It might not have any
 significant security problems.  It might even do a good job of
 mitigating important platform-based attacks and supporting important new
 use cases (the burn after reading feature).  When it's actually open
 source I'll take a look and if it is good, I'll recommend it to users.
 
 Until that open review happens, I think it's inappropriate for voices in
 our community to commend or recommend such a proprietary system.  Each
 person makes their own choices, of course, and nobody should base their
 actions solely on what *I* think is right, but I hope you can hear my
 concerns and consider the outcomes of your actions.
 
 Twitter's official client and server code are not open source. That hasn't 
 stopped the good folks at EFF, as well as many other privacy advocates from 
 praising the company's law enforcement transparency policies, as well as 
 Twitter's willingness to go the extra mile when responding to various forms 
 of legal process.
 
 Much of Google's code, including all of the Gmail backend code is not open 
 source, but that hasn't stopped privacy advocates from legitimately praising 
 the company for voluntarily publishing some really useful data on government 
 requests and DMCA takedown demands.
 
 Although I have not recommended Silent Circle to anyone, I believe that it is 
 entirely legitimate to praise the company for its commitment to transparency 
 regarding law enforcement requests and the company's overall law enforcement 
 policy.
 
 Hell, looking at the list of companies ranked on EFF's Who's got your back 
 website, closed source is by far the norm, not the exception. That hasn't 
 stopped EFF from giving out gold stars where they feel they are deserved. 
 See: 
 https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back
 
 In fact, for many of the factors that I am most interested in, source code is 
 completely irrelevant. Client source code does not reveal a company's data 
 retention policy, and server data retention configurations are impossible to 
 verify. Source code does not reveal whether a company will tell its users 
 about subpoenas submitted for user data where not prevented from doing so by 
 a gag order. Source code will not reveal a company's willingness to spend 
 hundreds of thousands of dollars on legal bills to fight an improper request 
 submitted by lawyers at the Department of Justice. For such things, you have 
 to evaluate the company on its public policy (and, once the policy is put 
 into action, you can judge the company via its track record).
 
 By all means, continue to harass Silent Circle about its source code. 
 Likewise, please do hold journalists accountable for the bogus headlines 
 they, or their editors, have selected. But do not dismiss my legitimate 
 interest in the law enforcement legal policies adopted by companies. These 
 policies are often just as important, yet impossible to verify, even when 
 companies publish their source code.
 
 Cheers,
 
 Chris

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread scarp
Ali-Reza Anghaie:
 Inline below..
 
 
 On Thu, Feb 7, 2013 at 11:34 AM, scarp sc...@tormail.org wrote:
 
 The fact you can't buy into this service anonymously, so at least
 payment credentials will be available. Even if Phil says he won't
 be bad what is to stop Apple revealing your iTunes account
 purchased this application in AppStore when the necessary legal
 screws are applied to them.
 
 
 They do offer the Ronin option for anonymous purchasing of the
 provisioning keys - the App is free itself.
 
 -Ali

Ah yes, although the application is free, what I meant is Apple will
still have a record that you installed it on that iTunes account. They
actually send you an invoice for $0.00.

It also appears BitcoinEAST resell the activation codes, so I guess
you could acquire some bitcoins via mail order and that would be a
pretty safe way of purchasing.

- -- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Brian Conley
+1.

I wish I could say otherwise, but now after a few years working as a
journalism trainer and in the journalism field I've been led to recognize
that, whether I like it or not, and whether it is ethical or not:

1. headlines are used to grab readers and generate buzz. I'd not read the
article until it was posted here, and I'm sure many others had not. That
generated buzz and eyeballs.

2. journalists are again and again and again guilty of access bias. They
are biased to report on the thing they have access to, whether that be
because a PR firm sent them a release and made individuals available for
interview, or a great many other reasons.

3. the best way to counter media spin is to make friends with journalists,
put out counter press releases, and above all, not engage in personal
attacks or petty bullshit.

I don't like it, and I tell all my students to avoid it, but there it is.

Brian

On Thu, Feb 7, 2013 at 12:46 PM, Jillian C. York jilliancy...@gmail.com wrote:

 I'm not going to get into the politics or pettiness of this because
 frankly, I don't care.

 But this headline
 http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
 and the accompanying claims of unbreakability are so incredibly egregious
 that I would expect *every single person on this list* to speak out
 against those (claims, that is), regardless of their feelings on the actual
 product.



 On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys compa...@stanford.edu wrote:

 Just as a reminder, please let's all try to refrain from engaging in any
 personal attacks.  We all build and use liberationtech to make a
 difference in various ways, and we're bound to have disagreements.  But
 let's not forget that we're all working toward the same broad goal of
 making people's lives better.  Otherwise, we would likely not be on this
 list.

 Best,

 YC

 On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie a...@packetknife.com wrote:

 Douglas, I'm not sure many people are disagreeing with the end-goals and
 even Zimmerman acknowledges the window for verifiable source proof is
 closing fast (longer than many would have liked as-is).

 My comments to Nadim are coming from a tact perspective - if the goal is
 to gain wider adoption and recognition for all the community work, good
 projects, verified projects, etc. etc. then it helps when you play in the
 sandboxes occupied by more than the hackers and programmers making it happen.

 It's not uncommon to have people, who need solutions the most, to be
 afraid of projects because of the main name associated with them after
 some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD,
 etc. etc.

 It's easy to tell everyone else to pound sand or to roll all activist
 causes into one for the collective libtech us - it's not so easy when we
 take it elsewhere. Just trying to see how we can promote things that look
 less like personal gripes and trolls - and more like building something
 useful. -Ali



 On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas d...@riseup.net wrote:

 Can Silent Circle promoters explain why Zimmerman is excused from
 Kerckhoffs's principle?

 Is it because something unverifiable is allegedly better than nothing?
 Even if we had divine knowledge to tell us Silent Circle is secure,
 isn't it an overriding problem to encourage lock-in of closed source
 being acceptable for something as common as text-messaging?

 It is good to have a scrappy talented young person such as Nadim being
 pesky to older, accepted people.


 On 02/07/2013 09:45 AM, Julien Rabier wrote:
  Hello all,
 
  I'm no sec expert but to me, it's so obvious that Nadim is right on this.
  Perhaps the form is not perfect, but if he's the only one fighting for our
  own sanity here, as he says, that's no surprise.
 
  We should all be asking Silent Circle to commit to their statement and show
  us the source code of their so-called unbreakable encryption tools.
 
  Again, I'm no sec expert and I won't be the guy who will do the hard task of
  auditing and reviewing this code. But as a user, as a citizen and perhaps an
  activist, I want the source code of such tools to be reviewed widely and
  publicly before using and promoting it.
 
  My 2 euro cents,
  Julien
 
  On 07 Feb - 10:31, Nadim Kobeissi wrote:
   Small follow-up:
   Maybe it's true I look like my goal here is just to foam at the mouth at
   Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
   truly sorry. These are not my goals, even if my method seems forced.
  
   I've tried writing multiple blog posts about Silent Circle, contacting
   Silent Circle, asking journalists to *please* mention the importance of
   free, open source in cryptography, and so on. All of this has failed. It
   has simply become clear to me that Silent Circle enjoys a double standard
   because of the reputation of those behind it.
  
   Silent Circle may be developed by 

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-06 Thread Brian Conley
C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree fundamentally 
with anything he said there?

Brian

On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc wrote:

 Chris Soghoian gives Silent Circle's unbreakable encryption an entire 
 article's worth of lip service here, it must be really unbreakable:
 http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
 
 
 NK
 
 
 On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley bri...@smallworldnews.tv 
 wrote:
 I heard they have a super secret crypto clubhouse in the belly of an extinct 
 volcano.
 
 Other rumors suggest they built their lab in the liberated tunnels beneath 
 bin Laden's secret lair in Pakistan...
 
 Sent from my iPad
 
 On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc wrote:
 
 Actual headline.
 
 http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
 
 
 NK

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-06 Thread Nadim Kobeissi
What I'm trying to point out is that Silent Circle can call itself a
super-group creating unbreakable encryption, market closed-source software
towards activists, and some experts will still speak out for
them favourably.


NK


On Wed, Feb 6, 2013 at 11:21 PM, Brian Conley bri...@smallworldnews.tv wrote:

 C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree
 fundamentally with anything he said there?

 Brian

 On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc wrote:

 Chris Soghoian gives Silent Circle's unbreakable encryption an entire
 article's worth of lip service here, it must be really unbreakable:

 http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone


 NK


 On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley bri...@smallworldnews.tv wrote:

 I heard they have a super secret crypto clubhouse in the belly of an
 extinct volcano.

 Other rumors suggest they built their lab in the liberated tunnels
 beneath bin Laden's secret lair in Pakistan...

 Sent from my iPad

 On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc wrote:

 Actual headline.


 http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market


 NK


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-06 Thread Douglas Lucas
The enemy knows the system, but some enemies are more equal than others.

On 02/06/2013 10:21 PM, Brian Conley wrote:
 C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree
 fundamentally with anything he said there?
 
 Brian
 
 On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc
 mailto:na...@nadim.cc wrote:
 
 Chris Soghoian gives Silent Circle's unbreakable encryption an entire
 article's worth of lip service here, it must be really unbreakable:
 http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone


 NK


 On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley
 bri...@smallworldnews.tv mailto:bri...@smallworldnews.tv wrote:

 I heard they have a super secret crypto clubhouse in the belly of
 an extinct volcano.

 Other rumors suggest they built their lab in the liberated tunnels
 beneath bin Laden's secret lair in Pakistan...

 Sent from my iPad

 On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc
 mailto:na...@nadim.cc wrote:

 Actual headline.

 
 http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market


 NK