Re: [liberationtech] In defense of client-side encryption (Guido Witmond)
Thank you for your quick response. I'm not convinced by your arguements yet. I comment in between. On 08/12/13 04:13, Francisco Ruiz wrote: In your message, you wrote: 1. I have to *run* it to get the hash of the application from the help page. That is already a leap of faith to run unverified code. Good point. A counterfeit copy of the page might lead to a different server, and the help page thus obtained would display a different code which, of course, would check out all right. Both the active code and the help page come via TLS, but maybe this is not enough. In any case, this would be just about the same risk that anyone incurs when loading any page via https, so almost every crypto app out there would have the same security flaw.This is why I added the video verification, anyway. It's a lot harder to fake a video. What you run into is the classical secure distribution problem. With native applications (not js-apps) that's a once-per-install hurdle. With a server serving pages, it's a once-per-run hurdle. Unless, somehow my browser remembers the code. Then it degenerates into *installed* code. Now we have the secure update problem in another form. There is another problem. You rely on HTTPS. Here is the 64000 dollar question: Q._What is the CA-certificate for your banks' website?_ I ask that question to anyone who claims to be security conscious. No one has given me positive answer so far. Not even a wrong answer. Only that people don't know. So I take it for granted that people won't verify anything, ever. 2. I have to verify the hash code with a spoken message in a youtube video. The message is spoken by someone I've never met, so how do I verify that it is you who's saying it and not an actor hired by a spooky agency? Or just dubbed with a new audio score. Hollowood can do that without a blink. I'm not Justin Bieber (thank God) and there's nothing I can do about that. But maybe someone in this forum knows a privacy-conscious celebrity who could be persuaded to do the reading. It should be possible to find one. Actors are into all kinds of causes these days... I think I change my mind on voice hash verification. It's a neat idea but a big hassle. Not even GPG users check the certificates and identities. They just assume that if it is encrypted, it is secure. This xkcd is spot on: http://xkcd.com/1181/ I am using GPG to encrypt mail to a certain person. He uses one key to send mail to me, and I use a different key to send back. I haven't seen a complaint from him... Concerning faking a video. Sure, it can be done too, but mere dubbing won't work because you have to sync the lips. Chopping the video into little pieces and reassembling it to make a different code won't be easy to pull off, either, especially with background music to serve as a sort of tamper-evident paper. I'd like to see more discussion on this. Ok, here it comes: What is the music on the background? How do I know it is your music and not a score that the attacker downloaded from mp3.xyz? Hashes are for a computer-verified protocol. Not for humans. My view on Javascript as a platform: Browsers and javascript are a platform on their own. They are becoming operating systems. Firefox even calls their browser OS. Operating systems are not neutral technology. *He who controls the operating system, controls the user.* The most important aspect of operating systems is not to schedule resources efficiently. It is to *protect the user* against all threats, both external as well as their own ignorance/stupidity. The current crop of operating systems has gone a long way from DOS to where we are now. Unix/linux went through that phase, Windows followed. We still haven't got a way to protect against malware, drive by downloads and other threats. Threats due to the Ambient Authority model of Posix. See Polaris, KeyKos, Eros-os, genode.org, Qubes-os, MinorFS for capability-secure solutions to the malware problem. Why are virtual machines so popular? It's an easy way out of the ambient authority. But instead we have Javascript trains that are just leaving the DOS-station. Relearning all security errors from the past. The hard way. Again. No thanks. Let's fix our current OS'es first Regards, Guido. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
On 11/08/13 at 09:37pm, Francisco Ruiz wrote: I still have to read through the references you supply, but I can already see a misconception. They refer to the dangers of carrying out cryptography with javascript-containing dynamic pages. My previous posting referred to _perfectly static_ pages [cut] I catched the point about secure delivery of the code, this is an open problem and you suggested a youtube video with a spoken hash, assuming no one could modify it. In this topic branch, let's assume that problem resolved (but in others, specifically in the branch started by Guido Witmond, it isn't). Talking about syntax (and so, the programming language) you and Nadim are correct when sentencing it's not a problem. I know, from my background, that every programming language will finish into assembly code, because it is the only one recognized by my CPU, so it isn't the node of the question. The really interesting thing is the environment where the code is executed, compiled, interpreted: in my point of view (but in many others) browsers aren't the best places to do critical things, because there a lot of points which aren't under our control. Is it Windows XP with a lot of mess installed? Is it a Linux Live CD? I don't know. Maybe the only way is throw away the entire technology stack and go back. But, if I need to choose between browsers and OSes, I choose OSes because they are closer to the CPU. You could have different vision, but please take it in consideration when presenting your product as the non-plus-ultra program of the year. Moving on the semantic aspect of the problem, I want to start saying my model in every crypto thing is NaCL library. Few of us (and few in the world) can safely play with little crypto bricks, joining them in new and fashion protocols. This is clearly not the way of reasoning of the majority of people: let's see for example the draft of Web Cryptography API.. So, you had an idea: making the 20-year old PGP in a new and simple way, to permit inexperienced users to have the same functionality. You used little bricks (AES, elliptic curves..), and provided high level functionalities (Lock, Unlock, Stamp, Verify). What about reverting this paradigm, using NaCL experience as background, and so using something which already provides high level functionalities, focusing on user experience following your ideas (one simple place where doing all things, less buttons, less configurations..) ? And yes, this is only an interface problem, because you already have the background: GPG, NaCL, ... And don't think interface problems are trivial or stupid. They can make differences.. big differences. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Lavabit, Silent Circle both shut down
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/11/2013 12:35 AM, h0ost wrote: Hi Arjen, May I ask what Swiss providers would you recommend? (disclaimer: I am normally very hesitant to 'advertise' for specific companies since as a consultant I do my very best to remain independent from having any interest in procurement of specific products or services). Have great personal experience with a small company: webstyle.ch they provide a range of hosting services (like many others) but its the fast support I enjoy mostly (I can mail at 07:00 on a sunday with a non-urgent question and will have a reply within 2 hours). I am not one some hyper-expensive corporate 24x7 support contract. SwissVPN provides some nice VPN services but it is not the only VPN provider I use. A directory of (mostly) smaller Swiss IT-services companies: http://www.ossdirectory.ch/ - -- Met vriendelijke groet/With kind regards, Arjen Kamphuis Gendo B.V. Main: +31 20 891 0330 mail: ar...@gendo.ch gendo.ch(website) gendo.nl/blog/arjen (Dutch blog) gendo.ch/en/blog/arjen (English blog) about.me/arjenkamphuis (social media) files.gendo.nl/keys/ar...@gendo.ch.asc (public key) PGP fingerprint: 55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2 Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands P please consider the environment before printing this email This e-mail message and its attachments are subject to the disclaimer published at the following website of Gendo: http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade register in The Netherlands under number 28116864. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJSCMCAAAoJECN9TFARig7CspYQAJDhRKAjGuhcCErZccaN8ZdM 7S54yP0rCVxuffXtli4+zwCH+5DN7jQZ81aKkBrCRzZF+066Xdm+CnDjsZo90JYJ Fup+GUNYvPNwS5TBv1PZ0Lngvk12HtNMevU7Emy3PD41qtqQqh+EFT9xUnJbN61o 2er0/PyooBGE3KFCOzq8bGCXoG1ZMQenX4Rz/XlnyrCBULcxAKOsqOxye9h05zIO XzDibIdlIaf7PV+Q1e/vIPyeY0uoeNnPbhDo7MYqsq0xc2+5qUgTW+sJtbF9Oboa rb/z9Ln7kFPq3aVMvZSjnMvWlKK0hxOcPFzTNPjiOXV7KC/s3ONFOyywz4e/7qbb V0NAEgWYoaiD5nr3fWYlzMDJTN1X8CroPCFWXKtYXN5hXiGW0rfENJM4MgCK63+t BKaLsr7nD4ZWj0WNEHtLj6WuCmeBn9l30lav0HBExlQImMecuyE6dH1f1Xnn+s/M xNARwaUZXXYIkTcFQfzleZ1nUaol630SH+BnOeVclU2y/fSR40fCK690qmpyMGr6 auujx1rfpOSrBF7JRmbYm48u7jBLfDE/GqjY4zQ6BKNLymEzxGcXkOgArOyPGhed QcG4LHKxs2vy+6gEFn8TIHyjU17L3JNiJKD51CWG8zRf72RB7tLzj+nI5FYWHzuj Y2Vsw9K+wfjxeM4vPv4V =xsoE -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
On 11/08/13 22:28, Nadim Kobeissi wrote: On 2013-08-11, at 10:36 PM, danimoth danim...@cryptolab.net wrote: On 11/08/13 at 01:10pm, Francisco Ruiz wrote: Twice again, privacy has taken a hit across the land. Lavabit and Silent Mail are gone, and to quote Phil Zimmermann, “the writing is on the wall” for any other encrypted email provider located in US territory. This is sure to be repeated for servers located in Europe and other countries. Is this the end of encrypted email? [cut] IMHO you are making big statements, taking a lot of risks, and a lot of people's life on your back, as we're not playing here. Are you sure to have big enough shoulder? First, it is in Javascript. Who needs cryptography, SHOULD NOT use javascript. Google can help you ([1] for example, [2] if you are coming from a 48h non-stop no-sleep marathon). Second, someone posted about your random number generator, and you ignored it. But this is a minor problem, as all things are in Javascript. Third, you use Javascript. But, wait, I need to sleep. Please stop spamming an insecure-by-design product. I think it's a bit short-sighted to criticize encryption because of the programming language it's implemented in. JavaScript encryption doesn't have problems because of the programming language, but because of the APIs, environment and mechanisms surrounding the language. I've investigated many of the challenges surrounding proper implementation in those contexts, and have written a blog post to this effect. I would be interested in hearing some feedback! http://log.nadim.cc/?p=33 How is it possible to defend against timing attacks in JS? Any language theoretically can be complied into anything, but the JS runtime does not give you much control in what the CPU actually executes. The webcrypto WG you linked to looks interesting, if browsers will provide a native crypto API to JS, preinstalled (at least the mathy bits that you need direct execution control over) as opposed to loaded on-demand by a remote server. Did you ever think about having the cryptocat browser extension using a lower-level language? Firefox at least can run binary extensions; I don't know about Chrome. Also I'll note that investigate many is not sufficient to have security confidence; you have to investigate all - i.e. enumerate all parts that can be compromised, and argue convincingly that you haven't missed anything. This involves knowing the JS spec and browser implementations very very well. NK Last thing: People, please, use PGP instead of these circus things. [1] http://www.matasano.com/articles/javascript-cryptography/ [2] https://www.google.it/search?q=why%20is%20bad%20crypto%20javascript -- GPG: 4096R/1318EFAC5FBBDBCE git://github.com/infinity0/pubkeys.git -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Lavabit and End-point Security
- Forwarded message from coderman coder...@gmail.com - Date: Sun, 11 Aug 2013 13:28:53 -0700 From: coderman coder...@gmail.com To: cypherpu...@cpunks.org Subject: Re: Lavabit and End-point Security one last cautionary tale: some time back i used the techniques discussed to harden some Android phones brought with me into a hostile environment. i had kernel level protections in place, hardened the system configuration and services, pared down apps to the minimum and constrained their access to the file system and network. this was months of effort. the first adversarial encounter went very well in my favor - all of the attempts to exploit my devices were thwarted at these various layers and via these protections, with the sole exception of a Google Voice Search hack that kept voice search active in an open mic night eavesdropping capability. this was quickly nullified via kill -STOP (Android won't re-spawn an app that is already running, and a stopped process proved quite effective at halting this repeated invocation of search used to capture audio.) fast forward to round two, and i doubled down on the kernel, system, and application level protections. even more scrutiny is applied to applications to avoid the misuse of legitimate functionality for malicious purpose. i am feeling confident! ... and then a baseband exploit easily walks under all of my protections at every layer, completely and fully 0wning my devices, with the only hint at anything amiss being the elevated thermal dissipation and power consumption from the radios performing data transmission, all while the Android OS believed the devices were silent in airplane mode. [informative interlude: software defined transceivers should be in every hacker toolbox; radio level attacks are otherwise invisible to you. they are also useful for many other purposes, perhaps one day even providing a solution to the untrustworthy proprietary firmware and baseband systems crammed into every mobile device these days.] --- incidentally, this also demonstrates why IOMMU / VT-d guest isolation of devices on the host bus is very useful, as a vulnerable NIC could otherwise provide complete access to privileged memory and interfaces just like the baseband exploit above... assuming your CPU itself is trustworthy! trusting trust continues to be a persistent and difficult problem, leaving us all vulnerable to some degree or another - it's just a function of cost and skill to compromise. turtles all the way down! ;P - End forwarded message - -- Eugen* Leitl a href=http://leitl.org;leitl/a http://leitl.org __ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] nettime Interview with Lavabit's Ladar Levison
- Forwarded message from nettime's secret court staffer nett...@kein.org - Date: Sat, 10 Aug 2013 23:26:02 +0200 From: nettime's secret court staffer nett...@kein.org To: nettim...@mx.kein.org Subject: nettime Interview with Lavabit's Ladar Levison Reply-To: a moderated mailing list for net criticism nettim...@mail.kein.org On an phone interview with CNET and Jesse Binnall, Levison's Virginia-based attorney, about the decision to shutter Lavabit, Levison spoke about the connection between Lavabit and the Patriot Act, how he thinks the laws regarding privacy ought to change, and how the American government is failing to uphold the U.S. Constitution. http://news.cnet.com/8301-1009_3-57597954-83/lavabit-chief-predicts-long-fight-with-feds-q-a/ __What's the key issue here? Why did you shut down Lavabit? Levison: For me it wasn't about protecting a single user, but protecting the privacy of all my users, coupled with the fact that I wasn't able to discuss it publicly. I believe that people have the right to know what their government is doing. I had an issue with me doing what they wanted me to do without them disclosing it. We've had a couple of dozen court orders served to us over the past 10 years, but they've never crossed the line... __Until now? Levison: I can neither confirm nor deny until now. Are you familiar with the case of Aaron Swartz, familiar with the accusations of prosecutorial misconduct? There may be parallels between that case and this. __If you could write the legislation covering privacy and electronic communication, what would it say? Levison: One of the things that would be nice to come out of this would be that the court shouldn't be able to make binding decisions that are secret. If there's going to be legislation from the bench, so to speak, it needs to be open to review from the American public. Just the idea of secret laws, so to speak, bothers me tremendously. That should almost be a constitutional change. We've shown that some of our most important freedoms can't be trusted to Congress, they need to be placed in the Constitution. Going beyond that, as an Internet service provider, there needs to be a more clear definition of our protections. Right now, as a third-party litigation, we effectively have no rights. There's no legal framework that we can fight with or against anything that is unjust. They're abusing their secrecy to hide their surveillance methods. I think that there's a lot more that will come out, and that needs to come out. I obviously can't tell you what was happening and what I know, and I was uncomfortable with it. I'd rather shut down my service and my primary source of income than be complicit in crimes against the American people. __In the current situation, are there any bright red lines that you wouldn't cross? Levison: It's unfortunate that even our own lawmakers don't have a good understanding of what's going on. Philosophically, I put myself in a position that I was comfortable turning over the information that I had. I built Lavabit in a reaction to the original Patriot Act. I didn't want to be in a position to turn [user data] over without judicial review. Where the government would hypothetically cross the line is to violate the privacy of all of my users. This is not about protecting a single person or persons, it's about protecting all my users. What level of access to this nation does the government have? __How did the Patriot Act influence your e-mail service? It played a big role in how I designed the custom platform. All I needed when somebody registers was a name and a password. I didn't need a real name, address, social security number, credit card number... Why should I collect that info if I didn't need it? [That philosophy] also governed what kind of information I logged. Speaking philosophically, I think people who hold other people's private information and money have an obligation to be more open to the public. That principle of openness has become a key issue. It's definitely become an issue as it relates to some of the recent coverage in the media. The current administration is not being transparent and open about what it is they're doing, even to members of Congress. __How have Lavabit's users reacted? Levison: It's overwhelmingly positive. Some of them are understandably frustrated that I had to shut down without notice. I lost my one and only e-mail account over the past 10 years, as well. I feel my decision was the lesser of two evils. __What happens to your customer's e-mails and data? Levison: I'm looking into setting up a site where users can download their data and set up a forwarding [e-mail] address, but that may take a week or two to set up. That's all I can do until I feel confident that I can resume the service without having to compromise its integrity. I will make it clear that I don't plan to use any encryption for that site.
Re: [liberationtech] In defense of client-side encryption
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/11/2013 08:10 PM, Francisco Ruiz wrote: There’s no legal action that can shut down PassLok because it consist of pure code, and pure code is speech, protected from government interference under the 1^st amendment to the US Constitution. For the 95.5% of humans on the planet that are not US citizens the above statement is at best a belly-laugh, at worst a very sick joke. The US government is not restrained by law (of any kind) to do whatever the hell it pleases (or pleases its financiers). The families of 1.5 million dead Iraqi's will back me up on that statement. You did notice that nobody went to jail for that? I mean; you did *notice* that? Because the rest of the planet sure did. To trust *anything* to be 'protected' by US 'law' after the last decade is a denial of reality that borders on psychosis. I still believe there are some places in Europe where things are a little better (= sliding slower) but I may be wrong about that ;-) Client-side encryption means a Free Software code stack running on a machine that is physically under your control at all time. Anything else is BS. - -- Met vriendelijke groet/With kind regards, Arjen Kamphuis Gendo B.V. Main: +31 20 891 0330 mail: ar...@gendo.ch gendo.ch(website) gendo.nl/blog/arjen (Dutch blog) gendo.ch/en/blog/arjen (English blog) about.me/arjenkamphuis (social media) files.gendo.nl/keys/ar...@gendo.ch.asc (public key) PGP fingerprint: 55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2 Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands P please consider the environment before printing this email This e-mail message and its attachments are subject to the disclaimer published at the following website of Gendo: http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade register in The Netherlands under number 28116864. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJSCMsSAAoJECN9TFARig7ChAwP/j3Ls2HTOBFFnpWC93OXAsB7 +KRWr5sUDGc7HkG6Ui1U4TNeluSmeeglkfn1BFd/aQlM+LgbP8vjsXI+6+ZevzSN WysbzgKXVXa4YJlEOtGvjlaRYKxIW6tH/yQc8XOM9dE8LlZ6kgmznMiT9qbwfI7o eW5nwQuznx+Lp2yahu6/j0xqi4RazEGp0qYa1As7WSCxdD5tncZ3SMhceQ7V4rpK o5ovqzztvg4IY7axlAX5eid4KGqBJenanWu79eSsHV2QBSW4gzB3tmuBeLuJcLz8 8FIIPbYFJxa1zK56MA+ZzZa2EZ0ALtRaWKroS+BWC9pDKdM4FmCer++UdBy9n1gT 9yzw51T2ZOfxoQo7y4FshZjK3/lDaAAbp+HItkcwwx6F18XPTWT+4u70ARpmuuGM SH7ZRBeutMLd7wcePEaDU6RvpdvF1xf7+1posJJeeBrEIWaY5j5ZFzpGEHVjjp5n 03d5VLtArvn2Kcx7ymX1+ZtQoEPpobtNdCTA0N7vUMcKmdLDfsA+YX7Zw2jxVpcI Nk9GJ6HkCTLth7dxpVmz2Iv/o3Chq91X+FXjLTy8titwYrK0UPnwlqd35PApl77C w36eGIcmadWg1eEYEzpF9UicyzBnLmpQFM2Qm9aJanDRHziUL3YsFLxlHfFXs462 CQZlJf1tbCRvS8UTPRnC =wwxV -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
On Mon, Aug 12, 2013 at 01:46:26PM +0200, Arjen Kamphuis wrote: Client-side encryption means a Free Software code stack running on a machine that is physically under your control at all time. Anything else is BS. Indeed. And it can be argued that we even need open, fully inspectable hardware, so that we can in fact can make sure that we're running what we think we're running. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
On 12/08/13 14:02, Ben Laurie wrote: On 12 August 2013 06:14, Ximin Luo infini...@gmx.com wrote: How is it possible to defend against timing attacks in JS? Any language theoretically can be complied into anything, but the JS runtime does not give you much control in what the CPU actually executes. The webcrypto WG you linked to looks interesting, if browsers will provide a native crypto API to JS, preinstalled (at least the mathy bits that you need direct execution control over) as opposed to loaded on-demand by a remote server. Did you ever think about having the cryptocat browser extension using a lower-level language? Firefox at least can run binary extensions; I don't know about Chrome. It is possible to defend against timing attacks by writing inherently constant time code. For example: https://github.com/openssl/openssl/commit/a693ead6dc75455f7f5bbbd631b3a0e7ee457965 is full of such code. But does this still necessarily hold after the JS compiler has had its way with it? I can imagine some optimisers perhaps turning code like return a op b into something like if a == 0: return 0; elif b == 0: return 0; else return a op b X -- GPG: 4096R/1318EFAC5FBBDBCE git://github.com/infinity0/pubkeys.git -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Hayden on 'Internet Freedom' as State Dept. Money Laundering Against US Security Interests
Libtech, A friend passed along little noticed comments by Gen. Hayden in June, which I would suggest are the most direct elaboration on the differences between the American security apparatus and piracy development efforts. The actual interview is long, but there is one statement in particular that would serve everyone to read and share wherein Hayden speaks openly on the intelligence services trying to crack anonymity and criticizes Clinton for supporting such projects. Rough Transcript: *We need to pull the rest of American thinking into this in a relevant way. Secretary Clinton gave two speeches on cyber stuff while she was secretary. And if you're you know you think of the world as security and liberty she broke left literally both times in both of her speeches she came down on on cyber freedom. Society at the same time cyber communities out there are trying to crack the nut on anonymity on the net because you realize that's the root of many many dangers out there as cyber communities just chugging away at that. The secretary of state is laundering money through NGOs to populate software throughout the Arab world to prevent the people in the Arab street from being tracked by their government. Alright so on the one hand we're fighting anonymity on the other hand we're chucking products out there to protect anonymity on the net.* Video: http://youtu.be/9lizGN981Rw Link: http://b.averysmallbird.com/entries/hayden-comments Cordially, Collin -- *Collin David Anderson* averysmallbird.com | @cda | Washington, D.C. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Hayden on 'Internet Freedom' as State Dept. Money Laundering Against US Security Interests
On Mon, Aug 12, 2013 at 7:53 PM, Collin Anderson col...@averysmallbird.comwrote: Alright so on the one hand we're fighting anonymity on the other hand we're chucking products out there to protect anonymity on the net. I've been saying that for years. Except...backwards. -- *Note: *I am slowly extricating myself from Gmail. Please change your address books to: jilliancy...@riseup.net or jill...@eff.org. US: +1-857-891-4244 | NL: +31-657086088 site: jilliancyork.com http://jilliancyork.com/* | * twitter: @jilliancyork* * We must not be afraid of dreaming the seemingly impossible if we want the seemingly impossible to become a reality - *Vaclav Havel* -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Hayden on 'Internet Freedom' as State Dept. Money Laundering Against US Security Interests
On 2013-08-12, at 8:53 PM, Collin Anderson col...@averysmallbird.com wrote: Libtech, A friend passed along little noticed comments by Gen. Hayden in June, which I would suggest are the most direct elaboration on the differences between the American security apparatus and piracy development efforts. The actual interview is long, but there is one statement in particular that would serve everyone to read and share wherein Hayden speaks openly on the intelligence services trying to crack anonymity and criticizes Clinton for supporting such projects. Rough Transcript: We need to pull the rest of American thinking into this in a relevant way. Secretary Clinton gave two speeches on cyber stuff while she was secretary. And if you're you know you think of the world as security and liberty she broke left literally both times in both of her speeches she came down on on cyber freedom. Society at the same time cyber communities out there are trying to crack the nut on anonymity on the net because you realize that's the root of many many dangers out there as cyber communities just chugging away at that. The secretary of state is laundering money through NGOs to populate software throughout the Arab world to prevent the people in the Arab street from being tracked by their government. Alright so on the one hand we're fighting anonymity on the other hand we're chucking products out there to protect anonymity on the net. I really appreciate the honesty here in Gen. Hayden's statement. I wish I had seen this earlier this year when I was writing my term paper for graduation. I was trying to argue that Internet freedom had effectively become a foreign policy warring venue for the United States after Clinton's Freedom to Connect speech in February 2011, which was probably the first speech of the two speeches on cyber stuff that Hayden refers to. The speech itself was likely engendered by things like spikes of Tor usage in Tunisia and Egypt during the Spring (and the speed in which it followed those spikes is quite a testament to the quickness of the think tanks advising Clinton's speechwriters!) What's also interesting is the (perhaps unintentional) distinction between which governments you're trying to protect people from. You're populating the software to Arab citizens to prevent specifically their government from tracking them. This presumably includes other governments that the U.S. wants to encourage revolutions in, such as Iran, and disenfranchised groups such as Tibetans. Here's the thing: you ultimately have two types of software that the U.S. is interested in funding: Software Type A: Software that protects useful dissidents and anyone else from all governments (to an extent), including the U.S. government. Software Type B: Software that protects useful dissidents in certain countries from their own governments (that the U.S. wants overthrown because they are very inconvenient to its foreign affairs, like maybe Iran under Ahmadinejad), but that the U.S. government itself can crack. The scary thing here is that the U.S. would, from a realist standpoint, be more interested in funding type B software than type A software, since type B software would satisfy both its domestic and foreign goals, while type A would only satisfy its foreign goals, leaving General Hayden angry and frustrated with all the money that's being, from his perspective, laundered in order to create a contradictory, troublesome situation. Maybe we should be thinking about this! Personally, I certainly wouldn't call it money laundering, though. A lot of good has come from this NGO funding. NK Video: http://youtu.be/9lizGN981Rw Link: http://b.averysmallbird.com/entries/hayden-comments Cordially, Collin -- Collin David Anderson averysmallbird.com | @cda | Washington, D.C. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Hayden on 'Internet Freedom' as State Dept. Money Laundering Against US Security Interests
Nadim Kobeissi wrote: Here's the thing: you ultimately have two types of software that the U.S. is interested in funding: *Software Type A:* Software that protects useful dissidents and anyone else from all governments (to an extent), including the U.S. government. *Software Type B:* Software that protects useful dissidents in certain countries from their own governments (that the U.S. wants overthrown because they are very inconvenient to its foreign affairs, like maybe Iran under Ahmadinejad), but that the U.S. government itself can crack. *The scary thing here* is that the U.S. would, from a realist standpoint, be more interested in funding type B software than type A software, since type B software would satisfy /both// /its domestic and foreign goals, while type A would only satisfy its foreign goals You're not wrong, but it's also the case that Type A software is typically pitched and funded as though it were Type B software. Software like Tor is frequently touted as helping (for example) the Arab Spring, and while I could be wrong, that's the type of angle that most circumvention projects use when trying to get funding from US entities. There are lots of reasons for this, mostly that funding from nonprofits is project-based -- meaning X app or feature Y that furthers the NGO's long-term goals. When it comes to the US government writ large, yeah, a lot of grants have an interesting global angle. But there are software grants that are hyperlocal as well. In terms of circumvention, government policies hint at the idea that America is always in the right. Americans have nothing to hide, nothing to fear, from their government and therefore don't need circumvention tech. Americans aren't surveilled, no one's privacy is invaded, and no one here is censored. Everything is fine and nothing is broken. With that in mind, it makes a lot of sense that anti-censorship work is mostly funded as it applies elsewhere. But you're just as likely to find a hyperlocal app about where to get a free HIV test being funded as something with global impact like Tor. best, Griffin -- Cypherpunks write code not flame wars. --Jurre van Bergen #Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de My posts, while frequently amusing, are not representative of the thoughts of my employer. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Bangladeshi activist in trouble
From: Katsiaficas, George katsiafic...@wit.edu I write because my friend and enormously active Bangladeshi human rights lawyer Adilur Rahman Khan was picked up by unmarked cars/police and given 5 days remand in Dhaka—equivalent to 5 days torture. His arrest will no doubt have a chilling effect on all Bangladeshi activists. Adil is an attorney who has argued cases before the country's supreme court. He is the leader of Bangladesh's leading human rights organization, Odhikar, and was a great help to me in my recent research for a book, Asia’s Unknown Uprisings, in which I praised Bangladesh’s transition to democracy in the aftermath of the uprising of 1990. If you could write an email to Prime Minister Hasina and the Minister of Information (see below), you could be of great assistance in securing his safe release in this time of need. I have attached a letter I wrote and faxed. Feel free to use it. Solidarity, George From: odhikar odhikar...@gmail.com Date: Sunday, August 11, 2013 3:55 AM Dear Friends, Thank you so much for your continuous support and working as a pressure group to release Adilur Rahman Khan. Just now (1.40 pm)he has been brought to the CMM court. Police do not let his family or lawyers to go near to him . He is still inside a prison van. Last night after picking him up at 10.20 PM, we tried to file a General Diary at the Gulshan Police station. But Officer in Charge, Mr. Pushpa, didn't take the GD, but confirmed that he was taken by DB police. We are concerned that he shouldn't be taken for remand as remand is synonymous to torture. We came to know police is asking for 10 days remand. Adil, in last 25 years struggled to stop torture, extrajudicial killings, disappearance and uphold the rights of minorities. The Home Minister Mohiuddin Khan Alamgir today stated that ' in order to protect human rights Adilur Rahman Khan has violated human rights'. It's alarming that that government is trying to hide its misdeed and brought a false allegation against him and made him a victim of human rights violation. He was picked up by plainclothes police men without issuing any warrant . He was a victim of illegal arrest and harassment. My friends, please work accordingly. If you would like to issue an urgent appeal, please find the address below.. Sheikh Hasina Honorable Prime Minister Prime Minister's Office Old Sangsad Bhaban Address: Tejgaon, Dhaka-1215, Bangladesh E-mail: i...@pmo.gov.bd Muhiuddin Khan Alamgir Minister Ministry of Home Affairs Government of the People's Republic of Bangladesh Office, Residence Mobile Telephone Numbers Fax: Secretary?s Office: 9573711, PS to Minister: 7169667, Add.Sec. (Police). 7171591, Add. Sec. ( Admin) 7171592 PS to State Minister: 9515541, D.S Admin: 7162753 Hasanul Haq Inu Honorable Minister Ministry of Information Building # 4 (8th floor) Bangladesh Secretariat, Dhaka-1000 Office Telephone No. 9540022, 9573400 E-mail: minis...@moi.gov.bd Ministry of Information- minis...@moi.gov.bd Regards, ASM Nasiruddin Elan Director 01711405166, 01720096053 -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
Thanks for a thoughtful and extensive reply. Let me see if I'm understanding your position correctly. Running crypto code in a browser is inherently insecure because we don't really know what the browser is doing with it, regardless of whether it is communicating with a server. Of course, we can't be sure of what a high-level OS is doing, either, but at least it is one step closer to the hardware. Faced with this uncertainty, it seems to me that making compiled code based on NaCL still does not solve the basic problem that the user does not control (and can't even view) the OS. Even if it is shown to be safe today, there's no telling what an update might do to it in the future. Windows seems to get security updates every other day; it would be trivial to slip in one that undoes the security of a browser, as well as any NaCL-based code. I'm saying this without knowing much about NaCL, but I doubt it can withstand a malicious change in the OS. So, trusting the OS but not trusting the browser seems to me a curious case of double standard. They are made by the same companies, after all. The only really secure cryptography, then, would be that which does not use computers at all. Following this logic, I once made a stream cipher based on a calculator. You can see the description here: http://prgomez.com/nonfiction/crypto/17-crypto I tried to extend this work to some sort of public-key functions, but unfortunately calculators don't have the power needed to do the simplest powermod operation on which to base a Diffie-Hellman scheme. And this eventually led to PassLok, which uses the browser strictly as a powerful calculator. Unfortunately, it is written in Javascript. On Mon, Aug 12, 2013 at 5:12 AM, danimoth danim...@cryptolab.net wrote: On 11/08/13 at 09:37pm, Francisco Ruiz wrote: I still have to read through the references you supply, but I can already see a misconception. They refer to the dangers of carrying out cryptography with javascript-containing dynamic pages. My previous posting referred to _perfectly static_ pages [cut] I catched the point about secure delivery of the code, this is an open problem and you suggested a youtube video with a spoken hash, assuming no one could modify it. In this topic branch, let's assume that problem resolved (but in others, specifically in the branch started by Guido Witmond, it isn't). Talking about syntax (and so, the programming language) you and Nadim are correct when sentencing it's not a problem. I know, from my background, that every programming language will finish into assembly code, because it is the only one recognized by my CPU, so it isn't the node of the question. The really interesting thing is the environment where the code is executed, compiled, interpreted: in my point of view (but in many others) browsers aren't the best places to do critical things, because there a lot of points which aren't under our control. Is it Windows XP with a lot of mess installed? Is it a Linux Live CD? I don't know. Maybe the only way is throw away the entire technology stack and go back. But, if I need to choose between browsers and OSes, I choose OSes because they are closer to the CPU. You could have different vision, but please take it in consideration when presenting your product as the non-plus-ultra program of the year. Moving on the semantic aspect of the problem, I want to start saying my model in every crypto thing is NaCL library. Few of us (and few in the world) can safely play with little crypto bricks, joining them in new and fashion protocols. This is clearly not the way of reasoning of the majority of people: let's see for example the draft of Web Cryptography API.. So, you had an idea: making the 20-year old PGP in a new and simple way, to permit inexperienced users to have the same functionality. You used little bricks (AES, elliptic curves..), and provided high level functionalities (Lock, Unlock, Stamp, Verify). What about reverting this paradigm, using NaCL experience as background, and so using something which already provides high level functionalities, focusing on user experience following your ideas (one simple place where doing all things, less buttons, less configurations..) ? And yes, this is only an interface problem, because you already have the background: GPG, NaCL, ... And don't think interface problems are trivial or stupid. They can make differences.. big differences. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app
Re: [liberationtech] In defense of client-side encryption
Hey Arjen, you make a huge point. Unfortunately the Netherlands aren't any better this way, are they? Looking around, it seems the only safe place for a crypto server these days would be Switzerland. I'm ready to move my stuff over there. Does anybody know of a good, cheap, SSL-enabled web host in Switzerland you can recommend? Gendo, maybe? Thanks! On Mon, Aug 12, 2013 at 6:46 AM, Arjen Kamphuis ar...@gendo.ch wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/11/2013 08:10 PM, Francisco Ruiz wrote: There’s no legal action that can shut down PassLok because it consist of pure code, and pure code is speech, protected from government interference under the 1^st amendment to the US Constitution. For the 95.5% of humans on the planet that are not US citizens the above statement is at best a belly-laugh, at worst a very sick joke. The US government is not restrained by law (of any kind) to do whatever the hell it pleases (or pleases its financiers). The families of 1.5 million dead Iraqi's will back me up on that statement. You did notice that nobody went to jail for that? I mean; you did *notice* that? Because the rest of the planet sure did. To trust *anything* to be 'protected' by US 'law' after the last decade is a denial of reality that borders on psychosis. I still believe there are some places in Europe where things are a little better (= sliding slower) but I may be wrong about that ;-) Client-side encryption means a Free Software code stack running on a machine that is physically under your control at all time. Anything else is BS. - -- Met vriendelijke groet/With kind regards, Arjen Kamphuis Gendo B.V. Main: +31 20 891 0330 mail: ar...@gendo.ch gendo.ch(website) gendo.nl/blog/arjen (Dutch blog) gendo.ch/en/blog/arjen (English blog) about.me/arjenkamphuis (social media) files.gendo.nl/keys/ar...@gendo.ch.asc (public key) PGP fingerprint: 55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2 Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands P please consider the environment before printing this email This e-mail message and its attachments are subject to the disclaimer published at the following website of Gendo: http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade register in The Netherlands under number 28116864. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJSCMsSAAoJECN9TFARig7ChAwP/j3Ls2HTOBFFnpWC93OXAsB7 +KRWr5sUDGc7HkG6Ui1U4TNeluSmeeglkfn1BFd/aQlM+LgbP8vjsXI+6+ZevzSN WysbzgKXVXa4YJlEOtGvjlaRYKxIW6tH/yQc8XOM9dE8LlZ6kgmznMiT9qbwfI7o eW5nwQuznx+Lp2yahu6/j0xqi4RazEGp0qYa1As7WSCxdD5tncZ3SMhceQ7V4rpK o5ovqzztvg4IY7axlAX5eid4KGqBJenanWu79eSsHV2QBSW4gzB3tmuBeLuJcLz8 8FIIPbYFJxa1zK56MA+ZzZa2EZ0ALtRaWKroS+BWC9pDKdM4FmCer++UdBy9n1gT 9yzw51T2ZOfxoQo7y4FshZjK3/lDaAAbp+HItkcwwx6F18XPTWT+4u70ARpmuuGM SH7ZRBeutMLd7wcePEaDU6RvpdvF1xf7+1posJJeeBrEIWaY5j5ZFzpGEHVjjp5n 03d5VLtArvn2Kcx7ymX1+ZtQoEPpobtNdCTA0N7vUMcKmdLDfsA+YX7Zw2jxVpcI Nk9GJ6HkCTLth7dxpVmz2Iv/o3Chq91X+FXjLTy8titwYrK0UPnwlqd35PApl77C w36eGIcmadWg1eEYEzpF9UicyzBnLmpQFM2Qm9aJanDRHziUL3YsFLxlHfFXs462 CQZlJf1tbCRvS8UTPRnC =wwxV -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app at: http://passlok.com -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
Quick request. In comments to a recent post, people seemed to agree that publishing a video of someone reading a hash might be a fairly hard-to-hack way to deliver that hash to the public, and thus assure the authenticity of a piece of code, a public key, or whatnot. The problem is that the sample youtube video I linked had yours truly reading the hash, and people naturally objected that I wasn't Justin Bieber and, consequently, weren't too convinced that the video was authentic. Aside from the fact that an adversary might be able to convince Justin Bieber to make a video reading a fake hash (not that I believe Justin doesn't care; it's just a hypothesis), the idea of getting a celebrity for this kind of video has a lot of merit. I'd like to engage one for the next update of my app. So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? Thanks a million! -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app at: http://passlok.com -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
John Cusack comes to mind - he's on the board of Freedom of the Press Foundation. ~Griffin On 08/12/2013 04:32 PM, Francisco Ruiz wrote: Quick request. In comments to a recent post, people seemed to agree that publishing a video of someone reading a hash might be a fairly hard-to-hack way to deliver that hash to the public, and thus assure the authenticity of a piece of code, a public key, or whatnot. The problem is that the sample youtube video I linked had yours truly reading the hash, and people naturally objected that I wasn't Justin Bieber and, consequently, weren't too convinced that the video was authentic. Aside from the fact that an adversary might be able to convince Justin Bieber to make a video reading a fake hash (not that I believe Justin doesn't care; it's just a hypothesis), the idea of getting a celebrity for this kind of video has a lot of merit. I'd like to engage one for the next update of my app. So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? Thanks a million! -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app at: http://passlok.com -- Cypherpunks write code not flame wars. --Jurre van Bergen #Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de My posts, while frequently amusing, are not representative of the thoughts of my employer. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
Some idle thoughts: Edward Snowden Bradley Manning Julian Assange Gen. Hayden Jacob or Nadim On 08/12/2013 04:32 PM, Francisco Ruiz wrote: Quick request. In comments to a recent post, people seemed to agree that publishing a video of someone reading a hash might be a fairly hard-to-hack way to deliver that hash to the public, and thus assure the authenticity of a piece of code, a public key, or whatnot. The problem is that the sample youtube video I linked had yours truly reading the hash, and people naturally objected that I wasn't Justin Bieber and, consequently, weren't too convinced that the video was authentic. Aside from the fact that an adversary might be able to convince Justin Bieber to make a video reading a fake hash (not that I believe Justin doesn't care; it's just a hypothesis), the idea of getting a celebrity for this kind of video has a lot of merit. I'd like to engage one for the next update of my app. So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? Thanks a million! -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app at: http://passlok.com -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
On 2013-08-12 15:32, Francisco Ruiz wrote: Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? Hugh Grant has made privacy issues the focus of his Twitter feed. However, he is more focused on for-profit companies (the media) violating people's privacy, at least based on his advocacy. -- Ms. Jayne Cravens MSc Portland, Oregon, USA The web site - http://www.coyotecommunications.com The email - j...@coyotecommunications.com Me on Twitter, other social networks, my blog: http://www.coyotecommunications.com/me/jayneonline.shtml -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
Ashton Kutcher has talked publicly multiple times about the value of privacy, both in his personal life and as an investor. On Aug 12, 2013 4:38 PM, Richard Brooks r...@acm.org wrote: Some idle thoughts: Edward Snowden Bradley Manning Julian Assange Gen. Hayden Jacob or Nadim On 08/12/2013 04:32 PM, Francisco Ruiz wrote: Quick request. In comments to a recent post, people seemed to agree that publishing a video of someone reading a hash might be a fairly hard-to-hack way to deliver that hash to the public, and thus assure the authenticity of a piece of code, a public key, or whatnot. The problem is that the sample youtube video I linked had yours truly reading the hash, and people naturally objected that I wasn't Justin Bieber and, consequently, weren't too convinced that the video was authentic. Aside from the fact that an adversary might be able to convince Justin Bieber to make a video reading a fake hash (not that I believe Justin doesn't care; it's just a hypothesis), the idea of getting a celebrity for this kind of video has a lot of merit. I'd like to engage one for the next update of my app. So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? Thanks a million! -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app at: http://passlok.com -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
On 8/12/13 1:45 PM, Sarah A. Downey wrote: Ashton Kutcher has talked publicly multiple times about the value of privacy, both in his personal life and as an investor. He made some comments today that were sort of unfortunate in that area. http://news.moviefone.com/2013/08/12/ashton-kutcher-steve-jobs-interview/ Thanks, Parker -- Parker Higgins Activist Electronic Frontier Foundation https://eff.org Please note our new address: 815 Eddy Street San Francisco, CA 94109-7701 -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
On 12/08/13 at 02:58pm, Francisco Ruiz wrote: Thanks for a thoughtful and extensive reply. Let me see if I'm understanding your position correctly. [snip, snip, snip] So, trusting the OS but not trusting the browser seems to me a curious case of double standard. They are made by the same companies, after all. Trusting the browser in respect to trusting the OS implies adding a lot more hypotesis on the stack, in order to define properties of your software. To be clear, trusting the browser strictly contains trusting the OS, and in my humble point of view, if I need to choose, I choose fewer hypotesis. In my rescue, there is the fact that actually *no state-of-art solutions* exists for web cryptography (is that word right? or it is a no-sense?). To reach this point, proposals should be made, and yours is one approach to evaluate, but (personally) I don't like selling advertisement based on nothing. In conclusion, if you really trust IE x.0 to execute your code, you're welcome; I generally don't trust it even for viewing web sites :-) Users at this point have a lot of resources to check to make their own opinion, I'm feeling fine with myself. Have a nice day -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Shrimping with the NSA
Prior to XKeyscore, the work of the NSA analysts was comparable with Forrest Gump on his shrimping boat off the coast of Alabama, reads the report from Griesheim. From the ocean of data, the report reads, the analysts pulled in a boot, a toilet seat, seaweed, and, there they are . three shrimp! (ellipse in original) To get to these few shrimp, they were forced to use vast resources, including documents or metadata that expand knowledge about the targets. We deal with tons of toilet seats, the spam and other junk, the report reads. But after the introduction of XKeyscore, the work, the report indicates, became much more efficient, because the tools made it possible to make precise casts, bringing in more shrimp and less by-catch. http://www.spiegel.de/international/world/germany-is-a-both-a-partner-to-and-a-target-of-n sa-surveillance-a-916029.html or http://goo.gl/SQZNwj (The whole article is worth a read.) -- James S. Tyre Law Offices of James S. Tyre 10736 Jefferson Blvd., #512 Culver City, CA 90230-4969 310-839-4114/310-839-4602(fax) jst...@jstyre.com Policy Fellow, Electronic Frontier Foundation https://www.eff.org -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
On 08/12/2013 04:32 PM, Francisco Ruiz wrote: Quick request. In comments to a recent post, people seemed to agree that publishing a video of someone reading a hash might be a fairly hard-to-hack way to deliver that hash to the public, and thus assure the authenticity of a piece of code, a public key, or whatnot. The problem is that the sample youtube video I linked had yours truly reading the hash, and people naturally objected that I wasn't Justin Bieber and, consequently, weren't too convinced that the video was authentic. So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? Thanks a million! On 08/12/13 22:41, Richard Brooks wrote: Some idle thoughts: Edward Snowden Bradley Manning Julian Assange Gen. Hayden Jacob or Nadim Dear prof Ruiz, I made the comment about celebrities in jest. I just don't believe that people will validate hashes anyway. But if you manage to convince any of those names to read your hashes, I will certainly use your product. Or never ever, depending on my opinion of the readers' knowledge about computer security. Regards, Guido. PS, I got the name wrong: http://www.classicfm.com/composers/biber/guides/biber-vs-bieber/ -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
Dear professor Ruiz. The real issue is to create an *easy* way to do hash validation correctly. Reading a hash on youtube is not going to make it. You use HTTPS without DNSSEC and DANE. Please use those first. It solves a lot of your server validation issues. At least it allows your users' browsers to validate code44.com. I repeat: Hashes are for computers, not for people. Plugging my own warez: I believe I've come up with a way to do DNSSEC and DANE in combination with a certificate repository. It allows the browser to validate the authenticity of a server certificate. When validated it can be sure that the javascript found at a page is indeed that what the page-author wanted. Please see: http://eccentric-authentication.org/blog/2013/03/23/Cryptographic-same-origin-policy.html And please ask if anything is unclear. I love to receive comments on where I'm right or wrong. Regards, Guido. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
Cory Doctorow - sent from my phone. On Aug 12, 2013 9:33 PM, Francisco Ruiz r...@iit.edu wrote: Quick request. In comments to a recent post, people seemed to agree that publishing a video of someone reading a hash might be a fairly hard-to-hack way to deliver that hash to the public, and thus assure the authenticity of a piece of code, a public key, or whatnot. The problem is that the sample youtube video I linked had yours truly reading the hash, and people naturally objected that I wasn't Justin Bieber and, consequently, weren't too convinced that the video was authentic. Aside from the fact that an adversary might be able to convince Justin Bieber to make a video reading a fake hash (not that I believe Justin doesn't care; it's just a hypothesis), the idea of getting a celebrity for this kind of video has a lot of merit. I'd like to engage one for the next update of my app. So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? Thanks a million! -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app at: http://passlok.com -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] FW: [Dewayne-Net] Are Hackers the Next Bogeyman Used to Scare Americans Into Giving Up More Rights?
-Original Message- From: dewayne-...@warpspeed.com [mailto:dewayne-...@warpspeed.com] On Behalf Of Dewayne Hendricks Sent: Tuesday, August 13, 2013 4:32 AM To: Multiple recipients of Dewayne-Net Subject: [Dewayne-Net] Are Hackers the Next Bogeyman Used to Scare Americans Into Giving Up More Rights? Are Hackers the Next Bogeyman Used to Scare Americans Into Giving Up More Rights? Has terrorism grown a little stale as an all purpose boogeyman? By Digby Aug 12 2013 http://www.alternet.org/are-hackers-next-bogeyman-used-scare-americans-givi ng-more-rights Marcy Wheeler has been speculating for a very long time that the real purpose of all this NSA collection isn't terrorism, it's hacking. These comments last week from Michael Hayden lend a lot of credence to that theory in my eyes: If and when our government grabs Edward Snowden, and brings him back here to the United States for trial, what does this group do? said retired air force general Michael Hayden, who from 1999 to 2009 ran the NSA and then the CIA, referring to nihilists, anarchists, activists, Lulzsec, Anonymous, twentysomethings who haven't talked to the opposite sex in five or six years. They may want to come after the US government, but frankly, you know, the dot-mil stuff is about the hardest target in the United States, Hayden said, using a shorthand for US military networks. So if they can't create great harm to dot-mil, who are they going after? Who for them are the World Trade Centers? The World Trade Centers, as they were for al-Qaida. That's just a tiny bit overwrought for an allegedly serious expert, don't you think? In fact, it sounds like the kind of thing we heard from various members of the Bush administration during the early days after 9/11. And it certainly indicates, as Wheeler has been speculating, that the government is stretching the terrorism laws to include hacking. They certainly are using the same histrionic language to describe it. Under Hayden, the NSA began to collect, among other things, the phone records and internet data of Americans without warrants after 9/11, a drastic departure from its traditional mission of collecting foreign intelligence. A variety of technically sophisticated collection and analysis programs, codenamed Stellar Wind, were the genesis of several of the NSA efforts that Snowden disclosed to the Guardian and the Washington Post. [snip] Dewayne-Net RSS Feed: http://www.warpspeed.com/wordpress -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
I'm sorry but aren't we spending a lot of time conflating code quality, secure coding practices, software distribution, .. with ~JavaScript in a browser~? There are alternate pathways, signed and delivered as a Dashboard widget via the Apple App Store for example. I'm not proposing ~that~ as *wipes hands* and we're done. I'm just saying if you think the tool is useful and JavaScript is currently dominating a lot of areas (Gnome's shift is another place) - isn't it prudent to start developing the bullet list of how to make JavaScript applications acceptable for these tasks? Also - didn't Fabio and OpenPGPjs folks put a lot of time into consolidating and suggesting defensible JavaScript practices in various environments on various devices? Also also - there was a conjecture made that The code signing system could require the signature of more than one entity. For example, it could require a signature from the web site owner as well as signatures from any number of reputable security auditing companies and security researchers. - but I'm not sure how this would work in operations practice. Thoughts on that? (Source: https://defuse.ca/web-browser-javascript-cryptography.htm) Anyhow, I'm not suggesting I like the nature of the project or any of this is a good idea - but a lot of the criticisms seem to hold ~everywhere~ with bad practice and not JavaScript itself. So I'm curious.. -Ali On Mon, Aug 12, 2013 at 5:04 PM, danimoth danim...@cryptolab.net wrote: On 12/08/13 at 02:58pm, Francisco Ruiz wrote: Thanks for a thoughtful and extensive reply. Let me see if I'm understanding your position correctly. [snip, snip, snip] So, trusting the OS but not trusting the browser seems to me a curious case of double standard. They are made by the same companies, after all. Trusting the browser in respect to trusting the OS implies adding a lot more hypotesis on the stack, in order to define properties of your software. To be clear, trusting the browser strictly contains trusting the OS, and in my humble point of view, if I need to choose, I choose fewer hypotesis. In my rescue, there is the fact that actually *no state-of-art solutions* exists for web cryptography (is that word right? or it is a no-sense?). To reach this point, proposals should be made, and yours is one approach to evaluate, but (personally) I don't like selling advertisement based on nothing. In conclusion, if you really trust IE x.0 to execute your code, you're welcome; I generally don't trust it even for viewing web sites :-) Users at this point have a lot of resources to check to make their own opinion, I'm feeling fine with myself. Have a nice day -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] TechChange Online Certificate Course - Mobiles for Int'l Development (Sep 30-Oct 25)
Online Certificate Course - TC105 : Mobiles for International Development When: September 30 - October 25, 2013 Can mobile technology transform international development? Mobile technology is everywhere and is being applied in different ways across the world from financial services, public health, education, and more. TechChange’s flagship course, Mobiles for Development, will provide an overview of how the latest mobile technology can be applied in international development with real-world case studies, custom animations, video tutorials, interactive live access to leading experts in the field, and demonstrations of innovative products including FrontlineSMS, GeoPoll, and StoryMaker. We’ve taught the course 7 times now to a total of 500 students in 50 countries representing organizations including Kiva.org, UNICEF Zambia, Winrock, and many others. The curriculum has been totally revamped with upgrades to our platform to allow for better networking, content viewing, and engagement. In you’re interested in mobile applications for development, TC105 is a great starting point; some of our alumni have gone on to work at organizations such as FrontlineSMS and the World Bank’s InfoDev Mobile Innovations group. *Liberationtech mem*bers get a $50 discount off the course. Enter code: * Liberationtech* For more information and to register, please click herehttp://techchange.org/online-courses/mobiles-for-international-development/. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Francisco, On 08/12/2013 10:04 PM, Francisco Ruiz wrote: Hey Arjen, you make a huge point. Unfortunately the Netherlands aren't any better this way, are they? They are not, being a fully signed up member of the Coalition of the Killing. And that is why I left in 2008. Societies that happily allow themselves to be ruled by warcriminals have a tendency to end in bad places. Germans understand this to some extent from experience. Americans and the Dutch obviously have yet to learn this lesson and I do not want to be there when that happens. Looking around, it seems the only safe place for a crypto server these days would be Switzerland. I'm ready to move my stuff over there. I prefer the Swiss for both their constitution, decentralized government and the principled way in wish the .ch TLD is being run. The other country in Europe would be Germany. They have good infrastructure as well and also a fairly strong constitution designed to defend citizens *against* any overbearing government (and a constitutional court that actually does its job). Regrettably they still have several tens of thousands foreign troops stationed inside their borders so their independence is ultimatly limited. The Netherlands has great bandwith but is a defacto US puppet state who will hand over both citizens and systems to US control on demand. Does anybody know of a good, cheap, SSL-enabled web host in Switzerland you can recommend? Gendo, maybe? We are a pure consultancy and do not sell products or operational services ;-) For some tips and links see my earlier post in this thread. - -- Met vriendelijke groet/With kind regards, Arjen Kamphuis Gendo B.V. Main: +31 20 891 0330 mail: ar...@gendo.ch gendo.ch(website) gendo.nl/blog/arjen (Dutch blog) gendo.ch/en/blog/arjen (English blog) about.me/arjenkamphuis (social media) files.gendo.nl/keys/ar...@gendo.ch.asc (public key) PGP fingerprint: 55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2 Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands P please consider the environment before printing this email This e-mail message and its attachments are subject to the disclaimer published at the following website of Gendo: http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade register in The Netherlands under number 28116864. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJSCWMKAAoJECN9TFARig7CGkcP/1eRgNDHkTY8nxNERzWNo3RA 73FfjChfUbu+6o4VMFGCMazRh6QEn7wkX60WfA7czO0kpd6s1/yUPQ1XddiOAdZ9 iwaXuB71VeUi8XK9uXcoeGyVNnMxh1/IdPajlp+1xaG6B/9ZEDCAucR3eWMWCz51 wBrEcnGep9dSZjcwpp0DsABZAnzT+PfiETUPlH4LQ3yo/S+aR6RVMuOtKGtA1h5R jTS3V5n5JQc5JmPiJxPJQBKtacG3Ig1zJ9WyfVcA2u7H1n5n1hx0zUaPGnusIrCA LsN4GKreHgOty510/gyj7F4M+Bfyy1cirihKiba7vckbB7bpbtIx58YZk5msvghd vGjV0/EVCa6RgqFPzmM8jSpIdw+M7yT1XTXNSGgQBvJytM+49HC0IBP9Ezhfmhlj HggViXUKmVEnWznr3qM+h/XE48+Z7N/uwLBcRdqVgKEXY4K5Xyy9ux9t6Q2N53Es /KpYw0hS2Cbv1jOgRbouPFa3HsR0o6zVZcMj1vHDleXmhuYWY2XHxG2h0ZO4un9y JBY+x+HA/BwZYSSB1mNp9AM5G4Go/D7VceDwkgGEX0XLEwtzIR3ceFOR0/0h2W1X 5GYW1rQvgc4pV3jjnt+9pxHZHJwOKB6L/EcOcqZnSN83MQQ4cR/7tsFR+Ns5gdrh j8/cMttC1c7A/B2gL0rc =jfFx -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
So re Germany bring the bastion of Internet freedom blah blah, are we all forgetting about the Staatstrojaner? Or have we forgiven them for that now? On Tuesday, August 13, 2013, Arjen Kamphuis wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Francisco, On 08/12/2013 10:04 PM, Francisco Ruiz wrote: Hey Arjen, you make a huge point. Unfortunately the Netherlands aren't any better this way, are they? They are not, being a fully signed up member of the Coalition of the Killing. And that is why I left in 2008. Societies that happily allow themselves to be ruled by warcriminals have a tendency to end in bad places. Germans understand this to some extent from experience. Americans and the Dutch obviously have yet to learn this lesson and I do not want to be there when that happens. Looking around, it seems the only safe place for a crypto server these days would be Switzerland. I'm ready to move my stuff over there. I prefer the Swiss for both their constitution, decentralized government and the principled way in wish the .ch TLD is being run. The other country in Europe would be Germany. They have good infrastructure as well and also a fairly strong constitution designed to defend citizens *against* any overbearing government (and a constitutional court that actually does its job). Regrettably they still have several tens of thousands foreign troops stationed inside their borders so their independence is ultimatly limited. The Netherlands has great bandwith but is a defacto US puppet state who will hand over both citizens and systems to US control on demand. Does anybody know of a good, cheap, SSL-enabled web host in Switzerland you can recommend? Gendo, maybe? We are a pure consultancy and do not sell products or operational services ;-) For some tips and links see my earlier post in this thread. - -- Met vriendelijke groet/With kind regards, Arjen Kamphuis Gendo B.V. Main: +31 20 891 0330 mail: ar...@gendo.ch javascript:; gendo.ch(website) gendo.nl/blog/arjen (Dutch blog) gendo.ch/en/blog/arjen (English blog) about.me/arjenkamphuis (social media) files.gendo.nl/keys/ar...@gendo.ch.asc (public key) PGP fingerprint: 55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2 Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands P please consider the environment before printing this email This e-mail message and its attachments are subject to the disclaimer published at the following website of Gendo: http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade register in The Netherlands under number 28116864. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJSCWMKAAoJECN9TFARig7CGkcP/1eRgNDHkTY8nxNERzWNo3RA 73FfjChfUbu+6o4VMFGCMazRh6QEn7wkX60WfA7czO0kpd6s1/yUPQ1XddiOAdZ9 iwaXuB71VeUi8XK9uXcoeGyVNnMxh1/IdPajlp+1xaG6B/9ZEDCAucR3eWMWCz51 wBrEcnGep9dSZjcwpp0DsABZAnzT+PfiETUPlH4LQ3yo/S+aR6RVMuOtKGtA1h5R jTS3V5n5JQc5JmPiJxPJQBKtacG3Ig1zJ9WyfVcA2u7H1n5n1hx0zUaPGnusIrCA LsN4GKreHgOty510/gyj7F4M+Bfyy1cirihKiba7vckbB7bpbtIx58YZk5msvghd vGjV0/EVCa6RgqFPzmM8jSpIdw+M7yT1XTXNSGgQBvJytM+49HC0IBP9Ezhfmhlj HggViXUKmVEnWznr3qM+h/XE48+Z7N/uwLBcRdqVgKEXY4K5Xyy9ux9t6Q2N53Es /KpYw0hS2Cbv1jOgRbouPFa3HsR0o6zVZcMj1vHDleXmhuYWY2XHxG2h0ZO4un9y JBY+x+HA/BwZYSSB1mNp9AM5G4Go/D7VceDwkgGEX0XLEwtzIR3ceFOR0/0h2W1X 5GYW1rQvgc4pV3jjnt+9pxHZHJwOKB6L/EcOcqZnSN83MQQ4cR/7tsFR+Ns5gdrh j8/cMttC1c7A/B2gL0rc =jfFx -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu javascript:;. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Can JavaScript cryptography be trusted? (was: In defense of client-side encryption)
On Mon, Aug 12, 2013 at 3:07 PM, Ali-Reza Anghaie a...@packetknife.comwrote: I'm sorry but aren't we spending a lot of time conflating code quality, secure coding practices, software distribution, .. with ~JavaScript in a browser~? I think the title of the thread has a lot to do with that. Fixed! ;) -- Tony Arcieri -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] rsync.net Warrant Canary
Nice idea. I would use a trusted timestamp instead of a headline, but anyway. What do you think, should I do this for torservers.net/onion.to? http://www.rsync.net/resources/notices/canary.txt rsync.net will also make available, weekly, a warrant canary in the form of a cryptographically signed message containing the following: - a declaration that, up to that point, no warrants have been served, nor have any searches or seizures taken place - a cut and paste headline from a major news source, establishing date Special note should be taken if these messages ever cease being updated, or are removed from this page. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Petition Google over banning Servers on Google Fiber?
Hi, Thank you EFF for the well-written reminder: https://www.eff.org/deeplinks/2013/08/google-fiber-continues-awful-isp-tradition-banning-servers [...] No ISP will come forward with a tighter definition of “server” because they want to give themselves leeway to ban users and technologies that they deem to be troublemakers. This strategy of making incredibly broad, vague, and one-sided contracts is deeply problematic and unfair towards users, and it's disheartening to see Google follow this well-trodden path. [...] Servers can be used in all sorts of clever ways. If the ban on running servers were lifted, ordinary Internet users would be able to do a multitude of interesting things with fewer barriers, spurring innovation. We should petition Google to get rid of this. Does anyone know if EFF planning such an action, or do you have contacts to organizational networks to get it going properly? -- Moritz Bartl https://www.torservers.net/ -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
The problem with occasionally looking at Huffington Post is that I'm subjected to such things... Matt Damon: *He broke up with me, the Elysium star said. There are a lot of things that I really question, you know: the legality of the drone strikes, and these NSA revelations they’re, you know, it’s like, they’re, you know, Jimmy Carter came out and said we don’t live in a democracy. That’s, that’s a little, that’s a little intense when an ex-president says that. So, you know, he’s got some, some explaining to do, particularly for a constitutional law professor.* http://www.huffingtonpost.com/2013/08/09/matt-damon-obama-broke-up-with-me_n_3732426.html?utm_hp_ref=entertainment On Mon, Aug 12, 2013 at 11:44 PM, Yishay Mor yish...@gmail.com wrote: Cory Doctorow - sent from my phone. On Aug 12, 2013 9:33 PM, Francisco Ruiz r...@iit.edu wrote: Quick request. In comments to a recent post, people seemed to agree that publishing a video of someone reading a hash might be a fairly hard-to-hack way to deliver that hash to the public, and thus assure the authenticity of a piece of code, a public key, or whatnot. The problem is that the sample youtube video I linked had yours truly reading the hash, and people naturally objected that I wasn't Justin Bieber and, consequently, weren't too convinced that the video was authentic. Aside from the fact that an adversary might be able to convince Justin Bieber to make a video reading a fake hash (not that I believe Justin doesn't care; it's just a hypothesis), the idea of getting a celebrity for this kind of video has a lot of merit. I'd like to engage one for the next update of my app. So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? Thanks a million! -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app at: http://passlok.com -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- *Collin David Anderson* averysmallbird.com | @cda | Washington, D.C. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/13/2013 12:48 AM, Tom O wrote: So re Germany bring the bastion of Internet freedom blah blah, are we all forgetting about the Staatstrojaner? No we are not. But the difference between Germany and many other countries is the outrage and debate such information creates in the country. In the Netherlands when these kinds of things happen everyone just says: 'but I have nothing to hide'. Government assholes can be found in any country. It's how the population responds that makes the difference. When Govenor Bush took power in 2000 almost no-one protested. That was a big mistake. 'Drive it like you stole it' says the bumpersticker. And the Bush team did. I'm not saying everything is fine in Deutschland. Compared to any other western countries the population is just much more aware of the importance to say: stop! to their government every now and then. German churches still bear marks from bombs and bullets to remind them what ultimately happens when they don't. - -- Met vriendelijke groet/With kind regards, Arjen Kamphuis Gendo B.V. Main: +31 20 891 0330 mail: ar...@gendo.ch gendo.ch(website) gendo.nl/blog/arjen (Dutch blog) gendo.ch/en/blog/arjen (English blog) about.me/arjenkamphuis (social media) files.gendo.nl/keys/ar...@gendo.ch.asc (public key) PGP fingerprint: 55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2 Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands P please consider the environment before printing this email This e-mail message and its attachments are subject to the disclaimer published at the following website of Gendo: http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade register in The Netherlands under number 28116864. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJSCXSgAAoJECN9TFARig7CNGsQAIr3OTYm9KwQUppBb/Kg77Vc uVpDA6zhi2ThQQEnC/7pel7I45rh/6Z/Onwaerw2FfAbZYpTOJDlC1Z8M/ou9CP5 e4zbk17Dmu8UWZovjf5yLg8LyGBf3wPr6rOW2/LafWlQfofkIlUmptiXGWgDcISw A+p9vpUYpDgN3wSjh9IFAAXvxW8MM0dx7Y5s2QBe3jiodHQMoRqX39+BxoArKnr8 K3Cc5JuqaWTjUtZ6H/Va4/ltdUkW8cSF4PJEWKmzf/a47W/RYKRALqqsUUU6LJNE JRTRRgFad0VRQw0b9p/EyeYpow5ppjBMw1HUMWCNduHKjhmjC0uSPwEvyzSoAL2b o9RF5xLfR3TW8wQ/Z5vbQXNoR+ePSZCxB8RjRzfZXQxT27iQ6Z2EflTl7jJNkYH4 G9+pDrZ+EHTOzS97Qp7dZmaSHsDlRVYHdboRuDmulylEXJgMC/wqRkcltYO8rIu0 06nX9u9CLt0+AqN016hg2KpAa2LNBONq0EZ/0jJq1Ze58bLkaX4YojzGM3U8l3Tx gqVKsUiPovkfJgzXR+lkOJaeJJjHmGnTX4q0qixelS/ck3PDWWr4Gc3ns7JEYkIk cFjNRmK9UZmwt2pdPT86D+Ei2QMAzTLw41gyktBdQ3sggNrdXgjkBpMLwDI6cBO1 T1kNkzPdjwP3lfEdgCiF =5gIb -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Iran's Internet and the Politics of a New President
Libtech, Some of you might be interested in the latest Small Media Infrastructure report, which covers the time between election day and inauguration. Unlike the prior report, which was heavily technical, this iteration largely focuses on the vibrant policy discussion happening around the state infrastructure monopoly, the cancelation of the official VPN service, the release of the officially banned items list, etc. To promote discourse about the expectations and opportunities under Rouhani's administration, we are planning how to open participation, so if you are interested, please get in touch. http://www.smallmedia.org.uk/sites/default/files/u8/iiipjune.pdf *In our previous, election edition of the Iranian Internet Infrastructure and Policy Report, we document the application and relaxation of controls on Internet connectivity and communications timed with the June 14 Presidential polls. Despite the introduction of new mechanisms to block tools used to bypass the filtering mechanism, by July the Internet had returned to its previous state of affairs that existed before February. From technical assessments and the reports of social media users, VPNs and circumvention software appears to operate normally for many, with specific restrictions still placed on the Tor network and unconfirmed reports of difficulties with Google’s Android services and Viber. Conflicting accounts of blocking (and unblocking), most likely reflect the decentralization of some forms of filtering down to the level of ISPs. Whereas Parsonline may feel legally authorized to remove restrictions on VPNs, Shatel and others may not. This theme follows for throttling, out- ages, attacks against users and the sporadic reports of the unfiltering of social networks that have occurred across the month. Consequently, this report focuses on Iran, the politics leading up to the transition of presidencies after the election and the refocusing of the state on non-technical, legal means of policing content.* Cordially, Collin -- *Collin David Anderson* averysmallbird.com | @cda | Washington, D.C. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
Francisco, you assume that all browsers will save a static version of the page identically. This is not the case. I ran a test using 'wget https://passlok.site44.com' and Chrome's Save As. The former will actually match the hash value you've posted, but the latter does not. I spotted at least 5 differences in Chrome's saved output: 1. Unicode: wget returned escaped Unicode characters. Chrome saved output containing actual Unicode characters. Your suggested method of cutting from view-source and pasting into a text editor may be unpredictable, and dependent on a user's OS and locale. 2. Relative link re-writing: wget returned relative links. Chrome replaced them with absolute links, so that links work locally. 3. Whitespace: Chrome stripped out some whitespace. 4. Style rewriting: Chrome replaced some style elements like background-color: #FFA0A0 with rgb(230, 255, 230);. 5. Chrome extensions: I have locally installed extensions that modify page contents, e.g. AdBlock and DoNotTrackMe. My locally saved copy of Passlok had elements that were injected into it by some extensions. Any of these will break your manual hash validation. These are specific to my version of Chrome, but other browsers may alter saved content similarly. To work, you must assume that your user has a local client (say wget or curl) that can save a canonical copy of your page without modification. Browsers do not guarantee this. Then you must assume the user has a locally installed tool to compute the hash, like sha256sum or openssl. Then they would need to point their browser at the locally downloaded file to actually use it. If you depend on locally installed software outside the browser and use local storage, the user is better off just using locally installed software to do the crypto. PS - I noticed some oddness glancing through the source. For example, the makepub() function strips 6 bits of a Base64-encoded leading 0 for no apparent reason. The rest of the code has to remember to keep adding back in the missing Base64 character or else it will break. The only reason I can think of someone doing this is because they didn't understand why the randomly generated Base64 value always started with 'A'. On Sun, Aug 11, 2013 at 7:37 PM, Francisco Ruiz r...@iit.edu wrote: I still have to read through the references you supply, but I can already see a misconception. They refer to the dangers of carrying out cryptography with javascript-containing dynamic pages. My previous posting referred to _perfectly static_ pages, which are supposed to be always the same coming from the server, not modified by the browser in any way, and which, in fact, you can save and store somewhere safe and never again have to get from the server. I believe the intrinsic security of this kind of javascript code is no different from that of compiled code, which also should be checked for tampering, so long as it uses standard functions that are not likely to be modified in browser updates. Sorry about the confusion. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
I didn't know LibTech had become the PassLok development mailing list. On Mon, Aug 12, 2013 at 6:26 PM, Collin Anderson col...@averysmallbird.com wrote: The problem with occasionally looking at Huffington Post is that I'm subjected to such things... Matt Damon: He broke up with me, the Elysium star said. There are a lot of things that I really question, you know: the legality of the drone strikes, and these NSA revelations they’re, you know, it’s like, they’re, you know, Jimmy Carter came out and said we don’t live in a democracy. That’s, that’s a little, that’s a little intense when an ex-president says that. So, you know, he’s got some, some explaining to do, particularly for a constitutional law professor. http://www.huffingtonpost.com/2013/08/09/matt-damon-obama-broke-up-with-me_n_3732426.html?utm_hp_ref=entertainment On Mon, Aug 12, 2013 at 11:44 PM, Yishay Mor yish...@gmail.com wrote: Cory Doctorow - sent from my phone. On Aug 12, 2013 9:33 PM, Francisco Ruiz r...@iit.edu wrote: Quick request. In comments to a recent post, people seemed to agree that publishing a video of someone reading a hash might be a fairly hard-to-hack way to deliver that hash to the public, and thus assure the authenticity of a piece of code, a public key, or whatnot. The problem is that the sample youtube video I linked had yours truly reading the hash, and people naturally objected that I wasn't Justin Bieber and, consequently, weren't too convinced that the video was authentic. Aside from the fact that an adversary might be able to convince Justin Bieber to make a video reading a fake hash (not that I believe Justin doesn't care; it's just a hypothesis), the idea of getting a celebrity for this kind of video has a lot of merit. I'd like to engage one for the next update of my app. So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? Thanks a million! -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app at: http://passlok.com -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Collin David Anderson averysmallbird.com | @cda | Washington, D.C. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- @kylemaxwell -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/13/2013 01:58 AM, Tom O wrote: That's not a good enough reason to trust Germany. And I don't. I trust the German people to stand up when it counts. Because they know the consequence of failing to do so. Ensuring privacy is not a requirement of the state anymore, it's the responsibility of the citizen. A fully agree. But this requires a population cognitivly capable of acknowledging the problem. So it's all about political and historical awareness. In the Netherlands and the UK people think privacy is something you need so you can masturbate without others knowing. In Germany people understand that privacy is needed so people can resist their government if that ever becomes important again. People just have to get used to the counterintuitive idea that one can flee *to* Germany in the face of encroaching corporatism/facism ;-) - -- Met vriendelijke groet/With kind regards, Arjen Kamphuis Gendo B.V. Main: +31 20 891 0330 mail: ar...@gendo.ch gendo.ch(website) gendo.nl/blog/arjen (Dutch blog) gendo.ch/en/blog/arjen (English blog) about.me/arjenkamphuis (social media) files.gendo.nl/keys/ar...@gendo.ch.asc (public key) PGP fingerprint: 55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2 Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands P please consider the environment before printing this email This e-mail message and its attachments are subject to the disclaimer published at the following website of Gendo: http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade register in The Netherlands under number 28116864. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJSCYEcAAoJECN9TFARig7CsqQP/0nJ07+uQ8Kah8TAfmwhbQHL hkZXMB4nUonufyp0nn/Ld/GfVitjDZuuskFqiNOU+Cj2gm/JyEPHFAToAZANSwjE UBycuCGToqKWS9w/WUZcMF+KFqgNXtSMRvQF5hMj0ldpYE2LLIMS/RwG2BcEK2Lc w80fJabUzZ9ETQfs+PS8SeMcNU+TegFKSrGx0WmOQ1EkrwkW4GFDorDCYU4A4PNW 05uMgIINQCJVg+XDopsorq6GFwE114J8dvlBr6AQUv6rDbbEBlCL4Yy16HgwC2xX QvA/EqmmxD2TfrjNS/DpBxTOA172deH/bnwR430MY21+AFGRXiPZI9FlVf3DOqBr LCWG3epO4l2VNR9Opa9SEe3vZ6X3Fe3aGwlq7N0XPb0Z26fxyPAoGanKJJASRN5H tUm0cIJD8HUPh9vIC2SpLvtpvbFVLlejM34oDEWMx549q+lwQKWRi1Ake81fk6Fa w9mkteG4jIu0kiBOVlG5WHNCcOiPm1s6vbOsahw11fBmC1amhrrA/VQeekhR+/Ds 6nQeueTpRPWy/9Jy2yrqZ/fOnfvlWI6QQX3bAmgrX8nv03jp9lx30TzWBTORUQwg YV9OzxQhdo8VN7J7nBUZqM3Q4fcy58+6Xq5LF7z+83Ficcq+EfpSvJnnr8Hdcrfi JVDvD6zMwoayAta1ski5 =3MQ6 -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
Penn Jilette On Mon, Aug 12, 2013 at 1:32 PM, Francisco Ruiz r...@iit.edu wrote: Quick request. In comments to a recent post, people seemed to agree that publishing a video of someone reading a hash might be a fairly hard-to-hack way to deliver that hash to the public, and thus assure the authenticity of a piece of code, a public key, or whatnot. The problem is that the sample youtube video I linked had yours truly reading the hash, and people naturally objected that I wasn't Justin Bieber and, consequently, weren't too convinced that the video was authentic. Aside from the fact that an adversary might be able to convince Justin Bieber to make a video reading a fake hash (not that I believe Justin doesn't care; it's just a hypothesis), the idea of getting a celebrity for this kind of video has a lot of merit. I'd like to engage one for the next update of my app. So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? Thanks a million! -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app at: http://passlok.com -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Tony Arcieri -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] rsync.net Warrant Canary
Moritz Bartl: Nice idea. I would use a trusted timestamp instead of a headline, but anyway. What do you think, should I do this for torservers.net/onion.to? http://www.rsync.net/resources/notices/canary.txt rsync.net will also make available, weekly, a warrant canary in the form of a cryptographically signed message containing the following: - a declaration that, up to that point, no warrants have been served, nor have any searches or seizures taken place - a cut and paste headline from a major news source, establishing date Special note should be taken if these messages ever cease being updated, or are removed from this page. Awesome! However euphoric I may be about this... Might there be a chance for getting sued for this? If this is safe, it would be awesome if all major pages could implement this. torservers.net, torproject.org, truecrypt.org, gnupg.org, etc. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] rsync.net Warrant Canary
Moritz Bartl: Nice idea. I would use a trusted timestamp instead of a headline, but anyway. What do you think, should I do this for torservers.net/onion.to? http://www.rsync.net/resources/notices/canary.txt rsync.net will also make available, weekly, a warrant canary in the form of a cryptographically signed message containing the following: - a declaration that, up to that point, no warrants have been served, nor have any searches or seizures taken place - a cut and paste headline from a major news source, establishing date Special note should be taken if these messages ever cease being updated, or are removed from this page. Would it make sense to add a declaration, that no one [more specifically, non-trolls in position to ask] asked to backdoor the server or software? Or to have a separate declaration for this? -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Adam Curtis on the nature of espionage
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 BBC Blogs (Aug 8) - BUGGER: Maybe The Real State Secret Is That Spies Aren't Very Good At Their Jobs and Don't Know Very Much About The World by Adam Curtis: http://www.bbc.co.uk/blogs/adamcurtis/posts/BUGGER It's really nice to see Adam Curtis weigh in on recent events from his high-bandwidth cybershell plugged directly into the BBC archives mainframe. As usual, the documentary filmmaker and media maestro presents an unconventional take on events in long form that will leave you confused or better informed and often both. In this installment, his long arc points out the manner in which secrecy breeds confusion, suspicion, and treachery; and contrasts that with the open force of love most of us are more familiar with. Or as he puts it, In fact in many cases [the history of spies] is the story of weirdos who have created a completely mad version of the world that they then impose on the rest of us. He also has some trenchant warnings for journalists who tend to enjoy hearing and relaying fantastic stories: they may be serving to reinforce and perpetuate illusions of hidden power and secret knowledge, keeping intelligence budgets high even though the recipients are unable to demonstrate results (that's a state secret). More succinctly, Curtis cites one historian's description of a particularly credulous journalist's relationship with anonymous government sources: [He was a] kind of official urinal in which ministers and intelligence and defence chiefs could stand patiently leaking. I'm reminded of AP reporter Adam Goldman's statement during the confusion sown by the Daily Beast's reporting on a top sekrit AQAP Legion of Doom conference call that turned out not to be a call at all: https://twitter.com/adamgoldmanap/status/365115189709910016 As one former senior CIA official once told me: Who says we can't lie to reporters? It's not a crime. Yet despite the punking, Curtis leaves a piece of cheese for journalists at the end of his maze. HT Eugen Leitl via Cypherpunks (thanks!) gf - -- Gregory Foster || gfos...@entersection.org @gregoryfoster http://entersection.com/ -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBCgAGBQJSCbRrAAoJEMaAACmjGtgjVvkQAJoofjCKrrvvLjPMDpL+KP/s oxE8CxO6pcS2QNjwvSIW7oTmd3xpPaOrU7SkMerWwxJMay4LoxO9gsZggm60fiho nl1tCYZp+T/rIoTF/fBXUJSQOFpW7eH0NwADv7ofbSfTKLcXNT3qXT50zkFwf09s sldqtzzFPERtJJkcz3YbqjilZA2WFbb4gaCTemEQz2ZnJ+18EnocDl/SyKipje7p xUEKwVgoLeIf0ynOWPNYop0hSsc6Dmsy2iNi02G4e1KdR5T39Qgg99Ucs4K4EseD wbIInqEA05GomOpV1PP5cChZ3sUykIfNxTN0J6ZQcN6iP9k/GxL/pXgfkuMR0j7p Gd333uDL85e+vmH/a7fvXggzXVYo9fJ0WCIgQy3pXbm3BJkm0JAY2Lp3BUbE/9Z6 PzlYkNZmTAUu6MPOBiC0vesxuVlYgMkkbLENBpCLw/NHVh++S/eP3kx2p3jgF8D+ fcyjJQ/3x13Aa/TfrmyoIZlgBGYdC5Ld0lan16de+apSPCPwC6dp+TGvYhsjRio7 lzfEN5eNTEU3nFk4VURB/wPT0ViB0W+0KpSMinL89DqtejVP5aeQP9m3+iue3sKV /ReSq1cyn7vOiOH+aP4gTV7wklQrTlft4TESd/ceMQMQraZOPidRN7R2HW/5Vhf0 y8npV0XyDdwT3vfqg+iF =w36q -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Is spideroak really zero-knowledge?
Spideroak claims to use client-side encryption for desktop client but doesn't not use zero-knowledge password proof for mobile Apps or website portal. In light of Lavabit, spideroak could also forced to intercept password if users ever use mobile Apps or website login while being gagged . Then all encrypted data will be retroactively compromised. Percy Alpha(PGP https://en.greatfire.org/contact#alt) GreatFire.org Team -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Is spideroak really zero-knowledge?
Percy From https://spideroak.com/mobile How Mobile Works with SpiderOak’s Zero Knowledge Policy Here's the deal: when accessing your data via the SpiderOak website or on a mobile device you must enter your password. The password will then exist in the SpiderOak server memory for the duration of your browsing session. For this amount of time your password is stored in encrypted memory and never written to an unencrypted disk. The moment your browsing session ends your password is destroyed and no further trace is left. The instance above represents the only situation where your data could potentially be readable to someone with access to the SpiderOak servers. That said, no one except a select number of SpiderOak employees will ever have access to the SpiderOak servers. To fully retain our 'zero-knowledge' privacy, we recommend you always access your data via the SpiderOak desktop application which downloads your data before decrypting it locally. On Tue, Aug 13, 2013 at 3:10 PM, Percy Alpha percyal...@gmail.com wrote: Spideroak claims to use client-side encryption for desktop client but doesn't not use zero-knowledge password proof for mobile Apps or website portal. In light of Lavabit, spideroak could also forced to intercept password if users ever use mobile Apps or website login while being gagged . Then all encrypted data will be retroactively compromised. Percy Alpha(PGP https://en.greatfire.org/contact#alt) GreatFire.org Team -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Is spideroak really zero-knowledge?
@Tom, For this amount of time your password is stored in encrypted memory but to actually use the key, the key has to be in plain-text form for sometime, during which it can be (forced to )intercepted. If they can force Lavabit to intercept users' emails, why can't they ask spideroak to secretly intercept users' moible app login? -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Is spideroak really zero-knowledge?
@Tony, they claim to use zero-knowledge password proof for desktop client, but not for mobile or website. I wonder why, not accepted by App Store? -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Is spideroak really zero-knowledge?
On Tue, Aug 13, 2013 at 1:35 AM, Percy Alpha percyal...@gmail.com wrote: @Tom, For this amount of time your password is stored in encrypted memory but to actually use the key, the key has to be in plain-text form for sometime, during which it can be (forced to )intercepted. If they can force Lavabit to intercept users' emails, why can't they ask spideroak to secretly intercept users' moible app login? They (or somebody else) can. So don't use mobile login. Curious why the regular client logic can't run on mobile. Too intensive to decrypt metadata maybe? -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Is spideroak really zero-knowledge?
On Mon, Aug 12, 2013 at 10:36 PM, Percy Alpha percyal...@gmail.com wrote: @Tony, they claim to use zero-knowledge password proof for desktop client, but not for mobile or website. I wonder why, not accepted by App Store? Can you please link specifically to what you're talking about? Their marketing material is littered with the words zero-knowledge but as far as I have ever seen the intended meaning is we encrypt stuff client-side before it hits the network -- Tony Arcieri -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Is spideroak really zero-knowledge?
I'm not saying they cant. I'm saying they acknowledge it, althought the way they do makes it seem as if its a non-issue. I don't think it is. I prefer tahoe-lafs On Tue, Aug 13, 2013 at 3:35 PM, Percy Alpha percyal...@gmail.com wrote: @Tom, For this amount of time your password is stored in encrypted memory but to actually use the key, the key has to be in plain-text form for sometime, during which it can be (forced to )intercepted. If they can force Lavabit to intercept users' emails, why can't they ask spideroak to secretly intercept users' moible app login? -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.