Re: EncFS
Thus spake cypherpunk ([EMAIL PROTECTED]) [28/04/05 18:48]:
: A remailer posted about EncFS. Gerow quoted the first paragraph and
: added the criticism that it doesn't do locking. Dixon saw the quoted
: first paragraph, which said that the link to the program was "below".
: And indeed, it was below, in the first message from the remailer. It
: included this link, http://arg0.net/users/vgough/encfs.html. But Dixon
: apparently didn't understand the notion of quoting partial messages in
: a mailing list conversation. He just saw the part about the link being
: "below", and in Gerow's message there was no such link. So he
: complained: there was nothing "below". But Gerow misunderstood, he
: thought Dixon was commenting about EncFS's locking mechanisms. So Gerow
: responded as below, adding to the confusion.

In my defense, I assumed a baseline of understanding when it comes to public lists. The last thing I expected was him to quote /me/ and complain about something that someone /else/ had said, when it was all painfully obvious from the first message.

I guess I just won't assume that around here anymore.

: Honestly, I don't know how you people generate enough brain power to
: keep yourselves alive.

Breathing comes automatically. No thought required.
Re: [Politech] Thumbprinting visitors at the Statue of Liberty (fwd from declan@well.com)
On 2005-04-28T15:37:19-0700, cypherpunk wrote:
> > Matthew's snapshots: one
> > (http://www.boingboing.net/images/Liberty-Locker-Thumbs-2.jpg), two
> > (http://www.boingboing.net/images/Liberty-Locker-Thumbs1.jpg).
>
> If this were really as much of a conspiracy as people are making it
> out to be, wouldn't it make sense to ask for THUMB prints? That's what
> the subject line says, and that's what the titles of the two jpeg
> files are. But if you look at the pictures, they plainly ask for the
> right index finger.

I doubt the machine cares which finger visitors use. Since most people in this country are functionally illiterate, the average visitor may well present a thumb rather than an index finger.
Re: [IP] more on Privacy tip: be wary of Google's "personal history" feature [priv] (fwd from dave@farber.net)
The question is, with regard to Google, does turning "personal history" on or off make a difference in what records they keep about your searches? Obviously if it's on they do keep records, but if you disable it or never turn it on, does that mean that they don't keep records? http://www.google.com/searchhistory/privacy.html says: "You can delete information from My Search History, and it will be removed from the service and no longer available to you. However, as is common practice in the industry, and as outlined in the Google Privacy Policy, Google maintains a separate logs system for auditing purposes and to help us improve the quality of our services for users." http://www.google.com/privacy.html says: "Google collects limited non-personally identifying information your browser makes available whenever you visit a website. This log information includes your Internet Protocol address, browser type, browser language, the date and time of your query and one or more cookies that may uniquely identify your browser. We use this information to operate, develop and improve our services." The bottom line seems to be that even with MSH turned off, Google will still record your IP address and cookie, presumably along with the search query you made. You can block Google cookies to help with this, and if you use a shared IP address then this will give you some privacy protection. Chances are that other search engines do the same thing. For real privacy, do as I do: use TOR or some other anonymizer, and either block cookies or use a separate browser altogether for anonymous browsing. CP
Re: EncFS
A remailer posted about EncFS. Gerow quoted the first paragraph and added the criticism that it doesn't do locking. Dixon saw the quoted first paragraph, which said that the link to the program was "below". And indeed, it was below, in the first message from the remailer. It included this link, http://arg0.net/users/vgough/encfs.html. But Dixon apparently didn't understand the notion of quoting partial messages in a mailing list conversation. He just saw the part about the link being "below", and in Gerow's message there was no such link. So he complained: there was nothing "below". But Gerow misunderstood, he thought Dixon was commenting about EncFS's locking mechanisms. So Gerow responded as below, adding to the confusion.

Honestly, I don't know how you people generate enough brain power to keep yourselves alive.

CP

On 4/28/05, Damian Gerow <[EMAIL PROTECTED]> wrote:
> Thus spake Jim Dixon ([EMAIL PROTECTED]) [28/04/05 09:41]:
> : > It also doesn't do locking.
> :
> : There was nothing "below".
>
> Someone I know just tried it out three days ago. He said it flat-out didn't
> 'lock' the files properly. It's got nothing to do with having something
> "below".
Re: [Politech] Thumbprinting visitors at the Statue of Liberty (fwd from declan@well.com)
> Matthew's snapshots: one
> (http://www.boingboing.net/images/Liberty-Locker-Thumbs-2.jpg), two
> (http://www.boingboing.net/images/Liberty-Locker-Thumbs1.jpg).

If this were really as much of a conspiracy as people are making it out to be, wouldn't it make sense to ask for THUMB prints? That's what the subject line says, and that's what the titles of the two jpeg files are. But if you look at the pictures, they plainly ask for the right index finger.

Thumbprints are widely used, drivers' licenses and banks often require them. If they wanted to be able to track average users, they would ask for thumb prints. But they're not.

The really funny thing is how people see what they expect to see. Isn't it strange to have these documents titled Thumbsx.jpg, when they ask for index finger prints? People are so ruled by their preconceptions that they actually blind themselves to what is directly in front of them. I hope no one on this list is so foolish as to put ideology ahead of reality.

CP
[Politech] Thumbprinting visitors at the Statue of Liberty (fwd from declan@well.com)
----- Forwarded message from Declan McCullagh -----

From: Declan McCullagh
Date: Thu, 28 Apr 2005 12:30:43 -0400
To: politech@politechbot.com
Subject: [Politech] Thumbprinting visitors at the Statue of Liberty
User-Agent: Mozilla Thunderbird 1.0 (Macintosh/20041206)

Previous Politech message:
http://www.politechbot.com/2005/04/28/arkansas-salon-requires/

-------- Original Message --------
Subject: BB: Thumbprinting visitors at Statue of Liberty
Date: Thu, 28 Apr 2005 08:37:14 -0700
From: Xeni Jardin <[EMAIL PROTECTED]>
To: 'Declan McCullagh'

Thumbprinting visitors at Statue of Liberty
http://www.boingboing.net/2005/04/28/thumbprinting_visito.html

Responding to yesterday's Boing Boing post about tanning salons and gyms that require users to submit to thumbprint ID, reader Matthew A. Dietzen of Chicago-Kent College of Law says:

= = = = = = = = = = = =

You might find these pictures of the Thumb-Scanning Lockers on Liberty Island, NYC interesting. In order to get to "Liberty" Island, you must first have your gear X-rayed by Wackenhut security goons. Then you ride to the island accompanied by Coast Guard types with German Shepherds. Once ashore, you are free to circle the island, take pictures of the statue, and buy overpriced Slurpees. However, in order to get inside the statue, you have to stow your gear in a locker... that requires you to use your fingerprint as a key!!! You can also pay with a credit card, that way if anyone hacks the machine, they can have your print AND your credit card information.

This must be in place to protect us from those Al Qaeda frogmen that are clever enough to swim ashore, but are too stupid to perform their dastardly deed at night where they can circumvent the locker bay by climbing the seemingly easy-to-climb wall. In all likelihood, it's probably to condition us into giving up our biometric information at every turn [As if biometrics could never be hacked...] so that security companies can make even more $$$, while we become more and more sheep-like each day.

In any case, I didn't go inside. However, later that day, I was falsely arrested near Ground Zero with 200 other people. I was a legal observer at the Republican National Conventions. First they said people could march, then they arrested them. They took us to Pier 57, and then the Tombs where we were laser-printed on ALL of our fingers with a SAGEM machine because we "might be terrorists." After denouncing us as anarchists and enemies of the state, the city dropped the charges [on our group anyway] a month later. The latest stories indicate that over 90% of the charges were dropped or found to be baseless. The police were also caught fabricating evidence.

= = = = = = = = = = = =

Matthew's snapshots: one (http://www.boingboing.net/images/Liberty-Locker-Thumbs-2.jpg), two (http://www.boingboing.net/images/Liberty-Locker-Thumbs1.jpg).

Previously: Arkansas salon requires thumbprint to get a tan (http://www.boingboing.net/2005/04/27/arkansas_salon_requi.html)

---
Xeni Jardin | www.xeni.net
* co-editor, BoingBoing.net
* correspondent: Wired Magazine, Wired News, NPR "Day to Day"
say: /SHEH-nee zhar-DAN/
Mailing list for updates: http://groups.yahoo.com/group/xeni-net/

___
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

----- End forwarded message -----

--
Eugen* Leitl http://leitl.org
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
zombied ypherpunks (Re: Email Certification?)
> I'm still having trouble understanding your threat model.

Just assume braindeath and it becomes obvious.

No tla with any dignity left would bother e-mail providers or try to get your password. All it needs to do is fill gforms and get access to tapped traffic at major nodes (say, 20 in US is sufficient?). Think packet reassembly -> filter down -> store everything forever -> google on demand.

Concerned about e-mail privacy? There is this obscure software called 'PGP', check it out. Too complicated? That's the good thing about evolution, not everyone makes it.

end (of original message)

Y-a*h*o-o (yes, they scan for this) spam follows:
__
Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
WARNING: VIRUS Detected
Your email to ([EMAIL PROTECTED]) with subject ( OI) was rejected because it contains a virus. Viruses found: Worm.Mydoom.AQ
Re: Email Certification?
No, the threat model was outlined in a previous post. Consider some "agency" that has lots of resources and technologies, but also doesn't particularly want local authorities or (for instance) hotmail to know what they are doing. In general, this is going to make their operation much less intrusive, lower cost (ie, due to not having to physically send people) as well as avoiding a lot of legal hassles due to paper trails.

So I guess what I'm looking for is a way to be quite certain that someone (aside from Hotmail admin) is opening, reading, and closing my email 'unobtrusively'. Of course, once such an effort is detected, said agency may decide to follow a more intrusive investigative path, but this has practical consequences.

My home alarm system is probably a better example. If NSA, for instance, is going to bother entering your house and setting up whatever, I'd bet they'd LOVE to not bother with the local security/alarm company, because then there's a paper trail, people who might be a friend of the surveilled, and other 'local' issues. They're definitely going to use their fancy gadgets, etc..., to bypass the alarm system while making the alarm company think everything's going just fine, or perhaps a battery has expired. In this case there'd be nothing to subpoena.

Therefore, if you suspect you're being surveilled, even if you can't secure anything you might want to secure, you can at least force them to commit legally actionable acts, or else force them to give up their 'phishing' expeditions.

-TD

From: Bill Stewart <[EMAIL PROTECTED]>
To: "Tyler Durden" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Email Certification?
Date: Wed, 27 Apr 2005 16:04:54 -0700

I'm still having trouble understanding your threat model. If you're talking about somebody who can get Hotmail's cooperation, e.g. cops or sysadmins, there's no way you can prevent them from doing anything they want to your incoming mail.

If you're worried about crackers guessing your password, then some web-based email systems automatically mark mail as read, some don't, some let you mark it, some let you remark it as unread. (I haven't ever used hotmail, and my cat stopped using it when the Child Online Protection Act required Hotmail to cancel accounts for anybody under 13 years old who didn't have parental permission, so the interface has probably changed since I last saw it.)

Are you worried specifically about Hotmail? You're mentioning using gmail to pre-filter your hotmail messages - gmail's going to have similar potential threats, except that it's probably better managed, and if you're going to send the mail to gmail anyway, why not just read it on gmail?

In general, if you've sent unencrypted email to an untrusted system, then you've got no way of knowing that it hasn't been read.

At 01:09 PM 4/27/2005, Tyler Durden wrote:

Oh...this post was connected to my previous one. Sorry...my ideas along these lines are still a little foggy but I'll try to articulate.

Basically, let's assume someone with some resources has cracked your email and wants to monitor what you send and receive. Let's also assume they don't want you to know it. Let's assume they also are not particularly thrilled about having hotmail know what they're up to (if needs be they can obtain a warrant, etc..., but this is clearly less than desirable compared to more direct techniques).

It seems fairly easy to me to (for instance) create a bot that duplicates all of the email and resends it to your hotmail account so that when you log in everything looks fresh and new. (There are probably easier ways to do this via direct hacks of hotmail).

Is there some way to make it evident that someone has opened your email? Right now, I can't think of anything you could do aside from suggesting that hotmail (or whoever) offer some kind of encryption service.

BUT, it occurs to me that you might be able to have gmail forward your mail to hotmail via some intermediate application you've set up that takes the timestamp and whatever and creates a hash.
Invitation to Montenegro, Italy, and Slovenia 2005; c/bb
Dear potential Speaker: On behalf of the organizing committee, I would like to extend a cordial invitation for you to attend one of the upcoming IPSI BgD multidisciplinary, interdisciplinary, and transdisciplinary conferences. The first one will take place in Sveti Stefan, Montenegro: IPSI-2005 MONTENEGRO Hotel Sveti Stefan (arrival: 1 October 05 / departure: 8 October 05) Deadlines: 1 May 05 (abstract) / 1 July 05 (full paper) The second one will take place in Venice, Italy: IPSI-2005 VENICE Hotel Luna Baglioni (arrival: 9 November 05 / departure: 14 November 05) Deadlines: 1 June 05 (abstract) / 1 August 05 (full paper) The third one will take place on the Bled lake, Slovenia: IPSI-2005 SLOVENIA Hotel Toplice (arrival: 8 December 05 / departure: 11 December 05) Deadlines: 1 July 05 (abstract) & 1 September 05 (full paper) All IPSI BgD conferences are non-profit. They bring together the elite of the world science; so far, we have had seven Nobel Laureates speaking at the opening ceremonies. The conferences always take place in some of the most attractive places of the world. All those who come to IPSI conferences once, always love to come back (because of the unique professional quality and the extremely creative atmosphere); lists of past participants are on the web, as well as details of future conferences. These conferences are in line with the newest recommendations of the US National Science Foundation and of the EU research sponsoring agencies, to stress multidisciplinary, interdisciplinary, and transdisciplinary research (M+I+T++ research). The speakers and activities at the conferences truly support this type of scientific interaction. 
One of the main topics of this conference is "E-education and E-business with Special Emphasis on Semantic Web and Web Datamining" Other topics of interest include, but are not limited to: * Internet * Computer Science and Engineering * Mobile Communications/Computing for Science and Business * Management and Business Administration * Education * e-Medicine * e-Oriented Bio Engineering/Science and Molecular Engineering/Science * Environmental Protection * e-Economy * e-Law * Technology Based Art and Art to Inspire Technology Developments * Internet Psychology If you would like more information on either conference, please reply to this e-mail message. If you plan to submit an abstract and paper, please let us know immediately for planning purposes. Note that you can submit your paper also to the IPSI Transactions journal. Sincerely Yours, Prof. V. Milutinovic, Chairman, IPSI BgD Conferences * * * CONTROLLING OUR E-MAILS TO YOU * * * If you would like to continue to be informed about future IPSI BgD conferences, please reply to this e-mail message with a subject line of SUBSCRIBE. If you would like to be removed from our mailing list, please reply to this e-mail message with a subject line of REMOVE.
Re: Email Certification?
I'm still having trouble understanding your threat model. If you're talking about somebody who can get Hotmail's cooperation, e.g. cops or sysadmins, there's no way you can prevent them from doing anything they want to your incoming mail.

If you're worried about crackers guessing your password, then some web-based email systems automatically mark mail as read, some don't, some let you mark it, some let you remark it as unread. (I haven't ever used hotmail, and my cat stopped using it when the Child Online Protection Act required Hotmail to cancel accounts for anybody under 13 years old who didn't have parental permission, so the interface has probably changed since I last saw it.)

Are you worried specifically about Hotmail? You're mentioning using gmail to pre-filter your hotmail messages - gmail's going to have similar potential threats, except that it's probably better managed, and if you're going to send the mail to gmail anyway, why not just read it on gmail?

In general, if you've sent unencrypted email to an untrusted system, then you've got no way of knowing that it hasn't been read.

At 01:09 PM 4/27/2005, Tyler Durden wrote:

Oh...this post was connected to my previous one. Sorry...my ideas along these lines are still a little foggy but I'll try to articulate.

Basically, let's assume someone with some resources has cracked your email and wants to monitor what you send and receive. Let's also assume they don't want you to know it. Let's assume they also are not particularly thrilled about having hotmail know what they're up to (if needs be they can obtain a warrant, etc..., but this is clearly less than desirable compared to more direct techniques).

It seems fairly easy to me to (for instance) create a bot that duplicates all of the email and resends it to your hotmail account so that when you log in everything looks fresh and new. (There are probably easier ways to do this via direct hacks of hotmail).

Is there some way to make it evident that someone has opened your email? Right now, I can't think of anything you could do aside from suggesting that hotmail (or whoever) offer some kind of encryption service.

BUT, it occurs to me that you might be able to have gmail forward your mail to hotmail via some intermediate application you've set up that takes the timestamp and whatever and creates a hash.
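The forwarding idea raised in this thread, sketched as an added example that is not code from any poster here: a forwarder seals each message with an HMAC over Message-ID, body and forwarding time, and a later audit flags copies that were re-sent, edited, or never passed the forwarder. The header name `X-Forward-Seal`, the five-minute delay bound and the provider-shown delivery times are assumptions, and the sample messages are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

SEAL_HEADER = "X-Forward-Seal"    # hypothetical header name
MAX_DELAY = timedelta(minutes=5)  # assumed forwarder-to-mailbox latency


def _tag(key, msg, sealed_at):
    # MAC over Message-ID, forwarding time and a digest of the body.
    digest = hashlib.sha256(msg.get_content().encode("utf-8")).hexdigest()
    data = "\n".join([msg["Message-ID"], sealed_at, digest]).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal(key, msg, now):
    """Forwarder side: stamp the message before passing it on."""
    sealed_at = format_datetime(now)
    msg[SEAL_HEADER] = f"{sealed_at}; {_tag(key, msg, sealed_at)}"
    return msg


def audit(key, mailbox):
    """Owner side: mailbox is [(message, delivery time the provider shows)]."""
    findings, seen = [], set()
    for msg, delivered_at in mailbox:
        msg_id, raw = str(msg["Message-ID"]), msg[SEAL_HEADER]
        if raw is None:
            findings.append((msg_id, "unsealed"))      # bypassed the forwarder
            continue
        sealed_at, _, tag = raw.partition("; ")
        if not hmac.compare_digest(tag, _tag(key, msg, sealed_at)):
            findings.append((msg_id, "bad-seal"))      # content or seal altered
        elif msg_id in seen:
            findings.append((msg_id, "duplicate"))     # same message twice
        elif delivered_at - parsedate_to_datetime(sealed_at) > MAX_DELAY:
            findings.append((msg_id, "redelivered"))   # arrived long after sealing
        seen.add(msg_id)
    return findings


def make(msg_id, body):
    msg = EmailMessage()
    msg["Message-ID"] = msg_id
    msg.set_content(body)
    return msg


def demo():
    # Constructed sample data; the key never leaves the forwarder and owner.
    key = b"constructed-demo-key"
    t0 = datetime(2005, 4, 28, 12, 0, tzinfo=timezone.utc)
    ok = seal(key, make("<1@example.test>", "lunch at noon"), t0)
    resent = seal(key, make("<2@example.test>", "meeting notes"), t0)
    original = seal(key, make("<3@example.test>", "pay account A"), t0)
    edited = make("<3@example.test>", "pay account B")
    edited[SEAL_HEADER] = str(original[SEAL_HEADER])   # seal copied verbatim
    injected = make("<4@example.test>", "never passed the forwarder")
    return audit(key, [
        (ok, t0 + timedelta(seconds=20)),
        (resent, t0 + timedelta(hours=3)),   # a copy re-sent hours later
        (edited, t0 + timedelta(seconds=25)),
        (injected, t0 + timedelta(seconds=30)),
    ])


if __name__ == "__main__":
    print(demo())
```

As the reply in this thread says, nothing here shows that a message was merely read on the provider's side; the audit only catches changes to what the mailbox holds.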
Re: EncFS
Thus spake Jim Dixon ([EMAIL PROTECTED]) [28/04/05 09:41]:
: > It also doesn't do locking.
:
: There was nothing "below".

Someone I know just tried it out three days ago. He said it flat-out didn't 'lock' the files properly. It's got nothing to do with having something "below".
Re: Email Certification?
Yes, but this almost misses the point. Is it possible to detect ('for certain', within previously mentioned boundary conditions) that someone has read it? This is a different problem from merely trying to retain secrecy.

Remember, my brain is a little punch-drunk from all the Fight Club fighting. BUT, I believe that the fact that deeper TLAs desire to hide themselves from more run-of-the-mill operations might be exploited in an interesting way. Or at least force them to "commit" to officially surveilling you, thereby (one hopes) subjecting them to whatever frail tatters of the law still exist.

A better example may be home security systems. If they're going to tempest you, I'd bet they'd prefer not to inform your local security company. They'd rather just shut down your alarm system and I bet this is easy for them. BUT, this fact may enable one to detect (with little doubt) such an intrusion, and about this I shall say no more...

-TD

From: Ola Bini <[EMAIL PROTECTED]>
To: Tyler Durden <[EMAIL PROTECTED]>
Subject: Re: Email Certification?
Date: Thu, 28 Apr 2005 10:00:49 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A Can anyone figure out a way to determine if one's hotmail, etc...has been looked at or not?

Hi. Email is more or less like sending a post card. Anyone in between can take a peek if they have the knowledge. (And not much knowledge is required). This is why cryptographic signing and encryption is preferable to communicate through EMail. So the answer to your question is: Always assume someone has looked at it.

Regards
Ola

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)

iD8DBQFCcJgxGTAxXnkBC3IRAs6NAJ9EJi8RwMWHF//Z3lgQz/FZ+UkdbwCbBZT5
L0mjFCQ3x+SYRjD6uatzCvY=
=ef/B
-----END PGP SIGNATURE-----
Re: EncFS
On Wed, 27 Apr 2005, Damian Gerow wrote:

> Thus spake Userbeam Remailer ([EMAIL PROTECTED]) [27/04/05 02:33]:
> : EncFS provides an encrypted filesystem in user-space. It runs without
> : any special permissions and uses the FUSE library and Linux kernel
> : module to provide the filesystem interface. You can find links to
> : source and binary releases below.
>
> It also doesn't do locking.

There was nothing "below".

--
Jim Dixon [EMAIL PROTECTED] tel +44 117 982 0786 mobile +44 797 373 7881
http://xlattice.sourceforge.net p2p communications infrastructure
[IP] more on Privacy tip: be wary of Google's "personal history" feature [priv] (fwd from dave@farber.net)
----- Forwarded message from Dave Farber <[EMAIL PROTECTED]> -----

From: Dave Farber <[EMAIL PROTECTED]>
Date: Thu, 28 Apr 2005 08:46:18 -0500
To: ip
Subject: [IP] more on Privacy tip: be wary of Google's "personal history" feature [priv]
X-Mailer: Lonely Cat Games ProfiMail
Reply-To: [EMAIL PROTECTED]

--- Original message ---
From: Steven M. Bellovin <[EMAIL PROTECTED]>
Sent: 28/4/'05, 7:58

In message <[EMAIL PROTECTED]>, David Farber writes:
>
>And just for an oldie but a goodie, let's remember that for those of us
>living in the USA, the Federal government can request and search your
>travel, phone, financial, and medical records, in addition to any
>records maintained by libraries, religious institutions, retailers
>(think Amazon, bookstores, video rental stores) without having to
>disclose anything to you.
>

It strikes me as likely that the government can obtain your search records from Amazon without even a minimal court order. Note the following item in Google's privacy policy:

    We conclude that we are required by law or have a good
    faith belief that access, preservation or disclosure of
    such information is reasonably necessary to protect the
    rights, property or safety of Google, its users or the
    public.

It's pretty hard to avoid the conclusion that they're allowed to comply with a simple FBI request: "we think that your user so-and-so is an evil terrorist; can we have his search and email records?" Sure sounds like a public safety issue, right? Or how about "we think that so-and-so is an evil file-sharer; can we have records of all of her searches for 'mp3' or 'kazaa'?" from the RIAA? That sounds like a property issue.

But we can go a step further. Google is really good at finding information matches; what if they themselves develop a search profile that "identifies" a terrorist, a file sharer, or what have you?

-
You are subscribed as [EMAIL PROTECTED]
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/

----- End forwarded message -----

--
Eugen* Leitl http://leitl.org
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
Re: Email Certification?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A Can anyone figure out a way to determine if one's hotmail, etc...has been looked at or not?

Hi. Email is more or less like sending a post card. Anyone in between can take a peek if they have the knowledge. (And not much knowledge is required). This is why cryptographic signing and encryption is preferable to communicate through EMail. So the answer to your question is: Always assume someone has looked at it.

Regards
Ola

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)

iD8DBQFCcJgxGTAxXnkBC3IRAs6NAJ9EJi8RwMWHF//Z3lgQz/FZ+UkdbwCbBZT5
L0mjFCQ3x+SYRjD6uatzCvY=
=ef/B
-----END PGP SIGNATURE-----