Thank you for your quick response.
I'm not convinced by your arguments yet. I comment in between.
On 08/12/13 04:13, Francisco Ruiz wrote:
In your message, you wrote:
1. I have to *run* it to get the hash of the application from the help
page. That is already a leap of faith to run
On 11/08/13 at 09:37pm, Francisco Ruiz wrote:
I still have to read through the references you supply, but I can already
see a misconception. They refer to the dangers of carrying out cryptography
with javascript-containing dynamic pages. My previous posting referred to
_perfectly static_ pages
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08/11/2013 12:35 AM, h0ost wrote:
Hi Arjen,
May I ask what Swiss providers would you recommend?
(disclaimer: I am normally very hesitant to 'advertise' for specific
companies since as a consultant I do my very best to remain
independent from
On 11/08/13 22:28, Nadim Kobeissi wrote:
On 2013-08-11, at 10:36 PM, danimoth danim...@cryptolab.net wrote:
On 11/08/13 at 01:10pm, Francisco Ruiz wrote:
Twice again, privacy has taken a hit across the land. Lavabit and Silent
Mail are gone, and to quote Phil Zimmermann, “the writing is on
- Forwarded message from coderman coder...@gmail.com -
Date: Sun, 11 Aug 2013 13:28:53 -0700
From: coderman coder...@gmail.com
To: cypherpu...@cpunks.org
Subject: Re: Lavabit and End-point Security
one last cautionary tale:
some time back i used the techniques discussed to harden some
- Forwarded message from nettime's secret court staffer nett...@kein.org
-
Date: Sat, 10 Aug 2013 23:26:02 +0200
From: nettime's secret court staffer nett...@kein.org
To: nettim...@mx.kein.org
Subject: nettime Interview with Lavabit's Ladar Levison
Reply-To: a moderated mailing list for
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08/11/2013 08:10 PM, Francisco Ruiz wrote:
There’s no legal action that can shut down PassLok because it
consists of pure code, and pure code is speech, protected from
government interference under the 1st amendment to the US
Constitution.
For
On Mon, Aug 12, 2013 at 01:46:26PM +0200, Arjen Kamphuis wrote:
Client-side encryption means a Free Software code stack running on a
machine that is physically under your control at all times. Anything
else is BS.
Indeed. And it can be argued that we even need open, fully inspectable
hardware,
On 12/08/13 14:02, Ben Laurie wrote:
On 12 August 2013 06:14, Ximin Luo infini...@gmx.com wrote:
How is it possible to defend against timing attacks in JS? Any language
theoretically can be compiled into anything, but the JS runtime does not
give you much control in what the CPU actually
Libtech,
A friend passed along little noticed comments by Gen. Hayden in June, which
I would suggest are the most direct elaboration on the differences between
the American security apparatus and piracy development efforts. The actual
interview is long, but there is one statement in particular
On Mon, Aug 12, 2013 at 7:53 PM, Collin Anderson
col...@averysmallbird.com wrote:
Alright so on the one hand we're fighting anonymity on the other hand
we're chucking products out there to protect anonymity on the net.
I've been saying that for years. Except...backwards.
--
*Note: *I am
On 2013-08-12, at 8:53 PM, Collin Anderson col...@averysmallbird.com wrote:
Libtech,
A friend passed along little noticed comments by Gen. Hayden in June, which I
would suggest are the most direct elaboration on the differences between the
American security apparatus and piracy
Nadim Kobeissi wrote:
Here's the thing: you ultimately have two types of software that the
U.S. is interested in funding:
*Software Type A:* Software that protects useful dissidents and anyone
else from all governments (to an extent), including the U.S. government.
*Software Type B:*
From: Katsiaficas, George katsiafic...@wit.edu
I write because my friend and enormously active Bangladeshi human
rights lawyer Adilur Rahman Khan was picked up by unmarked cars/police
and given 5 days remand in Dhaka—equivalent to 5 days torture.
His arrest will no doubt have a chilling effect
Thanks for a thoughtful and extensive reply. Let me see if I'm
understanding your position correctly. Running crypto code in a browser is
inherently insecure because we don't really know what the browser is doing
with it, regardless of whether it is communicating with a server. Of
course, we can't
Hey Arjen, you make a huge point. Unfortunately the Netherlands aren't any
better this way, are they? Looking around, it seems the only safe place
for a crypto server these days would be Switzerland. I'm ready to move my
stuff over there.
Does anybody know of a good, cheap, SSL-enabled web host
Quick request.
In comments to a recent post, people seemed to agree that publishing a
video of someone reading a hash might be a fairly hard-to-hack way to
deliver that hash to the public, and thus assure the authenticity of a
piece of code, a public key, or whatnot. The problem is that the
John Cusack comes to mind - he's on the board of Freedom of the Press
Foundation.
~Griffin
On 08/12/2013 04:32 PM, Francisco Ruiz wrote:
Quick request.
In comments to a recent post, people seemed to agree that publishing a
video of someone reading a hash might be a fairly hard-to-hack way to
Some idle thoughts:
Edward Snowden
Bradley Manning
Julian Assange
Gen. Hayden
Jacob or Nadim
On 08/12/2013 04:32 PM, Francisco Ruiz wrote:
Quick request.
In comments to a recent post, people seemed to agree that publishing a
video of someone reading a hash might be a fairly hard-to-hack way
On 2013-08-12 15:32, Francisco Ruiz wrote:
Does any one know of a celebrity who cares
enough about computer security to be persuaded to take one minute of
his/her time to read a hash before a camera?
Hugh Grant has made privacy issues the focus of his Twitter feed.
However, he is more
Ashton Kutcher has talked publicly multiple times about the value of
privacy, both in his personal life and as an investor.
On Aug 12, 2013 4:38 PM, Richard Brooks r...@acm.org wrote:
Some idle thoughts:
Edward Snowden
Bradley Manning
Julian Assange
Gen. Hayden
Jacob or Nadim
On
On 8/12/13 1:45 PM, Sarah A. Downey wrote:
Ashton Kutcher has talked publicly multiple times about the value of
privacy, both in his personal life and as an investor.
He made some comments today that were sort of unfortunate in that area.
On 12/08/13 at 02:58pm, Francisco Ruiz wrote:
Thanks for a thoughtful and extensive reply. Let me see if I'm
understanding your position correctly.
[snip, snip, snip]
So, trusting the OS but not trusting the browser seems to me a curious case
of double standard. They are made by the same
Prior to XKeyscore, the work of the NSA analysts was comparable with Forrest
Gump on his shrimping boat off the coast of Alabama, reads the report from
Griesheim. From the ocean of data, the report reads, the analysts pulled in a
boot, a toilet seat, seaweed, and, there they are . three shrimp!
On 08/12/2013 04:32 PM, Francisco Ruiz wrote:
Quick request.
In comments to a recent post, people seemed to agree that
publishing a video of someone reading a hash might be a fairly
hard-to-hack way to deliver that hash to the public, and thus
assure the authenticity of a piece of code, a
Dear professor Ruiz.
The real issue is to create an *easy* way to do hash validation
correctly. Reading a hash on youtube is not going to make it.
You use HTTPS without DNSSEC and DANE. Please use those first. It solves
a lot of your server validation issues. At least it allows your users'
Cory Doctorow
- sent from my phone.
On Aug 12, 2013 9:33 PM, Francisco Ruiz r...@iit.edu wrote:
Quick request.
In comments to a recent post, people seemed to agree that publishing a
video of someone reading a hash might be a fairly hard-to-hack way to
deliver that hash to the public,
-Original Message-
From: dewayne-...@warpspeed.com [mailto:dewayne-...@warpspeed.com] On Behalf
Of Dewayne Hendricks
Sent: Tuesday, August 13, 2013 4:32 AM
To: Multiple recipients of Dewayne-Net
Subject: [Dewayne-Net] Are Hackers the Next Bogeyman Used to Scare Americans
Into Giving Up
I'm sorry but aren't we spending a lot of time conflating code
quality, secure coding practices, software distribution, .. with
~JavaScript in a browser~?
There are alternate pathways, signed and delivered as a Dashboard
widget via the Apple App Store for example.
I'm not proposing ~that~ as
Online Certificate Course - TC105 : Mobiles for International Development
When: September 30 - October 25, 2013
Can mobile technology transform international development?
Mobile technology is everywhere and is being applied in different ways
across the world from financial services, public
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Francisco,
On 08/12/2013 10:04 PM, Francisco Ruiz wrote:
Hey Arjen, you make a huge point. Unfortunately the Netherlands
aren't any better this way, are they?
They are not, being a fully signed up member of the Coalition of the
Killing. And
So re Germany being the bastion of Internet freedom blah blah, are we all
forgetting about the Staatstrojaner?
Or have we forgiven them for that now?
On Tuesday, August 13, 2013, Arjen Kamphuis wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Francisco,
On 08/12/2013 10:04 PM,
On Mon, Aug 12, 2013 at 3:07 PM, Ali-Reza Anghaie a...@packetknife.com wrote:
I'm sorry but aren't we spending a lot of time conflating code
quality, secure coding practices, software distribution, .. with
~JavaScript in a browser~?
I think the title of the thread has a lot to do with that.
Nice idea. I would use a trusted timestamp instead of a headline, but
anyway. What do you think, should I do this for torservers.net/onion.to?
http://www.rsync.net/resources/notices/canary.txt
rsync.net will also make available, weekly, a warrant canary in the
form of a cryptographically signed
Hi,
Thank you EFF for the well-written reminder:
https://www.eff.org/deeplinks/2013/08/google-fiber-continues-awful-isp-tradition-banning-servers
[...] No ISP will come forward with a tighter definition of “server”
because they want to give themselves leeway to ban users and
technologies that
The problem with occasionally looking at Huffington Post is that I'm
subjected to such things...
Matt Damon:
*He broke up with me, the Elysium star said. There are a lot of things
that I really question, you know: the legality of the drone strikes, and
these NSA revelations they’re, you know,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08/13/2013 12:48 AM, Tom O wrote:
So re Germany being the bastion of Internet freedom blah blah, are
we all forgetting about the Staatstrojaner?
No we are not. But the difference between Germany and many other
countries is the outrage and
Libtech,
Some of you might be interested in the latest Small Media Infrastructure
report, which covers the time between election day and inauguration. Unlike
the prior report, which was heavily technical, this iteration largely
focuses on the vibrant policy discussion happening around the state
Francisco, you assume that all browsers will save a static version of the
page identically. This is not the case.
I ran a test using 'wget https://passlok.site44.com' and Chrome's Save
As. The former will actually match the hash value you've posted, but the
latter does not.
I spotted at least 5
I didn't know LibTech had become the PassLok development mailing list.
On Mon, Aug 12, 2013 at 6:26 PM, Collin Anderson
col...@averysmallbird.com wrote:
The problem with occasionally looking at Huffington Post is that I'm
subjected to such things...
Matt Damon:
He broke up with me, the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08/13/2013 01:58 AM, Tom O wrote:
That's not a good enough reason to trust Germany.
And I don't. I trust the German people to stand up when it counts.
Because they know the consequence of failing to do so.
Ensuring privacy is not a requirement
Penn Jillette
On Mon, Aug 12, 2013 at 1:32 PM, Francisco Ruiz r...@iit.edu wrote:
Quick request.
In comments to a recent post, people seemed to agree that publishing a
video of someone reading a hash might be a fairly hard-to-hack way to
deliver that hash to the public, and thus assure the
Moritz Bartl:
Nice idea. I would use a trusted timestamp instead of a headline, but
anyway. What do you think, should I do this for torservers.net/onion.to?
http://www.rsync.net/resources/notices/canary.txt
rsync.net will also make available, weekly, a warrant canary in the
form of a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
BBC Blogs (Aug 8) - BUGGER: Maybe The Real State Secret Is That Spies
Aren't Very Good At Their Jobs and Don't Know Very Much About The
World by Adam Curtis:
http://www.bbc.co.uk/blogs/adamcurtis/posts/BUGGER
It's really nice to see Adam Curtis
Spideroak claims to use client-side encryption for desktop client but
does not use zero-knowledge password proof for mobile Apps or website
portal.
In light of Lavabit, spideroak could also be forced to intercept password if
users ever use mobile Apps or website login while being gagged. Then
Percy
From https://spideroak.com/mobile
How Mobile Works with SpiderOak’s Zero Knowledge Policy
Here's the deal: when accessing your data via the SpiderOak website or on a
mobile device you must enter your password. The password will then exist in
the SpiderOak server memory for the duration
@Tom, For this amount of time your password is stored in encrypted memory
but to actually use the key, the key has to be in plain-text form for
some time, during which it can be (forced to be) intercepted.
If they can force Lavabit to intercept users' emails, why can't they ask
spideroak to secretly
@Tony, they claim to use zero-knowledge password proof for desktop client,
but not for mobile or website. I wonder why, not accepted by App Store?
--
Liberationtech is a public list whose archives are searchable on Google.
Violations of list guidelines will get you moderated:
On Tue, Aug 13, 2013 at 1:35 AM, Percy Alpha percyal...@gmail.com wrote:
@Tom, For this amount of time your password is stored in encrypted
memory but to actually use the key, the key has to be in plain-text form
for some time, during which it can be (forced to be) intercepted.
If they can force
On Mon, Aug 12, 2013 at 10:36 PM, Percy Alpha percyal...@gmail.com wrote:
@Tony, they claim to use zero-knowledge password proof for desktop client,
but not for mobile or website. I wonder why, not accepted by App Store?
Can you please link specifically to what you're talking about? Their
I'm not saying they can't. I'm saying they acknowledge it, although the way
they do makes it seem as if it's a non-issue.
I don't think it is.
I prefer tahoe-lafs
On Tue, Aug 13, 2013 at 3:35 PM, Percy Alpha percyal...@gmail.com wrote:
@Tom, For this amount of time your password is stored in