VeraCrypt Trustworthiness?

2014-11-30 Thread Fabio Pietrosanti (naif) - lists
Yo,

a friendly human rights lawyer just asked me for an opinion on
VeraCrypt's trustworthiness.

I never heard about such a project: https://veracrypt.codeplex.com/

Does the community have any criticism or favorable opinion about it, in
place of TrueCrypt?

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - 
https://ahmia.fi



Re: GoldBug SF projects [was: Bittorrent Bleep]

2014-09-24 Thread Fabio Pietrosanti (naif)
On 9/24/14, 12:51 AM, grarpamp wrote:
> Saw your arguments on the deletion page and figured you would like to
> be aware of these issues as well.

The time has come: after a few years of such very likely malicious/suspicious
activities, we have to strike back.

Kudos moritz!

Is it worth making a small website to clearly put all of that
information together in a collaborative way, published online?

The only way such suspicious projects will be able to recover is by being
transparent about who they are, who pays them, and what their goal is ;)

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org



SHA-7 crypto patented by Italian Postal Service

2014-03-19 Thread Fabio Pietrosanti (naif)
LOL - LOL - LOL - LOL - LOL

On the Italian government innovation portal, a patent by the Italian
Postal Service on SHA-7 has been published:
The encryption SHA-7 allows to generate a unique “message digest” 

LOL reading on http://italiainnovatori.gov.it/en/innovations/sha-7-2/

-naif


Re: Dark Mail Alliance for end-to-end private and secure email

2013-10-31 Thread Fabio Pietrosanti (naif)
On 10/31/13 9:50 AM, coderman wrote:
> darkmail.info: end-to-end encrypted protocol and architecture ...
> [for] private and secure email, presumably a white paper is
> forthcoming. initial release anticipated in 2014.

The best tweet I saw about this initiative:
"Guess which crypto company actually showed its brand new encrypted
email spec to journalists before other cryptographers? One guess."

I think that we should consider updating the so-called Snake Oil
Encryption mis-practices by carefully considering how Crypto
Practices can be abused for marketing stunt purposes, while effectively
focusing on deploying a walled garden.

-naif


[liberationtech] Defeating massive wiretapping with opportunistic, unauthenticated encryption in HTTP ?

2013-10-28 Thread Fabio Pietrosanti (naif)
Greetings,

thinking about how to practically challenge the massive wiretapper
(intercepting on telecommunication lines/fibers/internet exchanges),
there is a general acceptance that opportunistic encryption systems
could be a good approach.

To protect against massive wiretapping of SMTP email that's the approach
already discussed here:
https://mailman.stanford.edu/pipermail/liberationtech/2013-August/011130.html

To protect against massive wiretapping of HTTP traffic, the general
understanding is to use HTTPS.

However, HTTPS has several serious drawbacks:
- The owner of a website has to pay more for the security of its
web-clients (buy a digital certificate)
- The owner of a website has to pay more for the hosting of an HTTPS
site vs. an HTTP site
- If the owner of a website doesn't pay more, the end-user browser receives a
BIG SECURITY WARNING (self-signed certificate)

For the reasons previously identified, the HTTPS approach is still very
valuable but it does not scale up to protect against a massive wiretapper
intercepting HTTP.

The idea is to fix this problem by creating a technology that enables
opportunistic encryption of all data exchanged (via AJAX) by modern
JavaScript applications by leveraging unauthenticated TLS with DHE
ciphers (providing Perfect Forward Secrecy).

This could be realized by providing a thin layer of integration into
any existing JavaScript application to wrap the XHR/Ajax requests,
proxying them through a JavaScript TLS client, with some server-side code
acting as a gateway/minimal TLS implementation working within an HTTP in
HTTP tunnelling model.

If a technology like that existed, it would be possible to integrate
it as part of WordPress or Django or other commonly used web
frameworks/technologies.

This would provide by default unauthenticated TLS encryption for most of
its web traffic, with perfect forward secrecy, without HTTPS.

I tried to summarize the idea on the Forge (Javascript TLS stack) github
issue at https://github.com/digitalbazaar/forge/issues/84 .

I know that this kind of argument attracts crypto-trolling (JavaScript
encryption and Unauthenticated encryption and Opportunistic
encryption) but I think that it's worth discussing because it could be
a revolutionary approach to challenge massive wiretapping.

What do various people think about this approach?
 

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org

-- 
Liberationtech is public  archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.
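
The tunnelling model described in the message above, as an added example that is not part of the original post and is not Forge code. It assumes Node.js's built-in `crypto` module, and uses an ephemeral finite-field DH exchange plus AES-256-GCM as a simplified stand-in for the TLS handshake and record layer; all function names and the sample request are constructed for illustration.

```javascript
const crypto = require('crypto');

// Fresh (ephemeral) finite-field DH key pair per session: the "DHE" part.
function newEphemeral() {
  const dh = crypto.getDiffieHellman('modp14'); // RFC 3526 2048-bit group
  dh.generateKeys();
  return dh;
}

// Both sides derive the same AES-256 key from the DH shared secret.
function sessionKey(dh, peerPublic) {
  const shared = dh.computeSecret(peerPublic);
  const okm = crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'xhr-tunnel-demo', 32);
  return Buffer.from(okm);
}

// Browser side: encrypt an inner HTTP message into the body of an outer plain-HTTP request.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Gateway side: returns the inner message, or throws if the body was modified.
function unseal(key, body) {
  const raw = Buffer.from(body, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

function demo() {
  const browser = newEphemeral(), gateway = newEphemeral();
  // Only the public values cross the wire, in clear text. No certificate vouches
  // for either one, so this covers a passive wiretapper only, not an in-path
  // party that replaces them.
  const kBrowser = sessionKey(browser, gateway.getPublicKey());
  const kGateway = sessionKey(gateway, browser.getPublicKey());
  const inner = 'GET /api/messages HTTP/1.1\r\nHost: example.test\r\n\r\n'; // constructed
  const outerBody = seal(kBrowser, inner);
  const damaged = Buffer.from(outerBody, 'base64');
  damaged[damaged.length - 1] ^= 1; // simulate modification in transit
  let tamperRejected = false;
  try { unseal(kGateway, damaged.toString('base64')); } catch (e) { tamperRejected = true; }
  return { keysMatch: kBrowser.equals(kGateway), inner, outerBody,
           recovered: unseal(kGateway, outerBody), tamperRejected };
}
```

Because each session uses new DH key pairs that are discarded afterwards, recording the outer HTTP traffic and later obtaining a server-side long-term secret does not reveal past session keys, which is the forward-secrecy property the message refers to.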


Mailing list format with Subject Tagging

2013-09-21 Thread Fabio Pietrosanti (naif)
Hi all,

I would suggest starting to tag the Subject for all the messages
going through the cypherpunks mailing list.

It really helps in spooling and organizing emails in everybody's inbox.

Mailman does that by default, pre-pending [ListName] in the Subject line.

I'd love it.

-naif