Deterministic compilation of Android applications would be a great step forward to provide some protection against forced insertion of backdoors into binaries. Not perfect, but helpful. Of course it doesn't help on Apple.
It would also be interesting to have a mechanism where you can ask an application serve up the compiled byte code for any class for remote verification. Of course this would be spoofable, but including the "real" byte code would bloat the application, which would be noticeable in the increased size of the class files. Actually, I am over-doing that. We could have a service where the android apps get compiled from public, auditable source code, and the APKs downloaded from the net or people's phones (to stop attacks forcing Google to do two-faced apk serving, with the "bad" apk going to phones, and the "good" apk going to the audit server). Then compare the compiled classes and resource files to look for any differences. Has the advantage that it would reveal any naughty insertions. Would these be useful things? Paul. On Tue, Feb 10, 2015 at 1:22 AM, Patrick Connolly < [email protected]> wrote: > This is great! Thanks, Nick! > > Related to your comment, Tim, it might be informative if the watermarks of > the endorsers at the bottom of the "about" page were also near the top of > the front. It seems the partners could be more visible on page one to give > the whole project more weight. > > I've cc'd canary watch, as I'm not 100% sure Nick is on this list. > > -------------------------------------------- > Q: Why is this email [hopefully] five sentences or less? | A: > http://five.sentenc.es > > NOTE that my incoming emails are delayed from arriving in my inbox until > 9am daily. If you need to reach me sooner, please use other means of > getting in touch. #slowwebmovement > On Feb 9, 2015 5:31 AM, "Hans-Christoph Steiner" < > [email protected]> wrote: > >> >> I imagine EFF, Harvard Law's Berkman Center, and NYU Law had some really >> good >> lawyers look at this before they endorsed it ;-) It is uncharted >> territory to >> some degree, in terms of courts. But it sounds like those lawyers >> forming a >> posse in case this does go to court. >> >> Also, for those who don't know, Nick Merrill, the man behind Calyx, was >> the >> plaintiff in Doe v. Ashcroft, which challenged the legality of aspects of >> National Security Letters (NSLs): >> https://en.wikipedia.org/wiki/Nicholas_Merrill >> >> I can't really imagine a better legal team behind this effort. I suppose >> they >> are missing an ACLU endorsement... >> >> .hc >> >> Tim Bray: >> > I almost don’t want to show this to others because of the alphabetical >> > ordering putting 8chan prominently at the top… Also I’d like to hear >> some >> > really good lawyers take up the question of whether these things >> actually >> > work. But interesting, thanks. >> > >> > On Sat, Feb 7, 2015 at 1:20 AM, Hans-Christoph Steiner < >> > [email protected]> wrote: >> > >> >> >> >> Looks like our man Nick has vetted the warrant canary idea and thinks >> its >> >> worth doing: >> >> >> >> https://canarywatch.org/ >> >> >> >> At the very least, there are a bunch of lawyers behind it (EFF, >> Berkman, >> >> NYU >> >> Law), so hopefully they'll be willing to offer their services if it >> comes >> >> to it. >> >> >> >> .hc >> >> >> >> -- >> >> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81 >> >> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81 >> >> >> >> _______________________________________________ >> >> Guardian-dev mailing list >> >> >> >> Post: [email protected] >> >> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev >> >> >> >> To Unsubscribe >> >> Send email to: [email protected] >> >> Or visit: >> >> >> https://lists.mayfirst.org/mailman/options/guardian-dev/tbray%40textuality.com >> >> >> >> You are subscribed as: [email protected] >> >> >> > >> > >> > >> >> -- >> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81 >> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81 >> _______________________________________________ >> Guardian-dev mailing list >> >> Post: [email protected] >> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev >> >> To Unsubscribe >> Send email to: [email protected] >> Or visit: >> https://lists.mayfirst.org/mailman/options/guardian-dev/patrick.c.connolly%40gmail.com >> >> You are subscribed as: [email protected] >> > > _______________________________________________ > Guardian-dev mailing list > > Post: [email protected] > List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev > > To Unsubscribe > Send email to: [email protected] > Or visit: > https://lists.mayfirst.org/mailman/options/guardian-dev/paul%40servalproject.org > > You are subscribed as: [email protected] > >
_______________________________________________ Guardian-dev mailing list Post: [email protected] List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: [email protected] Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com You are subscribed as: [email protected]
