Re: [liberationtech] Fwd: [riseup] Space for dissent

2013-08-22 Thread Ben Laurie
So where are these radically new services documented?


On 21 August 2013 19:18, Sean Alexandre s...@alexan.org wrote:

 - Forwarded message from newslet...@lists.riseup.net -

 Space for dissent
 

 It is a mistake to frame the recent US and European massive surveillance
 revelations in terms of the privacy of individuals. What is at stake is not
 privacy at all, but the power of the state over its citizenry.

 What surveillance really is, at its root, is a highly effective form of
 social control. The knowledge of always being watched changes our behavior
 and stifles dissent. The inability to associate secretly means there is no
 longer any possibility for free association. The inability to whisper means
 there is no longer any speech that is truly free of coercion, real or
 implied. Most profoundly, pervasive surveillance threatens to eliminate the
 most vital element of both democracy and social movements: the mental space
 for people to form dissenting and unpopular views.

 Many commentators, and Edward Snowden himself, have noted that these
 surveillance programs represent an existential threat to democracy. This
 understates the problem. The universal surveillance programs in place now
 are not simply a potential threat, they are certain to destroy democracy if
 left unchecked. Democracy, even the shadow of democracy we currently
 practice, rests on the bedrock foundation of free association, free speech,
 and dissent. The consequence of the coercive power of surveillance is to
 subvert this foundation and undermine everything democracy rests on.

 Within social movements, there is a temptation to say that nothing is
 really different. After all, governments have always targeted activist
 groups with surveillance and disruption, especially the successful ones.

 But this new surveillance is different. What the US government and European
 allies have built is an infrastructure for perfect social control. By
 automating the process of surveillance, they have created the ability to
 effortlessly peer into the lives of everyone, all the time, and thus create
 a system with unprecedented potential for controlling how we behave and
 think.

 True, this infrastructure is not currently used in this way, but it is
 a technical tool-kit that can easily be used for totalitarian ends.

 Those who imagine a government can be trusted to police itself when given
 the ominous power of precise insight into the inner workings of everyday
 life are betting the future on the ability of a secretive government to
 show proper self-restraint in the use of their ever-expanding power. If
 history has shown us anything, it is that the powerful will always use
 their full power unless they are forced to stop.

 So, how exactly are we planning on stopping them? We support people working
 through the legal system or applying political pressure, but we feel our
 best hope of stopping the technology of surveillance is the technology of
 encryption. Why? Because the forces that have created this brave new world
 are unlikely to be uprooted before it is too late to halt the advance of
 surveillance.

 Unfortunately, most existing encryption technology is counterproductive.
 Many people are pushing technology that is proprietary, relies on a central
 authority, or is hopelessly difficult for the common user. The only
 technology that has a chance to resist the rise of surveillance will be
 open source, federated, and incredibly easy to use. In the long run,
 decentralized peer-to-peer tools might meet this criteria, but for the
 foreseeable future these tools will not have the features or usability that
 people have grown accustomed to.

 In the coming months, the Riseup birds plan to begin rolling out a series
 of radically new services, starting with encrypted internet, encrypted
 email, and encrypted chat. These services will be based on 100% open source
 and open protocols, will be easy to use, and will protect your data from
 everyone, even Riseup. This is a massive undertaking, made in concert over
 the last year with several other organizations, and will only work with
 your support. We need programmers, particularly those experienced in
 Python, C, Ruby, and Android development, and sysadmins interested in
 starting their own secure service providers.

 We also need money. Donations from our amazing Riseup users keep us running
 on our current infrastructure. But in order to be able to graduate to a new
 generation of truly secure and easy to use communication technology, we are
 going to need a lot more money than our users are able to donate. If you
 have deep pockets and an interest in building this new generation of
 communication, then we need to hear from you. If you have friends or family
 who care about the future of democracy and who have deep pockets, we need
 to hear from them, too.

 At Riseup, we have felt for the last few years that the window of
 

Re: [liberationtech] Bradley Manning's sentence: 35 years for exposing us to the truth

2013-08-22 Thread André Rebentisch

On Aug 21, 2013, at 5:32 PM, Shelley shel...@misanthropia.info wrote:

 Outrageous.
 
 http://www.theguardian.com/commentisfree/2013/aug/21/bradley-manning-sentence-birgitta-jonsdottir
 
 Bradley Manning's sentence: 35 years for exposing us to the truth

From a security perspective the issue is that a soldier of his low rank could 
do that and apparently it is uncommon in the nation that superiors take 
political responsibility for critical failures, here of security architecture. 
What he did was clearly above his pay grade. The whole disproportionate 
treatment serves deterrence purposes. Puts it in a bad light.

See also the piece of Sandra Coliver for OSI, she compares penal sanctions for 
corresponding crimes in other occidental nations:
http://www.opensocietyfoundations.org/voices/sentencing-private-manning

Best, A
-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

[liberationtech] Is email Dead? Surveillance Inevitable? Introducing Project Caliop

2013-08-22 Thread Félix Tréguer
You might find this of interest:

Project Caliop aims at providing tools and a platform for email
users can trust, guaranteeing by design the confidentiality of
communications. In the context of revelations about PRISM showing
that users cannot trust advertisement-based services such as Gmail,
and in the wake of the recent shutdown of secure mail services,
Caliop aims at rethinking the infrastructure for secure email
communications. Caliop founder Laurent Chemla calls on contributions
to the initial specifications.
...
Citizens from all across the Internet are invited to join the
Caliop bootstrap mailing-list
<mailto:talks-requ...@caliop.net?subject=subscribe> to discuss the
initial specifications before they are published on
http://www.caliop.net/.

http://www.caliop.net/is-email-dead-surveillance-inevitable-introducing-project-caliop/

Félix

[liberationtech] Deterministic Builds Part One: Cyberwar and Global Compromise

2013-08-22 Thread Jacob Appelbaum
Hi,

I think a lot of people would benefit from reading Mike Perry's latest
blog post. He addresses how The Tor Project is working towards the
problems referenced by Zooko in his latest open letter to Silent Circle:


https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise

Current popular software development practices simply cannot survive
targeted attacks of the scale and scope that we are seeing today. 

All the best,
Jacob


[liberationtech] New Zealand

2013-08-22 Thread Richard Brooks
What do you do if the government is caught illegally spying on citizens?
Change the laws:
http://www.globalpost.com/dispatch/news/afp/130821/new-zealand-passes-law-allowing-domestic-spying?goback=.gde_1836487_member_267577237#!


[liberationtech] NSA's 100% perfect internal audits...

2013-08-22 Thread Case Black
http://www.techdirt.com/articles/20130820/15441924258/us-still-cant-figure-out-what-snowden-took-what-happened-to-those-perfect-audits.shtml

Remember how the NSA's biggest defenders keep insisting that the NSA's
perfect audits prevent abuse? Here's Keith Alexander insisting that
such audits are perfect
<http://www.theatlantic.com/politics/archive/2013/08/can-nsa-director-keith-alexander-explain-his-contradictory-claims/278394/>:

*The assumption is our people are just out there wheeling and dealing.
Nothing could be further from the truth. We have tremendous oversight over
these programmes. We can audit the actions of our people 100%, and we do
that, he said.

Addressing the Black Hat convention in Las Vegas, an annual gathering for
the information security industry, he gave a personal example: I have four
daughters. Can I go and intercept their emails? No. The technical
limitations are in there. Should anyone in the NSA try to circumvent that,
in defiance of policy, they would be held accountable, he said: There is
100% audibility. Only 35 NSA analysts had the authority to query a
database of US phone records, he said.*

Yet, many months after the initial leaks, it's being reported that the US
government still doesn't know what Snowden took
<http://investigations.nbcnews.com/_news/2013/08/20/20108770-us-doesnt-know-what-snowden-took-sources-say?lite>:

*More than two months after documents leaked by former contractor Edward
Snowden first began appearing in the news media, the National Security
Agency still doesn’t know the full extent of what he took, according to
intelligence community sources, and is “overwhelmed” trying to assess the
damage.*

Re: [liberationtech] NSA's 100% perfect internal audits...

2013-08-22 Thread Eugen Leitl
On Thu, Aug 22, 2013 at 11:36:37AM -0500, Case Black wrote:

 Addressing the Black Hat convention in Las Vegas, an annual gathering for
 the information security industry, he gave a personal example: I have four
 daughters. Can I go and intercept their emails? No. The technical
 limitations are in there. Should anyone in the NSA try to circumvent that,

Are you actually spending a minute of your time listening to a known
liar? The spooks lie all the time. It's their job. Don't fall for it.

 in defiance of policy, they would be held accountable, he said: There is
 100% audibility. Only 35 NSA analysts had the authority to query a
 database of US phone records, he said.*


Re: [liberationtech] Bradley Manning's sentence: 35 years for exposing us to the truth

2013-08-22 Thread The Doctor
On 08/21/2013 04:59 PM, Shelley wrote:
 Sure, but I think Manning has a zero chance of obtaining a pardon.

Examples needed to be made to dissuade anybody else from doing
something similar.  Manning was the example.  There will probably be
another such example in four or five years, after most people have
forgotten and gone on with their lives.

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

It appears my producers set this up.  They set /me/ up. --Anthony
Bourdain



Re: [liberationtech] NSA's 100% perfect internal audits...

2013-08-22 Thread Case Black
You are quite correct! Being in the operational side of intelligence
requires one to be adept at deception. And clearly the current NSA
leadership has fallen far below the standards of such predecessors as Bobby
Inman when it comes to not injecting open deception into the arena of public
policy debate.

It's very useful to point out that fact; however, the members of this list
are uniquely qualified to influence that policy debate in terms of shaping
both hard and soft policy in far more substantial ways.

We can shape soft policy by expanding the selectorate[1] willing to
influence the political leadership to better circumscribe domestic
surveillance capabilities. It's important to keep the focus on capabilities
rather than intentions and assurances. And on the long range danger of
having these surveillance databases in existence and their inevitable use
to warp the political process in dark and dangerous ways[2].

Hard policy is shaped by changing the technological landscape...by altering
the very ground surveillance agencies stand on. The support of more and
better privacy and encryption projects with less juvenile sniping, less
gotcha behavior and more genuine mutual help and support for relevant
projects has the chance to fundamentally alter that landscape. It happened
during the Crypto Wars of the 1990's[3] and it can happen again.

There's massive experience and expertise on this list. Many of us have deep
crypto and technology backgrounds and many of us were foot soldiers on the
ground during the earlier Crypto Wars. And that war is CLEARLY NOT OVER[4].

---

[1] http://en.wikipedia.org/wiki/Selectorate_theory
[2] http://www.salon.com/2011/11/15/the_long_shadows_of_nixon_and_hoover

[3] http://wiki.openrightsgroup.org/wiki/Crypto_Wars
[4] http://www.fipr.org/press/050525crypto.html


On Thu, Aug 22, 2013 at 11:58 AM, Eugen Leitl eu...@leitl.org wrote:

 On Thu, Aug 22, 2013 at 11:36:37AM -0500, Case Black wrote:

  Addressing the Black Hat convention in Las Vegas, an annual gathering for
  the information security industry, he gave a personal example: I have four
  daughters. Can I go and intercept their emails? No. The technical
  limitations are in there. Should anyone in the NSA try to circumvent that,

 Are you actually spending a minute of your time listening to a known
 liar? The spooks lie all the time. It's their job. Don't fall for it.

  in defiance of policy, they would be held accountable, he said: There is
  100% audibility. Only 35 NSA analysts had the authority to query a
  database of US phone records, he said.*

[liberationtech] Open Whisper Systems' neat asynch FPS pre-keying

2013-08-22 Thread Joseph Lorenzo Hall
https://whispersystems.org/blog/asynchronous-security/

...

The TextSecure Protocol

TextSecure’s upcoming iOS client (and Android data channel client) uses
a simple trick to provide asynchronous messaging while simultaneously
providing forward secrecy.

At registration time, the TextSecure client preemptively generates 100
signed key exchange messages and sends them to the server. We call these
“prekeys.” A client that wishes to send a secure message to a user for
the first time can now:

1.  Connect to the server and request the destination’s next “prekey.”
2.  Generate its own key exchange message half.
3.  Calculate a shared secret with the prekey it received and its own
key exchange half.
4.  Use the shared secret to encrypt the message.
5.  Package up the prekey id, the locally generated key exchange
message, and the ciphertext.
6.  Send it all in one bundle to the destination client.

The user experience for the sender is ideal: they type a message, hit
send, and an encrypted message is immediately sent.

The destination client receives all of this as a single push
notification. When the user taps it, the client has everything it needs
to calculate the key exchange on its end, immediately decrypt the
ciphertext, and display the message.

With the initial key exchange out of the way, both parties can then
continue communicating with an OTR-style protocol as usual. Since the
server never hands out the same prekey twice (and the client would never
accept the same prekey twice), we are able to provide forward secrecy in
a fully asynchronous environment.

-- 
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
j...@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8
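
The six prekey steps quoted above, as an added sketch that is not Open Whisper Systems' code. Assumptions: X25519 (RFC 7748, pure Python, not constant-time) stands in for the unspecified key exchange, an HMAC-SHA256 keystream with a MAC stands in for the cipher, the prekey signatures are omitted, and `Server`, `Recipient` and `send_first_message` are hypothetical names.

```python
import hashlib
import hmac
import os

P = 2**255 - 19
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Illustrative only: not constant-time."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64
    n = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)

def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as keystream.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(x ^ y for x, y in zip(data, stream))

def seal(shared: bytes, plaintext: bytes) -> bytes:
    ct = _xor_stream(_prf(shared, b"enc"), plaintext)
    return ct + _prf(_prf(shared, b"mac"), ct)          # encrypt-then-MAC

def unseal(shared: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(shared, b"mac"), ct)):
        raise ValueError("authentication failed")
    return _xor_stream(_prf(shared, b"enc"), ct)

class Server:
    """Stores public prekeys only and hands each one out exactly once."""
    def __init__(self):
        self.queues = {}

    def upload(self, user, prekeys):
        self.queues[user] = list(prekeys)

    def next_prekey(self, user):
        if not self.queues.get(user):
            raise LookupError("no prekeys left for " + user)
        return self.queues[user].pop(0)

class Recipient:
    def __init__(self, count=100):          # the post says 100 prekeys
        self.private, self.public = {}, []
        for prekey_id in range(count):
            priv, pub = keypair()
            self.private[prekey_id] = priv
            self.public.append((prekey_id, pub))

    def receive(self, bundle):
        prekey_id, sender_pub, blob = bundle
        priv = self.private.get(prekey_id)
        if priv is None:
            raise LookupError("prekey unknown or already used")
        plaintext = unseal(x25519(priv, sender_pub), blob)
        # Delete only after the MAC verified, so junk cannot burn a prekey.
        # With the private half gone, this message key cannot be rebuilt.
        del self.private[prekey_id]
        return plaintext

def send_first_message(server, to, plaintext):
    prekey_id, prekey_pub = server.next_prekey(to)      # step 1
    eph_priv, eph_pub = keypair()                       # step 2
    shared = x25519(eph_priv, prekey_pub)               # step 3
    blob = seal(shared, plaintext)                      # step 4
    return (prekey_id, eph_pub, blob)                   # steps 5-6

if __name__ == "__main__":
    server, bob = Server(), Recipient()
    server.upload("bob", bob.public)
    bundle = send_first_message(server, "bob", b"constructed sample message")
    print(bob.receive(bundle))
    # A second bob.receive(bundle) raises LookupError: that prekey is gone.
```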




[liberationtech] Hey Silicon Valley! Not every problem can be solved by giving people internet access or teaching them to code [feedly]

2013-08-22 Thread Amin Sabeti

  
 
Shared via feedly // published on GigaOM // visit site
Hey Silicon Valley! Not every problem can be solved by giving people internet 
access or teaching them to code
This might go without saying, but I’m probably one of the biggest boosters of 
technology there is, especially when it comes to the benefits of internet 
access and the startup ecosystem that has grown up around it: it’s what I write 
about, I use the internet and mobile technology all day, and I think internet 
access should probably be a human right. But even I know that there are some 
problems in the world — and some fairly significant ones — that can’t be solved 
by simply giving people internet access and teaching them how to code.

Unfortunately, Facebook founder Mark Zuckerberg and some tech entrepreneurs 
either don’t know this or are deliberately choosing to ignore it. And by doing 
so, they are only reinforcing the image of Silicon Valley and the 
technology-startup scene as a bubble of unrealistic expectations, if not 
outright blinkered ignorance about the world around it.

Zuckerberg’s new venture, known as Internet.org, is a joint project aimed at 
bringing easy and/or cheap internet access to those who don’t have it — 
primarily in non-Western countries — and arrived wrapped in a motivational and 
humanitarian-themed video that was largely based on some sections of a speech 
by John F. Kennedy (sections that were chosen rather selectively, as Alexis 
Madrigal notes in a post at The Atlantic). In this vision, internet access 
pretty much solves everything, and makes people’s lives immeasurably awesome:

Homelessness is not a “glitch”

The other exhibit in my Silicon Valley bubble-mentality case comes from 
entrepreneur Patrick McConlogue, who wrote a spectacularly thoughtless post for 
Medium — not the first one from a young entrepreneur, I should note — about how 
he believes that homeless people would be a lot better off if they learned how 
to program (McConlogue is a New Yorker, but I think his viewpoint is an Eastern 
extension of a common Silicon Valley mindset). He says he plans to conduct an 
experiment in which he offers a specific homeless man $100 or three books on 
JavaScript to see which he will take:

“I like to think I can see the few times when [a homeless person is] a wayward 
puzzle piece. It’s that feeling you get when you know the waiter, the cashier, 
the janitor is in the wrong place—they are smart, brilliant even. This is my 
attempt to fix one of those lost pieces.”

In an interview with the Huffington Post, the writer — a 23-year-old founder of 
Echo Republic — says that as a software engineer, “I see a glitch and I want to 
fix the glitch.” If I didn’t know better, I would think that McConlogue had 
been invented by author and internet gadfly Evgeny Morozov, who has become 
known for criticizing the technology-based mindset he calls “solutionism,” 
which sees the internet and gadgets as the answer to virtually any societal 
problem. McConlogue is like the poster child for this viewpoint.

In fact, the “technology will fix you” mentality in the piece was so 
overwhelming that at least some people in my Twitter stream thought it was a 
joke — a satire of Silicon Valley’s startup mentality and the focus on 
programming as the cure for every ill. Within a matter of hours, Harvard law 
student Sarah Jeong had created a Medium post that consisted of entries from a 
fictional advice column, where the answer to every personal problem is to learn 
how to code.

After reaching its peak at 117CE, the Roman Empire collapsed due to its total 
inability to teach its citizens to code.— 
Anil Dash (@anildash) August 22, 2013

A certain tone-deaf eagerness

Jessica Roy at Betabeat told McConlogue that “the homeless are not bit players 
in your imaginary entrepreneurial novella,” and Ezra Klein at the Washington 
Post said the most objectionable part of the essay was the writer’s attempt to 
“absorb this homeless man — a real person, with an actual history that 
McConlogue can’t really intuit by looking into his eyes — into his precanned, 
triumphant programmer narrative.” Kevin Roose at New York magazine said “Check 
back soon for McConlogue’s next post: ‘How Ruby on Rails Fixes Racism.’”

In an update and response to the outcry over his original post, McConlogue says 
he remains undaunted by the criticism he received, and that Leo — the homeless 
person he mentioned — has accepted his offer of programming instruction manuals 
and a free Chromebook instead of $100. He also says that he plans a meetup in 
New York in the future in order to “discuss some of the feedback” to his post 
and suggests this would be “a good venue for non-profits to connect around the 
issue of homelessness.”

 

It seems obvious that McConlogue’s heart is in the right place, and that he 
genuinely wants to help this young homeless man, just as it seems obvious (or 
at least arguable) that Mark Zuckerberg actually wants to try and improve 

Re: [liberationtech] Fwd: [riseup] Space for dissent

2013-08-22 Thread Sean Alexandre
On Thu, Aug 22, 2013 at 04:22:17AM -0400, Ben Laurie wrote:
 So where are these radically new services documented?

From what I understand it's this:

LEAP Encryption Access Project
https://leap.se


Re: [liberationtech] Hey Silicon Valley! Not every problem can be solved by giving people internet access or teaching them to code [feedly]

2013-08-22 Thread Glassman, Michael
While I am no great fan of Silicon Valley - Silicon Valley I think does not 
equal the Internet.  What I hope we guard against with this reaction against I 
guess technological triumphalism is throwing the proverbial baby out with the 
bathwater.  I think joining the church of the savvy (a saying from journalism 
that I think can be transferred to discussions about the Internet) can be just, 
or even more dangerous than belief in the Internet as an ultimate problem 
solver.

Maybe to take the example of the homeless man as one example.  I had been a 
member of a group working with homeless youth a few years ago - in the sort of 
myspace to Facebook era.  What we found anecdote wise was that youth who had a 
presence on social network sites were able to stay more connected.  One of the 
difficulties that homeless youth face is that they lose connection to 
mainstream society because that is not where their lives take them.  This 
ability to stay at least minimally visible may or may not be a defining 
circumstance of their lives, but it seemed important.  And the reason they were 
able to do this is because libraries offered computers with free and open 
Internet access.  I have no idea what Mark Zuckerberg's motives are, but there 
is nothing wrong with Internet access.

Homeless youth are different from the adult homeless population.  I have seen 
some very good research suggesting that the most important issue in adult 
homelessness is, self evidently enough, lack of stable housing.  We somehow got 
this view of most homeless as being homeless because they have other problems.  
I think it is more likely that these other problems come from lack of stable 
housing and perceiving there are no avenues to stable housing.  There are many 
reasons for this, but I think one of the reasons is that many homeless don't 
know their rights and/or what might be available to them (less and less in the 
modern U.S. I admit).  The Internet it seems to me can serve as a source of 
information, available at the same libraries as the youth use (caveat, many 
homeless youth are homeless because of other often family related problems, but 
stable housing is still extraordinarily important  and at the same time almost 
completely out of reach for this population).

Teaching a homeless man coding may have important benefits.  Somebody who is 
homeless might be better at creating connecting platforms that meet the needs 
of the homeless as opposed to say upper middle class college students.

I don't know where what seems like a snowball of Internet cynicism comes from.  
Perhaps part of it is that everybody seems to be trying to make a buck off the 
Internet and it has spawned an awful lot of e-confidence artists.  But that 
doesn't diminish the potential it has for changing the way we live in ways we 
are just beginning to recognize.

Michael

From: liberationtech-boun...@lists.stanford.edu 
[liberationtech-boun...@lists.stanford.edu] on behalf of Amin Sabeti 
[aminsab...@gmail.com]
Sent: Thursday, August 22, 2013 2:05 PM
To: liberationtech
Subject: [liberationtech] Hey Silicon Valley! Not every problem can be solved 
by giving people internet access or teaching them to code [feedly]




Shared via feedly <http://bit.ly/SA6Efh> // published on GigaOM // visit 
site <http://feedproxy.google.com/~r/OmMalik/~3/Ra1oB4m44LI/>
Hey Silicon Valley! Not every problem can be solved by giving people internet 
access or teaching them to code

This might go without saying, but I’m probably one of the biggest boosters of 
technology there is, especially when it comes to the benefits of internet 
access and the startup ecosystem that has grown up around it: it’s what I write 
about, I use the internet and mobile technology all day, and I think internet 
access should probably be a human right 
<http://gigaom.com/2012/01/05/is-internet-access-a-fundamental-human-right/>. 
But even I know that there are some problems in the world — and some fairly 
significant ones — that can’t be solved by simply giving people internet access 
and teaching them how to code.

Unfortunately, Facebook founder Mark Zuckerberg and some tech entrepreneurs 
either don’t know this or are deliberately choosing to ignore it. And by doing 
so, they are only reinforcing the image of Silicon Valley and the 
technology-startup scene as a bubble of unrealistic expectations, if not 
outright blinkered ignorance about the world around it.

Zuckerberg’s new venture, known as Internet.org <http://Internet.org>, is a 
joint project aimed at bringing easy and/or cheap internet access 
<http://gigaom.com/2013/08/20/facebook-launches-internet-org-initiative-to-connect-the-world/> 
to those who don’t have it — primarily in non-Western countries — and arrived 
wrapped in a motivational and humanitarian-themed video that was largely based 
on some sections of a speech by John F. Kennedy (sections that were chosen 
rather selectively, as Alexis Madrigal notes in a 
Re: [liberationtech] Bradley Manning's sentence: 35 years for exposing us to the truth

2013-08-22 Thread Albert López
His statement:
The decisions that I made in 2010 were made out of a concern for my country and 
the world that we live in. Since the tragic events of 9/11, our country has 
been at war. We’ve been at war with an enemy that chooses not to meet us on any 
traditional battlefield, and due to this fact we’ve had to alter our methods of 
combating the risks posed to us and our way of life.

I initially agreed with these methods and chose to volunteer to help defend my 
country. It was not until I was in Iraq and reading secret military reports on 
a daily basis that I started to question the morality of what we were doing. It 
was at this time I realized in our efforts to meet this risk posed to us by the 
enemy, we have forgotten our humanity. We consciously elected to devalue human 
life both in Iraq and Afghanistan. When we engaged those that we perceived were 
the enemy, we sometimes killed innocent civilians. Whenever we killed innocent 
civilians, instead of accepting responsibility for our conduct, we elected to 
hide behind the veil of national security and classified information in order 
to avoid any public accountability.

In our zeal to kill the enemy, we internally debated the definition of torture. 
We held individuals at Guantanamo for years without due process. We 
inexplicably turned a blind eye to torture and executions by the Iraqi 
government. And we stomached countless other acts in the name of our war on 
terror.

Patriotism is often the cry extolled when morally questionable acts are 
advocated by those in power. When these cries of patriotism drown our any 
logically based intentions [unclear], it is usually an American soldier that is 
ordered to carry out some ill-conceived mission.

Our nation has had similar dark moments for the virtues of democracy—the Trail 
of Tears, the Dred Scott decision, McCarthyism, the Japanese-American 
internment camps—to name a few. I am confident that many of our actions since 
9/11 will one day be viewed in a similar light.

As the late Howard Zinn once said, There is not a flag large enough to cover 
the shame of killing innocent people.

I understand that my actions violated the law, and I regret if my actions hurt 
anyone or harmed the United States. It was never my intention to hurt anyone. I 
only wanted to help people. When I chose to disclose classified information, I 
did so out of a love for my country and a sense of duty to others.

If you deny my request for a pardon, I will serve my time knowing that 
sometimes you have to pay a heavy price to live in a free society. I will 
gladly pay that price if it means we could have country that is truly conceived 
in liberty and dedicated to the proposition that all women and men are created 
equal.




gpg --keyserver pgp.mit.edu --search-keys EEE5A447
http://pgp.mit.edu:11371/pks/lookup?search=0xEEE5A447&op=vindex


 Date: Thu, 22 Aug 2013 13:30:15 -0400
 From: dr...@virtadpt.net
 To: liberationtech@lists.stanford.edu
 Subject: Re: [liberationtech] Bradley Manning's sentence: 35 years for 
 exposing us to the truth
 
 
 On 08/21/2013 04:59 PM, Shelley wrote:
  Sure, but I think Manning has a zero chance of obtaining a pardon.
 
 Examples needed to be made to dissuade anybody else from doing
 something similar.  Manning was the example.  There will probably be
 another such example in four or five years, after most people have
 forgotten and gone on with their lives.
 
 - -- 
 The Doctor [412/724/301/703] [ZS]
 Developer, Project Byzantium: http://project-byzantium.org/
 
 PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
 WWW: https://drwho.virtadpt.net/
 
 It appears my producers set this up.  They set /me/ up. --Anthony
 Bourdain
 
  -- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Deterministic Builds Part One: Cyberwar and Global Compromise

2013-08-22 Thread phreedom
 I think a lot of people would benefit from reading Mike Perry's latest
 blog post. He addresses how The Tor Project is working towards the
 problems referenced by Zooko in his latest open letter to Silent Circle:

 Current popular software development practices simply cannot survive
 targeted attacks of the scale and scope that we are seeing today. 

NixOS distro[1] takes build reproducibility seriously and build determinism is 
being worked on.

I have patched the most important toolchains to not systematically introduce 
non-determinism[2]. Some of the patches are in the master branch already, some 
are in the staging branch and will be merged in a month or two. These patches 
are sufficient to make a large subset of package builds deterministic.

After the merge, I'll do another round this time fixing non-determinism due to 
quirks of build systems of specific packages. Luckily, there aren't that many 
packages like Firefox and luckily Firefox has been already tackled by someone 
else :)

I'm committed to making at least installation media, typical desktop and 
server installs fully deterministic.

[1] http://nixos.org/nixos/
[2] http://lists.science.uu.nl/pipermail/nix-dev/2013-June/011357.html


Re: [liberationtech] Open Whisper Systems' neat asynch FPS pre-keying

2013-08-22 Thread Maxim Kammerer
On Thu, Aug 22, 2013 at 9:03 PM, Joseph Lorenzo Hall j...@cdt.org wrote:
 TextSecure’s upcoming iOS client (and Android data channel client) uses
 a simple trick to provide asynchronous messaging while simultaneously
 providing forward secrecy.

Not sure if I understand all iOS-related issues described, but this
seems like overcoming engineering problems with a synchronous protocol
like OTR on iOS at the expense of exposing the clients to a DOS attack
of exhausting the prekeys.

However, an asynchronous protocol does not mean that all information
must be delivered in one push. In cables communication [1], I chose
simple asynchronous messages because I don't trust complex SSL
handshakes or the cumbersome OTR protocol, and because I believe that
reliable delivery receipts and resilience to DOS attacks are as
important as the message itself. The exchange goes similar to the
following (each line describes what is sent by sender (s) / receiver
(r)) [2]:

(s) peer request
(r) certificate, signed peer key
(s) certificate, signed peer key, encrypted message+MAC
(r) receipt+MAC
(s) acknowledgement+MAC

and is similar to a state machine where each state is retried in
sender / receiver until a new state is reached. The exchange above is
somewhat implementation-specific for short requests followed by long
fetches (implementation is HTTP-based and targeted for .onions), and
for generic messages it can be reformulated as:

(s) certificate, signed peer key
(r) certificate, signed peer key
(s) encrypted message+MAC
(r) receipt+MAC
(s) acknowledgement+MAC

(In cables, username is certificate's fingerprint, so MITM'ing the
certificate is not an issue.)

So, with a centralized DB / prekeys I guess it's possible to shave off
the first two messages, but does it really matter if the protocol is
asynchronous to begin with?

[1] http://dee.su/cables
[2] https://github.com/mkdesu/cables/blob/master/doc/cable.txt

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte


Re: [liberationtech] Open Whisper Systems' neat asynch FPS pre-keying

2013-08-22 Thread Gregory Maxwell
On Thu, Aug 22, 2013 at 11:03 AM, Joseph Lorenzo Hall j...@cdt.org wrote:
 TextSecure’s upcoming iOS client (and Android data channel client) uses
 a simple trick to provide asynchronous messaging while simultaneously
 providing forward secrecy.

I've seen people want PGP to do this before— have every encrypted and
signed message you send include a number of single use ephemeral reply
coupons, to be used instead of key agreement with a fixed key...

The primary argument against it is that if the receiver changes
systems the messages will be undecodable.  You can do things to
prevent this, like backing up your tokens, but that defeats PFS.
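The one-time prekey idea discussed in the two replies above, as an added Python sketch (not code from TextSecure, cables, or either poster): it shows the exhaustion failure raised in the first reply and the delete-after-use property behind the backup trade-off raised in the second. The class names, the in-memory server and the toy DH group are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy finite-field DH group (assumption, illustration only): the prime
# 2**255 - 19 with generator 2. Real systems use vetted curves or groups.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive(priv, peer_pub):
    """Hash the DH shared secret into a 32-byte message key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

class PrekeyServer:
    """Hypothetical directory: hands out each uploaded public prekey once."""
    def __init__(self):
        self.pool = {}  # user -> list of (prekey_id, public_key)

    def upload(self, user, publics):
        self.pool.setdefault(user, []).extend(publics)

    def fetch(self, user):
        if not self.pool.get(user):
            # The exhaustion case: nobody can start a session until the
            # receiver comes back online and uploads more prekeys.
            raise LookupError("prekeys exhausted for " + user)
        return self.pool[user].pop(0)

class Receiver:
    def __init__(self, name, server, count):
        self.private = {}  # prekey_id -> private half, held only on this device
        publics = []
        for i in range(count):
            priv, pub = keypair()
            self.private[i] = priv
            publics.append((i, pub))
        server.upload(name, publics)

    def receive(self, prekey_id, sender_pub):
        # pop() deletes the private half, so this key cannot be re-derived
        # later; a backup copy of self.private would undo that guarantee.
        priv = self.private.pop(prekey_id)
        return derive(priv, sender_pub)

def send(server, user):
    """Sender side: consume one prekey; return (prekey_id, ephemeral_pub, key)."""
    prekey_id, prekey_pub = server.fetch(user)
    eph_priv, eph_pub = keypair()
    return prekey_id, eph_pub, derive(eph_priv, prekey_pub)
```

A second `receive()` for the same prekey id raises `KeyError`, which is the forward-secrecy property; a receiver that restores `private` from a backup can derive the old key again.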

Re: [liberationtech] Fwd: [riseup] Space for dissent

2013-08-22 Thread elijah
On 08/22/2013 01:22 AM, Ben Laurie wrote:

 So where are these radically new services documented?

On 08/22/2013 11:50 AM, Sean Alexandre wrote:

 From what I understand it's this:
 LEAP Encryption Access Project
 https://leap.se

You are right to be skeptical, given the steady stream of snake oil
announced these days.

Here is the overview page for email:

https://leap.se/en/services/email

Technical details can be found in the links on that page. Constructive
criticism warmly encouraged.

I would say the things that distinguish the LEAP approach:

* free software client and free software turn-key infrastructure
* we are taking our time to do things the right way
* we are not ignoring the hard problems https://leap.se/en/hard-problems

-elijah




Re: [liberationtech] Fwd: [riseup] Space for dissent

2013-08-22 Thread Ximin Luo
On 23/08/13 00:02, elijah wrote:
 On 08/22/2013 01:22 AM, Ben Laurie wrote:
 
 So where are these radically new services documented?
 
 On 08/22/2013 11:50 AM, Sean Alexandre wrote:
 
 From what I understand it's this:
 LEAP Encryption Access Project
 https://leap.se
 
 You are right to be skeptical, given the steady stream of snake oil
 announced these days.
 
 Here is the overview page for email:
 
 https://leap.se/en/services/email
 
 Technical details can be found in the links on that page. Constructive
 criticism warmly encouraged.
 
 I would say the things that distinguish the LEAP approach:
 
 * free software client and free software turn-key infrastructure
 * we are taking our time to do things the right way
 * we are not ignoring the hard problems https://leap.se/en/hard-problems
 
 -elijah
 
 

I saw you guys before and remembered being impressed with the docs. The
comparison of architecture is nice and shows that you understand how your
system fits in to existing state-of-the-art solutions. They look a lot expanded
from what I remember from last time. Nice work, keep it up!

There is indeed a lot of bullshit bandwagon-jumping solutions that are in fact
harming the goal by distracting attention away from good proper efforts that
involve hard work and thoughtful research. I'm glad to see LEAP taking the slow
and steady approach.

Let the recent events inspire you, but don't let them ruin your long-term
strategy. Stay on target and don't get distracted by politics. I also hope I
can join you some time!

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git


Re: [liberationtech] Open Whisper Systems' neat asynch FPS pre-keying

2013-08-22 Thread Tom Ritter
 https://whispersystems.org/blog/asynchronous-security/
 Since these key exchange parts are ephemeral, recording ciphertext traffic 
 doesn’t help a would-be adversary, since there is no durable key for them to 
 compromise in the future.

I disagree.  PFS traffic today protected with 1024-bit DH will be
readable in 10 years, if not sooner, to organizations like the NSA.
In twice that time it may be cheap enough to be decryptable on a mass
scale.

Anyway, that's a nit.  My first thought is that the nastiest part of
this protocol is that Bob (a client) is trusting the server to give it
legitimate keys for Alice (the other client.)  The server can lie, and
hand out fraudulent keys (I'll call one KeyF as opposed to a legit one
KeyA).

If the server lies, Bob will send a message to Alice, encrypted to KeyF.

If the message makes its way to Alice, she'll be confused, because
she can't decrypt it.  The server won't see it.
If the server colludes with a network attacker, Bob will send a
message encrypted to KeyF, which the network attacker sees.  The
network attacker gives the ciphertext to the server who decrypts it,
and the network attacker also blocks the message from being sent to
Alice, so Alice is none the wiser.
If the server is compelled to provide fraudulent keys for Alice, then
the network attacker presumably has the private key, decrypts it, and
doesn't deliver it.

The server introduces a central component in this network.  A
component that must be secured quite thoroughly, trusted by all the
participants, and ultimately if it's Denial-of-Serviced takes down all
users' chats*.  It would be possible to build a protocol such that the
server is federated (e.g. I run my own server, and there's an open
protocol for all OTR apps [or all TextSecure-OTR apps] to know how to
query to find my server.)  Even if Moxie didn't want to build that
into TextSecure, there's no reason other OTR apps couldn't follow a
similar prekeying design with a federated prekey server.

*Of course there are ways to resist DoS, but they add engineering cost.

-tom