[cryptography] Cypherpunks mailing list
The original Cypherpunks mailing list seems dead. Is there any list that it's successor? -- Tony Arcieri ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Cypherpunks mailing list
Yeah but that is basically zero traffic, and I suspect in large part because its a silly domain that people who dislike inviting their addition to a watch-list will avoid. Maybe someone with a more neutral domain could try it - or a cypherpunks.* domain if they have a listserv handy. Adam On Mon, Mar 25, 2013 at 08:59:43AM +0100, Eugen Leitl wrote: On Mon, Mar 25, 2013 at 12:46:49AM -0700, Tony Arcieri wrote: The original Cypherpunks mailing list seems dead. Is there any list that it's successor? De facto it's cypherpu...@al-qaeda.net ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] msft skype IM snooping stats PGP/X509 in IM?? (Re: why did OTR succeed in IM?)
Ever since Microsoft bought the company, these rumors have been floating around. I have yet to see any real evidence. Here are the two best articles I've seen: https://www.nytimes.com/2013/02/25/technology/microsoft-inherits-sticky-data-collection-issues-from-skype.html http://paranoia.dubfire.net/2012/07/the-known-unknows-of-skype-interception.html Both point out reasons for concern, but there's still no *evidence*. Yes, I've not seen what we might call substantial evidence. But I am uncomfortable with demanding it, before concluding. I propose that in the presence of secrecy, the burden of proof switches to Microsoft to show that they are not doing it. Longer answer (rant for the day!). The question that is at hand is: what does a reasonable person conclude in these circumstances? If we have the evidence, then it is reasonable to assume that Microsoft has done the backdooring, and it is open for various parties to use abuse. And maybe they'll govern it accordingly, because we know, and they would be keen to show it. On the other hand, *if we do not have the evidence* , is it then reasonable to assume that Microsoft is *not in possession of the backdoor key* and cannot abuse our comms? Microsoft are not stating they are not doing it, and are hoping we believe that this means they are not. I suggest this lacks credibility, indeed it borders on vexatious behaviour. Let me digress to the CA industry. For many years they were selling sub-CAs to corporates, and not telling anyone [0]. Amongst other things, the sub-CAs were variously claimed to be outside their CPS, not their responsibility, not their audit jurisdiction, and even explicitly sold for local MITM purposes. I can't be precise because ... I haven't the evidence. This was a nice little earner, but they could only do this because there was a lid of secrecy over their entire affairs. In the policy and open governance side [1] we were naive to this situation, literally because we had no evidence. And the lack of evidence was what enabled them to do it. We were frequently reminded that accusations without evidence were not acceptable. Once evidence surfaced we were able to work through it (in the public policy list, albeit slowly and against the resistance of the CAs) and reach a conclusion that the practice should be banned. We were able to maintain the pressure to get that practice dropped. It might seem obvious, but every step of the way was fraught with resistance and opposition, and still layered under multiple blankets of secrecy. We still don't know who was doing it (except for the one CA that admitted it in one instance). To conclude, Microsoft (as well as Google and Apple) maintains a blanket of secrecy over its operations. Same with its Skype operations. While such a policy of secrecy is in place, I think a call for evidence fails. IMHO, it is reasonable to conclude that Microsoft can and will and probably has backdoored Skype [2]. In the presence of secrecy, the burden of proof switches to Microsoft to show us that it is not backdooring Skype [3]. iang [0] For those familiar with the finance industry, there are SEC rules that all messages must be recorded. Which is to say, there are even reasonable business cases to support compulsive MITMing. Why then the secrecy? [1] I spent a long time with Mozilla and CAcert. I don't know what other vendors thought about it. Secrecy, again. [2] What is left is the question of how well they will govern it. For this reason, the disclosures on law enforcement access is very welcome. It is indeed far more comforting to see things out in the open air. Now, we know that these players -- google and microsoft -- are receiving multiple thousand requests for assistance, and cooperating. Now, I think it is reasonable to conclude that the players are governing the process well. [3] Postscript on the CAs. They present no such disclosures over law enforcement activity, and they maintain secrecy. What then is reasonable to conclude? http://www.financialcryptography.com/mt/archives/000206.html ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Keyspace: client-side encryption for key/value stores
On 23 March 2013 16:21, danimoth danim...@cryptolab.net wrote: On 21/03/13 at 03:07am, Jeffrey Walton wrote: Linux has not warmed up to the fact that userland needs help in storing secrets from the OS. http://standards.freedesktop.org/secret-service/ but maybe I have misunderstood your statement. Does anything implement this service? BTW, a colleague and I are working on improving the state of secret storage on Linux (and other free OSes), particularly using the TPM, but also in general, so I'm quite interested in suggestions :-) ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Apple Keychain (was Keyspace: client-side encryption for key/value stores)
Paul Walker p...@blacksun.org.uk writes: I'm curious which bits you feel Apple got right with the Keychain - not because I disbelieve you, but because I don't know. :-) Have you got any links or documents, either for what they did right or for what the others do wrong? Link sent off-list. Another nice thing Apple have done, which no-one else has managed so far, is to get people to actively use the Keychain API and capabilities. When was the last time you saw an app (not produced by Microsoft or part of the Gnome desktop) that used DPAPI or the Gnome Keyring? Peter. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Keyspace: client-side encryption for key/value stores
danimoth wrote: On 21/03/13 at 03:07am, Jeffrey Walton wrote: Linux has not warmed up to the fact that userland needs help in storing secrets from the OS. http://standards.freedesktop.org/secret-service/ but maybe I have misunderstood your statement. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography From Chapter 10. What's not included in the API: The service may choose to implement any method for locking secrets. Back to the core difficulty! Security by management exhaustion (the time we discuss this vs others ...). -- - Thierry Moreau CONNOTECH Experts-conseils inc. 9130 Place de Montgolfier Montreal, QC, Canada H2M 2A1 Tel. +1-514-385-5691 ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Keyspace: client-side encryption for key/value stores
On 25/03/13 16:51 PM, Thierry Moreau wrote: Security by management exhaustion (the time we discuss this vs others ...). We need a committee! They're inexhaustible! iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] mTLS: miTLS is a verified reference implementation of the TLS protocol
miTLS is a verified reference implementation of the TLS protocolhttp://tools.ietf.org/html/rfc5246. Our code fully supports its wire formats, ciphersuites, sessions and connections, re-handshakes and resumptions, alerts and errors, and data fragmentation, as prescribed in the RFCs; it interoperates with mainstream web browsers and servers. At the same time, our code is carefully structured to enable its modular, automated verification, from its main API down to computational assumptions on its cryptographic algorithms. http://mitls.rocq.inria.fr/ --- Look interesting, so i post here Best Regards ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Apple Keychain (was Keyspace: client-side encryption for key/value stores)
[Posted to list only] On 2013-03-25, at 8:02 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Another nice thing Apple have done, which no-one else has managed so far, is to get people to actively use the Keychain API and capabilities. I just looked in my login (default) OS X Keychain for Application Passwords that aren't from Apple supplied applications. I found 27 distinct applications used. (I suspect that I also have a bunch of Login Passwords that are tied to non-Apple applications as well, but don't have a convenient way to count these). The first versions of 1Password (the password management software I've involved with) used the OS X Keychain for the site passwords we stored. (There were reasons why we moved away from the OS X keychain, most notably because MobileMe syncing of keychains wasn't reliable). It used a distinct Keychain from the user's login Keychain. In later versions of 1Password we used the OS X keychain only for the purposes that Keyspace seems designed for. We had different components that needed to talk to each other security (The stuff that ran the browser plug-ins and the main application). So using the OS X Keychain to restrict some data to specific applications was a good solution for us. Now, with browser sandboxing and extension requirements, we can't use that same technique (we can't write pure JavaScript extensions that make use of the OS X Keychain, and so now use a websocket daemon running on localhost) and we want a solution that works across platforms. So something like Keyspace may be the sort of thing we will have to rely on. We are also looking at whitebox cryptography so that at least we will have some theory behind how good (or bad) our obfuscation is. Basically, we'd love to have access to something like the OS X Keychain everywhere. It worked, and we didn't have to develop our own techniques for managing secrets needed by multiple related applications. Cheers, -j –- Jeffrey Goldberg Chief Defender Against the Dark Arts @ AgileBits http://agilebits.com ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Cypherpunks mailing list
On Mon, Mar 25, 2013 at 05:13:57PM +0100, Moritz wrote: On 25.03.2013 09:25, Adam Back wrote: because its a silly domain that people who dislike inviting their addition to a watch-list will avoid. Isn't exactly that a nice property of a cypherpunks list? No it is not, it is a way to persuade people to leave, or not join the listserv. Maybe someone with a more neutral domain could try it - or a cypherpunks.* domain if they have a listserv handy. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a Cypherpunks Distributed Remailer [CDR], although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. Yes I know, but that badly named listserv is the last CDR. Adam ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Cypherpunks mailing list
On Mon, Mar 25, 2013 at 05:50:18PM +0100, Adam Back wrote: Isn't exactly that a nice property of a cypherpunks list? No it is not, it is a way to persuade people to leave, or not join the listserv. We have to agree to disagree on that one. A 'punk' of any kind will tend to thumb his nose at authorities. If they consider the name annoying, so much the better. Maybe someone with a more neutral domain could try it - or a cypherpunks.* domain if they have a listserv handy. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a Cypherpunks Distributed Remailer [CDR], although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. Yes I know, but that badly named listserv is the last CDR. I find the base is a very good name for a listserv. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Cypherpunks mailing list
Cyberpunk, cypherpunk, coderpunks... is all fine, I think people have understood the etymology of those terms after a few decades, negative connotations to some of 'punk' notwithstanding, a cypherpunk is a term for an area of interest or philosophy with a dictionary definition at this point. But my point actually was b...@al-qaeda.net??? Come on that is watch list bait and an invitation NOT to join list blah, whatever it is about. Adam On Mon, Mar 25, 2013 at 06:18:14PM +0100, Eugen Leitl wrote: On Mon, Mar 25, 2013 at 05:50:18PM +0100, Adam Back wrote: Isn't exactly that a nice property of a cypherpunks list? No it is not, it is a way to persuade people to leave, or not join the listserv. We have to agree to disagree on that one. A 'punk' of any kind will tend to thumb his nose at authorities. If they consider the name annoying, so much the better. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Cypherpunks mailing list
Well then start one up and show us how it's done Adam. Put your money where your mouth is. Adam Back a...@cypherspace.org wrote: On Mon, Mar 25, 2013 at 05:13:57PM +0100, Moritz wrote: On 25.03.2013 09:25, Adam Back wrote: because its a silly domain that people who dislike inviting their addition to a watch-list will avoid. Isn't exactly that a nice property of a cypherpunks list? No it is not, it is a way to persuade people to leave, or not join the listserv. Maybe someone with a more neutral domain could try it - or a cypherpunks.* domain if they have a listserv handy. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a Cypherpunks Distributed Remailer [CDR], although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. Yes I know, but that badly named listserv is the last CDR. Adam ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography -- -- -- -- -- Venimus, Vidimus, Dolavimus jamescho...@austin.rr.com jcho...@confusionresearchcenter.org rav...@ssz.com james.cho...@g.austincc.edu jchoate00...@gmail.com james.cho...@twcable.com h: 512-657-1279 w: 512-845-8989 http://hackerspaces.org/wiki/Confusion_Research_Center http://confusionresearchcenter.org http://arbornet.org (ravage) Adapt, Adopt, Improvise -- -- -- -- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Cypherpunks mailing list
Speaking as one of the two people who started that particular effort, it never quite worked out that way. Way too many TLAs, law suits, IRS visits, and those who read their own press releases to make it nearly as enjoyable as it sounds. Moritz mor...@headstrong.de wrote: On 25.03.2013 09:25, Adam Back wrote: because its a silly domain that people who dislike inviting their addition to a watch-list will avoid. Isn't exactly that a nice property of a cypherpunks list? Maybe someone with a more neutral domain could try it - or a cypherpunks.* domain if they have a listserv handy. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a Cypherpunks Distributed Remailer [CDR], although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. --Mo ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography -- -- -- -- -- Venimus, Vidimus, Dolavimus Adapt, Adopt, Improvise -- -- -- -- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Cypherpunks mailing list
On Mon, Mar 25, 2013 at 1:25 AM, Adam Back a...@cypherspace.org wrote: Yeah but that is basically zero traffic, and I suspect in large part because its a silly domain that people who dislike inviting their addition to a watch-list will avoid. i like it. waiting for the day they accept donations and i can provide material support to al-qaeda... ;) ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Cypherpunks mailing list
* Adam Back schrieb am 2013-03-25 um 09:25 Uhr: Maybe someone with a more neutral domain could try it - or a cypherpunks.* domain if they have a listserv handy. Our local hackerspace uses a rather neutral address: URL:https://list.lstsrv.org/ We could also host the Cypherpunks list, if you like. However here is no Majordomo running (and probably never will be). As far as I see it the list doesn't use the distributed feature, so switching to Mailman should not be a hard problem. If you like a more on topic domain I could setup a mailing list at anonymitaet-im-inter.net. ;) This is german for »anonymity on the internet«. The site hosts at the moment only a Mixmaster node. -- Jens Kubieziel http://www.kubieziel.de Wo die Zivilcourage keine Heimat hat, reicht die Freiheit nicht weit. Willy Brandt signature.asc Description: Digital signature ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] New mailing list for crypto politics/non-tech (Was: Cypherpunks mailing list)
I just created a new mailman list https://lists.randombit.net/mailman/listinfo/cryptopolitics as a venue for discussions that would normally go to cypherpunks but hasn't because of the name or spam or whatever reason, and which are off topic for this list so haven't happened here. As with this list, postings allowed only by subscribers, strong attempt at automated spam control but no human moderation. Enjoy. Jack On Mon, Mar 25, 2013 at 07:03:04PM +0100, Adam Back wrote: Cyberpunk, cypherpunk, coderpunks... is all fine, I think people have understood the etymology of those terms after a few decades, negative connotations to some of 'punk' notwithstanding, a cypherpunk is a term for an area of interest or philosophy with a dictionary definition at this point. But my point actually was b...@al-qaeda.net??? Come on that is watch list bait and an invitation NOT to join list blah, whatever it is about. Adam On Mon, Mar 25, 2013 at 06:18:14PM +0100, Eugen Leitl wrote: On Mon, Mar 25, 2013 at 05:50:18PM +0100, Adam Back wrote: Isn't exactly that a nice property of a cypherpunks list? No it is not, it is a way to persuade people to leave, or not join the listserv. We have to agree to disagree on that one. A 'punk' of any kind will tend to thumb his nose at authorities. If they consider the name annoying, so much the better. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Cypherpunks mailing list
On Mon, Mar 25, 2013 at 07:03:04PM +0100, Adam Back wrote: But my point actually was b...@al-qaeda.net??? Come on that is watch list Of course it is pure watch list bait. That's the point. bait and an invitation NOT to join list blah, whatever it is about. If you think it's a deterrent, then it's not the right list to join, anyway. I think I should be on any watch list known to man, if not, they've been asleep at the wheel. And it would be self-DoS, which is precisely the point. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Cypherpunks mailing list
On Mon, 2013-03-25 at 21:28 +0100, Eugen Leitl wrote: On Mon, Mar 25, 2013 at 07:03:04PM +0100, Adam Back wrote: But my point actually was b...@al-qaeda.net??? Come on that is watch list Of course it is pure watch list bait. That's the point. bait and an invitation NOT to join list blah, whatever it is about. If you think it's a deterrent, then it's not the right list to join, anyway. I think I should be on any watch list known to man, if not, they've been asleep at the wheel. And it would be self-DoS, which is precisely the point. I think the name of the recently-created list aptly demonstrates this point: crypto-politics, not cypherpunk. They're decidedly different meme pools: one produces key escrow, the other produces Wikileaks and OpenPGP. -- Sent from Ubuntu signature.asc Description: This is a digitally signed message part ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] New mailing list for crypto politics/non-tech (Was: Cypherpunks mailing list)
On 2013-03-26 6:21 AM, Jack Lloyd wrote: I just created a new mailman list https://lists.randombit.net/mailman/listinfo/cryptopolitics as a venue for discussions that would normally go to cypherpunks but hasn't because of the name or spam or whatever reason, and which are off topic for this list so haven't happened here. You don't have cryptopolitics unless the government is trying to ban stuff. Current bans focus on bitcoins and file sharing. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] New mailing list for crypto politics/non-tech (Was: Cypherpunks mailing list)
2013/3/25 James A. Donald jam...@echeque.com You don't have cryptopolitics unless the government is trying to ban stuff. Current bans focus on bitcoins and file sharing. To politics there is more than the destructive side. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] New mailing list for crypto politics/non-tech (Was: Cypherpunks mailing list)
Lodewijk andré de la porte l...@odewijk.nl wrote: To politics there is more than the destructive side. That is the funniest thing I've read in a long while. You sir don't have a drop of Cypherpunk blood in your body. -- -- -- -- -- Venimus, Vidimus, Dolavimus jamescho...@austin.rr.com jcho...@confusionresearchcenter.org rav...@ssz.com james.cho...@g.austincc.edu jchoate00...@gmail.com james.cho...@twcable.com h: 512-657-1279 w: 512-845-8989 http://hackerspaces.org/wiki/Confusion_Research_Center http://confusionresearchcenter.org http://arbornet.org (ravage) Adapt, Adopt, Improvise -- -- -- -- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] New mailing list for crypto politics/non-tech (Was: Cypherpunks mailing list)
Can we slowly move back to crypto on this list, and discuss politics and cypherpunk or whatever definitions on the new one? On 26.03.2013 06:19, James A. Donald wrote: Politics is collective decision making. Cypherpunk is opposed to collective decision making. Definition of POLITICS [Merriam-Webster] 1 a : the art or science of government b : the art or science concerned with guiding or influencing governmental policy c : the art or science concerned with winning and holding control over a government 2 : political actions, practices, or policies 3 a : political affairs or business; especially : competition between competing interest groups or individuals for power and leadership (as in a government) b : political life especially as a principal activity or profession c : political activities characterized by artful and often dishonest practices 4 : the political opinions or sympathies of a person 5 a : the total complex of relations between people living in society b : relations or conduct in a particular area of experience especially as seen or dealt with from a political point of view ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] New mailing list for crypto politics/non-tech (Was: Cypherpunks mailing list)
Actually, you're both wrong. Politics is a coping strategy we inherited from our social ancestors, nothing scientific or intelligent about it - it's an emotional behavior. http://www.google.com/#hl=engs_rn=7gs_ri=psy-abcp=13gs_id=1gxhr=tq=chimpanzee+politicses_nrs=truepf=psclient=psy-aboq=chimpanzee+pogs_l=pbx=1bav=on.2,or.r_qf.bvm=bv.44158598,d.b2Ifp=14b8b13aa4492d2cbiw=1751bih=873 Moritz mor...@headstrong.de wrote: Can we slowly move back to crypto on this list, and discuss politics and cypherpunk or whatever definitions on the new one? On 26.03.2013 06:19, James A. Donald wrote: Politics is collective decision making. Cypherpunk is opposed to collective decision making. Definition of POLITICS [Merriam-Webster] 1 a : the art or science of government b : the art or science concerned with guiding or influencing governmental policy c : the art or science concerned with winning and holding control over a government 2 : political actions, practices, or policies 3 a : political affairs or business; especially : competition between competing interest groups or individuals for power and leadership (as in a government) b : political life especially as a principal activity or profession c : political activities characterized by artful and often dishonest practices 4 : the political opinions or sympathies of a person 5 a : the total complex of relations between people living in society b : relations or conduct in a particular area of experience especially as seen or dealt with from a political point of view ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography -- -- -- -- -- Venimus, Vidimus, Dolavimus jamescho...@austin.rr.com jcho...@confusionresearchcenter.org rav...@ssz.com james.cho...@g.austincc.edu jchoate00...@gmail.com james.cho...@twcable.com h: 512-657-1279 w: 512-845-8989 http://hackerspaces.org/wiki/Confusion_Research_Center http://confusionresearchcenter.org http://arbornet.org (ravage) Adapt, Adopt, Improvise -- -- -- -- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography