Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
Hi,

Am I the only one for whom the page is hidden behind an annoying "sign up" overlay?

axel

On 2013-09-09 05:12, Shava Nerad wrote:
As far as I am concerned it is not. I might have posted the link if you had not brought it to our attention. Thank you.

On Sun, Sep 8, 2013 at 9:36 PM, Noah Shachtman noah.shacht...@gmail.com wrote:
All: Sorry if this is considered spamming the list - if it is, it won't happen again. At Foreign Policy, we just published what I believe is the first major profile of NSA chief Keith Alexander. It is not a particularly flattering one. One scooplet among many in Shane Harris' nearly 6,000-word story: Even his fellow spies consider Keith Alexander to be a cowboy who's barely concerned with law. Anyway, take a look. Let me know what you think.
http://www.foreignpolicy.com/articles/2013/09/08/the_cowboy_of_the_nsa_keith_alexander
All the best, nms

-- Noah Shachtman, Executive Editor for News | Foreign Policy, 917-690-0716, noah.shacht...@gmail.com, http://www.foreignpolicy.com/author/NoahShachtman, encrypted phone: 415-463-4956

-- Shava Nerad shav...@gmail.com

-- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
On Mon, 09 Sep 2013 11:23:30 +0200 Axel Simon axelsi...@axelsimon.net wrote:
Hi, Am I the only one for whom the page is hidden behind an annoying "sign up" overlay? axel

Nope, I got that too. You can remove it with the developer tools/Firebug.

A bit disappointing that they go all "HEY LINK YOUR TWITTER OR FACEBOOK ACCOUNT TO US!1!!" Also that there's this weird limit of 8 articles per month that probably only works on technically illiterate people. :/

These measures seem a tad desperate/indecent; is money that tight at FP?
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
Which can be dismissed with a click normally...

-- Al Billings http://makehacklearn.org

On Monday, September 9, 2013 at 11:23 AM, Axel Simon wrote:
Hi, Am I the only one for whom the page is hidden behind an annoying "sign up" overlay? axel
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
On other sites, yes - that's what I'm used to. But on this site I didn't see anything that even remotely resembles anything approximating a close button; clicking beside the popup won't do anything either.
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
On Mon, Sep 09, 2013 at 12:50:49PM +0200, phryk wrote:

http://cryptome.org/2013/09/nsa-cowboy.htm

9 September 2013

The Cowboy of the NSA Keith Alexander
http://www.foreignpolicy.com/articles/2013/09/08/the_cowboy_of_the_nsa_keith_alexander

Foreign Policy Magazine
The Cowboy of the NSA
Inside Gen. Keith Alexander's all-out, barely-legal drive to build the ultimate spy machine.
BY SHANE HARRIS | SEPTEMBER 9, 2013
Shane Harris is a senior writer for Foreign Policy and author of The Watchers: The Rise of America's Surveillance State.

On Aug. 1, 2005, Lt. Gen. Keith Alexander reported for duty as the 16th director of the National Security Agency, the United States' largest intelligence organization. He seemed perfect for the job. Alexander was a decorated Army intelligence officer and a West Point graduate with master's degrees in systems technology and physics. He had run intelligence operations in combat and had held successive senior-level positions, most recently as the director of an Army intelligence organization and then as the service's overall chief of intelligence. He was both a soldier and a spy, and he had the heart of a tech geek. Many of his peers thought Alexander would make a perfect NSA director.

But one prominent person thought otherwise: the prior occupant of that office. Air Force Gen. Michael Hayden had been running the NSA since 1999, through the 9/11 terrorist attacks and into a new era that found the global eavesdropping agency increasingly focused on Americans' communications inside the United States. At times, Hayden had found himself swimming in the murkiest depths of the law, overseeing programs that other senior officials in government thought violated the Constitution. Now Hayden of all people was worried that Alexander didn't understand the legal sensitivities of that new mission. "Alexander tended to be a bit of a cowboy: 'Let's not worry about the law. Let's just figure out how to get the job done,'" says a former intelligence official who has worked with both men. "That caused General Hayden some heartburn."

The heartburn first flared up not long after the 2001 terrorist attacks. Alexander was the general in charge of the Army's Intelligence and Security Command (INSCOM) at Fort Belvoir, Virginia. He began insisting that the NSA give him raw, unanalyzed data about suspected terrorists from the agency's massive digital cache, according to three former intelligence officials. Alexander had been building advanced data-mining software and analytic tools, and now he wanted to run them against the NSA's intelligence caches to try to find terrorists who were in the United States or planning attacks on the homeland. By law, the NSA had to scrub intercepted communications of most references to U.S. citizens before those communications could be shared with other agencies. But Alexander wanted the NSA to "bend the pipe towards him," says one of the former officials, so that he could siphon off metadata, the digital records of phone calls and email traffic that can be used to map out a terrorist organization based on its members' communications patterns.

"Keith wanted his hands on the raw data. And he bridled at the fact that NSA didn't want to release the information until it was properly reviewed and in a report," says a former national security official. "He felt that from a tactical point of view, that was often too late to be useful."

Hayden thought Alexander was out of bounds. INSCOM was supposed to provide battlefield intelligence for troops and special operations forces overseas, not use raw intelligence to find terrorists within U.S. borders. But Alexander had a more expansive view of what military intelligence agencies could do under the law. "He said at one point that a lot of things aren't clearly legal, but that doesn't make them illegal," says a former military intelligence officer who served under Alexander at INSCOM.

In November 2001, the general in charge of all Army intelligence had informed his personnel, including Alexander, that the military had broad authority to collect and share information about Americans, so long as they were "reasonably believed to be engaged in terrorist activities," the general wrote in a widely distributed memo. The general didn't say how exactly to make this determination, but it was all the justification Alexander needed. "Hayden's attitude was 'Yes, we have the technological capability, but should we use it?' Keith's was 'We have the capability, so let's use it,'" says the former intelligence official who worked with both men.

Hayden denied Alexander's request for NSA data. And there was some irony in that decision. At the same time, Hayden was overseeing a highly classified program to monitor Americans' phone records and Internet communications without permission from a court. At least one component of that secret domestic spying
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
Wired -- my old employer -- did publish an NSA story recently, concentrating on Ft. Meade's new-ish offensive push. But I'm not sure it was really a profile in the classic sense.

On Sun, Sep 8, 2013 at 11:20 PM, Joseph Mornin jos...@mornin.org wrote:
Wired also did a profile: http://www.wired.com/threatlevel/2013/06/general-keith-alexander-cyberwar/all/

-- Noah Shachtman, Executive Editor for News | Foreign Policy, 917-690-0716, noah.shacht...@gmail.com, http://www.foreignpolicy.com/author/NoahShachtman, encrypted phone: 415-463-4956
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
Guys: I know the registration wall can be a bit of a pain. As a reader, I'm not nuts about them, either. But these measures really are important to FP's long-term financial health.

Anyway, in the future, let me see if I can get links I post to Libtech white-listed, so you guys don't have to go through that. Can't make any promises, but I'll try.

Best, nms

On Mon, Sep 9, 2013 at 5:28 AM, phryk in...@phryk.net wrote:
These measures seem a tad desperate/indecent; is money that tight at FP?

-- Noah Shachtman, Executive Editor for News | Foreign Policy, 917-690-0716, noah.shacht...@gmail.com, http://www.foreignpolicy.com/author/NoahShachtman, encrypted phone: 415-463-4956
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
On Mon, 09 Sep 2013 11:23:30 +0200 Axel Simon axelsi...@axelsimon.net wrote:
Am I the only one for whom the page is hidden behind an annoying "sign up" overlay?

If you disable JavaScript for the site there is no overlay. If you selectively block JavaScript from anything not fp.com, the overlay doesn't load either. Trusting users with your revenue model seems an odd choice to me.

-- Andrew http://tpo.is/contact pgp 0x6B4D6475
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
On Mon, Sep 09, 2013 at 10:15:02AM -0400, liberationt...@lewman.us wrote:
If you disable JavaScript for the site there is no overlay. If you selectively block JavaScript from anything not fp.com, the overlay doesn't load either. Trusting users with your revenue model seems an odd choice to me.

I'm kind of surprised FP's JavaScript is the main topic of discussion around this article. Doesn't anyone want to talk about the Army Intelligence and Security Command's Information Dominance Center being designed to mimic the bridge of the Starship Enterprise? Or that Keith Alexander wanted to do domestic surveillance when he was working there, too, and "said at one point that a lot of things aren't clearly legal, but that doesn't make them illegal"? Or that Rasmussen polls found "68 percent of respondents now believe it's likely the government is listening to their communications" and "57 percent said they think it's likely that the government will use NSA intelligence to harass political opponents"?

No? Ok, well as long as we're talking about that FP JavaScript overlay: if you saw it, that means you run JavaScript by default, which means you're vulnerable to a larger number of the arbitrary-code-execution bugs in your web browser (of which there are undoubtedly many more which are not yet fixed, given the frequency with which new ones are discovered [1,2]). In my opinion, if you're using Firefox, you should really be using NoScript. [3]

~leif

ps: Thank you FP and Shane Harris for this very informative article!

1: https://www.mozilla.org/security/known-vulnerabilities/firefox.html
2: http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-15031/opec-1/Google-Chrome.html
3: http://noscript.net/
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
Have fun tilting that windmill, Mr. Quixote. Like it or not, to fully use websites at this point, you generally need things like JavaScript and CSS. The reason that most folks, even security folks like the ones I work with, don't run with NoScript on all the time is that it breaks the net as experienced.

-- Al Billings http://www.openbuddha.com http://makehacklearn.org

On Monday, September 9, 2013 at 5:43 PM, Leif Ryge wrote:
Ok, well as long as we're talking about that FP JavaScript overlay: if you saw it, that means you run JavaScript by default, which means you're vulnerable to a larger number of the arbitrary-code-execution bugs in your web browser (of which there are undoubtedly many more which are not yet fixed, given the frequency with which new ones are discovered [1,2]). In my opinion, if you're using Firefox, you should really be using NoScript. [3]
[liberationtech] Naive Question
Hello,

I saw this article on The Guardian[1] and it mentioned a librarian who posted a sign that looked like this: http://www.librarian.net/pics/antipat4.gif and would remove it if visited by the FBI.

So a naive question comes to mind: If I operated an internet service, and I posted a thing that says "We have not received a request to spy on our users. Watch closely for the removal of this text," what legal risk would be incurred? If the answer is "None" or "Very little," what's stopping people from doing this?

Thanks,
Scott
Re: [liberationtech] Naive Question
On 9 Sep 2013, at 17:29, Scott Arciszewski kobrasre...@gmail.com wrote:
If I operated an internet service, and I posted a thing that says "We have not received a request to spy on our users. Watch closely for the removal of this text," what legal risk would be incurred? If the answer is "None" or "Very little," what's stopping people from doing this?

Hi Scott,

There was a discussion on another list (either Cypherpunks, or The Guardian Project lists) about a similar idea in terms of Lavabit, in the context of putting a header in e-mail messages to warn if an LEA (law enforcement agency) had forced the mail operator to give them access. From memory the person who mentioned them called them "canary alerts"?

No doubt someone will be faster than me in finding said content, but from memory the crux of it was if the operator (in your case the librarian, or more likely the library owner) was served with an NSL, or some secretive order, they would be breaching the secrecy of said order if they alerted the public in any way. And presumably you'd be in trouble. :)

Let me find the original mail if possible.

Hope that helps.
Bernard

-- Bernard / bluboxthief / ei8fdb IO91XM / www.ei8fdb.org
Re: [liberationtech] [Cryptography] Opening Discussion: Speculation on BULLRUN
On 09/07/2013 02:46 PM, Eugen Leitl wrote:
On Sat, Sep 07, 2013 at 12:26:22PM -0400, Jonathan Wilkes wrote:
Hi Eugen, When Bruce Schneier made the call for people to come forward and describe being asked to degrade standards or build backdoors I don't think this is what he meant.

Bruce is a cool guy, but nobody died, and made him king.

Mr. Gilmore seems perfectly happy to give us enough details to be able to find the identity of a suspicious Kernel dev, but he refrains from identifying the NSA employees and their friends.

We have evidence that NSA is using social engineering to weaken protocols and implementations. Incidentally, when it comes to IPsec this pattern has been independently corroborated by other parties I happen to trust. This is no proof, but we need to become very careful about preventing such security meltdowns in future. Because this *will* happen, again.

If he can write without reservation that he knows someone had longstanding ties to the NSA, he obviously knows who this person is. Deanonymizing the person from the free software world while granting anonymity to someone with ties to the NSA isn't fair, isn't helpful, and most of all it isn't intellectually responsible.

Come on, that the mainline inclusion is a major political snakepit is pretty well known. I don't know whether spooks are pulling strings behind the scene to fan the flames, but if they don't they're really lousy at their job.

I can tell you that I would be very interested who committed all the crypto regressions into Debian. I really hope that someone is going to review the checkin history, and writes a report about it.

I cannot fault people for failing to be perfect heroes, but I can fault them when what may be reasonable fears result in writing that speculates where we need it least and lacks evidence where we need it most.

This is a war, and there will be innocent people hurt. This is regrettable, but we didn't start it.

The only things the free software community has that its greater-than-$50-billion-a-year adversary doesn't are a) its transcendental laziness and b) its history of and propensity for sharing. The way it works is someone looking at mundane work that might take them twenty or thirty minutes instead decides to do ten or twenty months of work so that the _next_ time they need to solve a similar task it takes ten or twenty seconds. Then they give it to everyone else because some other transcendentally lazy developer made it trivial to do so by applying those same principles to the software that automates the process of sharing stuff (Git).

Those are the singular strengths of the free software community when pitted against this particular adversary. If you make more obstacles to sharing, you lose. If you hammer down on laziness by wasting mindshare on speculation that one's neighbor may be a spy, you lose. On the second point you actually lose twice, because at least the speculation and bad science within the surveillance industry can be covered up and controlled for a limited time. In the free software community-- as was the case in the reddit crowdsourced detective work after the Boston bombing-- it's there in all its transparent ugliness for the world to see, forever. Let it stand there for all time as a reminder of the unnecessary suffering caused when we forgot that we suck at speculating. Then we can get back to one of the two things we do well.

What we need to let go is personal sensitivities. If you check in crap code that breaks things, whether you're an NSA mole or just incompetent, it doesn't matter. You need to have your checkin license revoked.

If you're smart and compassionate, you'll realize that the free software community could turn its two strengths I mentioned above into three strengths-- give amnesty to anyone with a direct account of being asked to degrade standards or software, or even carrying it out. We're not interested in calling people traitors, digging up dirt on their loved ones, or other such retribution. As with hardware, we're interested in one thing: the specifications. Tell us the details of how the process of undermining happens-- what are the incentives, what are the tactics used. Only then can some frustrated dev look at the borked system and spend ten or twenty months designing a better one so he/she doesn't have to care about whether that guy in the sunglasses is a spook or not.

If you're smart but not compassionate, then think in terms of bug reports. "I installed a program that I think uses an unstable library that may be making the operating system unstable," isn't a proper bug report. I'm sure you know what you'd say in response to that. It is even more pressing in the domain of human affairs that we demand the same care and attention.

-Jonathan

Same thing applies to package signing secrets of Debian. Unfortunately, we can no longer afford to be negligent there.
Re: [liberationtech] Naive Question
Presumably, if this type of approach became widely adopted, it would be a useful service for an independent group to monitor the status of these notices and periodically publish a report of which companies had removed their notice.

On 09/09/2013 12:52 PM, Scott Arciszewski wrote:
Forgot the URL: http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch

-- Dan Staples, Open Technology Institute, https://commotionwireless.net, OpenPGP key: http://disman.tl/pgp.asc, Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
Re: [liberationtech] Naive Question
I wonder if there's a false analogy here. Hypothetically, the librarian's sign could fall down (maybe the wind blew it over) whereas a notice on a site would have to be removed via coding. There would be little other explanation, even in the case where one does not affirmatively renew the dead man's notice (the countdown that Doctorow suggests in the article). Such an affirmative act might lead a court to believe that one has indeed informed the public about an NSL.

- Rob Gehl

On 09/09/2013 12:18 PM, Dan Staples wrote:
Presumably, if this type of approach became widely adopted, it would be a useful service for an independent group to monitor the status of these notices and periodically publish a report of which companies had removed their notice.
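The two mechanical pieces of this thread's proposal, a notice that carries its own countdown (Rob's point about renewal) and an outside party that watches it and reports state changes (Dan's point), can be sketched in code. The following is an added example, not code from the thread, from The Guardian's article, or from any site mentioned here. It assumes a constructed notice format with Issued, Valid-Until and Statement lines, and it deliberately leaves out signature verification: a real notice would be PGP-signed and a monitor would check the signature before anything else. The observations at the bottom are constructed, not real fetches.

```python
import hashlib
import re
from datetime import date, datetime

# Constructed notice format, an assumption of this example rather than anything
# the thread or a real site specifies.  "Valid-Until" is the countdown: if the
# operator simply stops renewing, the notice lapses without anyone deleting it.
FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$", re.MULTILINE)
REQUIRED = ("Issued", "Valid-Until", "Statement")

OK, MISSING, MALFORMED, EXPIRED, CHANGED = "OK", "MISSING", "MALFORMED", "EXPIRED", "CHANGED"


def parse_notice(text):
    """Return the notice's fields as a dict, or None if it is not well formed."""
    fields = dict(FIELD_RE.findall(text))
    if any(key not in fields for key in REQUIRED):
        return None
    try:
        for key in ("Issued", "Valid-Until"):
            fields[key] = datetime.strptime(fields[key], "%Y-%m-%d").date()
    except ValueError:
        return None
    if fields["Valid-Until"] < fields["Issued"]:
        return None
    return fields


def fingerprint(statement):
    """Digest of the statement text, so a quietly reworded notice is caught too."""
    return hashlib.sha256(statement.encode("utf-8")).hexdigest()


def evaluate(text, today, baseline=None):
    """Classify one observation of the notice page.

    text     - the notice as fetched, or None if the notice is gone
    today    - date of the observation
    baseline - fingerprint of the statement from an earlier observation, if any
    Expiry is checked before wording: a lapsed notice is the stronger signal
    whatever it says.
    """
    if text is None:
        return MISSING
    notice = parse_notice(text)
    if notice is None:
        return MALFORMED
    if today > notice["Valid-Until"]:
        return EXPIRED
    if baseline is not None and fingerprint(notice["Statement"]) != baseline:
        return CHANGED
    return OK


def monitor(observations):
    """Run over (date, text-or-None) observations in order and return the
    status transitions, which is what a third-party watcher would publish."""
    transitions = []
    baseline = None
    last = None
    for day, text in observations:
        status = evaluate(text, day, baseline)
        if status == OK and baseline is None:
            baseline = fingerprint(parse_notice(text)["Statement"])
        if status != last:
            transitions.append((day, status))
            last = status
    return transitions


# Constructed sample observations (not real fetches): renewed once on time,
# then reworded, then allowed to lapse, then removed outright.
NOTICE_V1 = (
    "CANARY-NOTICE\n"
    "Issued: 2013-09-09\n"
    "Valid-Until: 2013-10-09\n"
    "Statement: We have not received a request to spy on our users.\n"
)
NOTICE_V2 = NOTICE_V1.replace("2013-09-09", "2013-10-01").replace("2013-10-09", "2013-11-01")
NOTICE_V3 = NOTICE_V2.replace("to spy on our users.", "that we are able to discuss.")

SAMPLE_OBSERVATIONS = [
    (date(2013, 9, 10), NOTICE_V1),
    (date(2013, 10, 2), NOTICE_V2),
    (date(2013, 10, 20), NOTICE_V3),
    (date(2013, 11, 15), NOTICE_V3),
    (date(2013, 12, 1), None),
]

if __name__ == "__main__":
    for day, status in monitor(SAMPLE_OBSERVATIONS):
        print(day.isoformat(), status)
```

Run stand-alone it prints four transitions: OK on the first observation, CHANGED when the wording is altered, EXPIRED once the renewal is missed, and MISSING when the page is gone. The expiry check comes first on purpose: under the countdown design, silence is the signal, so an operator who has been ordered to say nothing need not touch the page at all, and the watcher still reports the lapse.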
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
It may be outside the mainstream, but so is our interest in-- and understanding of-- security and privacy issues. Judging by the millions who download these tools, I am not alone in wanting to block scripts and tracking.

I'll save my "security researchers using social media (outside of pentesting) makes no sense" rant for another time.

On Sep 9, 2013 11:56 AM, Al Billings alb...@openbuddha.com wrote:
I suggest your use of the net is well outside the mainstream, even amongst security folks. Some of us actually use social networking, for example, or don't want ugly, half broken websites simply because we fear a JavaScript zero day.

Al

-- Al Billings http://makehacklearn.org

On Monday, September 9, 2013 at 8:37 PM, Shelley wrote:
>> Like it or not, to fully use websites at this point, you generally need things like Javascript and CSS.

I disagree. Not only do I want the protection from .js vulnerabilities and tracking when I browse, I just want the text. Not a bunch of useless social media buttons and blinking ads. I block it all and very rarely make an exception, and I don't at all mind that I'm getting a bland page with not much more than text. I prefer it.

>> The reason that most folks, even security folks like the ones I work with, don't run with NoScript on all the time is that it breaks the net as experienced.

Most of my fellow security-conscious friends and colleagues block scripts by default as well. Breaking things to make them work the way we want them to is what we do; this is no different.

-Shelley
Re: [liberationtech] Naive Question
Forgot the URL: http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch

On Mon, Sep 9, 2013 at 12:29 PM, Scott Arciszewski <kobrasre...@gmail.com> wrote:
> Hello,
>
> I saw this article on The Guardian [1] and it mentioned a librarian who posted a sign that looked like this: http://www.librarian.net/pics/antipat4.gif and would remove it if visited by the FBI.
>
> So a naive question comes to mind: If I operated an internet service, and I posted a thing that says "We have not received a request to spy on our users. Watch closely for the removal of this text," what legal risk would be incurred? If the answer is "None" or "Very little," what's stopping people from doing this?
>
> Thanks,
> Scott
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
>> Like it or not, to fully use websites at this point, you generally need things like Javascript and CSS.

I disagree. Not only do I want the protection from .js vulnerabilities and tracking when I browse, I just want the text. Not a bunch of useless social media buttons and blinking ads. I block it all and very rarely make an exception, and I don't at all mind that I'm getting a bland page with not much more than text. I prefer it.

>> The reason that most folks, even security folks like the ones I work with, don't run with NoScript on all the time is that it breaks the net as experienced.

Most of my fellow security-conscious friends and colleagues block scripts by default as well. Breaking things to make them work the way we want them to is what we do; this is no different.

-Shelley

On Sep 9, 2013 9:50 AM, Al Billings <alb...@openbuddha.com> wrote:
> Have fun tilting that windmill, Mr. Quixote.
>
> Like it or not, to fully use websites at this point, you generally need things like Javascript and CSS. The reason that most folks, even security folks like the ones I work with, don't run with NoScript on all the time is that it breaks the net as experienced.
>
> --
> Al Billings
> http://www.openbuddha.com
> http://makehacklearn.org
>
> On Monday, September 9, 2013 at 5:43 PM, Leif Ryge wrote:
>> Ok, well as long as we're talking about that FP javascript overlay: if you saw it, that means you run JavaScript by default, which means you're vulnerable to a larger number of the arbitrary-code-execution bugs in your web browser (of which there are undoubtedly many more which are not yet fixed, given the frequency with which new ones are discovered [1,2]). In my opinion, if you're using Firefox, you should really be using NoScript. [3]
Re: [liberationtech] Naive Question
That is genius.

On Mon, Sep 9, 2013 at 3:40 PM, Case Black <casebl...@gmail.com> wrote:
> There's a more subtle variant to this idea...
>
> Regularly state (put up a sign) that you HAVE in fact received an NSL...with the public understanding that it must be a lie (there's no law against falsely making such a claim...yet!). When actually served with an NSL, you would now be bound by law to remove any such notification...thereby signaling the event.
>
> Regards,
> Case
>
> On Mon, Sep 9, 2013 at 1:24 PM, LISTS <li...@robertwgehl.org> wrote:
>> I wonder if there's a false analogy here. Hypothetically, the librarian's sign could fall down (maybe the wind blew it over) whereas a notice on a site would have to be removed via coding. There would be little other explanation, even in the case where one does not affirmatively renew the dead man's notice (the countdown that Doctorow suggests in the article). Such an affirmative act might lead a court to believe that one has indeed informed the public about an NSL.
>>
>> - Rob Gehl
>>
>> On 09/09/2013 12:18 PM, Dan Staples wrote:
>>> Presumably, if this type of approach became widely adopted, it would be a useful service for an independent group to monitor the status of these notices and periodically publish a report of which companies had removed their notice.
>>>
>>> On 09/09/2013 12:52 PM, Scott Arciszewski wrote:
>>>> Forgot the URL: http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch
>>>>
>>>> On Mon, Sep 9, 2013 at 12:29 PM, Scott Arciszewski <kobrasre...@gmail.com> wrote:
>>>>> Hello,
>>>>>
>>>>> I saw this article on The Guardian [1] and it mentioned a librarian who posted a sign that looked like this: http://www.librarian.net/pics/antipat4.gif and would remove it if visited by the FBI.
>>>>>
>>>>> So a naive question comes to mind: If I operated an internet service, and I posted a thing that says "We have not received a request to spy on our users. Watch closely for the removal of this text," what legal risk would be incurred? If the answer is "None" or "Very little," what's stopping people from doing this?
>>>>>
>>>>> Thanks,
>>>>> Scott
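The monitoring service Dan Staples suggests in the quoted thread above, with the renewal countdown Rob Gehl mentions folded in, as an added Python sketch that is not part of any post here: the notice wording is the one from Scott's question, while the "Last renewed:" line, the provider names and the page contents are constructed for the example.

```python
"""Canary monitor sketch: checks a set of published notices for presence and freshness.

Added example for this thread; the notice wording comes from Scott's question,
the "Last renewed:" line is an assumption (Doctorow's countdown needs some
machine-readable date), and all provider names and page contents are constructed.
"""
import re
from datetime import date, timedelta

# The notice text from the thread. Matching is case-insensitive so a minor
# capitalisation change by the site owner does not register as a removal.
NOTICE = re.compile(r"we have not received a request to spy on our users", re.I)
# Assumed renewal line; the countdown only works if renewals can be checked.
RENEWED = re.compile(r"last renewed:\s*(\d{4})-(\d{2})-(\d{2})", re.I)

# Report statuses. FETCH_FAILED is deliberately distinct from REMOVED: an
# unreachable page is not evidence that the notice was taken down, whereas a
# page that loads without the notice has, as Rob Gehl notes, few other explanations.
PRESENT, STALE, REMOVED, MALFORMED, FETCH_FAILED = (
    "present", "stale", "removed", "malformed", "fetch-failed")


def classify(page_text, today, max_age_days=7):
    """Classify one snapshot of a provider's notice page."""
    if page_text is None:
        return FETCH_FAILED
    if not NOTICE.search(page_text):
        return REMOVED
    m = RENEWED.search(page_text)
    if not m:
        return MALFORMED            # notice present, but nothing to count down from
    try:
        renewed = date(*map(int, m.groups()))
    except ValueError:              # e.g. 2013-09-31: not a real date
        return MALFORMED
    if renewed > today:
        return MALFORMED            # a future-dated renewal is not a renewal
    if today - renewed > timedelta(days=max_age_days):
        return STALE                # countdown ran out without an affirmative renewal
    return PRESENT


def build_report(snapshots, today, previous=None, max_age_days=7):
    """Return ({provider: status}, [providers whose status differs from the previous report]).

    A provider absent from the previous report counts as changed, so newly
    watched providers are always called out the first time they are seen.
    """
    previous = previous or {}
    statuses = {name: classify(text, today, max_age_days)
                for name, text in snapshots.items()}
    changes = sorted(name for name, status in statuses.items()
                     if previous.get(name) != status)
    return statuses, changes


# Constructed sample snapshots (no real providers); None models a failed fetch.
TODAY = date(2013, 9, 10)
SAMPLE_PAGES = {
    "alpha.example": ("Alpha Mail. We have not received a request to spy on our users. "
                      "Watch closely for the removal of this text. Last renewed: 2013-09-09"),
    "bravo.example": ("Bravo Hosting. We have not received a request to spy on our users. "
                      "Last renewed: 2013-08-01"),
    "charlie.example": "Welcome to Charlie Chat. Terms of service apply.",
    "delta.example": None,
    "echo.example": "Echo VPN. We have not received a request to spy on our users.",
}
# Constructed previous report; delta.example was not watched last time.
PREVIOUS_REPORT = {
    "alpha.example": PRESENT, "bravo.example": PRESENT,
    "charlie.example": PRESENT, "echo.example": MALFORMED,
}


def run_sample():
    """Run the monitor over the constructed snapshots."""
    return build_report(SAMPLE_PAGES, TODAY, PREVIOUS_REPORT)


if __name__ == "__main__":
    statuses, changes = run_sample()
    for name, status in sorted(statuses.items()):
        flag = "  <-- changed since last report" if name in changes else ""
        print(f"{name:18} {status}{flag}")
```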
Re: [liberationtech] Naive Question
You are awesome, clever, and full of tricks. :) Should I credit you with this?

yrs,

On Mon, Sep 9, 2013 at 3:40 PM, Case Black <casebl...@gmail.com> wrote:
> There's a more subtle variant to this idea...
>
> Regularly state (put up a sign) that you HAVE in fact received an NSL...with the public understanding that it must be a lie (there's no law against falsely making such a claim...yet!). When actually served with an NSL, you would now be bound by law to remove any such notification...thereby signaling the event.
>
> Regards,
> Case
>
> On Mon, Sep 9, 2013 at 1:24 PM, LISTS <li...@robertwgehl.org> wrote:
>> I wonder if there's a false analogy here. Hypothetically, the librarian's sign could fall down (maybe the wind blew it over) whereas a notice on a site would have to be removed via coding. There would be little other explanation, even in the case where one does not affirmatively renew the dead man's notice (the countdown that Doctorow suggests in the article). Such an affirmative act might lead a court to believe that one has indeed informed the public about an NSL.
>>
>> - Rob Gehl
>>
>> On 09/09/2013 12:18 PM, Dan Staples wrote:
>>> Presumably, if this type of approach became widely adopted, it would be a useful service for an independent group to monitor the status of these notices and periodically publish a report of which companies had removed their notice.
>>>
>>> On 09/09/2013 12:52 PM, Scott Arciszewski wrote:
>>>> Forgot the URL: http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch
>>>>
>>>> On Mon, Sep 9, 2013 at 12:29 PM, Scott Arciszewski <kobrasre...@gmail.com> wrote:
>>>>> Hello,
>>>>>
>>>>> I saw this article on The Guardian [1] and it mentioned a librarian who posted a sign that looked like this: http://www.librarian.net/pics/antipat4.gif and would remove it if visited by the FBI.
>>>>>
>>>>> So a naive question comes to mind: If I operated an internet service, and I posted a thing that says "We have not received a request to spy on our users. Watch closely for the removal of this text," what legal risk would be incurred? If the answer is "None" or "Very little," what's stopping people from doing this?
>>>>>
>>>>> Thanks,
>>>>> Scott

--
Shava Nerad
shav...@gmail.com
Re: [liberationtech] Naive Question
That, and civil disobedience à la Lavabit.

/P

On 09 September, 2013 - Matt Johnson wrote:
> All of the sneaky signs, email headers and web page badges assume the FBI, or whoever the adversary is, are incompetent or inept. That does not seem like a safe assumption to me. The only prudent approach is to assume your adversary is intelligent and competent.
>
> My guess is that the only defense against NSLs and the like is through policy. I realize that may be blasphemy on this list, but there it is.
>
> --
> Matt Johnson
>
> On Mon, Sep 9, 2013 at 1:26 PM, LISTS <li...@robertwgehl.org> wrote:
>> What are the legal precedents in terms of wink, wink, nudge, nudge, djaknowhatimean?
>>
>> - Rob Gehl
>>
>> On 09/09/2013 02:24 PM, Shava Nerad wrote:
>>> You are awesome, clever, and full of tricks. :) Should I credit you with this?
>>>
>>> yrs,
>>>
>>> On Mon, Sep 9, 2013 at 3:40 PM, Case Black <casebl...@gmail.com> wrote:
>>>> There's a more subtle variant to this idea...
>>>>
>>>> Regularly state (put up a sign) that you HAVE in fact received an NSL...with the public understanding that it must be a lie (there's no law against falsely making such a claim...yet!). When actually served with an NSL, you would now be bound by law to remove any such notification...thereby signaling the event.
>>>>
>>>> Regards,
>>>> Case
>>>>
>>>> On Mon, Sep 9, 2013 at 1:24 PM, LISTS <li...@robertwgehl.org> wrote:
>>>>> I wonder if there's a false analogy here. Hypothetically, the librarian's sign could fall down (maybe the wind blew it over) whereas a notice on a site would have to be removed via coding. There would be little other explanation, even in the case where one does not affirmatively renew the dead man's notice (the countdown that Doctorow suggests in the article). Such an affirmative act might lead a court to believe that one has indeed informed the public about an NSL.
>>>>>
>>>>> - Rob Gehl
>>>>>
>>>>> On 09/09/2013 12:18 PM, Dan Staples wrote:
>>>>>> Presumably, if this type of approach became widely adopted, it would be a useful service for an independent group to monitor the status of these notices and periodically publish a report of which companies had removed their notice.
>>>>>>
>>>>>> On 09/09/2013 12:52 PM, Scott Arciszewski wrote:
>>>>>>> Forgot the URL: http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch
>>>>>>>
>>>>>>> On Mon, Sep 9, 2013 at 12:29 PM, Scott Arciszewski <kobrasre...@gmail.com> wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I saw this article on The Guardian [1] and it mentioned a librarian who posted a sign that looked like this: http://www.librarian.net/pics/antipat4.gif and would remove it if visited by the FBI.
>>>>>>>>
>>>>>>>> So a naive question comes to mind: If I operated an internet service, and I posted a thing that says "We have not received a request to spy on our users. Watch closely for the removal of this text," what legal risk would be incurred? If the answer is "None" or "Very little," what's stopping people from doing this?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Scott
>>>
>>> --
>>> Shava Nerad
>>> shav...@gmail.com

--
Petter Ericson (pett...@acc.umu.se)
Telecomix Sleeper Jellyfish
Re: [liberationtech] Naive Question
I absolutely agree with your point...cleverness alone doesn't go very far against ruthless adversaries.

To paraphrase a prior post that's quite relevant to this discussion:

...the members of this list are uniquely qualified to influence that policy debate in terms of shaping both hard and soft policy in far more substantial ways.

We can shape soft policy by expanding the selectorate willing to influence the political leadership to better circumscribe domestic surveillance capabilities. It's important to keep the focus on capabilities rather than intentions and assurances. And on the long range danger of having these surveillance databases in existence and their inevitable use to warp the political process in dark and dangerous ways.

Hard policy is shaped by changing the technological landscape...by altering the very ground surveillance agencies stand on through the support of more and better privacy and encryption projects. It happened during the Crypto Wars of the 1990's and it can happen again.

On Mon, Sep 9, 2013 at 3:58 PM, Matt Johnson <railm...@gmail.com> wrote:
> All of the sneaky signs, email headers and web page badges assume the FBI, or whoever the adversary is, are incompetent or inept. That does not seem like a safe assumption to me. The only prudent approach is to assume your adversary is intelligent and competent.
>
> My guess is that the only defense against NSLs and the like is through policy. I realize that may be blasphemy on this list, but there it is.
>
> --
> Matt Johnson
>
> On Mon, Sep 9, 2013 at 1:26 PM, LISTS <li...@robertwgehl.org> wrote:
>> What are the legal precedents in terms of wink, wink, nudge, nudge, djaknowhatimean?
>>
>> - Rob Gehl
>>
>> On 09/09/2013 02:24 PM, Shava Nerad wrote:
>>> You are awesome, clever, and full of tricks. :) Should I credit you with this?
>>>
>>> yrs,
>>>
>>> On Mon, Sep 9, 2013 at 3:40 PM, Case Black <casebl...@gmail.com> wrote:
>>>> There's a more subtle variant to this idea...
>>>>
>>>> Regularly state (put up a sign) that you HAVE in fact received an NSL...with the public understanding that it must be a lie (there's no law against falsely making such a claim...yet!). When actually served with an NSL, you would now be bound by law to remove any such notification...thereby signaling the event.
>>>>
>>>> Regards,
>>>> Case
>>>>
>>>> On Mon, Sep 9, 2013 at 1:24 PM, LISTS <li...@robertwgehl.org> wrote:
>>>>> I wonder if there's a false analogy here. Hypothetically, the librarian's sign could fall down (maybe the wind blew it over) whereas a notice on a site would have to be removed via coding. There would be little other explanation, even in the case where one does not affirmatively renew the dead man's notice (the countdown that Doctorow suggests in the article). Such an affirmative act might lead a court to believe that one has indeed informed the public about an NSL.
>>>>>
>>>>> - Rob Gehl
>>>>>
>>>>> On 09/09/2013 12:18 PM, Dan Staples wrote:
>>>>>> Presumably, if this type of approach became widely adopted, it would be a useful service for an independent group to monitor the status of these notices and periodically publish a report of which companies had removed their notice.
>>>>>>
>>>>>> On 09/09/2013 12:52 PM, Scott Arciszewski wrote:
>>>>>>> Forgot the URL: http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch
>>>>>>>
>>>>>>> On Mon, Sep 9, 2013 at 12:29 PM, Scott Arciszewski <kobrasre...@gmail.com> wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I saw this article on The Guardian [1] and it mentioned a librarian who posted a sign that looked like this: http://www.librarian.net/pics/antipat4.gif and would remove it if visited by the FBI.
>>>>>>>>
>>>>>>>> So a naive question comes to mind: If I operated an internet service, and I posted a thing that says "We have not received a request to spy on our users. Watch closely for the removal of this text," what legal risk would be incurred? If the answer is "None" or "Very little," what's stopping people from doing this?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Scott
>>>
>>> --
>>> Shava Nerad
>>> shav...@gmail.com
Re: [liberationtech] Naive Question
All of the sneaky signs, email headers and web page badges assume the FBI, or whoever the adversary is, are incompetent or inept. That does not seem like a safe assumption to me. The only prudent approach is to assume your adversary is intelligent and competent.

My guess is that the only defense against NSLs and the like is through policy. I realize that may be blasphemy on this list, but there it is.

--
Matt Johnson

On Mon, Sep 9, 2013 at 1:26 PM, LISTS <li...@robertwgehl.org> wrote:
> What are the legal precedents in terms of wink, wink, nudge, nudge, djaknowhatimean?
>
> - Rob Gehl
>
> On 09/09/2013 02:24 PM, Shava Nerad wrote:
>> You are awesome, clever, and full of tricks. :) Should I credit you with this?
>>
>> yrs,
>>
>> On Mon, Sep 9, 2013 at 3:40 PM, Case Black <casebl...@gmail.com> wrote:
>>> There's a more subtle variant to this idea...
>>>
>>> Regularly state (put up a sign) that you HAVE in fact received an NSL...with the public understanding that it must be a lie (there's no law against falsely making such a claim...yet!). When actually served with an NSL, you would now be bound by law to remove any such notification...thereby signaling the event.
>>>
>>> Regards,
>>> Case
>>>
>>> On Mon, Sep 9, 2013 at 1:24 PM, LISTS <li...@robertwgehl.org> wrote:
>>>> I wonder if there's a false analogy here. Hypothetically, the librarian's sign could fall down (maybe the wind blew it over) whereas a notice on a site would have to be removed via coding. There would be little other explanation, even in the case where one does not affirmatively renew the dead man's notice (the countdown that Doctorow suggests in the article). Such an affirmative act might lead a court to believe that one has indeed informed the public about an NSL.
>>>>
>>>> - Rob Gehl
>>>>
>>>> On 09/09/2013 12:18 PM, Dan Staples wrote:
>>>>> Presumably, if this type of approach became widely adopted, it would be a useful service for an independent group to monitor the status of these notices and periodically publish a report of which companies had removed their notice.
>>>>>
>>>>> On 09/09/2013 12:52 PM, Scott Arciszewski wrote:
>>>>>> Forgot the URL: http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch
>>>>>>
>>>>>> On Mon, Sep 9, 2013 at 12:29 PM, Scott Arciszewski <kobrasre...@gmail.com> wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I saw this article on The Guardian [1] and it mentioned a librarian who posted a sign that looked like this: http://www.librarian.net/pics/antipat4.gif and would remove it if visited by the FBI.
>>>>>>>
>>>>>>> So a naive question comes to mind: If I operated an internet service, and I posted a thing that says "We have not received a request to spy on our users. Watch closely for the removal of this text," what legal risk would be incurred? If the answer is "None" or "Very little," what's stopping people from doing this?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Scott
>>
>> --
>> Shava Nerad
>> shav...@gmail.com
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
I suggest your use of the net is well outside the mainstream, even amongst security folks. Some of us actually use social networking, for example, or don't want ugly, half broken websites simply because we fear a JavaScript zero day.

Al

--
Al Billings
http://makehacklearn.org

On Monday, September 9, 2013 at 8:37 PM, Shelley wrote:
>> Like it or not, to fully use websites at this point, you generally need things like Javascript and CSS.
>
> I disagree. Not only do I want the protection from .js vulnerabilities and tracking when I browse, I just want the text. Not a bunch of useless social media buttons and blinking ads. I block it all and very rarely make an exception, and I don't at all mind that I'm getting a bland page with not much more than text. I prefer it.
>
>> The reason that most folks, even security folks like the ones I work with, don't run with NoScript on all the time is that it breaks the net as experienced.
>
> Most of my fellow security-conscious friends and colleagues block scripts by default as well. Breaking things to make them work the way we want them to is what we do; this is no different.
>
> -Shelley
>
> On Sep 9, 2013 9:50 AM, Al Billings <alb...@openbuddha.com> wrote:
>> Have fun tilting that windmill, Mr. Quixote.
>>
>> Like it or not, to fully use websites at this point, you generally need things like Javascript and CSS. The reason that most folks, even security folks like the ones I work with, don't run with NoScript on all the time is that it breaks the net as experienced.
>>
>> --
>> Al Billings
>> http://www.openbuddha.com
>> http://makehacklearn.org
>>
>> On Monday, September 9, 2013 at 5:43 PM, Leif Ryge wrote:
>>> Ok, well as long as we're talking about that FP javascript overlay: if you saw it, that means you run JavaScript by default, which means you're vulnerable to a larger number of the arbitrary-code-execution bugs in your web browser (of which there are undoubtedly many more which are not yet fixed, given the frequency with which new ones are discovered [1,2]). In my opinion, if you're using Firefox, you should really be using NoScript. [3]
Re: [liberationtech] Naive Question
On 09/09/2013 03:40 PM, Case Black wrote:
> There's a more subtle variant to this idea...
>
> Regularly state (put up a sign) that you HAVE in fact received an NSL...with the public understanding that it must be a lie (there's no law against falsely making such a claim...yet!). When actually served with an NSL, you would now be bound by law to remove any such notification...thereby signaling the event.

Then the company served with an NSL would simply be told _not_ to take down their current notice or they would be prosecuted. Sure, the company could argue that this means they're being forced to break the law, but they'd be forced to argue it in secret, against the gov't who can convince the company it's less work trusting their prosecutorial discretion than it would be to take it to court.

Also, we now know how easy it is for the FBI/NSA to have a secret interpretation of the law -- they could simply communicate that secret interpretation to the company under the NSL to reassure them that it's not the notice that breaks the law, but rather the act of signalling the existence of a bona fide NSL to the public.

Still, if an entire sector of corporations start feeling the heat, they just lobby Congress for retroactive immunity as the telecoms did after revelations about the Bush wiretapping program.

In short I don't think there's a hack for this one, it just requires old fashioned activism and mobilization to reveal what these secret interpretations of the law actually are and try to work to get rid of them. (Well, I guess greater decentralization and privacy-overlays are a good way to get around it but that's a long term thing AFAICT.)

Best,
Jonathan

> Regards,
> Case
>
> On Mon, Sep 9, 2013 at 1:24 PM, LISTS <li...@robertwgehl.org> wrote:
>> I wonder if there's a false analogy here. Hypothetically, the librarian's sign could fall down (maybe the wind blew it over) whereas a notice on a site would have to be removed via coding. There would be little other explanation, even in the case where one does not affirmatively renew the dead man's notice (the countdown that Doctorow suggests in the article). Such an affirmative act might lead a court to believe that one has indeed informed the public about an NSL.
>>
>> - Rob Gehl
>>
>> On 09/09/2013 12:18 PM, Dan Staples wrote:
>>> Presumably, if this type of approach became widely adopted, it would be a useful service for an independent group to monitor the status of these notices and periodically publish a report of which companies had removed their notice.
>>>
>>> On 09/09/2013 12:52 PM, Scott Arciszewski wrote:
>>>> Forgot the URL: http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch
>>>>
>>>> On Mon, Sep 9, 2013 at 12:29 PM, Scott Arciszewski <kobrasre...@gmail.com> wrote:
>>>>> Hello,
>>>>>
>>>>> I saw this article on The Guardian [1] and it mentioned a librarian who posted a sign that looked like this: http://www.librarian.net/pics/antipat4.gif and would remove it if visited by the FBI.
>>>>>
>>>>> So a naive question comes to mind: If I operated an internet service, and I posted a thing that says "We have not received a request to spy on our users. Watch closely for the removal of this text," what legal risk would be incurred? If the answer is "None" or "Very little," what's stopping people from doing this?
>>>>>
>>>>> Thanks,
>>>>> Scott
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
On 09/09/2013 12:50 PM, Al Billings wrote:
> Have fun tilting that windmill, Mr. Quixote.
>
> Like it or not, to fully use websites at this point, you generally need things like Javascript and CSS. The reason that most folks, even security folks like the ones I work with, don't run with NoScript on all the time is that it breaks the net as experienced.

That's why NoScript lets you whitelist certain sites. If you're comfortable giving some type of personally identifying credentials to log on to a secure site, then maybe you're ok with letting that site shoot a Turing-complete language at your browser. On the other hand, maybe you're not, but if the site requires javascript to be on for you to log in then it's a binary thing. Let's call this the stark reality of doing business over the web.

But for general _reading_ of content, I see no reason why javascript and third party ads should be reaching the user's eyes by default. The benefits of blocking are:

* user learns just how much third party junk websites typically try to shoot at them
* user learns just how inconsequential 95% of those scripts are to the experience of displaying readable content
* user learns which news sites are the most aggressive about forcing third-party content on the user (i.e., the ones that won't allow you to read without javascript turned on)
* pages that do load the content load the content faster
* user learns how much cpu/electricity/etc. they are saving the moment they turn on javascript to leave a comment and their laptop fan starts whirring crazily because some crankhead cooked up the least efficient way in the world to display blocks of text

And with Adblock:

* user somehow feels less distracted when the blinking budweiser sign next to their head is turned off.

Best,
Jonathan

> --
> Al Billings
> http://www.openbuddha.com
> http://makehacklearn.org
>
> On Monday, September 9, 2013 at 5:43 PM, Leif Ryge wrote:
>> Ok, well as long as we're talking about that FP javascript overlay: if you saw it, that means you run JavaScript by default, which means you're vulnerable to a larger number of the arbitrary-code-execution bugs in your web browser (of which there are undoubtedly many more which are not yet fixed, given the frequency with which new ones are discovered [1,2]). In my opinion, if you're using Firefox, you should really be using NoScript. [3]
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
I clicked, I got the article no problem, I read the article and enjoyed it with the sick fascination with which we tend to read these things. Odd to think of FP as sort of a tabloid celebrity profile of the monsters of the field, eh? ;)

I reposted it on G+ with the comment:

===
*Foreign Policy frames NSA's Alexander*
*like a rhinoceros beetle pinned as a specimen*

Not a pretty picture, but a curious and powerful one.
===

I don't block javascript and such, partly because I also work in marketing and social media and such (THE DARK SIDE, the hell with hacking! :) -- I need to watch things. I regularly sweep for malware when idle and pray a lot. :)

Will comment further when I'm not fighting health system bureaucracy, perhaps... :) Tilting at different windmills for a bit. Check my G+ for updates.

yrs,

On Mon, Sep 9, 2013 at 3:11 PM, Shelley shel...@misanthropia.info wrote:
> It may be outside the mainstream, but so is our interest in-- and understanding of-- security and privacy issues. Judging by the millions who download these tools, I am not alone in wanting to block scripts and tracking.
>
> I'll save my "security researchers using social media (outside of pentesting) makes no sense" rant for another time.
>
> -- 
>
> On Sep 9, 2013 11:56 AM, Al Billings alb...@openbuddha.com wrote:
>> I suggest your use of the net is well outside the mainstream, even amongst security folks. Some of us actually use social networking, for example, or don't want ugly, half broken websites simply because we fear a JavaScript zero day.
>>
>> Al
>>
>> -- 
>> Al Billings
>> http://makehacklearn.org
>>
>> On Monday, September 9, 2013 at 8:37 PM, Shelley wrote:
>>>> Like it or not, to fully use websites at this point, you generally need things like Javascript and CSS.
>>>
>>> I disagree. Not only do I want the protection from .js vulnerabilities and tracking when I browse, I just want the text. Not a bunch of useless social media buttons and blinking ads.
>>>
>>> I block it all and very rarely make an exception, and I don't at all mind that I'm getting a bland page with not much more than text. I prefer it.
>>>
>>>> The reason that most folks, even security folks like the ones I work with, don't run with NoScript on all the time is that it breaks the net as experienced.
>>>
>>> Most of my fellow security-conscious friends and colleagues block scripts by default as well. Breaking things to make them work the way we want them to is what we do; this is no different.
>>>
>>> -Shelley
>>>
>>> On Sep 9, 2013 9:50 AM, Al Billings alb...@openbuddha.com wrote:
>>>> Have fun tilting that windmill, Mr. Quixote. Like it or not, to fully use websites at this point, you generally need things like Javascript and CSS. The reason that most folks, even security folks like the ones I work with, don't run with NoScript on all the time is that it breaks the net as experienced.
>>>>
>>>> -- 
>>>> Al Billings
>>>> http://www.openbuddha.com
>>>> http://makehacklearn.org
>>>>
>>>> On Monday, September 9, 2013 at 5:43 PM, Leif Ryge wrote:
>>>>> Ok, well as long as we're talking about that FP javascript overlay: if you saw it, that means you run JavaScript by default, which means you're vulnerable to a larger number of the arbitrary-code-execution bugs in your web browser (of which there are undoubtedly many more which are not yet fixed, given the frequency with which new ones are discovered [1,2]). In my opinion, if you're using Firefox, you should really be using NoScript. [3]

-- 
Shava Nerad
shav...@gmail.com
Re: [liberationtech] Naive Question
Oh yes, but it's funny as hell. There's something to be said for that in times like this. Mouse, meet owl.

On Mon, Sep 9, 2013 at 5:07 PM, Case Black casebl...@gmail.com wrote:
> I absolutely agree with your point... cleverness alone doesn't go very far against ruthless adversaries.
>
> To paraphrase a prior post that's quite relevant to this discussion:
>
> ...the members of this list are uniquely qualified to influence that policy debate in terms of shaping both hard and soft policy in far more substantial ways. We can shape soft policy by expanding the selectorate willing to influence the political leadership to better circumscribe domestic surveillance capabilities. It's important to keep the focus on capabilities rather than intentions and assurances. And on the long range danger of having these surveillance databases in existence and their inevitable use to warp the political process in dark and dangerous ways.
>
> Hard policy is shaped by changing the technological landscape... by altering the very ground surveillance agencies stand on through the support of more and better privacy and encryption projects. It happened during the Crypto Wars of the 1990's and it can happen again.
>
> On Mon, Sep 9, 2013 at 3:58 PM, Matt Johnson railm...@gmail.com wrote:
>> All of the sneaky signs, email headers and web page badges assume the FBI, or whoever the adversary is, are incompetent or inept. That does not seem like a safe assumption to me. The only prudent approach is to assume your adversary is intelligent and competent.
>>
>> My guess is that the only defense against NSLs and the like is through policy. I realize that may be blasphemy on this list, but there it is.
>>
>> -- 
>> Matt Johnson
>>
>> On Mon, Sep 9, 2013 at 1:26 PM, LISTS li...@robertwgehl.org wrote:
>>> What are the legal precedents in terms of "wink, wink, nudge, nudge, djaknowhatimean"?
>>>
>>> - Rob Gehl
>>>
>>> On 09/09/2013 02:24 PM, Shava Nerad wrote:
>>>> You are awesome, clever, and full of tricks. :) Should I credit you with this?
>>>>
>>>> yrs,
>>>>
>>>> On Mon, Sep 9, 2013 at 3:40 PM, Case Black casebl...@gmail.com wrote:
>>>>> There's a more subtle variant to this idea...
>>>>>
>>>>> Regularly state (put up a sign) that you HAVE in fact received an NSL... with the public understanding that it must be a lie (there's no law against falsely making such a claim... yet!). When actually served with an NSL, you would now be bound by law to remove any such notification... thereby signaling the event.
>>>>>
>>>>> Regards,
>>>>> Case
>>>>>
>>>>> On Mon, Sep 9, 2013 at 1:24 PM, LISTS li...@robertwgehl.org wrote:
>>>>>> I wonder if there's a false analogy here. Hypothetically, the librarian's sign could fall down (maybe the wind blew it over) whereas a notice on a site would have to be removed via coding. There would be little other explanation, even in the case where one does not affirmatively renew the dead man's notice (the countdown that Doctorow suggests in the article). Such an affirmative act might lead a court to believe that one has indeed informed the public about an NSL.
>>>>>>
>>>>>> - Rob Gehl
>>>>>>
>>>>>> On 09/09/2013 12:18 PM, Dan Staples wrote:
>>>>>>> Presumably, if this type of approach became widely adopted, it would be a useful service for an independent group to monitor the status of these notices and periodically publish a report of which companies had removed their notice.
>>>>>>>
>>>>>>> On 09/09/2013 12:52 PM, Scott Arciszewski wrote:
>>>>>>>> Forgot the URL: http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch
>>>>>>>>
>>>>>>>> On Mon, Sep 9, 2013 at 12:29 PM, Scott Arciszewski kobrasre...@gmail.com wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I saw this article on The Guardian[1] and it mentioned a librarian who posted a sign that looked like this: http://www.librarian.net/pics/antipat4.gif and would remove it if visited by the FBI.
>>>>>>>>>
>>>>>>>>> So a naive question comes to mind: If I operated an internet service, and I posted a thing that says "We have not received a request to spy on our users. Watch closely for the removal of this text," what legal risk would be incurred?
>>>>>>>>>
>>>>>>>>> If the answer is "None" or "Very little", what's stopping people from doing this?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Scott

-- 
Shava Nerad
shav...@gmail.com
Re: [liberationtech] Naive Question
There's a more subtle variant to this idea...

Regularly state (put up a sign) that you HAVE in fact received an NSL... with the public understanding that it must be a lie (there's no law against falsely making such a claim... yet!). When actually served with an NSL, you would now be bound by law to remove any such notification... thereby signaling the event.

Regards,
Case

On Mon, Sep 9, 2013 at 1:24 PM, LISTS li...@robertwgehl.org wrote:
> I wonder if there's a false analogy here. Hypothetically, the librarian's sign could fall down (maybe the wind blew it over) whereas a notice on a site would have to be removed via coding. There would be little other explanation, even in the case where one does not affirmatively renew the dead man's notice (the countdown that Doctorow suggests in the article). Such an affirmative act might lead a court to believe that one has indeed informed the public about an NSL.
>
> - Rob Gehl
>
> On 09/09/2013 12:18 PM, Dan Staples wrote:
>> Presumably, if this type of approach became widely adopted, it would be a useful service for an independent group to monitor the status of these notices and periodically publish a report of which companies had removed their notice.
>>
>> On 09/09/2013 12:52 PM, Scott Arciszewski wrote:
>>> Forgot the URL: http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch
>>>
>>> On Mon, Sep 9, 2013 at 12:29 PM, Scott Arciszewski kobrasre...@gmail.com wrote:
>>>> Hello,
>>>>
>>>> I saw this article on The Guardian[1] and it mentioned a librarian who posted a sign that looked like this: http://www.librarian.net/pics/antipat4.gif and would remove it if visited by the FBI.
>>>>
>>>> So a naive question comes to mind: If I operated an internet service, and I posted a thing that says "We have not received a request to spy on our users. Watch closely for the removal of this text," what legal risk would be incurred?
>>>>
>>>> If the answer is "None" or "Very little", what's stopping people from doing this?
>>>>
>>>> Thanks,
>>>> Scott
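The monitoring service Dan Staples suggests, covering the plain notice in Scott's question, the dated "dead man's switch" notice Rob Gehl mentions and Case Black's inverted notice, as an added example (my code, not from any message in this thread, nor from the Guardian article). In every variant the alarm condition is the same: text that was there at the last crawl is now gone, or a dated notice has not been renewed. The three services, their canary phrases, the 14-day renewal window and all page snapshots are constructed; a real monitor would fetch the pages over HTTPS on a schedule and keep the snapshots it compares.

```javascript
// Added example, not code from the list thread: an outside party's monitor
// over several services' canary notices. Plain notice: text present means
// no request received. Dated notice: must carry a fresh "as of" date or it
// lapses. Inverted notice (Case Black's variant): a standing "we HAVE
// received an NSL" claim whose removal is the signal. All services, phrases
// and page snapshots below are constructed; nothing is fetched.

const MS_PER_DAY = 24 * 60 * 60 * 1000;
const RENEWED_RE = /as of (\d{4}-\d{2}-\d{2})/i;

// Classify one snapshot of one service's page as present / expired / absent.
function assessNotice(service, snapshot) {
  const text = snapshot.html.replace(/<[^>]+>/g, ' ');      // crude tag strip
  if (!service.phrase.test(text)) {
    return { status: 'absent', reason: 'notice text not found' };
  }
  if (service.maxAgeDays == null) {
    return { status: 'present' };                            // undated notice
  }
  const m = RENEWED_RE.exec(text);
  if (!m) {
    return { status: 'expired', reason: 'dated notice carries no renewal date' };
  }
  const ageDays = (Date.parse(snapshot.fetchedAt) - Date.parse(m[1])) / MS_PER_DAY;
  if (ageDays > service.maxAgeDays) {
    return { status: 'expired', reason: `last renewed ${m[1]}, ${ageDays} days ago` };
  }
  return { status: 'present', renewed: m[1] };
}

// Compare the previous and current crawl; report every service whose notice
// was present last time and is now missing or lapsed.
function buildReport(services, previous, current) {
  const report = { statuses: {}, alerts: [] };
  for (const s of services) {
    const now = assessNotice(s, current[s.name]);
    const before = previous[s.name] ? assessNotice(s, previous[s.name]).status : 'unknown';
    report.statuses[s.name] = now.status;
    if (before === 'present' && now.status !== 'present') {
      report.alerts.push({ service: s.name, from: before, to: now.status, reason: now.reason });
    }
  }
  return report;
}

// Constructed watch list: one undated notice, one dated notice that must be
// renewed every 14 days, and one inverted notice.
const SERVICES = [
  { name: 'mail.example', phrase: /we have not received a request to spy on our users/i, maxAgeDays: null },
  { name: 'host.example', phrase: /we have not received a request to spy on our users/i, maxAgeDays: 14 },
  { name: 'chat.example', phrase: /we have received a national security letter/i, maxAgeDays: null },
];

const PLAIN = '<p>We have not received a request to spy on our users. Watch closely for the removal of this text.</p>';
const DATED = '<p>We have not received a request to spy on our users, as of 2013-08-20.</p>';
const INVERTED = '<p>We have received a National Security Letter. (We post this every day.)</p>';

const LAST_WEEK = {
  'mail.example': { fetchedAt: '2013-09-02T00:00:00Z', html: PLAIN },
  'host.example': { fetchedAt: '2013-09-02T00:00:00Z', html: DATED },     // 13 days old: fine
  'chat.example': { fetchedAt: '2013-09-02T00:00:00Z', html: INVERTED },
};
const THIS_WEEK = {
  'mail.example': { fetchedAt: '2013-09-09T00:00:00Z', html: '<p>Welcome to our service.</p>' }, // notice removed
  'host.example': { fetchedAt: '2013-09-09T00:00:00Z', html: DATED },     // 20 days old: not renewed
  'chat.example': { fetchedAt: '2013-09-09T00:00:00Z', html: INVERTED },  // unchanged
};

function demo() {
  return buildReport(SERVICES, LAST_WEEK, THIS_WEEK);
}

for (const a of demo().alerts) {
  console.log(`${a.service}: ${a.from} -> ${a.to} (${a.reason})`);
}
```

On the constructed data the report flags mail.example (notice removed) and host.example (dated notice not renewed within 14 days) and stays quiet about chat.example, whose inverted notice is still in place. The first crawl of a service produces no alert, since there is nothing to compare against; this is deliberate, because a service that never posted a notice is not the same signal as one that took its notice down.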
Re: [liberationtech] Meet the 'cowboy' in charge of the NSA
> I'm kind of surprised FP's javascript is the main topic of discussion around this article. Thank you FP and Shane Harris for this very informative article!

Second that. This is why we regularly tweet FP content, because the FP is one of the best sources for liberationtech-like news out there. It's behind a paywall, which can be a pain at times, but at least they're trying to find a freemium balance rather than simply lock up their site.

Yosem
[liberationtech] Freedom not fear, talks at anti surveillance demo in Berlin
I'm writing to pass along some news from Germany - where national elections will take place later this month.

Last Saturday, 10,000 (maybe 15,000) people took to the streets of Berlin to demonstrate for "Freedom Not Fear". This marks the third (and largest) anti-surveillance demonstration the city has seen during the past two months.

There were two talks in English, one by Jacob Appelbaum¹, another by Parker Higgins² of EFF. Local activist Anne Roth³ spoke in German - her talk (worth a read) is available in written English: http://annalist.noblogs.org/post/2013/09/07/die-rede-bei-der-demo-freiheit-statt-angst-2013/#english

-- 
Alster

¹ YouTube video ID: KTjQ6Fbp3YE
² YouTube video ID: 9Gj_4khVap8
³ Anne's family has been under surveillance for at least two years, their apartment was raided by riot cops and her partner was arrested for months on weak (and - as quickly turned out - unfounded) domestic terror suspicions. YouTube video ID: T0WKr-NMf78
Re: [liberationtech] Matthew D Green
Follow the money.
[liberationtech] Cryptogeddon
Just stumbled across this post and thought it might be of interest to some on the list.

In a nutshell, Cryptogeddon is an online cyber security war game. The game consists of various missions, each of which challenges the participant to apply infosec tools to solve technology puzzles – an online scavenger hunt, if you will. Each mission comes with a solution that teaches the participant which tools to use and how to apply the tools to solve the mission.

Further on, the article describes the tools one may need to use, including but not limited to:

* TrueCrypt
* Metasploit Kali
* Nessus
* Amazon Web Services
* w3af
* Linux, Windows, OS X
* Apache, IIS
* GitHub
* VirtualBox
* Sysinternals

http://www.softwarehamilton.com/2013/09/06/cryptogeddon-coming-soon/

-- 
Scott Elcomb
@psema4 on Twitter / Identi.ca / Github & more
Atomic OS: Self Contained Microsystems
http://code.google.com/p/atomos/
Member of the Pirate Party of Canada
http://www.pirateparty.ca/