On Sun, 30 Jun 2013 02:25:54 -0500
Anthony Papillion anth...@cajuntechie.org wrote:
what exactly is the problem with Pidgin OTR
This page summarizes what might be wrong with Pidgin and OTR:
https://micahflee.com/2013/02/using-gajim-instead-of-pidgin-for-more-secure-otr-chat/
In short: Pidgin
Yosem Companys:
Speaking of which...
If you had an extra $2-3K to give to a liberationtech or crypto project,
who do you think would benefit the most?
I would sponsor http://genode.org/ to bring their capability os to a
number of android capable devices.
What's lacking in current
On 1 July 2013 05:20, Adam Back a...@cypherspace.org wrote:
The remaining claimed problems are then pidgin itself having bugs, nothing
on OTR. So if you want to argue for an interpreted language chat client,
go for it.
If libpurple/pidgin itself has bugs, that compromises OTR. If an
Yosem Companys compa...@stanford.edu wrote:
If you had an extra $2-3K to give to a liberationtech or crypto project,
who do you think would benefit the most?
If I had an extra $3000 I would give it to transparency toolkit [1].
While it's still early-stage, it shows a lot of promise and the
On Mon, Jul 01, 2013 at 07:02:03AM -0400, Tom Ritter wrote:
If libpurple/pidgin itself has bugs, that compromises OTR. If an
attacker gets in through a window or your sliding door, he's still in
your house. And libpurple is full of bugs. That's the easy, go-to
answer for this question.
On Mon, Jul 01, 2013 at 02:15:15AM +0200, André Rebentisch wrote:
Dear all,
do you follow the news?
http://www.guardian.co.uk/world/2013/jun/30/berlin-washington-cold-war
http://www.theglobeandmail.com/news/national/eu-confronts-us-over-alleged-spying-on-european-allies/article12899295/
It is huge and a strong burden on transatlantic relations, a game
Do you really think that such large scale intercepts are possible without full
knowledge and cooperation of key people in politics and industry?
Of course not, Eugen! They all know it. But now there's proof. Tangible
Nikola Kotur:
On Sun, 30 Jun 2013 02:25:54 -0500
Anthony Papillion anth...@cajuntechie.org wrote:
what exactly is the problem with Pidgin OTR
This page summarizes what might be wrong with Pidgin and OTR:
..on Mon, Jul 01, 2013 at 02:26:11PM +0200, Eugen Leitl wrote:
On Mon, Jul 01, 2013 at 02:15:15AM +0200, André Rebentisch wrote:
Dear all,
do you follow the news?
http://www.guardian.co.uk/world/2013/jun/30/berlin-washington-cold-war
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Mon, 01 Jul 2013 14:03:09 +
Jacob Appelbaum ja...@appelbaum.net wrote:
As one of the people currently working on libotr, I'd like to ask you to
reload that page and note the footnote
I apologize for referring to somewhat outdated information, I
Alireza Mahdian alireza.mahd...@gmail.com writes:
this is to prevent modifications that would render it as a malware. I
haven't signed the code yet so I am just protecting myself from such
liabilities.
Hi, Alireza Mahdian. Please don't call the code open source nor free
software when it's not.
Hey guys,
A colleague and I are exploring the world of physical hacks to protect
privacy and freedom. For example, this is what we mean:
IR LEDs Overwhelm Surveillance cameras
http://makezine.com/2008/02/24/led-security-camera-disruptor/
Using makeup and hairstyles to overcome facial
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
de-lurking
On 07/01/2013 03:44 PM, taxakis wrote:
Of course not, Eugen! They all know it. But now there's proof.
Tangible documents stamped Top Secret. And there's a witness,
Snowden, who plainly details it in front of a TV camera. And in a
On 07/01/2013 11:21 AM, Lorenzo Franceschi Bicchierai wrote:
Any other cool examples you can think of? I'd like to get as many examples
as possible, so I thought I'd ask here since you guys must know many more.
One idea that I am working on in a *very* rough form, is making
smartphones that are
On 07/01/2013 11:30 AM, Nathan of Guardian wrote:
Like I said, this idea is early, and perhaps a futile exercise, but I
think it is empowering to explore how easy it is for a person to modify
the hardware of a smartphone in a privacy-enhancing way.
Sorry, I forgot to add that this is inspired
Any hacks to make a privacy modification of cellphone where a microphone can
be physically disconnected?
Something like this http://www.stahlke.org/dan/phonemute/, but for recent
phones.
Pavol
On Mon, Jul 01, 2013 at 11:30:24AM -0400, Nathan of Guardian wrote:
On 07/01/2013 11:21 AM, Lorenzo
Speaking as maintainer of Whonix here.
Jacob Appelbaum:
When upgrading a tails machine today, I noticed that the default
download link is HTTP.
This is actually a problem for many (security related) application
downloads, not only for Tails. For example, also the gpg4win homepage
has no https
On 07/01/2013 02:03 PM, adrelanos wrote:
I think, this kind of tool doesn't exist yet.
Could torrents and magnet links address this issue? Should we push all
projects to promote torrents if they are unable to offer HTTPS?
I, for one, am eager for this to stop being an experiment:
Hello,
We believe sharing ideas can make the development sector stronger. Do you
have an initiative you'd like to tell the world about? If so, it'd be great
to hear from you! Simply go to
http://www.practicalinitiatives.org/register, and submit an
initiative.
We promote the work of all our
http://gcn.com/blogs/cybereye/2013/06/agencies-sudden-interest-encrypted-comm.aspx
Agencies showing sudden interest in encrypted comm
Silent Circle, the company that provides end-to-end BYOD encryption,
has introduced a Web-based management console to support large
deployments of crypto
Nathan of Guardian:
On 07/01/2013 02:03 PM, adrelanos wrote:
I think, this kind of tool doesn't exist yet.
Could torrents and magnet links address this issue?
As far as I know they include hash verification.
Issues:
- you still have to tell the user you must download tool X before you
can
..on Mon, Jul 01, 2013 at 11:35:13AM -0700, Yosem Companys wrote:
http://gcn.com/blogs/cybereye/2013/06/agencies-sudden-interest-encrypted-comm.aspx
Agencies showing sudden interest in encrypted comm
Suckers.
--
Julian Oliver
http://julianoliver.com
http://criticalengineering.org
--
Too
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 2013.07.01 12.19, adrelanos wrote:
- you still have to tell the user you must download tool X before
you can download Y
This, of course, is a global problem everywhere. A secure channel
requires a shared secret, in this case between the
A security engineered downloader design is Thandy.
https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Thandy
http://google-opensource.blogspot.de/2009/03/thandy-secure-update-for-tor.html
Still, I agree that a less 'perfect' installer might be easier to put
together and actually get into
Nadim, I hope you, Arturo, and other clueful people will reach out to
reporters who may be interested in covering these issues. Let me know if I
can assist with making contacts.
Brian
On Mon, Jul 1, 2013 at 1:45 PM, Nadim Kobeissi na...@nadim.cc wrote:
Silent Circle's response to critical
On 01-07-13 23:01, Eleanor Saitta wrote:
On 2013.07.01 12.19, adrelanos wrote:
- you still have to tell the user you must download tool X before
you can download Y
This, of course, is a global problem everywhere. A secure channel
requires a shared secret, in this case between the
Dear all,
I highly recommend this really excellent interview between Terry Winograd
and Evgeny Morozov about his new book, *To Save Everything, Click Here*...
http://www.bostonreview.net/books-ideas/whats-wrong-technological-fixes
Best wishes,
David
--
David V. Johnson
Web Editor
Boston
On Jul 1, 2013 5:02 PM, Eleanor Saitta e...@dymaxion.org wrote:
This, of course, is a global problem everywhere. A secure channel
requires a shared secret, in this case between the developers and the
end user. How does the user get their initial OS image if it didn't
come with their machine
I think, this kind of tool doesn't exist yet.
I wonder if Thandy - the Google(?)-funded Tor secure installer tool --
could be used for securely-installing software other than Tor?
https://gitweb.torproject.org/thandy.git
Shorter Morozov
We should not try to understand too much what we don't yet understand because
it may not actually lead to understanding because not everything you try and
understand does actually lead to some new type of understanding, in which case
the fallacy of understanding is that you are
..on Mon, Jul 01, 2013 at 06:03:01PM +, adrelanos wrote:
In response to the tool doesn't exist...
apt-get install tor torify wget http://path.to/file
;)
--
Julian Oliver
http://julianoliver.com
http://criticalengineering.org
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 2013.07.01 15.15, Julian Oliver wrote:
..on Mon, Jul 01, 2013 at 06:03:01PM +, adrelanos wrote:
In response to the tool doesn't exist...
apt-get install tor torify wget http://path.to/file
And how did you verify the trust path for your
Eleanor Saitta:
On 2013.07.01 15.15, Julian Oliver wrote:
..on Mon, Jul 01, 2013 at 06:03:01PM +, adrelanos wrote:
In response to the tool doesn't exist...
apt-get install tor torify wget http://path.to/file
And how did you verify the trust path for your initial debian install
It is
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
(And the quote I cannot find ATM from the cryptography guy back in the 1800s
who said you should be able to describe how a cryptosystem works without
breaking it probably applies here.)
https://en.wikipedia.org/wiki/Kerckhoffs's_principle
-
apt-get install tor torify wget http://path.to/file
And how did you verify the trust path for your initial debian install
It is easy enough for me, nearly impossible for regular users.
FYI, there was recently an interesting thread on the OSS-Security list
on this topic:
Subject:
Jacob Appelbaum ja...@appelbaum.net wrote:
...
We need a secure downloading tool, we need it to be built into every OS
by default and until then, we'll have to rely on tricks to hack it -
preloading certs in browsers, having a website to download it from and
so on.
What we need are
2013/7/1 Glassman, Michael glassman...@osu.edu
Shorter Morozov
We should not try to understand too much what we don't yet understand
because it may not actually lead to understanding because not everything
you try and understand does actually lead to some new type of
understanding, in
..on Mon, Jul 01, 2013 at 03:17:27PM -0700, Eleanor Saitta wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 2013.07.01 15.15, Julian Oliver wrote:
..on Mon, Jul 01, 2013 at 06:03:01PM +, adrelanos wrote:
In response to the tool doesn't exist...
apt-get install tor
This is roughly what I was suggesting with the http header (fetching the
hash with a TLS HEAD request even if the download itself is not TLS). I
think this may be preferable to encoding the hash with the link, as it
would work even with 3rd party links.
Getting support in the browser or OS is
A fairly dramatic example of this sort of problem:
http://www.ubuntu.com/download is not HTTPS. The page with the hashes
is, though. https://help.ubuntu.com/community/UbuntuHashes
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at compa...@stanford.edu
Eleanor Saitta:
On 2013.07.01 15.15, Julian Oliver wrote:
..on Mon, Jul 01, 2013 at 06:03:01PM +, adrelanos wrote:
In response to the tool doesn't exist...
apt-get install tor torify wget http://path.to/file
And how did you verify the trust path for your initial debian install?
On 07/01/2013 07:06 PM, Landon Hurley wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
(And the quote I cannot find ATM from the cryptography guy back in the 1800s
who said you should be able to describe how a cryptosystem works without
breaking it probably applies here.)
Jonathan Wilkes jancs...@yahoo.com:
On 07/01/2013 07:22 PM, Martin Uecker wrote:
Jacob Appelbaum ja...@appelbaum.net wrote:
...
We need a secure downloading tool, we need it to be built into every OS
by default and until then, we'll have to rely on tricks to hack it -
preloading
On Mon, Jul 1, 2013 at 6:28 PM, Martin Uecker uec...@eecs.berkeley.edu wrote:
Owen Barton o...@civicactions.com wrote:
This is roughly what I was suggesting with the http header (fetching the
hash with a TLS HEAD request even if the download itself is not TLS). I
think this may be
How do you apply this to pages? Do you hash all their elements, or just
the page? If it's the former: in what order do you do it? What if the
author of a product decides to release a bug fix version? Your link will
stop working, and make the software seem malicious when it's probably not.
How
On 07/01/2013 09:22 PM, Martin Uecker wrote:
Jonathan Wilkes jancs...@yahoo.com:
On 07/01/2013 07:22 PM, Martin Uecker wrote:
Jacob Appelbaum ja...@appelbaum.net wrote:
...
We need a secure downloading tool, we need it to be built into every OS
by default and until then, we'll have to rely
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 2013.07.01 17.28, adrelanos wrote:
Eleanor Saitta:
On 2013.07.01 15.15, Julian Oliver wrote:
..on Mon, Jul 01, 2013 at 06:03:01PM +, adrelanos wrote:
In response to the tool doesn't exist...
apt-get install tor torify wget
Eleanor Saitta:
On 2013.07.01 17.28, adrelanos wrote:
Eleanor Saitta:
On 2013.07.01 15.15, Julian Oliver wrote:
..on Mon, Jul 01, 2013 at 06:03:01PM +, adrelanos wrote:
In response to the tool doesn't exist...
apt-get install tor torify wget http://path.to/file
And how did you verify
Hi Owen,
Owen Barton o...@civicactions.com wrote:
On Mon, Jul 1, 2013 at 6:28 PM, Martin Uecker uec...@eecs.berkeley.edu wrote:
Owen Barton o...@civicactions.com wrote:
This is roughly what I was suggesting with the http header (fetching the
hash with a TLS HEAD request even if the
YouTube (Jun 29) - Hackers for hire (NATO Review):
http://www.youtube.com/watch?v=MkOYfWdBLeg
Hackers are the 21st century warriors who worry many. As everything we
use becomes increasingly connected, so their opportunities to hack,
divert or destroy increase. NATO Review talked to some
Patrick Mylund Nielsen cryptogra...@patrickmylund.com wrote:
How do you apply this to pages? Do you hash all their elements, or just
the page? If it's the former: in what order do you do it?
Just the page, the page could again have self-certifying links embedded.
What if the
author of
Hi all,
I'm in the process of designing a qualitative study looking at the way
people learn to use encryption tools (PGP and Tor, specifically). This is
*not* a usability study--more an exploration of the social practices
involved in selecting a tool and then figuring out how to configure and
What is the most effective way to protect users against a compelled
fake certificate attack? Since any CA can issue any cert and any US
based CA could probably be compelled to issue a fake CA, how can we
protect against this?
My initial thought would be to publish the certificate
Edward Snowden has just requested political asylum from several countries,
including Brazil. We wrote about that in Portuguese:
http://juntos.org.br/2013/07/dilma-conceda-asilo-a-edward-snowden/ and we
started an online petition in Avaaz.org urging the president of Brazil,
Dilma Rousseff, to grant