Re: [liberationtech] the 14th reason not to start using PGP is out!

2013-11-22 Thread Ali-Reza Anghaie
On Fri, Nov 22, 2013 at 12:24 PM, carlo von lynX
 wrote:
> On 11/21/2013 05:23 AM, Ali-Reza Anghaie wrote:
>> As it pertains to your response to me from over a month ago (below) -
>> we're just on different pages. I'm not arguing the strategic problem
>> statement, I'm saying you've made a tactical decision that was
>> damaging. *shrug*
>
> History will tell who is damaging the most, those who promote new
> solutions or those who, just like politicians, try to cling to a
> broken status quo.

The status quo could also be said to be "our" tendency to flitter from
one magical non-solution to another based on selfish ego and turf wars
and never sticking to the basics we took many years to get right. App
stores and toys. Oh - that would be you in that political anecdote.

See? Two can play at that silly comparison and character argument
assassination. It's not valid ~either~ way.

All I was saying is I disagreed with the tactical approach you took -
which is to declare something dead prematurely and without enough
context.

>> Matters little now - so many new entrants into the ecosystem we're
>> already fighting the good fight against the bad fighters. Good luck,
>> Cheers, -Ali
>
> Fight? I didn't come to fight. I try to reduce the damage being done.

I didn't mean you - I meant the flood of entrants into the "secure
email" or "email replacement" chain that have been enabled by generic
assassinations and false comparisons of other technology.

Going back to one of my original criticisms: in the rush to
make this a ~tech~ issue we forgot to remind people that it's
primarily actually an OPSEC issue in most cases. If we're talking
~history~ then you're on the wrong side of that fence at least - again
a ~TACTICAL~ comment because I'm sure you (and in YOU) know that OPSEC
plays heavily into it. I'm talking about the delivery of the message.

I leave our particular sub-thread to you for the last word (should you
need / want it). Cheers and best wishes, -Ali
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.


Re: [liberationtech] the 14th reason not to start using PGP is out!

2013-11-20 Thread Ali-Reza Anghaie
As it pertains to your response to me from over a month ago (below) -
we're just on different pages. I'm not arguing the strategic problem
statement, I'm saying you've made a tactical decision that was
damaging. *shrug*

Matters little now - so many new entrants into the ecosystem we're
already fighting the good fight against the bad fighters. Good luck,
Cheers, -Ali


On Wed, Nov 20, 2013 at 10:30 PM, carlo von lynX
 wrote:
>
> On Tue, Oct 15, 2013 at 04:26:34PM -0400, Ali-Reza Anghaie wrote:
>> > The current policy of recommending PGP over more advanced tools is
>> > probably causing damage to our end-users.
>>
>> The current policy of recommending tools that don't readily replace
>> PGP ~in the way end-users use it today~ is causing more damage IMO.
>
> Excuse me, Pond has some oddly aligned buttons but the service it offers
> is way more advanced than SMTP. If you really think you don't want to
> trust a new cryptographic tool - and don't have the money to finance a
> review - then embed PGP encrypted messages into it. Still, the number
> of failures you cannot possibly experience with Pond is so high that
> it is a much safer tool than the above mentioned Enigmail.
>
> Funny.. IMAP works so well, I can even see my unencrypted draft on a
> different mail agent on a different computer...  :-D
>
> And Pond is just an example. I could as well mention PGP over RetroShare
> (although it already does PGP itself) with or without Tor wrapper.
> Or what about Susimail and Liberte Cables? So many alternatives to SMTP!
>
>> That's what I mean - ~you~ aren't pointing people at Snake Oil. You're
>> just delivering a message of impending doom without giving them a
>> flyer on where to go next that also fits where they ~can~ go
>> (supported, COTS, or whatever).
>
> Here's a flyer.. at http://secushare.org/comparison I've been making a
> comparison of the tools that are being developed. The number of problems
> with e-mail are so big that I believe even not fully reviewed software is
> a lesser damage - but as always you are welcome to go bullet proof by
> combining the new technologies with older proven ones.
>
>> In essence I'm saying it's dangerous to make such proclamations -
>> however valid in ~our~ community - to the wide-open spaces of the
>> Internet when "we" also aren't ready at-hand to provide solutions.
>
> The document gave/gives indications on how to interpret it, including
> the opening phrase that said that PGP is better than nothing.
>
>> >> 3) It groups multiple problem sets into the responsibility domain of
>> >> PGP - when it/they don't have to be, perhaps even undesirable to be so
>> >> (from both technical and sociological viewpoints).
>> >
>> > It's like saying if the mirror in your car is broken it has
>> > nothing to do with driving, because the mirror isn't doing the
>> > driving.
>>
>> No it's not - it's saying the car isn't responsible for the red light
>> camera. It's important to break these things out in domains for which
>> they (in this case PGP) was designed.
>
> If you want me to say PGP isn't so bad. Okay, here I say it: PGP isn't
> so bad. It's actually rather cool. Only few problems like non-repudiability
> are inherent to PGP itself. Most of the problems are caused by SMTP, IMAP
> and the like. How does this make anyone feel better?
>
>> > PGP/mail is so broken that there is a risk that even if there
>> > are bugs in the new software programs they may cause less damage
>> > as PGP. We're at a point that we can't safely argue which of the
>> > two options are safer, and each user would have to take a chance
>> > for himself. That's why I urge you to review the alternatives so
>> > we CAN make reasonable recommendations like we used to do.
>>
>> That's not what you did though - you say that now but there was a
>> broad "viral" proclamation.
>
> To start a debate, and looks like I was successful at that.
> The "PGP" page is about the problems with e-mail and PGP.
> The "comparison" page is about the new tools, and that one warns
> upfront that all of the mentioned tools deserve a proper review.
>


Re: [liberationtech] espionage as plain old corruption

2013-10-30 Thread Ali-Reza Anghaie
On Wed, Oct 30, 2013 at 1:50 PM, Lucas Gonze  wrote:
> The shoes left to drop:
>
> 1) NSA insiders using privileged information for investments. It's hard to
> imagine this doesn't happen.
>

I doubt it happens at a rate any different across Government and would
suspect it happens less due to DSS monitoring. They're much more
attuned to credit monitoring, financials, etc. than technical
controls.

And while you don't suggest it - I think changing the angle of the NSA
scope toward blatantly criminal activity actually works against "us"..
indeed that's how the NSA executives want to frame it. Because it'll
be a lot easier for them to address than the general over-broad abuse
that has nothing to do w/ criminal activity. They can "fix" that
so-to-speak without really changing their programs.

> 2) How precisely do businesses get the NSA and CIA to create competitive
> advantages? How do they convince the Trade Representative that they deserve
> government intervention on behalf of their shareholders, and how does the
> Trade Representative then pass back information? How does one business get
> this benefit and not another?
>

Earlier releases have already suggested trade delegations have worked
in that regard (broad trade agreements, offset agreements, etc.) but
the comparisons being drawn to State managed business (e.g. PLA model)
are where it breaks down. So I'm not sure what additional "shoe"
you're looking for here?

As a former insider I find it absurd when people say we can just call
up on our State espionage arms, the number of people conditioned to
break that and work against it in corporate environments is just too
high. And then to take it down into product development cycles when we
can't secure our shoe laces - further strains credulity.

...

So from my perspective the only shoe left to drop is how much
monitoring happens of local, State, and Federal politicians and on
behalf of whom. THAT is the one we want - that is the one that puts
it squarely back into J. Edgar FBI (and then ties the DEA and FBI
back into it).

The rest is basically noise when it comes to actually effecting change
in my view (sad but seems pretty true). -Ali


[liberationtech] A webinar and twitter stream for freelance journos w/ digital OPSEC...

2013-10-22 Thread Ali-Reza Anghaie
Passing this along in case anyone is interested, Cheers, -Ali


http://frontlinefreelance.org/content/safetystream-webinars-freelancers

---
It will kick off at 2:00PM on Tuesday 22 October. The session will be
interactive. You can pose questions and start your own conversations
during each segment by posting to #safetystream on Twitter any time
from now and the conversation will continue after the event.

We’ll be covering:

2:00PM: Doing a risk assessment. We’ll get into the vital task of
assessing the risks you may encounter on assignment. The Rory Peck
Trust’s Risk Assessment resource can get you started.

2:30PM: Creating a communications plan. A rapid response is critical
in a crisis situation, yet it’s often a weak spot in a freelancer’s
preparations. This segment goes over what’s at stake. The Rory Peck
Trust have produced a Communications Plan template that you can access
now.

3:00PM: Digital security preparation. How you’re going to communicate
securely on the ground and protect yourself digitally wraps up our
sessions. We’ll be touching on topics that you can find in the Rory
Peck Trust Digital Security resource.
---


Re: [liberationtech] Google Unveils Tools to Access Web From Repressive Countries | TIME.com

2013-10-21 Thread Ali-Reza Anghaie
On Mon, Oct 21, 2013 at 6:42 PM, Andrés Leopoldo Pacheco Sanfuentes
 wrote:
> The NSA being part of the Google "partner" landscape, however
> unwillingly on the part of Google..

It was seeded by Google Ideas but we've yet to see how much control
they have over it versus UW and BNS.

For that matter since it is designed to use either the G+ or Facebook
social graph, it is somewhat saying this is for people who are already
doing what they do and want to improve their performance. Considering
how many people in Iran I know who already use social media
extensively - this might be a good approach to just spreading the risk
across MANY more people.

I don't know yet but I think it does something else we're not
considering: It says you already knew I was here - and now you have to
risk even MORE restrictions and such social and technical overhead to
do anything about it. Are you - the State - willing to do that? I say,
at least in Iran's case, that's a GREAT question to put to them in
this seemingly lightweight way.

So - as of now - I see uProxy as a "COME AT ME BRO" statement hoping
to make the cost of doing so - socially and technically - prohibitive
by making it MUCH easier to use and thus build that installed userbase.

Here is to hope. *shrug* -Ali


Re: [liberationtech] 13 reasons not to start using PGP

2013-10-15 Thread Ali-Reza Anghaie
On Sat, Oct 12, 2013 at 2:37 PM, carlo von lynX
 wrote:
>
> On 10/11/2013 08:19 PM, Ali-Reza Anghaie wrote:
>>
>> 1) It puts an over-abundance of faith in toolsets in opening and
>> closing "You have to get used to learning new software frequently."
>> Realistically if this was a toolsets problem then EFF and EPIC
>> wouldn't exist - it's not. It's a problem of State that can only be
>> fought through OPSEC, policy, and risk management. Since it's not
>> entirely reasonable to have end-users living the spook lifesystem then
>> it leaves ~policy~ as the best out for end-users with tools (like PGP)
>> being the defensive linemen.
>
> Currently it is a major toolset problem.
> That doesn't preclude there are other problems, too.

Except that wasn't communicated - as a matter of course you (just
below) said you are too "competent" to make such mistakes. Agreed. And
as another matter of course (above) you said it had gone ~viral~...

This is important when you're presenting something as a broker for
radical change (and it ~is~ radical from 90% of end-users viewpoints).

>> 2) Combined with (1) - then providing no immediate alternative - it
>> creates the environment in which snake oil fills the gaps. Then we're
>> back out fighting the snakeoil because we were too busy eating our
>> young (or old in this case) to pay attention to the collateral damage
>> to our end-users.
>
> I am not recommending any snake oil because I am too competent
> for that. What I am recommending is source codes that give me
> a good impression and deserve a serious review.
>
> And I'm also saying that yet another PGP user interface is useless.
>
> The current policy of recommending PGP over more advanced tools is
> probably causing damage to our end-users.

The current policy of recommending tools that don't readily replace
PGP ~in the way end-users use it today~ is causing more damage IMO.
That's what I mean - ~you~ aren't pointing people at Snake Oil. You're
just delivering a message of impending doom without giving them a
flyer on where to go next that also fits where they ~can~ go
(supported, COTS, or whatever).

In essence I'm saying it's dangerous to make such proclamations -
however valid in ~our~ community - to the wide-open spaces of the
Internet when "we" also aren't ready at-hand to provide solutions.

>> 3) It groups multiple problem sets into the responsibility domain of
>> PGP - when it/they don't have to be, perhaps even undesirable to be so
>> (from both technical and sociological viewpoints).
>
> It's like saying if the mirror in your car is broken it has
> nothing to do with driving, because the mirror isn't doing the
> driving.

No it's not - it's saying the car isn't responsible for the red light
camera. It's important to break these things out in domains for which
they (in this case PGP) was designed.

>> So in terms of broad proclamations I think it's prudent to keep those
>> at a policy level - and the rest behind transparent but loosely narrow
>> doors until the collective geekdom "we" can get traction on better
>> alternatives. -Ali
>
> PGP/mail is so broken that there is a risk that even if there
> are bugs in the new software programs they may cause less damage
> as PGP. We're at a point that we can't safely argue which of the
> two options are safer, and each user would have to take a chance
> for himself. That's why I urge you to review the alternatives so
> we CAN make reasonable recommendations like we used to do.

That's not what you did though - you say that now but there was a
broad "viral" proclamation.

And it was full of good tasty morsels.

Now I encourage you to course-correct and massage it out a bit more
with more meat, more stay tuned, more don't jump ship yet, etc. That
is if you intend to maintain this course (now w/ thirteen).

Thanks again - that's my last on this topic. Cheers, -Ali


Re: [liberationtech] EFF Resigns from Global Network Initiative

2013-10-11 Thread Ali-Reza Anghaie
On Sat, Oct 12, 2013 at 12:23 AM, Andrés Leopoldo Pacheco Sanfuentes
 wrote:
> Yes, of course. BUT!
*snip*

Then the rest is moot - that's my point. Unless you can substantially
change the behavior of the permanent seats of the UN Security Council
- ~where~ the figureheads "meet" changes nothing about the behavior of
the States, espionage, etc.

Symbolic gestures are what get us ~right back where we started~ every few years.

In any case - I hope we see substantive changes in the behavior of the
members of the Security Council as a whole. Which isn't to say I
believe the UN itself has any meaningful bearing to that. -Ali


Re: [liberationtech] EFF Resigns from Global Network Initiative

2013-10-11 Thread Ali-Reza Anghaie
On Sat, Oct 12, 2013 at 12:11 AM, Andrés Leopoldo Pacheco Sanfuentes
 wrote:
> yeah, but we have to go further, and get the United Nations HQ The
> Heck out of the USA

If you want an impotent organization to be even moreso - then that's a
good move. The problem is while all this isolate the US creates a lot
of feel-good it entirely ignores the complicity of most "World
Leaders" in the same ~exact~ abuses, duplicity, etc.

So it's a great distraction from actually getting things done.

If you really want to "punish" US arrogance - make it untenable for
peers to play along and really isolate the US at a policy level and
not just repeated symbolic ones.

(Separate of my own political beliefs - I'm speaking tactical efficacy here.)

-Ali


Re: [liberationtech] 10 reasons not to start using PGP

2013-10-11 Thread Ali-Reza Anghaie
On Thu, Oct 10, 2013 at 3:23 PM, carlo von lynX
 wrote:
> We had some debate on this topic at the Circumvention Tech
> Summit and I got some requests to publish my six reasons
> not to use PGP. Well, I spent a bit more time on it and now
> they turned into 10 reasons not to. Some may appear similar
> or identical, but actually they are on top of each other.
> Corrections and religious flame wars are welcome. YMMV.

I love the detail put into this but I think it's a poorly delivered
message for multiple reasons:

1) It puts an over-abundance of faith in toolsets in opening and
closing "You have to get used to learning new software frequently."
Realistically if this was a toolsets problem then EFF and EPIC
wouldn't exist - it's not. It's a problem of State that can only be
fought through OPSEC, policy, and risk management. Since it's not
entirely reasonable to have end-users living the spook lifesystem then
it leaves ~policy~ as the best out for end-users with tools (like PGP)
being the defensive linemen.

2) Combined with (1) - then providing no immediate alternative - it
creates the environment in which snake oil fills the gaps. Then we're
back out fighting the snakeoil because we were too busy eating our
young (or old in this case) to pay attention to the collateral damage
to our end-users.

3) It groups multiple problem sets into the responsibility domain of
PGP - when it/they don't have to be, perhaps even undesirable to be so
(from both technical and sociological viewpoints).

So in terms of broad proclamations I think it's prudent to keep those
at a policy level - and the rest behind transparent but loosely narrow
doors until the collective geekdom "we" can get traction on better
alternatives. -Ali


[liberationtech] Fwd: [Announce] Wanted: Lantern Ambassadors

2013-10-10 Thread Ali-Reza Anghaie
Haven't looked at it myself - passing on for others. Cheers, -Ali


-- Forwarded message --
From: Sandra 
Date: Thu, Oct 10, 2013 at 2:23 PM
Subject: [Announce] Wanted: Lantern Ambassadors
To: annou...@lists.openitp.org


Lantern is a new type of open source censorship circumvention tool. It
uses peer-to-peer (P2P) technology that connects people in censored
regions with those in uncensored regions to create a free internet for
everyone. We see it as a new approach to an increasingly challenging
situation. It provides users in “free” countries with a passive but
effective way to help, while providing censored users with a "trusted
network" from which they can access blocked information.

Currently, we are looking for Lantern Ambassadors, a group of users to
build the Lantern Network, and thus allow the Lantern team to test the
tool with live users. All that is required is to download the open
source tool, which runs seamlessly in the background, and provide the
team with feedback if necessary.

Request an invitation now:  https://www.getlantern.org

While the tool is designed to scale to millions of people, it only works
if enough users share their connections to open the internet with
others.  As a result, we also encourage you to invite friends to
download the tool as well.

In the last few months, the Lantern team has made great progress with
many improvements in usability, stability and censorship resistance.
They recently reached their 1.0 beta milestone and have been focusing on
improving the core software.  As a result, any feedback will be greatly
appreciated.

Join the Lantern movement today and help create a new type of tool that
brings a free internet to everyone. Request an invite now:
http://getlantern.org

Thanks in advance!

-Team Lantern
___
Announce mailing list
annou...@lists.openitp.org
https://lists.openitp.org/mailman/listinfo/announce


Re: [liberationtech] Forcing VPN on Mac OS X

2013-09-03 Thread Ali-Reza Anghaie
Ah yes - thanks for reminding me.

DNSCrypt has worked well for our end-users and when configured not to
fail over - does the necessary trick on OS X:
http://opendns.github.io/dnscrypt-osx-client/ ..

And something that didn't work well at all (in the context of my last
message) was Radio Silence (http://radiosilenceapp.com/).

Again, this is the "regular end-user" response given the initial query.

If you really want to mitigate against OS wonkiness then your own
router / hw isolation via a Grugq Portal
(https://github.com/grugq/portal) or using pfSense
(http://www.pfsense.org/) or DD-WRT
(http://www.dd-wrt.com/site/index).

Honestly if you're not trying to support it for someone else, then go
straight to the last option moving forward. -Ali


On Tue, Sep 3, 2013 at 2:44 AM, elijah  wrote:
> On 09/02/2013 09:54 PM, Mitar wrote:
>
>> Is there some software which would prevent any outgoing networking on
>> Mac OS X until a VPN to a trusted server is established? So on the
>> system level? I am wary that between me connecting to an untrusted
>> WiFi and establishing a VPN tunnel, there is some window where
>> probably all possible services try to ping home, auto-update and so
>> on.
>
> You should be wary. Since Appelbaum has not mentioned it yet, I will
> mention his paper for him:
>
> "Virtual Pwned networks"
> https://www.usenix.org/conference/foci12/vpwns-virtual-pwned-networks
>
> There are any number of common leaks, including DNS leakage, IPv6
> leakage, failing open, and, as you mention, the time lag between when
> the network comes up and when the default route is changed. You could
> also add poor cipher negotiation, and badly set up VPN gateways that use
> the same IP for both ingress and egress. At LEAP, we are trying to
> prevent all these problems with our free software server platform and
> autoconfiguring OpenVPN client application, but it is not easy or ready
> for production use yet (https://leap.se).
>
> This can be handy for testing DNS leaks (which are really easy to
> accidentally cause on Mac): https://www.dnsleaktest.com/
>
> -elijah


Re: [liberationtech] Forcing VPN on Mac OS X

2013-09-02 Thread Ali-Reza Anghaie
Warning - ~I~ haven't tried this but if I was going to suggest
something to try to one of my regular end-users (someone w/o their own
sysadmin skillset) I'd start by trying to combine one of the
following:

Hands Off - http://www.metakine.com/products/handsoff/
Little Snitch - http://www.obdev.at/products/littlesnitch/index.html

With your VPN application or Viscosity (http://www.sparklabs.com/viscosity/)...

And use the tools to allow only the VPN app / manager and child
processes it launches to make connections.

Again - that would be something I'd try if I didn't sysadmin the box
myself and was trying to help a regular end-user out. Cheers, -Ali


On Tue, Sep 3, 2013 at 1:21 AM, Percy Alpha  wrote:
> I thought OpenVPN will automatically stop traffic if VPN drops.
>


Re: [liberationtech] Why can’t email be secure? - Silent Circle Blog

2013-08-25 Thread Ali-Reza Anghaie
On Sun, Aug 25, 2013 at 2:59 PM, katana  wrote:
> And this was the heart of SC's problems and - realistic - fears, not the
> "insecure email" marketing talk. They have used PGP Universal, managed
> and generated the keys for their clients, because of the mobile
> computing demands(?) of their customers - or their incompetence(?) / not
> existing resources to develop a mobile OpenPGP solution? As Phil said
*snip*

PGP Universal was never meant for this application, we can all agree
there.. but the convenience it allowed in theory from an end-user
standpoint is still something we're trying to replicate everywhere
else. It's obviously not a trivial problem because we have a baker's
dozen variants nobody can agree on at any given time.

How many "solutions" to part of the overall end-user challenge set
have we seen on this list alone in the past two weeks?

We need a libtech retreat that we don't leave from until we code out
an agreeable solution for our massively varied end-user cases. ;-)

-Ali


Re: [liberationtech] Why_can't_email_be_secure

2013-08-25 Thread Ali-Reza Anghaie
On Sun, Aug 25, 2013 at 3:14 PM, StealthMonger
 wrote:
> Will the other cypherpunks on this list please step forward and help me
> refute this toxic propaganda?  I don't have time to do it all myself.

And herein lies the problem - Silent Circle isn't talking to "us" -
they are talking to the other 99.99% of email users in the world. To
them ~nothing~ you mention is meaningful until it's in webmail with
free storage, rich interface, for mom & dad, always available, etc.

We can argue how big of a problem that "culture" is but we have helped
create it too with poorly railing against commercial services and
software over the years (in tactical terms).

So again, now I think we're stuck that we need to stop using the term
"secure email" ~at all~.. conceptually we need to make people
understand "email" is postal mail at best and someone can come take it
out of your mailbox and peep to their heart's content. If you want
security, don't use email. Whether that's strictly true or not
(obviously it isn't) - it's true in general practice. And having an
OPSEC revolution isn't in the cards.

I think it has to be that binary a solution, and well supported, to
eventually get people to use anything "secure"..

-Ali


Re: [liberationtech] Announcing Scramble.io

2013-08-23 Thread Ali-Reza Anghaie
I'm conceptually really curious about various aspects but before I
forget - this time - I'd like to ask two broader questions first:

- Is this in any way an officially "backed" project in any way? Part
of a thesis or what-not let's say?

- (To everyone) Why is there almost never a discussion on RFCs and
talking something down the pathway of "what would it take to make a
standard out of this"?

Not endorsing or panning anything, just trying to think about
different aspects first this time.

I will say one thing - I think it's ~perfectly OK~ to "break" certain
aspects of email legacy support (say the POP/IMAP question) because,
any way we cut it, we're going to end up transitioning from a good
chunk of the email paradigm "we" know if we're ever going to get broad
adoption. So I do like the idea of trying to solve the new problems
introduced in different ways and chart out risk measurements in terms
of users "not us".. Cheers, -Ali


On Fri, Aug 23, 2013 at 4:53 AM, DC  wrote:
> Hi everyone,
>
> I'm DC, and I've been lurking here for a few weeks :)
>
> Since the NSA leaks, I've been inspired to work on an old dream: end-to-end
> encrypted email.
>
> One difficult problem in public-key encryption is key exchange: how to get a
> recipient's public key and know it's really theirs.
> My plan is to make your email the hash of your public key.
> For example, my address is nqkgpx6bqscsl...@scramble.io
> (I borrowed this idea from Tor Hidden Services.)
>
> This lets you build an email system with some nice properties:
> * It's webmail. I want something easy to use and understand, unlike PGP, so
> that nontechnical people can grok it.
> * Webmail has an inherent weakness: if push comes to shove, the NSA can
> compel a Scramble server to serve bad Javascript to their users. I want to
> give users the option to install the app as a Chrome extension. Same HTML,
> CSS, and JS, but served locally, so the server is untrusted.
> * You can look up someone's public key from an untrusted server, and verify
> that it's actually theirs.
> * Anyone can run a Scramble server
> * It's open source
> * All email between Scramble addresses is encrypted. Both Subject and Body
> are encrypted via PGP.
> * With some precautions, it's possible to avoid associating your real
> identity with your email address at all. This means that even From and To
> can be anonymous.
>
> Feel free to try it out! https://scramble.io/
>
> Here's a more thorough description of my design and my motivations:
> https://scramble.io/doc/
> Finally, here's a more thorough description of the technical details:
> https://scramble.io/doc/how.html
>
> Thoughts?
> Best
> DC
>
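The address scheme in DC's quoted announcement, where the address is a hash of the public key so that a key fetched from an untrusted server can be checked against the address itself, can be sketched as follows. This is an added example, not Scramble's code: the 80-bit SHA-256 truncation, the base32 alphabet, the Ed25519 keys, the `mail.example` domain and all function names are assumptions.

```javascript
// Added example: self-certifying mail addresses (hypothetical, not Scramble's code).
const crypto = require("node:crypto");

const ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"; // RFC 4648 base32, lowercased
const HASH_BYTES = 10; // assumption: keep 80 bits of the digest = 16 base32 chars

// Unpadded base32 encoding of a Buffer.
function base32(buf) {
  let bits = 0, value = 0, out = "";
  for (const byte of buf) {
    value = (value << 8) | byte;
    bits += 8;
    while (bits >= 5) {
      out += ALPHABET[(value >>> (bits - 5)) & 31];
      bits -= 5;
    }
    value &= (1 << bits) - 1; // keep only the bits not yet emitted
  }
  if (bits > 0) out += ALPHABET[(value << (5 - bits)) & 31];
  return out;
}

// Local part of the address: truncated hash of the DER-encoded public key.
function localPartFor(publicKeyDer) {
  const digest = crypto.createHash("sha256").update(publicKeyDer).digest();
  return base32(digest.subarray(0, HASH_BYTES));
}

function addressFor(publicKeyDer, domain) {
  return localPartFor(publicKeyDer) + "@" + domain;
}

// Client-side check of a key returned by a directory that is NOT trusted:
// accept the key only if it hashes to the address we already hold.
function verifyLookup(address, publicKeyDer) {
  const at = address.lastIndexOf("@");
  if (at <= 0 || !Buffer.isBuffer(publicKeyDer)) return false;
  const claimed = Buffer.from(address.slice(0, at).toLowerCase(), "ascii");
  const expected = Buffer.from(localPartFor(publicKeyDer), "ascii");
  return claimed.length === expected.length &&
         crypto.timingSafeEqual(claimed, expected);
}

function newKeyDer() {
  const { publicKey } = crypto.generateKeyPairSync("ed25519");
  return publicKey.export({ type: "spki", format: "der" });
}

// Constructed scenario: one honest directory, one that substitutes a key.
function demo() {
  const aliceKey = newKeyDer();
  const substitutedKey = newKeyDer();
  const alice = addressFor(aliceKey, "mail.example");
  const honestDirectory = new Map([[alice, aliceKey]]);
  const coercedDirectory = new Map([[alice, substitutedKey]]);
  return {
    address: alice,
    honest: verifyLookup(alice, honestDirectory.get(alice)),
    coerced: verifyLookup(alice, coercedDirectory.get(alice)),
    shortened: verifyLookup(alice.slice(3), aliceKey), // malformed address
    missingKey: verifyLookup(alice, undefined),        // directory had no entry
  };
}
```

The check binds a key to an address, not an address to a person: the sender still has to obtain the right address out of band. The number of digest bits kept sets the cost of finding a second key that hashes to an existing address.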


Re: [liberationtech] Open letter to Phil Zimmermann & Jon Callas of Silent Circle, re: Silent Mail shutdown

2013-08-16 Thread Ali-Reza Anghaie
On Fri, Aug 16, 2013 at 7:52 PM, Jacob Appelbaum  wrote:
> Ali-Reza Anghaie:
>> OK. I still disagree - in these threat models they don't care about effort.
>
> Who doesn't?

Any of the bodies we're talking about exerting pressure. They're going
to come at you in all sorts of ways up and until they effectively (or
really) kill you.

>> They dissuade people by killing a few first.
>
> If someone starts harming say, Ubuntu developers, I think very few
> Debian developers will worry. I think very few RHEL developers will
> worry. Or if they all worry, I doubt very few will stop working and if
> they do, someone else, someone anonymously, may continue their work - right?

On that account - probably to perhaps. I meant end-user account. Just
like the State condemning end-use by effectively making it the pattern
for collection. If it comes to bear any other system is being used to
harm the cartels, they'll punish end-users. I'm not sure those fit the
same model. And besides, for the end-user groups we're talking about
most of the time (non-techies in the harshest most in need regions) -
they are WAY more valuable relative to the cause they are representing
than developers. Strange equation yes - but worth considering.

>> The OPSEC model against
>> hostile State or non-State models has very little to do with issues like
>> we're increasingly bringing to the forefront. The overlap becomes obscured
>> behind FUD and more obvious problems like connectivity.
>
> I'm not sure that I agree. I think that in the third party model -
> States pose one very specific threat and non-state actors pose another.
> Both would benefit from verification - though in the centralized third
> party model, most verification is practically impossible.

I don't think we disagree on that particular - I'm just stating that
most OPSEC problems haven't even gotten past the basics to worry about
(in this case) Silent Circle's situation.

So when we're redirecting more and more resources to these types of
discussions, we're leaving behind other things that are more pressing
IMO. This debate we've had - no sense re-opening it. I'm not sure
we're that far off except I seem to have taken the tack a bit harsher
than Zooko intended.

>> However, all the power to getting it done "right" across the board and
>> constantly improved.
>>
>
> Ok, so we generally agree on the solution but perhaps not on the models?

We even agree on those when it applies to the proverbial "us" in
geekdom. It's more the social tactic of beating the crap out of each
other in this libtech space and inadvertently chasing people into
actual snake oil solutions.

>> I'm just growing increasingly concerned with dog eat dog bite consumer
>> circles.
>
> I think Zooko wasn't trying to be a jerk and I'm glad he is starting
> these kinds of discussions. It sure is hard to talk about these topics.
> I guess it really took a global spying scandal to make it seem
> reasonable for a lot of people!

I hear you there - suddenly all manner of discussions make a heckuva
lot more sense.

Cheers, -Ali


Re: [liberationtech] Open letter to Phil Zimmermann & Jon Callas of Silent Circle, re: Silent Mail shutdown

2013-08-16 Thread Ali-Reza Anghaie
OK. I still disagree - in these threat models they don't care about effort.
They dissuade people by killing a few first. The OPSEC model against
hostile State or non-State models has very little to do with issues like
we're increasingly bringing to the forefront. The overlap becomes obscured
behind FUD and more obvious problems like connectivity.

However, all the power to getting it done "right" across the board and
constantly improved.

I'm just growing increasingly concerned with dog eat dog bite consumer
circles.

Thank you for taking the time, - Ali
 On Aug 16, 2013 6:42 PM, "Jacob Appelbaum"  wrote:

> Ali-Reza Anghaie:
> > I understand we're talking about verifiable builds and software
> > distribution but using the Zetas as an example is getting kind of
> > ridiculous.
> >
>
> The point of using the Zetas is perhaps not clear but I think I
> understand well what Zooko means. We've talked about it a few times in
> person and I think it isn't always clear upon first read or the first
> time someone hears the example.
>
> The Zetas represent something totally different from our personal
> relationship with the State - they represent a potentially lawless but
> powerful element in global society, one where we probably can't reason
> with them and in the end, we won't have a lot of leeway in convincing
> them to stop whatever they're planning. So, how does the architecture of
> the system hold up when such an adversary is in your threat model? How
> can you comply with the Zetas? How might one do so without harming
> users? How might you save your own life and hopefully by doing
> everything that they want, everyone other than the attacker is satisfied
> with your actions and the resulting outcomes?
>
> There are very few systems that accomplish this goal or even try to
> tackle this goal.
>
> Distributed, decentralized systems have other issues - though this is
> one place where they tend to do well. Centralized systems without
> external verifiability tend to fail very badly under threat from such an
> adversary.
>
> Yes, the Zetas could go after anyone publishing software. If we walk
> through it - if there is only one person who does the publishing, and
> only one person who can sign and upload the build, we have most of
> today's software. If we have a system where there is an ecosystem of
> providers, software distributor and so on - we have a few of today's
> systems.
>
> Which system is more likely to fail and fail silently from the Zeta
> threat? Which will fail without notice by anyone, especially an end user?
>
> The centralized system will almost certainly fall first - especially if
> it is a small startup.
>
> All the best,
> Jacob

Re: [liberationtech] Open letter to Phil Zimmermann & Jon Callas of Silent Circle, re: Silent Mail shutdown

2013-08-16 Thread Ali-Reza Anghaie
I understand we're talking about verifiable builds and software
distribution but using the Zetas as an example is getting kind of
ridiculous.

We could also speculate the Zetas declare war on FOSS security
developers too - send them into hiding, kill trust in FOSS projects,
etc. Or, you know, people just make mistakes.

To assert that this is the same level of unreliability of concern as
the architectural one with PGP Universal and Silent Mail is simply not
true. At least clearly delineate problem sets. Otherwise we're just
confusing consumers across the board (not just SC) ~too~...

I can't help but think we're getting further and further away from the
problems that need solving in a big picture sense and into problems
that only need solving for "us" sense.

-Ali


On Fri, Aug 16, 2013 at 5:59 PM, Yosem Companys  wrote:
> From: Zooko Wilcox-OHearn 
>
> also posted here: 
> https://leastauthority.com/blog/open_letter_silent_circle.html
>
> This open letter is in response to the `recent shutdown of Lavabit`_ ,
> the ensuing `shutdown of Silent Circle's “Silent Mail” product`_, `Jon
> Callas's posts about the topic on G+`_, and `Phil Zimmermann's
> interview in Forbes`_. Also, of course, all of this is unfolding in
> the context of the `2013 Mass Surveillance Scandal`_.
>
>
>
> Dear Phil and Jon: Hello there! It is good to have a chance to chat
> with you in public.
>
> Please accept the following in the spirit of constructive criticism in
> which it is intended.
>
> For those readers who don't know, I've known you both, personally and
> professionally for decades. You've each written texts that I've
> learned from, inspired me to follow your example, we've worked
> together successfully, and you've mentored me. I have great respect
> for your technical abilities, your integrity, and your general
> reasonableness. Thank you for all of that and for holding fast to
> your principles today, when we need it more than ever.
>
> Now:
>
> Your job is not yet done. Your customers are currently vulnerable to
> having all of their communications secretly monitored.
>
> I just subscribed to the service at https://SilentCircle.com, and
> after I paid $120 for one year of service, it directed me to install
> the Silent Text app from Silent Circle on my android phone, which I
> did. Now, when I use that Silent Circle app to send text messages to
> other Silent Circle customers, I have no way of verifying whether it
> is really encrypting my message on my own phone, and if it is really
> keeping the encryption key only for me, or if it is leaking the
> contents of my messages or my encryption keys to you or to others.
>
> If some attacker, for example the U.S. Federal Government — or to pick
> a different example the Zetas Mexican drug cartel — were to coerce
> Silent Circle into cooperating with them, then that attacker would
> simply require Silent Circle to distribute an update to the app,
> containing a backdoor.
>
> There is no way for me to verify that any given version of Silent
> Text, including the one that I just installed, is correctly generating
> strong encryption keys and is protecting those keys instead of leaking
> them.
>
> Therefore, how are your current products any safer for your users than
> the canceled Silent Mail product was? The only attacker against whom
> your canceled Silent Mail product was vulnerable but against whom your
> current products are safe is an attacker who would require you to
> backdoor your server software but who wouldn't require you to backdoor
> your client software.
>
> Does that constraint apply to the U.S. Federal Government entities who
> are responsible for PRISM, for the shut-down of Lavabit, and so much
> else? No, that constraint does not apply to them. This was
> demonstrated in the Hushmail case in which the U.S. DEA asked Hushmail
> (a Canadian company) to turn over the plaintext of the email of one of
> its customers. Hushmail complied, shipping a set of CDs to the DEA
> containing the customer's messages.
>
> The President of Hushmail `emphasized`_ in interviews with journalists
> at the time that Hushmail would be able to comply with such orders
> regardless of whether the customer used Hushmail's “client-to-server”
> (SSL) encryption or its “end-to-end” (Java applet) encryption.
>
> .. _emphasized: http://www.wired.com/threatlevel/2007/11/hushmail-to-war/
>
> Phil had been Chief Cryptographer of Hushmail years earlier, and was
> still a member of the Advisory Board of Hushmail at the time of that
> case. He commented about the case at that time, and he also `stated`_,
> correctly, that the Hushmail model of *unverified* end-to-end
> encryption was vulnerable to government coercion. That's the same
> model that Silent Circle uses today.
>
> .. _stated: http://www.wired.com/threatlevel/2007/11/pgp-creator-def/
>
> You have just taken the courageous act of publicly shutting down the
> Silent Mail product, and publicly stating your reasons for doing so.
> This, 

Re: [liberationtech] rsync.net Warrant Canary

2013-08-12 Thread Ali-Reza Anghaie
On Mon, Aug 12, 2013 at 10:53 PM, adrelanos  wrote:
> Awesome! However euphoric I may be about this...
>
> Might there be a chance for getting sued for this?
>
> If this is safe, it would be awesome if all major pages could implement
> this. torservers.net, torproject.org, truecrypt.org, gnupg.org, etc.

My thoughts are that if you're interesting enough to an authority -
they would likely be aware of such canary in use. And ppl have to be
aware of it for it to be useful.

If you don't publicize it as a "feature" until after you've been
served papers, they'll call it obstruction.

And I would think an NSL that could tell you to preserve anything -
could also tell you to keep this file in a running state.

I think it's a neat idea but I anticipate just this thread alone
triggered someone to add this warning to a SOP somewhere to mitigate
against in legalese. -Ali


Re: [liberationtech] In defense of client-side encryption

2013-08-12 Thread Ali-Reza Anghaie
I'm sorry but aren't we spending a lot of time conflating code
quality, secure coding practices, software distribution, .. with
~JavaScript in a browser~?

There are alternate pathways, signed and delivered as a Dashboard
widget via the Apple App Store for example.

I'm not proposing ~that~ as *wipes hands* and we're done. I'm just
saying if you think the tool is useful and JavaScript is currently
dominating a lot of areas (Gnome's shift is another place) - isn't it
prudent to start developing the bullet list of how to make JavaScript
applications acceptable for these tasks?

Also - didn't Fabio and OpenPGPjs folks put a lot of time into
consolidating and suggesting defensible JavaScript practices in
various environments on various devices?

Also also - there was a conjecture made that "The code signing system
could require the signature of more than one entity. For example, it
could require a signature from the web site owner as well as
signatures from any number of reputable security auditing companies
and security researchers." - but I'm not sure how this would work in
operations practice. Thoughts on that? (Source:
https://defuse.ca/web-browser-javascript-cryptography.htm)

Anyhow, I'm not suggesting I like the nature of the project or any of
this is a good idea - but a lot of the criticisms seem to hold
~everywhere~ with bad practice and not JavaScript itself. So I'm
curious.. -Ali


On Mon, Aug 12, 2013 at 5:04 PM, danimoth  wrote:
> On 12/08/13 at 02:58pm, Francisco Ruiz wrote:
>> Thanks for a thoughtful and extensive reply. Let me see if I'm
>> understanding your position correctly.
>
> [snip, snip, snip]
>
>> So, trusting the OS but not trusting the browser seems to me a curious case
>> of double standard. They are made by the same companies, after all.
>
> Trusting the browser in respect to trusting the OS implies adding a lot
> more hypotheses on the stack, in order to define properties of your
> software. To be clear, trusting the browser strictly contains
> trusting the OS, and in my humble point of view, if I need to choose,
> I choose fewer hypotheses. In my rescue, there is the fact that actually
> *no state-of-art solutions* exist for web cryptography (is that word
> right? or it is a no-sense?). To reach this point, proposals should be
> made, and yours is one approach to evaluate, but (personally) I don't
> like selling advertisement based on nothing.
>
> In conclusion, if you really trust IE x.0 to execute your code,
> you're welcome; I generally don't trust it even for viewing
> web sites :-)
>
> Users at this point have a lot of resources to check to make their own
> opinion, I'm feeling fine with myself.
>
> Have a nice day
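One way the multi-party code signing quoted from defuse.ca in the message above could be checked on the client: a release is accepted only when the site owner and a threshold of distinct, known auditors have each signed the hash of the exact code being loaded. This is an added example, not code from the thread or from defuse.ca; the policy shape, signer names, Ed25519 keys and function names are assumptions.

```javascript
// Added example: owner-plus-auditors release check (hypothetical policy format).
const crypto = require("node:crypto");

const digestOf = (code) => crypto.createHash("sha256").update(code).digest();

// Reports which known signers validly signed this exact code and whether the
// policy (owner AND at least `auditorThreshold` distinct auditors) is met.
function verifyRelease(code, signatures, policy) {
  const digest = digestOf(code);
  const valid = new Set();
  for (const { signer, signature } of signatures) {
    const key = policy.keys.get(signer);
    if (!key || valid.has(signer)) continue; // unknown signer, or already counted
    if (Buffer.isBuffer(signature) &&
        crypto.verify(null, digest, key, signature)) {
      valid.add(signer);
    }
  }
  const auditorCount = [...valid].filter((s) => policy.auditors.has(s)).length;
  return {
    ok: valid.has(policy.owner) && auditorCount >= policy.auditorThreshold,
    validSigners: [...valid].sort(),
  };
}

// Constructed scenario: one owner, three auditors, two auditors required.
function demo() {
  const names = ["site-owner", "auditor-a", "auditor-b", "auditor-c"];
  const priv = new Map();
  const pub = new Map();
  for (const n of names) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    priv.set(n, privateKey);
    pub.set(n, publicKey);
  }
  const policy = {
    owner: "site-owner",
    auditors: new Set(names.slice(1)),
    auditorThreshold: 2,
    keys: pub, // public keys pinned in the client, not fetched with the code
  };
  const sign = (n, code) => ({
    signer: n,
    signature: crypto.sign(null, digestOf(code), priv.get(n)),
  });

  const reviewed = Buffer.from("function encrypt(m, k) { /* reviewed build */ }");
  const altered = Buffer.from("function encrypt(m, k) { /* altered build */ }");
  const reviewedSigs =
    ["site-owner", "auditor-a", "auditor-b"].map((n) => sign(n, reviewed));

  return {
    // Owner and two auditors signed the code that is being loaded.
    reviewed: verifyRelease(reviewed, reviewedSigs, policy),
    // Owner alone signs a changed build: no auditor has seen it.
    ownerOnlyUpdate: verifyRelease(altered, [sign("site-owner", altered)], policy),
    // Old signatures attached to a changed build do not carry over.
    reusedSignatures: verifyRelease(altered, reviewedSigs, policy),
    // The same auditor counted twice must not satisfy a threshold of two.
    oneAuditorTwice: verifyRelease(
      reviewed,
      [sign("site-owner", reviewed), sign("auditor-a", reviewed), sign("auditor-a", reviewed)],
      policy),
    // Auditors cannot publish without the owner either.
    auditorsWithoutOwner: verifyRelease(
      reviewed, names.slice(1).map((n) => sign(n, reviewed)), policy),
  };
}
```

The verification side is small; the operational questions the message raises (who the auditors are, how their keys reach the client, how quickly they can review each update) are policy inputs this code takes as given.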


Re: [liberationtech] [guardian-dev] An email service that requires GPG/PGP?

2013-08-09 Thread Ali-Reza Anghaie
Griffin,

The more this gets fleshed out on list - the more it departs from any
vestige of email and then you're basically talking about shoe-horning
a different architectural beast into a transport protocol we happen to
know. (I'm not saying ~you~ are planning that - just making an
observation of nuanced list evolution.)

You're going to end up in a place that it might be more tenable to
pursue building out better transport options for a RetroShare or Kolab
environment. Usability for new users is going to take a massive hit
with any proposal that seems to catch interest above. I therefore
think it may be prudent to consider an encapsulated secure environment
(using RetroShare as an example) with a bridge ingress/egress to the
outside world services that gets handled like a PGP Universal setup.
Using x509 or PGP, not sure we'd care as long as the CA model of today
had nothing to do with it - or minimally involved in the external
bridging.

In a sense what I'm saying is stop even considering "secure email" an
option - we need to start having people think about their
communications and security models entirely different. And I'm afraid
that even attempting to maintain vestiges of the old environment and
~terminology~ actually does more harm than good.

This isn't to say abandon security of email - but let's tackle the
new-fangled solutions on one leg (leaving behind as much legacy as
possible) - and use political means to continue to attack the
"Internet of old" problems (e.g. email) on the other leg.

That made total sense in my head. *grimace* Cheers, -Ali
-- 
Liberationtech is a public list whose archives are searchable on Google. 
Persistent violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Ali-Reza Anghaie
On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
> For what it's worth, and even though I think it's pretty unlikely that 
> Cryptocat will receive such an order,
*snip*

You're right but that should provide little comfort - when they come
after the non-business platform libtech to cypherpunk services - they
don't use legal orders. It gets much worse. -Ali


Re: [liberationtech] Why ~not~ S/MIME?

2013-07-30 Thread Ali-Reza Anghaie
On Tue, Jul 30, 2013 at 4:49 AM, Guido Witmond  wrote:
> My biggest beef with S/MIME is the certificates of the CA's.
>
> The CA's validation policy requires you to prove your real world
> identity to them. Which they then write into the certificate.
>
> It means that each and every email is tagged with your true identity for
> life. No thanks

Self-signed S/MIME certs work just fine - however, you lose part of
the ease-of-use. I'm really talking about in the context of today's
PRISM (and friends) discussions with ~everyone~...

Also - I'm still not sure "we" can't solve that between the various
organizations that are pushing these privacy issues and the browser
vendors. A community trusted CA that conforms to whatever rules EFF
and EPIC come up with (as one suggestion).

To confirm - so far the objection (the main one) - is the CA
dependency... I get that. Alright.

-Ali


Re: [liberationtech] Why ~not~ S/MIME?

2013-07-30 Thread Ali-Reza Anghaie
On Tue, Jul 30, 2013 at 4:20 AM, Ralph Holz  wrote:
> I am not sure I agree with the OPSEC issue. There are a bunch of
> synchronised SKS key servers. As for people's capability to judge
> others' accuracy in determining identity, well... is that so much worse
> than a CA system, where a CA does only an e-mail check, but no EV?
>
> Furthermore:
> * With the current weakness of the CA system (all CAs are equal), I
> trust PGP a whole lot more

*snip*

For "us" that's meaningful - is it for most people? Even 1%?

Also - I wasn't clear at all - when I cited OPSEC I also meant if you
want to use S/MIME in a PGP self-generated and distributed fashion you
can do so. So what's not to say that a community or let's say EFF
managed S/MIME issuing server w/ the Mozilla Foundation involved or
what-not isn't, in practical terms, a much faster pathway to encrypted
email adoption?

That's what I'm getting at. Do we have a way to end-route the problem
we're not taking advantage of?

> What makes PGP more attractive to me is the higher degree of control I
> can exercise.

Exactly - agreed. Entirely. Also the problem w/ the adoption. Higher
degree of ~responsibility~ also...

So I'm trying to figure out if this is another situation where the
people doing the advocating (the proverbial "us") aren't thinking
about the end-user reality. And - in this case - if we have a
perfectly acceptable security model within reach that requires tweaks
to S/MIME or tweaks to PGP. And are the "tweaks" to S/MIME such that
it's more readily attainable on a broad organizationally supported
basis (again giving EFF and Mozilla Foundation as sponsoring
suggestions)...

Thank you for the time of your response, Cheers, -Ali


[liberationtech] Why ~not~ S/MIME?

2013-07-30 Thread Ali-Reza Anghaie
For obvious reasons we're in another spike of "everyone should PGP"
discussions - pretty much every direction you look. This always tugs
at the back of my mind - why not push S/MIME a bit more?

In my own experience the most common adoption problems with PGP for
the uninitiated is getting the software to work where they want it and
managing keys (including finding another person's key).

Taking this from a push for adoption approach and not "our" ideal
solution approaches, consider:

- S/MIME is implemented in more places stock
- S/MIME has at least one well supported Gmail option in
https://www.penango.com/
- S/MIME directories are generally more apt to "just work" for the
end-user once setup
- S/MIME certificate management is more intuitive for first-timers IMO

The two big objections to S/MIME I see more frequently are downloading
your certificate from third-party and cost to get certificate. Both
problems I think can be more easily solved than the adoption problems
(on a wider basis) with PGP. Security and OPSEC failures can be
posited between the two solutions at all levels - *shrug* ..

So - broadly - why not work on the gaps in getting S/MIME more widely
deployed? Why is it so often entirely disregarded? -Ali


Re: [liberationtech] Blackberry 10 Sends Full Email Account Credentials To RIM

2013-07-18 Thread Ali-Reza Anghaie
This is only ~mildly~ new - this is how their service always worked
for most non-BEM addresses. From their design standpoint, for the
delivery mode they were promising, it made more sense than having your
device poll constantly (battery).

Obviously it's still not cool - I'm just failing to see why the actual
biggest-breakage here is "new"? -Ali

On Thu, Jul 18, 2013 at 10:25 AM, staticsafe  wrote:
> Might be of interest to this list:
> http://frank.geekheim.de/?p=2379 [source]
> http://www.heise.de/newsticker/meldung/BlackBerry-spaeht-Mail-Login-aus-1919718.html
> http://yro.slashdot.org/story/13/07/18/1249236/blackberry-10-sends-full-email-account-credentials-to-rim
>
> Why, RIM, why?
> --
> staticsafe
> O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
> Please don't top post.
> Please don't CC! I'm subscribed to whatever list I just posted on.


Re: [liberationtech] Help with Privacy online

2013-07-03 Thread Ali-Reza Anghaie
Justin,

I'd suggest you start by studying the options presented at
http://prism-break.org/ for alternative solutions.

In terms of hardening your Ubuntu install there are various resources
available from a web search but you may consider the Tails
distribution or Whonix - both referred in the OS section of the link
above. Good luck, Cheers, -Ali


On Wed, Jul 3, 2013 at 5:33 PM, Justin Breithaupt
 wrote:
> I would like to know what services are available for e-mail that don't share
> my private information, like Gmail does when it shares my info.
>
> I would also like to know the best way to secure a Ubuntu based PC against
> privacy and security problems that allow the government and other people
> into your PC.
>
>
>


Re: [liberationtech] US wiretap statistics (was re: a privacy preserving and resilient social network)

2013-06-28 Thread Ali-Reza Anghaie
On Sat, Jun 29, 2013 at 1:52 AM, Alireza Mahdian
 wrote:
> I really hope all your other facts are not based on this link you sent. As
> Matt rightfully put it, we don't know the kind of cipher that was used; it
> could have been a very primitive one. You are making a very bold statement
> based on very incomplete data. It is as if you are claiming that if one

Actually the link and data do not say - nor was it her assertion -
that they attacked the crypto itself. And that goes back to the whole
of her original response (which was a broader call to arms /
perspective). Many are often missing the broader picture on how these
systems are attacked by capable bodies and Governments if that is,
indeed, one of the adversary bodies you've identified.

> pointed out that it does not even aim for it. As the creator of MyZone I did
> not feel the need for unlinkability as deniability is provided to a needed
> degree. You probably are not going to give my app even a try but I would
> certainly give your "Bullet proof" solution if it ever sees the light of the
> day a try and read its documentation in full before criticizing it. I have

I think you're jumping to conclusions much the same way you suggest
any question to you is. Your first response to any input was "this is
to prevent modifications that would render it as a malware" in regards
to the Open Source aspect. Which makes no sense - at all. It's not
even defensible. You could include a license with your codebase that
has nothing to do with the offered service as-is.

So take a step back and, seriously, ask yourself did you want input or
did you just want praise?

> tried SO MANY of these solutions that you mentioned in a very restrictive
> environment (I come from Iran and I have first hand experience on whatever
> you are mentioning here) and trust me they are often so slow (you have to
> consider dial up bandwidth) that you prefer to avoid them in the first
> place. I will consider any "constructive" criticism of my work and
> appreciate it very much but telling me that I have solved the "wrong"
> problem is just your opinion. I certainly wouldn't consider myself
> expert enough in the field to make a blunt statement like that towards
> anybody's work. I will not respond to any of your comments from this point
> on until I see reasonable signs that you have read my thesis and at the very
> least understand my design choices. I owe you a thank you for the time you
> have put to write those emails regarding my work.

Wait - are you telling someone not to make such bold statements while
making.. wait for it.. a number of your own?

Also - as an Iranian transplant with continued involvement I'm not at
all sure you can relate those circumstances as comprehensive to the
rest of the world. Actually - I'd say you flat-out can't. It's not
even that homogenous within Iran anymore.

Usability is a BIG debate point on the list - often - with some of us
(myself included) feeling that falling within a broken system and
being covered by regular "noise" is often better than an unusable
system.

However - going back to what you started with - you asserted a context
within current events and against Government. That has a big weighty
goal attached to it and raises hackles.

So let's all start over.

Hello Alireza. I'm.. err. Ali-Reza. Congratulations on your recent
Doctorate and welcome to Libtech.

Cheers, -Ali


>
> On Jun 28, 2013, at 11:28 PM, Matt Johnson  wrote:
>
> Well that is good news, thanks for the pointer!
>
> Now all we need is for the court to report what cipher and which
> encryption tools were used...
>
> --
> Matt Johnson
>
>
>
> On Fri, Jun 28, 2013 at 10:21 PM, Eleanor Saitta  wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 2013.06.29 01.18, Matt Johnson wrote:
>
> " Encryption meaningfully prevented a wiretap for the first time
> ever in *2012* (or so we're told, for non-intelligence domestic US
> wiretaps), and has only ever worked five times."
>
> What are you referring to? Do you have a pointer to more
> information? I am very curious.
>
>
> http://www.uscourts.gov/Statistics/WiretapReports/wiretap-report-2012.aspx#sa5
>
> E.
>
> - --
> Ideas are my favorite toys.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
>
> iF4EAREIAAYFAlHObssACgkQQwkE2RkM0wpJvgD9FMiYpwatSomo+sCOr2JQxPnU
> nUC3+yZzHJ1Uyh1+23gA/0tijTIRQnh5kZzIP9Fw6uUm9JiweuRXSv4mHhhPC/Gq
> =Lw8s
> -----END PGP SIGNATURE-----
>
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at compa...@stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>
>
> --
> Alireza Mahdian
> Department of Computer Science
> University of Colorado at Boulder
> Email: alireza.mahd...@gmail.com
>
>

Re: [liberationtech] a privacy preserving and resilient social network

2013-06-28 Thread Ali-Reza Anghaie
In your resources section - you're not drawing a direct comparison but
do note model shortcomings. No worries there.. I'm trying to
understand what your design is in the context of your opening email to
the list:

"military grade encryption and no authority can have any control over
it. one design goal behind it was actually to make it resilient
towards government imposed censorship and filtering"

Which is why I brought up I2P's existing stack for example.

I'll leave it be, I'm not trying to stir you up. I'm just trying to
understand the decisions made in that statement's context. Cheers,
-Ali


On Fri, Jun 28, 2013 at 4:19 AM, Alireza Mahdian
 wrote:
> MyZone is not addressing the same issues as Tor and I2P. I have never
> compared them to MyZone in any part of my thesis. I was also never critical
> of those systems as they are not relevant to what MyZone tries to achieve
> with the exception of Diaspora which is not a peer to peer application and
> requires its users to set up their own servers. I also specifically point
> out the security limitations of our approach in section 7.3. If the CA is
> compromised then the security of all users is jeopardized as for any PKI.
> Even if the CA is attacked (DDoS attack not a private key hijacking) the
> existing users are not affected since the public key of the CA is already
> shipped with the software.
>
> On Jun 28, 2013, at 1:56 AM, Ali-Reza Anghaie  wrote:
>
> Thank you - I read your comments on Diaspora, Tor, I2P, etc. and
> through section 4.2.2 (Adversary Model) of your thesis. I find it
> curious that some of the issues you're critical of in those systems
> you've actually implemented into your own design (e.g. you do have a
> central server/trust dependency with the CA). I may go back and
> continue reading 5 later as I'm interested in how you implement your
> CA model (4.2.1 / 6.1). My questions of the earlier sections probably
> would only be addressed further in the thesis. Until next time - good
> luck. Cheers, -Ali
>
>
> On Fri, Jun 28, 2013 at 3:37 AM, Alireza Mahdian
>  wrote:
>
> First of all anonymity is not a goal here. I have to be clear on that. A
> structure similar to I2P or Tor that uses overlay network would be very
> inefficient due to network delays. as for using a Jetty stack we chose Java
> as the language to implement this software in order to have a platform
> independent application in one code base and at it is also supported on
> Android as we are developing a smartphone app as well. Using Java has saved
> us a lot of time getting this app ready for different platforms. The jetty
> is a lightweight Java based web server that also installs on android so
> seemed like a good choice to use to serve the UIs and we chose to use web
> interface to implement the UIs as it feels more like common social networks
> like facebook and google+ also future UI enhancements are easier on a web
> app. as for the user, they are not even aware that a web server is being run
> on their computer as no installation or configuration has been done by the
> user. they only run the MyZone launcher and it opens up the browser loading
> their feed page. We have considered a lot of user feedbacks when we designed
> MyZone. this software has a somewhat complex design and there are so many
> small details involved as well so if you have any further questions
> regarding our design choices I would like to refer you to
> http://joinmyzone.com/Thesis.pdf
>
> On Jun 28, 2013, at 1:17 AM, Ali-Reza Anghaie  wrote:
>
> *nod* Yeah, that was the hint I got.. but the bits about relay
> servers, registration, etc. Let's set those aside.
>
> How do you ~intend~ for this to behave in the wild? Every single
> client w/ a Jetty stack? And - given that footprint - why not start
> within a framework like I2P? (I'm not recommending anything, I'm
> trying to understand without going too far off-kilter.)
>
> -Ali
>
>
> On Fri, Jun 28, 2013 at 3:09 AM, Alireza Mahdian
>  wrote:
>
> those are all to protect our organization (CU Boulder) from any liability.
> also the contents that can be shared on this social network can be pretty
> much anything and since we can't control or monitor any of the contents
> being shared we had to have a strict terms of use agreement just to be clear
> that if the terms of use agreement is violated we are not gonna be liable.
>
> On Jun 28, 2013, at 1:06 AM, Ali-Reza Anghaie  wrote:
>
> I had similar confusion when I first started poking around - couldn't
> find a proper LICENSE file and then the ToUs including things that
> read an awful lot like Facebook instead of a distributed
> privacy-centric system.
>
> Including:
>
>

Re: [liberationtech] a privacy preserving and resilient social network

2013-06-28 Thread Ali-Reza Anghaie
Thank you - I read your comments on Diaspora, Tor, I2P, etc. and
through section 4.2.2 (Adversary Model) of your thesis. I find it
curious that some of the issues you're critical of in those systems
you've actually implemented into your own design (e.g. you do have a
central server/trust dependency with the CA). I may go back and
continue reading 5 later as I'm interested in how you implement your
CA model (4.2.1 / 6.1). My questions of the earlier sections probably
would only be addressed further in the thesis. Until next time - good
luck. Cheers, -Ali


On Fri, Jun 28, 2013 at 3:37 AM, Alireza Mahdian
 wrote:
> First of all anonymity is not a goal here. I have to be clear on that. A
> structure similar to I2P or Tor that uses overlay network would be very
> inefficient due to network delays. as for using a Jetty stack we chose Java
> as the language to implement this software in order to have a platform
> independent application in one code base and at it is also supported on
> Android as we are developing a smartphone app as well. Using Java has saved
> us a lot of time getting this app ready for different platforms. The jetty
> is a lightweight Java based web server that also installs on android so
> seemed like a good choice to use to serve the UIs and we chose to use web
> interface to implement the UIs as it feels more like common social networks
> like facebook and google+ also future UI enhancements are easier on a web
> app. as for the user, they are not even aware that a web server is being run
> on their computer as no installation or configuration has been done by the
> user. they only run the MyZone launcher and it opens up the browser loading
> their feed page. We have considered a lot of user feedbacks when we designed
> MyZone. this software has a somewhat complex design and there are so many
> small details involved as well so if you have any further questions
> regarding our design choices I would like to refer you to
> http://joinmyzone.com/Thesis.pdf
>
> On Jun 28, 2013, at 1:17 AM, Ali-Reza Anghaie  wrote:
>
> *nod* Yeah, that was the hint I got.. but the bits about relay
> servers, registration, etc. Let's set those aside.
>
> How do you ~intend~ for this to behave in the wild? Every single
> client w/ a Jetty stack? And - given that footprint - why not start
> within a framework like I2P? (I'm not recommending anything, I'm
> trying to understand without going too far off-kilter.)
>
> -Ali
>
>
> On Fri, Jun 28, 2013 at 3:09 AM, Alireza Mahdian
>  wrote:
>
> those are all to protect our organization (CU Boulder) from any liability.
> also the contents that can be shared on this social network can be pretty
> much anything and since we can't control or monitor any of the contents
> being shared we had to have a strict terms of use agreement just to be clear
> that if the terms of use agreement is violated we are not gonna be liable.
>
> On Jun 28, 2013, at 1:06 AM, Ali-Reza Anghaie  wrote:
>
> I had similar confusion when I first started poking around - couldn't
> find a proper LICENSE file and then the ToUs including things that
> read an awful lot like Facebook instead of a distributed
> privacy-centric system.
>
> Including:
>
> ---
> a. You will not provide any false personal information on MyZone, or
> create an account for anyone other than yourself without permission.
>
> b. You will not create more than one personal profile.
> ---
>
> My guess is this is because of the Uni affiliation right now..
>
> Architecture right now I'm not going to comment on. Going to
> reconsider past biases first.. -Ali
>
>
> On Fri, Jun 28, 2013 at 2:59 AM, Alireza Mahdian
>  wrote:
>
> this is to prevent modifications that would render it as a malware. I
> haven't signed the code yet so I am just protecting myself from such
> liabilities.
>
> On Jun 28, 2013, at 12:51 AM, John Sullivan  wrote:
>
> I like the idea, so I was checking it out. I was confused by this
> statement in the download terms:
>
> Since MyZone Client Application is open source, you will not change any
> part of MyZone’s code without the written approval of MyZone’s copyright
> owner Alireza Mahdian reached at (alireza.mahdian at colorado dot edu).
>
>
> Can you explain what you mean? Usually, something called "open source"
> can be modified without any additional written approval.
>
> -john
>
> --
> John Sullivan | Executive Director, Free Software Foundation
> GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS
>
> Do you use free software? Donate to join the FSF and support freedom at
> <http://www.fsf.org/register_form?referrer=8096>.

Re: [liberationtech] a privacy preserving and resilient social network

2013-06-28 Thread Ali-Reza Anghaie
*nod* Yeah, that was the hint I got.. but the bits about relay
servers, registration, etc. Let's set those aside.

How do you ~intend~ for this to behave in the wild? Every single
client w/ a Jetty stack? And - given that footprint - why not start
within a framework like I2P? (I'm not recommending anything, I'm
trying to understand without going too far off-kilter.)

-Ali


On Fri, Jun 28, 2013 at 3:09 AM, Alireza Mahdian
 wrote:
> those are all to protect our organization (CU Boulder) from any liability.
> also the contents that can be shared on this social network can be pretty
> much anything and since we can't control or monitor any of the contents
> being shared we had to have a strict terms of use agreement just to be clear
> that if the terms of use agreement is violated we are not gonna be liable.
>
> On Jun 28, 2013, at 1:06 AM, Ali-Reza Anghaie  wrote:
>
> I had similar confusion when I first started poking around - couldn't
> find a proper LICENSE file and then the ToUs including things that
> read an awful lot like Facebook instead of a distributed
> privacy-centric system.
>
> Including:
>
> ---
> a. You will not provide any false personal information on MyZone, or
> create an account for anyone other than yourself without permission.
>
> b. You will not create more than one personal profile.
> ---
>
> My guess is this is because of the Uni affiliation right now..
>
> Architecture right now I'm not going to comment on. Going to
> reconsider past biases first.. -Ali
>
>
> On Fri, Jun 28, 2013 at 2:59 AM, Alireza Mahdian
>  wrote:
>
> this is to prevent modifications that would render it as a malware. I
> haven't signed the code yet so I am just protecting myself from such
> liabilities.
>
> On Jun 28, 2013, at 12:51 AM, John Sullivan  wrote:
>
> I like the idea, so I was checking it out. I was confused by this
> statement in the download terms:
>
> Since MyZone Client Application is open source, you will not change any
> part of MyZone’s code without the written approval of MyZone’s copyright
> owner Alireza Mahdian reached at (alireza.mahdian at colorado dot edu).
>
>
> Can you explain what you mean? Usually, something called "open source"
> can be modified without any additional written approval.
>
> -john
>
> --
> John Sullivan | Executive Director, Free Software Foundation
> GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS
>
> Do you use free software? Donate to join the FSF and support freedom at
> <http://www.fsf.org/register_form?referrer=8096>.
>
>
>
> --
> Alireza Mahdian
> Department of Computer Science
> University of Colorado at Boulder
> Email: alireza.mahd...@gmail.com
>
>
>
>
>
> --
> Alireza Mahdian
> Department of Computer Science
> University of Colorado at Boulder
> Email: alireza.mahd...@gmail.com
>
>


Re: [liberationtech] a privacy preserving and resilient social network

2013-06-28 Thread Ali-Reza Anghaie
I had similar confusion when I first started poking around - couldn't
find a proper LICENSE file and then the ToUs including things that
read an awful lot like Facebook instead of a distributed
privacy-centric system.

Including:

---
a. You will not provide any false personal information on MyZone, or
create an account for anyone other than yourself without permission.

b. You will not create more than one personal profile.
---

My guess is this is because of the Uni affiliation right now..

Architecture right now I'm not going to comment on. Going to
reconsider past biases first.. -Ali


On Fri, Jun 28, 2013 at 2:59 AM, Alireza Mahdian
 wrote:
> this is to prevent modifications that would render it as a malware. I
> haven't signed the code yet so I am just protecting myself from such
> liabilities.
>
> On Jun 28, 2013, at 12:51 AM, John Sullivan  wrote:
>
> I like the idea, so I was checking it out. I was confused by this
> statement in the download terms:
>
> Since MyZone Client Application is open source, you will not change any
> part of MyZone’s code without the written approval of MyZone’s copyright
> owner Alireza Mahdian reached at (alireza.mahdian at colorado dot edu).
>
>
> Can you explain what you mean? Usually, something called "open source"
> can be modified without any additional written approval.
>
> -john
>
> --
> John Sullivan | Executive Director, Free Software Foundation
> GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS
>
> Do you use free software? Donate to join the FSF and support freedom at
> <http://www.fsf.org/register_form?referrer=8096>.
>
>
>
> --
> Alireza Mahdian
> Department of Computer Science
> University of Colorado at Boulder
> Email: alireza.mahd...@gmail.com
>
>


[liberationtech] Preso on Gmail vs PGP ..

2013-06-20 Thread Ali-Reza Anghaie
Before I recreate the wheel - anyone have a good reference on material
explaining to people what a Gmail security model vs a PGP end-to-end model
"looks like" to the ~outside~?

It'd be easy to make light of it in NSA terms but I'm trying to get a
realistic depiction of what the "designed" models were to then explain how
they break down to various user sets. Thanks, -Ali

[liberationtech] Twitter "reappearing" message documentation..

2013-04-16 Thread Ali-Reza Anghaie
It became "common" knowledge (read: oft-cited conspiracy) that
reappearing Direct Messages in Twitter were the result of an
investigation.

A few minutes ago it came up again and the EFF was mentioned but
a particular citation could not be found. I figured I would ask here.

Do we have any real documentation or transcripts that indicate that
reappearing messages are actually indicative of anything? And to that
matter - why would compliance be broken in that way if it was anyway
(tipping someone off effectively)?

I'm just curious if there was any real body of work on this or it's
just become repeated speculation over time. Thank you, Cheers, -Ali


Re: [liberationtech] list reply-all

2013-03-20 Thread Ali-Reza Anghaie
Strange how so many are citing security norms for (say) encryption but not
the one that systems should always fail to the safest setting. (Which isn't
always the most "functional".)

I actually prefer it the way it is. Yet I certainly appreciate the
alternative concern and would support the change in deference to ..

-Ali
 On Mar 20, 2013 1:52 PM, "Gregory Foster"  wrote:

 If we're going to require people to use their brains, perhaps it's not too
much to ask that individuals take responsibility for paying attention to
who they are speaking to.

This is not a personally configurable setting on the mailing list software,
and we're relegated to a dualistic choice that cannot satisfy all
participants, yet we still must choose and have previously chosen.  If this
will be a recurring issue, perhaps we should structure a yearly survey/vote.

gf



On 3/20/13 12:37 PM, Matt Mackall wrote:

On Wed, 2013-03-20 at 18:02 +0200, Maxim Kammerer wrote:

 Isn't that a valid point?


No, it's a useless imaginary construct. A valid point would be an
example (preferably, more than one) of such an email on this list,
where it would be possible to debate whether the person actually
deserved losing his job / life for hastily sending said email.


Am I reading this correctly? You need to personally witness someone make
a potentially fatal mistake before you'll take a risk seriously?

If you're unwilling to employ foresight as a decision-making aide, you
may not be taking full advantage of your prefrontal cortex.



-- 
Gregory Foster || gfos...@entersection.org
@gregoryfoster <> http://entersection.com/



Re: [liberationtech] EFF: National Security Letters Are Unconstitutional, Federal Judge Rules

2013-03-15 Thread Ali-Reza Anghaie
Travis, while your sentiment is a familiar feeling to a lot of people -
this is still a significant step. The harder this is pushed, the more
exposure it gets, the more difficult it is to continue to extend the airs
of secrecy in every direction. Indeed you get a sense with the verbiage in
rulings (this, the CIA Drones ruling) that Judges themselves are
increasingly fed up.

These wins, even if not permanent, are very meaningful.

Well done. Well done indeed. -Ali



On Sat, Mar 16, 2013 at 12:29 AM, Travis McCrea  wrote:

> While I would love to cheer this on as a victory, this will be appealed
> and then my only assumption is that the government will keep crying "state
> secrets" until a judge listens and complies stopping all further progress.
> I want to be optimistic, but have watched this happen so many times that
> it's really hard to be.
>
> That being said, congratulations to the EFF and everyone working on this
> because it was (and will continue to be) an uphill battle.
>
> *Travis McCrea*
> Pirate Party of Canada
> The Ultimate Ebook Library
>
> Phone: 1(206)552-8728 US Call/Text
> IRC: irc.freenode.net, irc.pirateirc.net (TeamColtra or TravisMcCrea)
> Web: travismccrea.com
> IM: teamcol...@451.im (jabber) teamcoltra (AIM)
>
> On 2013-03-15, at 8:30 PM, Katitza Rodriguez  wrote:
>
>
>
> Electronic Frontier Foundation Media Release
>
> For Immediate Release: Friday, March 15, 2013
>
> Contact:
>
> Matt Zimmerman
>  Senior Staff Attorney
>  Electronic Frontier Foundation
>  ma...@eff.org
>  +1 415 436-9333 x127
>
> Cindy Cohn
>  Legal Director
>  Electronic Frontier Foundation
>  ci...@eff.org
>  +1 415 436-9333 x108 (office), +1 415 307-2148 (cell)
>
> Kurt Opsahl
>  Senior Staff Attorney
>  Electronic Frontier Foundation
>  k...@eff.org
>  +1 415 436-9333 x106
>
> National Security Letters Are Unconstitutional, Federal
> Judge Rules
>
> Court Finds NSL Statutes Violate First Amendment and
> Separation of Powers
>
> San Francisco - A federal district court judge in San
> Francisco has ruled that National Security Letter (NSL)
> provisions in federal law violate the Constitution.  The
> decision came in a lawsuit challenging a NSL on behalf of
> an unnamed telecommunications company represented by the
> Electronic Frontier Foundation (EFF).
>
> In the ruling publicly released today, Judge Susan Illston
> ordered that the Federal Bureau of Investigation (FBI) stop
> issuing NSLs and cease enforcing the gag provision in this
> or any other case.  The landmark ruling is stayed for 90
> days to allow the government to appeal.
>
> "We are very pleased that the court recognized the fatal
> constitutional shortcomings of the NSL statute," said EFF
> Senior Staff Attorney Matt Zimmerman.  "The government's
> gags have truncated the public debate on these
> controversial surveillance tools.  Our client looks forward
> to the day when it can publicly discuss its experience."
>
> The controversial NSL provisions EFF challenged on behalf
> of the unnamed client allow the FBI to issue administrative
> letters -- on its own authority and without court approval
> -- to telecommunications companies demanding information
> about their customers.  The controversial provisions also
> permit the FBI to permanently gag service providers from
> revealing anything about the NSLs, including the fact that
> a demand was made, which prevents providers from notifying
> either their customers or the public.  The limited judicial
> review provisions essentially write the courts out of the
> process.
>
> In today's ruling, the court held that the gag order
> provisions of the statute violate the First Amendment and
> that the review procedures violate separation of powers.
> Because those provisions were not separable from the rest
> of the statute, the court declared the entire statute
> unconstitutional.  In addressing the concerns of the
> service provider, the court noted: "Petitioner was adamant
> about its desire to speak publicly about the fact that it
> received the NSL at issue to further inform the ongoing
> public debate."
>
> "The First Amendment prevents the government from silencing
> people and stopping them from criticizing its use of
> executive surveillance power," said EFF Legal Director
> Cindy Cohn.  "The NSL statute has long been a concern of
> many Americans, and this small step should help restore
> balance between liberty and security."
>
> EFF first brought this challenge on behalf of its client in
> May of 2011.
>
> For the full order:
> https://www.eff.org/document/nsl-ruling-march-14-2013
>
> For more on this case:
> https://www.eff.org/cases/re-matter-2011-national-security-letter
>
> For this release:
>
> https://www.eff.org/press/releases/national-security-letters-are-unconstitutional-federal-judge-rules
>
> About EFF
>
> The Electronic Frontier Foundation is the leading
> organization protecting civil liberties in the digital
> world. Founded in 1990, we defend free speech online, fight
> ille

Re: [liberationtech] Iranian Internet Infrastructure and Policy Report - Feb 2013

2013-03-11 Thread Ali-Reza Anghaie
To your knowledge, is anyone tracking the disparate efforts that regional pockets of (likely)
Basij are doing? Besides their regular intelligence assistance upstream -
I've heard increasingly different blocking and interference stories from
outside the major population centers.

Excellent report - thank you, -Ali



On Mon, Mar 11, 2013 at 7:49 AM, Collin Anderson
wrote:

> Colleagues,
>
> Early last week, Small Media released the second iteration of its "Iranian
> Internet Infrastructure and Policy Report," which seems particularly
> relevant at this point, especially the comment:
>
> *Where the Supreme Council of Cyberspace promotes new policies on the
> registration of VPNs, we can expect that unregistered VPN connection will
> be blocked and throttled. As VPNs have been one of the most popular
> anti-filtering mechanisms, this rhetoric also highlights the necessity of
> educating users on the new and differing types of anti-filtering
> technologies freely available.*
>
>
> http://smallmedia.org.uk/content/78
>
> For the sake of congruence between past works, I would also point out the
> isolation of the VPN registration site in Iran's private domestic network.
>
> vpn.ir. 3342 IN A 10.201.22.74
>
>
> In the few days since the report was released, a lot has changed, and
> there has been progress in identifying the mechanism for Tor blocking.
>
> https://trac.torproject.org/projects/tor/ticket/8443
>
> I suspect that Tor is not the only service that is subject to these new
> SSL DPI rules and service filtering, however, the extent is not fully clear
> yet.
>
> Cordially,
> Collin
>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.
>
>
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech
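
The observation quoted in the message above, a public name (`vpn.ir`) answering with an address in private space, is something a measurement script can flag automatically. The following is an added example, not part of the original thread: it parses dig-style answer lines and classifies each A record against non-routable address blocks. Only the `vpn.ir` record comes from the quoted message; the other sample lines, the function names and the block labels are assumptions made for illustration.

```python
import ipaddress

# Address blocks that are not routable on the public Internet.
# The labels are this example's own naming, not a standard.
NON_PUBLIC_NETS = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "rfc6598-cgnat": ["100.64.0.0/10"],
    "loopback": ["127.0.0.0/8"],
    "link-local": ["169.254.0.0/16"],
}
NON_PUBLIC_NETS = {
    label: [ipaddress.ip_network(n) for n in nets]
    for label, nets in NON_PUBLIC_NETS.items()
}


def parse_answer(line):
    """Parse one answer line of the form: name TTL class type rdata.

    Returns (name, ttl, IPv4Address) for IN A records, or None for
    anything else (other record types, malformed lines).
    """
    fields = line.split()
    if len(fields) != 5:
        return None
    name, ttl, rrclass, rrtype, rdata = fields
    if rrclass.upper() != "IN" or rrtype.upper() != "A":
        return None
    try:
        return name.rstrip(".").lower(), int(ttl), ipaddress.IPv4Address(rdata)
    except ValueError:
        return None


def classify(addr):
    """Return the label of the non-public block holding addr, else 'public'."""
    for label, nets in NON_PUBLIC_NETS.items():
        if any(addr in net for net in nets):
            return label
    return "public"


def flag_private_answers(lines):
    """Return (name, address, label) for every A record in non-public space."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        parsed = parse_answer(line)
        if parsed is None:
            continue
        name, _ttl, addr = parsed
        label = classify(addr)
        if label != "public":
            findings.append((name, str(addr), label))
    return findings


# First record is the one quoted in the message; the rest are constructed.
SAMPLE = """\
;; ANSWER SECTION (constructed sample input)
vpn.ir. 3342 IN A 10.201.22.74
dns.google. 300 IN A 8.8.8.8
intranet.example. 60 IN A 100.64.7.9
malformed line here
"""

if __name__ == "__main__":
    for name, addr, label in flag_private_answers(SAMPLE.splitlines()):
        print(f"{name} -> {addr} ({label})")
```

A name flagged this way is only reachable from inside the network that routes that private block, which is the isolation the quoted message describes.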

Re: [liberationtech] Tor Exit Nodes Mapped and Located | HackerTarget.com

2013-03-10 Thread Ali-Reza Anghaie
Jacob also shared his map tool (updated every 5m):

http://freehaven.net/~ioerror/maps/v3-tormap.html

-Ali



On Sun, Mar 10, 2013 at 9:23 PM,  wrote:

> On Sun, 10 Mar 2013 11:32:20 -0700
> Yosem Companys  wrote:
>
> > http://hackertarget.com/tor-exit-node-visualization/
> >
> > Tor Exit Nodes Located and Mapped
>
> Tor includes a Network Map which also maps nodes across a Mercator
> projection of the globe. I don't understand this fetish with Google
> mapping everything (why not openstreetmap? why not doing lat/long
> coordinate mapping on your own map?). However, it apparently exists. Ok,
> moving on.
>
> The usage of blutmagie is an interesting choice, when
> https://metrics.torproject.org/ and https://compass.torproject.org/ and
> https://atlas.torproject.org/ all exist with gobs more data, including
> the raw source data on which all of those sites are built. Freegeoip.net
> uses the same MaxMind GeoList database we do. Google has its own GeoIP
> database as well. I wonder which one is most accurate.
>
> What's more valuable to me is the list of exit relays by ISP.
> Intuitively, it makes sense. Cheap, well-connected server providers are
> going to be attractive to those running Tor relays (exits or not). I
> take this list to mean, "this is the list of ISPs who care about
> Internet freedom". It sure seems small.
>
> The other implication here is that Tor exits can be monitored. Yes, we
> know. We've been saying this for a decade. Here's one blog post about
> it, https://blog.torproject.org/blog/plaintext-over-tor-still-plaintext.
> It's part of the reason the EFF and Tor write HTTPS Everywhere for
> Chrome and Firefox, https://www.eff.org/https-everywhere.
>
> Your ISP can watch your traffic too, and inject ads or redirect DNS. In
> fact, there's a billion dollar market for traffic management at ISPs.
> I'm assuming this means the providers are looking to manage Tor traffic
> as well.
>
> For me, the visualization is a cool map, a product pitch for
> hackertarget llc, and just raises some implications for operational
> security.
>
> Larger questions it raises in my mind are about AS-aware routing,
> what does it mean to have a large concentration of exit relays in
> pro-freedom ISPs, and what about legal jurisdictions and MLATs?
>
> There is some on-going work on the AS-awareness question, see
> http://freehaven.net/anonbib/bibtex.html#DBLP:conf:ccs:EdmanS09 and
> http://freehaven.net/anonbib/bibtex.html#oakland2012-lastor and
> http://freehaven.net/anonbib/bibtex.html#ndss13-lira
>
> As for some measurement of anonymity and risk modulo concentration of
> exit relays? Who knows. Sounds like a fine project.
>
> And I know of at least one group working on the MLAT and legal
> arbitrage question as it relates to tor circuits and relays.
>
> I look forward to more analysis and proposed research theories to
> improve the Tor network in the future.
>
> --
> Andrew
> http://tpo.is/contact
> pgp 0x6B4D6475
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at compa...@stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>

Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail

2013-03-10 Thread Ali-Reza Anghaie
Looks like voices were heard - and other work was done -

http://www.mailvelope.com/blog/security-audit-and-v0.6-release

-Ali



On Mon, Dec 17, 2012 at 5:27 AM, Karel Bílek  wrote:

> Because Thomas (the original developer of Mailvelope) wanted to let
> the extension work as it was, with the unsecure encryption inside DOM,
> I decided to fork his project and make a new one, which both encrypts
> and decrypts in a secure chrome pop-up.
>
> It's here, it's called ChromeGP.
> https://cryptoparty.cz/ChromeGP/
>
> Available on chrome web store here
>
> https://chrome.google.com/webstore/detail/chromegp/pebhdbojdpjfidjbneklefmpojncdpmf
>
> and on github here
> https://github.com/runn1ng/ChromeGP
>
> There are two big issues with it - first is missing signing/signature
> control (which should be easy to implement, but we will see) and the
> second is OpenPGP's trouble with zip compression inside PGP (which,
> unfortunately, causes the default Thunderbird/Enigmail encryption fail
> to decrypt, I think).
>
> Feel free to share and/or criticize :)
>
> K
>
> On Thu, Dec 13, 2012 at 1:24 PM, Eugen Leitl  wrote:
> > - Forwarded message from StealthMonger -
> >
> > From: StealthMonger 
> > Date: Wed, 12 Dec 2012 23:22:28 + (GMT)
> > To: liberationtech 
> > Subject: Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
> > Reply-To: liberationtech 
> >
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > Uncle Zzzen  writes:
> >
> >> [Weighty argument compelling closer study.]
> >
> > So unless and until the Mailvelope author(s) remedy this, support for
> > Mailvelope has to be muted.
> >
> > However, comparison with Cryptocat is still unfitting because
> > Cryptocat does not even pretend to do store-and-forward authenticated
> > email using public key cryptography.  In fact, its author asserts [1]
> >
> >    2. Cryptocat does not mean to compete with GPG, it means to replace
> >    *plaintext.*
> >
> > [1] Date: Mon, 6 Aug 2012 18:14:33 -0700 Message-ID:
> > 
> >
> > - --
> >
> >
> >  -- StealthMonger 
> > Long, random latency is part of the price of Internet anonymity.
> >
> >anonget: Is this anonymous browsing, or what?
> >
> http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain
> >
> >stealthmail: Hide whether you're doing email, or when, or with whom.
> >mailto:stealthsu...@nym.mixmin.net?subject=send%20index.html
> >
> >
> > Key: mailto:stealthsu...@nym.mixmin.net?subject=send%20stealthmonger-key
> >
> > -BEGIN PGP SIGNATURE-
> > Version: GnuPG v1.4.10 (GNU/Linux)
> > Comment: Processed by Mailcrypt 3.5.9  >
> >
> > iEYEARECAAYFAlDI34wACgkQDkU5rhlDCl7RugCggOoq0oclCcZ/F2LPjUs3BIb5
> > AcUAnjeOtCVCLKzyqETqPvU1kFsgPnRk
> > =d7cd
> > -END PGP SIGNATURE-
> >
> > --
> > Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >
> > - End forwarded message -
> > --
> > Eugen* Leitl http://leitl.org
> > __
> > ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> > 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

Re: [liberationtech] Can HAM radio be used for communication between health workers in rural areas with no cell connectivity?

2013-03-06 Thread Ali-Reza Anghaie
Dr. Dey,

It appears you left the list off the response to me. Likewise it appears you
have been dropped from the list discussion. You can see everyone's
responses at:

https://mailman.stanford.edu/pipermail/liberationtech/2013-March/thread.html
(Scroll toward bottom for thread)

The Android HAM option is software control of an external HAM receiver or a
web-site that relays HAM radio groups. It is not an actual radio solution
and will require the regular cellular data network to function - which
defeats the purpose of what you require.

Good luck, Cheers, -Ali



On Wed, Mar 6, 2013 at 7:39 PM, Dr.Tusharkanti Dey <
dr.tusharkanti...@gmail.com> wrote:

> Dear All,
>
> Thank you very much for your inputs.
>
> Transmission of voice communication in tribal inhabited hilly areas is
> really difficult as the strength of the signals from mobile transmission
> towers is almost nil. I thought that the solution in this situation can be
>
> 1. Setting up of mobile signal strength boosters.
>
> 2. Setting up mid range wifi system.
>
> Both these options are not suitable for our organisation as our resources
> are limited to bear the cost.
>
> Android phones are available in Indian markets at a price of Rs. 3000/- to
> 4000/- (approximately), whereas HAM radio transceivers are more
> costly. Also, HAM radio operators transmit valuable voice communications in
> times of emergencies. Why can this not be used for voice communication in
> difficult areas while HAM radio transceivers can be installed on Android
> phones? Will anybody please reply in detail?
>
> If HAM radio cannot be applied, what are the other low cost solutions? My
> intention is that voice communication will be transmitted between
> headquarters to health workers and amongst health workers. I would like to
> transmit voice over an area of 10-20 sq. km.
>
> Thanks,
>
> Dr.Tusharkanti Dey
> On Mar 7, 2013 1:38 AM, "Ali-Reza Anghaie"  wrote:
>
>> I'm assuming privacy issues are of minimal concern given the other
>> problems at play here - I could be wrong but bear with me.
>>
>> Trying to think of lowest-cost, reliable, easiest to expand and re-deploy
>> without a telco or other licensing.
>>
>> I wonder if a low-bandwidth text HF APRS (
>> http://www.aprs.org/aprs-messaging.html) option with a laminated deck of
>> shorthand medical terms would be a reasonable remote field option? About
>> as rudimentary as you get but considering a worst case scenario - it
>> might just work. -Ali
>>
>>
>>
>> On Tue, Mar 5, 2013 at 9:15 PM, Sky (Jim Schuyler)  wrote:
>>
>>> Since "HAM" (amateur radio) is real radio, not phone, an Android app
>>> wouldn't use it directly. The app might -control- an amateur radio
>>> remotely, and there is software available to do this. However, I'm not sure
>>> what benefit it would bring to this project.
>>>
>>> In the US, amateur radio operators must send all information in "clear
>>> text," and encryption is illegal, thus you would not want to try to
>>> exchange medical info because you'd need to encrypt it. In other countries
>>> it -should- be illegal to transmit medical info in the clear, so I'd
>>> suggest avoiding this.
>>>
>>> Also, "high frequency" amateur radio doesn't have sufficient bandwidth
>>> to transfer much digital information. VHF/UHF does in theory, but in
>>> general amateur radio operators restrict their bandwidth and the maximum
>>> usable transfer rate is under 9600 baud. i.e. very slow.
>>>
>>> -Sky  AA6AX
>>>
>>>  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>>> - - - -
>>> Sky (Jim Schuyler, PhD)
>>> -We work backstage so you can be the star
>>> Blog: http://blog.red7.com/
>>> Phone: +1.415.759.7337
>>> PGP Keys: http://web.red7.com/pgp
>>>
>>> On Mar 5, 2013, at 5:47 PM, ITechGeek  wrote:
>>>
>>> Depends on what information you might be transmitting and the specific
>>> laws of the local country/countries involved.
>>>
>>> HAMs have to be licensed through the local countries licensing
>>> authority (in the case of the US would be the FCC).
>>>
>>> Under US you could probably get away with allowing them to coordinate
>>> if it is non-profit in nature, but you would not be able to discuss
>>> any medical information that would allow a third party to possibly
>>> identify the patient.
>>>
>>> And some countries are very restrictive on who can get HAM licenses
>

Re: [liberationtech] Can HAM radio be used for communication between health workers in rural areas with no cell connectivity?

2013-03-06 Thread Ali-Reza Anghaie
I'm assuming privacy issues are of minimal concern given the other problems
at play here - I could be wrong but bear with me.

Trying to think of lowest-cost, reliable, easiest to expand and re-deploy
without a telco or other licensing.

I wonder if a low-bandwidth text HF APRS (
http://www.aprs.org/aprs-messaging.html) option with a laminated deck of
shorthand medical terms would be a reasonable remote field option? About
as rudimentary as you get but considering a worst case scenario - it might
just work. -Ali



On Tue, Mar 5, 2013 at 9:15 PM, Sky (Jim Schuyler)  wrote:

> Since "HAM" (amateur radio) is real radio, not phone, an Android app
> wouldn't use it directly. The app might -control- an amateur radio
> remotely, and there is software available to do this. However, I'm not sure
> what benefit it would bring to this project.
>
> In the US, amateur radio operators must send all information in "clear
> text," and encryption is illegal, thus you would not want to try to
> exchange medical info because you'd need to encrypt it. In other countries
> it -should- be illegal to transmit medical info in the clear, so I'd
> suggest avoiding this.
>
> Also, "high frequency" amateur radio doesn't have sufficient bandwidth to
> transfer much digital information. VHF/UHF does in theory, but in general
> amateur radio operators restrict their bandwidth and the maximum usable
> transfer rate is under 9600 baud. i.e. very slow.
>
> -Sky  AA6AX
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Sky (Jim Schuyler, PhD)
> -We work backstage so you can be the star
> Blog: http://blog.red7.com/
> Phone: +1.415.759.7337
> PGP Keys: http://web.red7.com/pgp
>
> On Mar 5, 2013, at 5:47 PM, ITechGeek  wrote:
>
> Depends on what information you might be transmitting and the specific
> laws of the local country/countries involved.
>
> HAMs have to be licensed through the local countries licensing
> authority (in the case of the US would be the FCC).
>
> Under US you could probably get away with allowing them to coordinate
> if it is non-profit in nature, but you would not be able to discuss
> any medical information that would allow a third party to possibly
> identify the patient.
>
> And some countries are very restrictive on who can get HAM licenses
> due to the potential to get around their propaganda controls.  Also
> rules can change based on frequencies being used cause lower
> frequencies can transmit further.
>
> Can you provide the country or countries involved?
>
>
> ---
> -ITG (ITechGeek)
> i...@itechgeek.com
> https://itg.nu/
> GPG Keys: https://itg.nu/contact/gpg-key
> Preferred GPG Key: Fingerprint: AB46B7E363DA7E04ABFA57852AA9910A DCB1191A
> Google Voice: +1-703-493-0128 / Twitter: ITechGeek / Facebook:
> http://fb.me/Jbwa.Net
>
>
> On Tue, Mar 5, 2013 at 8:07 PM, Yosem Companys 
> wrote:
>
> From: Dr. Tusharkanti Dey 
>
> Dear All,
>
> I am proposing to set up an ICT based health project in tribal areas with
> poor infrastructural facilities with poor cell phone connectivity due to
> unstable signal strengths. I have learnt that HAM radio software from
> HamSphere is downloadable on Android phones. I would like to know whether
> these Android phones with HAM radio software installed can be used for
> voice communication between health workers
> themselves and with headquarters staff. Will it be legally permissible and
> what technical requirements will be needed to set up such a system? The other
> alternatives of setting up mobile signal boosters or long distance WiFi
> hubs are currently not affordable to our limited resource organisation.
>
> Thanks,
> Dr.Tusharkanti Dey

[liberationtech] Silent Circle for human rights orgs..

2013-02-17 Thread Ali-Reza Anghaie
I believe this is new from them and perhaps in response to libtech's
ongoing discussions.

https://silentcircle.com/web/human-rights/

"*If you are a leader, executive or organizer within an active human rights
group, which we can gather information on to establish bona fides, then
please fill out the form below. We are interested in providing you with a
limited number of free subscription packages for dissemination amongst your
network in order to protect individual privacy and anonymity. We would like
to build a relationship with you in order to best understand your
constraints and requirements. We will use the information that you provide
in this form to conduct open-source research upon your organization, its
affiliates, your areas of activity and your open-source history.*"

Cheers, -Ali

[liberationtech] Fwd: Answers to some of your questions (Silent Circle responds..)

2013-02-14 Thread Ali-Reza Anghaie
Mr. Jon Callas of Silent Circle was kind enough to field questions on
another list and also pay attention to the Pastebit of the pad everyone was
commenting on before things went awry.

See the below - complete with an invitation for cool ideas w/ resumes.

Thank you VERY much to Mr. Callas for entering the fray and helping tune
the accuracy of the overall discussion. Cheers, -Ali


-- Forwarded message --
From: Jon Callas 
Date: Thu, Feb 14, 2013 at 11:28 AM
Subject: Answers to some of your questions
To: Ali-Reza Anghaie 
Cc: Jon Callas 


Hi, Ali-Reza.

I saw your pastebit with some questions, and let me answer. You may repost
this mail to liberation tech or anywhere else.

* A Latvian company wrote most of the software, not SilentCircle

When we formed Silent Circle, we looked around for people to partner with.
We selected Tivi because they're really cool people -- I used their
ZRTP-enabled VOIP client back in the days when I had a Nokia N95. We picked
them in part because they were willing to release source code. (Other
potential partners were not willing.)

Our partnership with them includes that code base, and that they work for
us full-time now. They're some of our main developers now.

I have a bit of a raised eyebrow at this comment. (Yes, I know it's not
your words, you're also explaining.) It sounds to me like whoever is making
that comment is implying that there's something wrong with Latvia. Riga was
for many, many years a center of European high-tech until the dark days of
WWII and Soviet occupation. It's a lovely place filled with incredibly
smart, friendly people. It is a part of the EU, and also a NATO nation. Our
team in Riga. We picked them because they rock.

Perhaps the comment comes from the fact that they were in business before
our partnership. It's relatively common in high-tech that companies enter
into partnerships with others. Google, Microsoft, Apple, Facebook, and
others often use some sort of relationship like this to get software or
technologies that they didn't have, so that it speeds up development. We
are hardly unique in this.

Perhaps I don't understand. If someone could explain the objection to me,
I'm happy to address it further.

* Application is designed for VoIP, not specifically for Security

It's a secure VOIP client. Because of its history, there's a lot of latent
capability in it that is VOIP related. Is there an actual question or
objection?

* It does use an outdated SSL library (PolarSSL 1.1.1) with some known
security vulnerabilities ?

No, we're using PolarSSL 1.1.4. We did not include the PolarSSL code in the
drop because we didn't want to figure out the licensing details.

* It does not use LibZRTP by Philip Zimmermann used in Zfone but ZRTPCPP

That is correct. We're using Werner Dittmann's library. We like it. We like
it so much that Werner is working for us. Werner rocks.

* It does use an outdated version of ZRTPCPP library?

I don't believe so. If anything, we're using a version of it that is newer
than anyone else's; Werner works for us, now.

Should we need to release a new version, we will.

* It does reveal their test/development server?

- "I wonder if they are hiring new iOS devs now?"

Yes, we are. We also need Android devs, and need them more than iOS devs.
Feel free to send résumés to . Note that we are a
highly-distributed company with developers and staff stretched from Latvia
to Greece, to the Pacific West. Location almost does not matter. 31337
skillz do.

I will also note that the code of the VOIP system is the same across all
our apps. It gets compiled for iOS and Android, as well as Windows (Silent
Eyes). Each OS has its own UX skin on top of the code VOIP system.

- "I'd say anything that gets Silent Circle to actually answer questions
proper is useful, if that is the result."

Feel free to send questions to me, or to "secur...@silentcircle.com"

* In ./silentphone/tiviengine/prov.cpp there is some kind of provisioning
protocols, used probably to auto-configure the voip clients.

Good catch! Yes, indeed, we provision the clients ourselves. Silent Circle
is a *SERVICE* not an app.

* It should be evaluated the capability for a government
censoring/filtering host to block the user out by blocking
accounts.silentcircle.com or sccps.silentcircle.com. Maybe some dynamic
methods is in place?

We'd love to hear suggestions. If someone's suggestion is particularly
clever, feel free to attach a résumé.

* It should be asked what are the privacy handling for those data and if
those can be additionally "privacy enforced" .

Feel free to ask. I don't understand the question, myself.

* QUESTION: What this certificate is used for ?
TODO: We should check to see if this certificate is used for TLS
Validation? If so that's cool, that it does not rely on third party CA.

G

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-14 Thread Ali-Reza Anghaie
Nadim,

While I ~entirely~ agree this sucks and you've been mercilessly and
tastelessly trolled - if you're inferring there was any relation to the SC
code being swapped out - that's an irrelevant and unnecessary stretch.

Let's look at it from the other side w/ the same irrelevant
and unnecessary stretching..

Early in the pad you admitted to jumping the gun and people were already
calling you out. You even, if you recall, said there may be a point to
criticizing you for all the LOLing comments and such. You were - for all
intents and purposes - an ass early on. You did admit that in a lengthy
back-and-forth with one of the anonymous parties before the whole
conversation and your LOLing were deleted. I think deleted by you with
humility and the intention of drawing attention back to the task at hand -
or one could speculate you just don't want any evidence you were a jerk
(and that would be unfair I think you'd agree). Whoever (or how many ever)
are/were trolling you were bringing up Slashdot, the CSIS incident,
Cryptocat, etc. etc. and seems to have it out for you. I'm not convinced
that's at all related to SC itself - just mostly pissing on you for
behavior.

I only write that narrative out because you repeatedly exclude yourself
from ~any~ criticism when it comes to "reporting back" to the list. This
too, like the mysterious trolling, can lead to conspiracy chains of
thoughts. And I'm certain you don't appreciate that unfounded inference
any more than any other party does. So don't further promote that cycle.

Regarding the SC code swap itself - as I pointed out (but has also been
lost in the noise) there were two different github profiles to the same
person and it appeared that all that really happened (besides a codebase
update) was that the acct he was using for non-SC stuff was used to
initially upload silent-phone-base and that whole account's worth of stuff
was pulled and re-uploaded under the account that originally setup all the
SC stuff. Occam's Razor applies here.

-Ali



On Thu, Feb 14, 2013 at 9:43 AM, Nadim Kobeissi  wrote:

> The collaborative platform which we've been using to inspect Silent
> Circle's code (and where we were making good progress) has been
> continuously vandalized for the past seven hours straight. Yes, that's
> someone who's been on that pad for literally seven hours trying to prevent
> collaboration. They've specifically been flooding the pad with insults
> directed at me, and nothing else. This happened shortly after Silent Circle
> code was taken offline for around 20 minutes.
>
> This really makes me wonder who would have the tenacity to attempt to stop
> collaborative auditing of Silent Circle for seven straight hours, and would
> coincidentally happen to have some apparently very real hatred towards me.
>
>
> NK
>
>
> On Thu, Feb 14, 2013 at 8:54 AM, Joseph Lorenzo Hall  wrote:
>
>>
>> On Feb 14, 2013, at 7:35, Petter Ericson  wrote:
>>
>> > And various license headers (BSD-style afaict - not a license expert)
>>
>> I'm no licensing expert but do think about them a lot... it looks like a
>> non-commercial-uses version of a BSD-style license. That's much better than
>> what I've seen before with code released for "review and testing only"-like
>> licenses. best, Joe

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Ali-Reza Anghaie
Before the pad was ruined we also found out that:

- TiViPhone seems to be part of Silent Circle, (c) and all.. the lead
developers are listed on SC's founding page.
- Likewise the libraries noted, except PolarSSL, also seem to be development
led by people now working for Silent Circle.
- Nadim admittedly jumped the gun on snprintf() issue
- We can't verify the libraries used or any of the code against the binary
builds

Etc.

So the skewering was premature. The pad, with other commentary, before it
was ruined is DLable at http://pastebit.com/pastie/12001 .. the revision
history slider still works but who knows how long as someone is mercilessly
trolling Nadim through it now. -Ali



On Wed, Feb 13, 2013 at 11:51 PM, Nadim Kobeissi  wrote:

> So to recap:
> It hasn't been a few hours since Silent Circle released *some* of their
> source code, and we already know that:
>
>
>    1. Silent Circle isn't in built to be a secure communications
>    platform, but is simply a rebranding of TiviPhone, a Latvian-made VoIP
>    software, with added encryption libraries,
>    2. The encryption libraries are themselves not developed by Silent
>    Circle, but are third party libraries,
>    3. The third party libraries are in some cases outdated, even in the
>    face of security advisories,
>    4. There's a good possibility of a buffer overflow being there
>    somewhere, with over 40 uses of snprintf().
>
> I know what I'm doing this weekend! :D
>
>
> NK
>
>
> On Wed, Feb 13, 2013 at 11:33 PM, Nathan of Guardian <
> nat...@guardianproject.info> wrote:
>
>> Fabio Pietrosanti (naif):
>> > Here some notes i collected with a quick review of the source code:
>>
>> I can see the headlines now...
>>
>> "Cryptography super-group more like a cover band"
>> "Cryptography Boy Band covers Latvian super-group"
>> "Cryptography super-group? More like Milli Vanilli!"
>>
>> or perhaps simply:
>> "SilentCircle's premiere product was outsourced, and based on
>> out-of-date security libraries with known bugs"
>>
>> Finally, just to be clear, I have nothing against re-using code,
>> especially open-source projects that are complimentary. This is exactly
>> what we have done for our work on OSTN/OStel.
>>
>> I do have a problem with people representing software they license from
>> someone else as their own brilliant, weaved-by-the-gods invention.
>>
>> +n
>>
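The two snprintf() remarks in the message above (the quoted "over 40 uses" and the note that the alarm was premature) turn on what the function guarantees. As an added example, not code from Silent Circle or from any poster: snprintf() never writes past the size it is given, so reviewing such call sites means checking how the return value is used. The names `buf_appendf` and `unchecked_next_room` and the sample strings are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded append. */
enum append_status { APPEND_OK = 0, APPEND_TRUNCATED = 1, APPEND_ERROR = 2 };

/*
 * Append formatted text at buf[*off] without writing past buf[cap-1].
 * vsnprintf() returns the length the full output WOULD have had, so a
 * return value >= the remaining room means truncation, not bytes written.
 */
static enum append_status buf_appendf(char *buf, size_t cap, size_t *off,
                                      const char *fmt, ...)
{
    if (buf == NULL || off == NULL || cap == 0 || *off >= cap)
        return APPEND_ERROR;

    size_t room = cap - *off;              /* at least 1 here */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *off, room, fmt, ap);
    va_end(ap);

    if (n < 0) {                           /* format or encoding error */
        buf[*off] = '\0';
        return APPEND_ERROR;
    }
    if ((size_t)n >= room) {               /* output was cut short */
        *off = cap - 1;                    /* offset of the terminating NUL */
        return APPEND_TRUNCATED;
    }
    *off += (size_t)n;
    return APPEND_OK;
}

/*
 * The size argument that the unchecked idiom
 *     off += snprintf(buf + off, cap - off, ...);
 * would pass on its NEXT call. When off + n exceeds cap the subtraction
 * wraps in size_t, so the next call would be told it has a huge buffer.
 * This function only computes that number; it writes nothing.
 */
static size_t unchecked_next_room(size_t cap, size_t off, int n)
{
    return cap - (off + (size_t)n);
}

int main(void)
{
    char buf[16];                          /* constructed sample buffer */
    size_t off = 0;

    enum append_status a = buf_appendf(buf, sizeof buf, &off, "sip:%s", "alice");
    printf("first append:  status=%d off=%zu buf=\"%s\"\n", (int)a, off, buf);

    enum append_status b = buf_appendf(buf, sizeof buf, &off, "@%s",
                                       "example.invalid");
    printf("second append: status=%d off=%zu buf=\"%s\"\n", (int)b, off, buf);

    /* Same inputs through the unchecked arithmetic: 16 - (9 + 16) wraps. */
    printf("unchecked next size argument: %zu\n",
           unchecked_next_room(sizeof buf, 9, 16));
    return 0;
}
```

A call count alone says nothing either way; the call sites that matter in review are the ones that reuse the return value as a length or offset without the truncation check.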

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Ali-Reza Anghaie
The last useful version of the Silent Circle pad before troll-erasing is at
http://pastebit.com/pastie/12001 if you want to DL it..

Useful has varying definitions. Cheers, -Ali



On Thu, Feb 14, 2013 at 12:30 AM, Nadim Kobeissi  wrote:

> Who is light green on the etherpad??
>
>
> NK
>
>
> On Thu, Feb 14, 2013 at 12:13 AM, Ali-Reza Anghaie 
> wrote:
>
>> The TiVi rebranding page is gone but the cache:
>>
>>
>> https://webcache.googleusercontent.com/search?q=cache:http://rebrand.tiviphone.com/
>>
>> It would be utterly bizarre if Silent Circle started as a $199 euro
>> investment. I just can't swallow that. Not, by default, a negative
>> attribute - just - whacky.
>>
>> I really hope they start responding more specifically soon. -Ali
>>
>>
>>
>> On Thu, Feb 14, 2013 at 12:01 AM, Fabio Pietrosanti (naif) <
>> li...@infosecurity.ch> wrote:
>>
>>> Wait, wait, I just read some code around but without taking care much
>>> about the logic of the code itself.
>>>
>>> So there is stuff that should be checked more in detail by someone
>>> else, notes also by other people ended up on that sort of
>>> collaborative/chaotic pad https://pad.riseup.net/p/silentcircle .
>>>
>>> -naif
>>>
>>> On 2/14/13 5:54 AM, Nadim Kobeissi wrote:
>>> > Fabio just discovered that Silent Phone derives device IDs by hashing
>>> > the device IMEI with MD5...
>>> >
>>> > WOW
>>> >
>>> >
>>> > NK
>>> >

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-13 Thread Ali-Reza Anghaie
The TiVi rebranding page is gone but the cache:

https://webcache.googleusercontent.com/search?q=cache:http://rebrand.tiviphone.com/

It would be utterly bizarre if Silent Circle started as a $199 euro
investment. I just can't swallow that. Not, by default, a negative
attribute - just - whacky.

I really hope they start responding more specifically soon. -Ali



On Thu, Feb 14, 2013 at 12:01 AM, Fabio Pietrosanti (naif) <
li...@infosecurity.ch> wrote:

> Wait, wait, I just read some code around but without taking care much
> about the logic of the code itself.
>
> So there is stuff that should be checked more in detail by someone
> else, notes also by other people ended up on that sort of
> collaborative/chaotic pad https://pad.riseup.net/p/silentcircle .
>
> -naif
>
> On 2/14/13 5:54 AM, Nadim Kobeissi wrote:
> > Fabio just discovered that Silent Phone derives device IDs by hashing
> > the device IMEI with MD5...
> >
> > WOW
> >
> >
> > NK
> >

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
I do have to wonder why they've twice mentioned embargoed countries they
couldn't sell to legally anyway.

Is there something I'm missing about ~selling~ dissidents solutions in Iran
and NK? US Government have an exception for that? -Ali
On Feb 7, 2013 4:38 PM, "Nadim Kobeissi"  wrote:

> “I tell them go ahead and use Skype — I don’t even want to talk to you.
> This is for serious people interested in serious cryptography,” Zimmermann
> said. “We are not Facebook. We are the opposite of Facebook.”
>
> http://bits.blogs.nytimes.com/2013/02/05/security-pioneer-creates-service-to-encrypt-phone-calls-and-text-messages/
>
>
> NK
>
>
> On Thu, Feb 7, 2013 at 4:32 PM, Nadim Kobeissi  wrote:
>
>> The latest "unbreakable even by a supercomputer" article includes
>> artistic, black and white photographs of Phil Zimmermann and John Callas:
>>
>> http://www.dailymail.co.uk/sciencetech/article-2274597/How-foil-eavesdroppers-The-smartphone-encryption-app-promises-make-communications-private-again.html#axzz2KDR1XKE6
>>
>>
>> NK
>>
>>
>> On Thu, Feb 7, 2013 at 4:15 PM, Ali-Reza Anghaie wrote:
>>
>>> And even the "proponents" already have. Here, elsewhere, .. Nobody is
>>> happy at technically ignorant gee-whiz journalism.
>>>
>>> The discussion has been, a few times now, how we tend to speak out about
>>> it. And what busses people on the same side seem willing to throw each
>>> other under. Gods know why. -Ali
>>>  On Feb 7, 2013 3:46 PM, "Jillian C. York" 
>>> wrote:
>>>
>>>> I'm not going to get into the politics or pettiness of this because
>>>> frankly, I don't care.
>>>>
>>>> But this headline
>>>> <http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market>
>>>> and the accompanying claims of unbreakability are so incredibly egregious
>>>> that I would expect *every single person on this list* to speak out
>>>> against those (claims, that is), regardless of their feelings on the actual
>>>> product.
>>>>
>>>>
>>>>
>>>> On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys 
>>>> wrote:
>>>>
>>>>> Just as a reminder, please let's all try to refrain from engaging in
>>>>> any personal attacks.  We all build and use liberationtech to make a
>>>>> difference in various ways, and we're bound to have disagreements.  But
>>>>> let's not forget that we're all working toward the same broad goal of
>>>>> making people's lives better.  Otherwise, we would likely not be on this
>>>>> list.
>>>>>
>>>>> Best,
>>>>>
>>>>> YC
>>>>>
>>>>> On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie wrote:
>>>>>
>>>>>> Douglas, I'm not sure many people are disagreeing with the end-goals
>>>>>> and even Zimmermann acknowledges the window for verifiable source proof is
>>>>>> closing fast (longer than many would have liked as-is).
>>>>>>
>>>>>> My comments to Nadim are coming from a tact perspective - if the goal
>>>>>> is to gain wider adoption and recognition for all the community work,
>>>>>> good projects, verified projects, etc. etc. then it helps when you play
>>>>>> in the sandboxes occupied by more than the hackers and programmers
>>>>>> making it happen.
>>>>>>
>>>>>> It's not uncommon to have people, who need solutions the most, to be
>>>>>> afraid of projects because of the "main name" associated with them after
>>>>>> some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo =
>>>>>> OpenBSD, etc. etc.
>>>>>>
>>>>>> It's easy to tell everyone else to pound sand or to roll all activist
>>>>>> causes into one for the collective libtech "us" - it's not so easy when
>>>>>> we take it elsewhere. Just trying to see how we can promote things that
>>>>>> look less like personal gripes and trolls - and more like building
>>>>>> something useful. -Ali
>>>>>>
>>>>>>
>>>>>>

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
And even the "proponents" already have. Here, elsewhere, .. Nobody is happy
at technically ignorant gee-whiz journalism.

The discussion has been, a few times now, how we tend to speak out about
it. And what busses people on the same side seem willing to throw each
other under. Gods know why. -Ali
 On Feb 7, 2013 3:46 PM, "Jillian C. York"  wrote:

> I'm not going to get into the politics or pettiness of this because
> frankly, I don't care.
>
> But this headline
> <http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market>
> and the accompanying claims of unbreakability are so incredibly egregious
> that I would expect *every single person on this list* to speak out
> against those (claims, that is), regardless of their feelings on the actual
> product.
>
>
>
> On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys wrote:
>
>> Just as a reminder, please let's all try to refrain from engaging in any
>> personal attacks.  We all build and use liberationtech to make a
>> difference in various ways, and we're bound to have disagreements.  But
>> let's not forget that we're all working toward the same broad goal of
>> making people's lives better.  Otherwise, we would likely not be on this
>> list.
>>
>> Best,
>>
>> YC
>>
>> On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie 
>> wrote:
>>
>>> Douglas, I'm not sure many people are disagreeing with the end-goals and
>>> even Zimmermann acknowledges the window for verifiable source proof is
>>> closing fast (longer than many would have liked as-is).
>>>
>>> My comments to Nadim are coming from a tact perspective - if the goal is
>>> to gain wider adoption and recognition for all the community work, good
>>> projects, verified projects, etc. etc. then it helps when you play in the
>>> sandboxes occupied by more than the hackers and programmers making it happen.
>>>
>>> It's not uncommon to have people, who need solutions the most, to be
>>> afraid of projects because of the "main name" associated with them after
>>> some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD,
>>> etc. etc.
>>>
>>> It's easy to tell everyone else to pound sand or to roll all activist
>>> causes into one for the collective libtech "us" - it's not so easy when we
>>> take it elsewhere. Just trying to see how we can promote things that look
>>> less like personal gripes and trolls - and more like building something
>>> useful. -Ali
>>>
>>>
>>>
>>> On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas  wrote:
>>>
>>>> Can Silent Circle promoters explain why Zimmermann is excused from
>>>> Kerckhoffs's principle?
>>>>
>>>> Is it because something unverifiable is allegedly better than nothing?
>>>> Even if we had divine knowledge to tell us Silent Circle is secure,
>>>> isn't it an overriding problem to encourage lock-in of closed source
>>>> being acceptable for something as common as text-messaging?
>>>>
>>>> It is good to have a scrappy talented young person such as Nadim being
>>>> pesky to older, accepted people.
>>>>
>>>>
>>>> On 02/07/2013 09:45 AM, Julien Rabier wrote:
>>>> > Hello all,
>>>> >
>>>> > I'm no sec expert but to me, it's so obvious that Nadim is right on this.
>>>> > Perhaps the form is not perfect, but if he's the only one fighting for our
>>>> > own sanity here, as he says, that's no surprise.
>>>> >
>>>> > We should all be asking Silent Circle to commit to their statement and show
>>>> > us the source code of their so-called unbreakable encryption tools.
>>>> >
>>>> > Again, I'm no sec expert and I won't be the guy who will do the hard task of
>>>> > auditing and reviewing this code. But as a user, as a citizen and perhaps an
>>>> > activist, I want the source code of such tools to be reviewed widely and
>>>> > publicly before using and promoting it.
>>>> >
>>>> > My 2 euro cents,
>>>> > Julien
>>>> >
>>>> > Le 07 févr. - 10:31, Nadim Kobeissi a écrit :
>>>> >> Small follow-up:

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
Douglas, I'm not sure many people are disagreeing with the end-goals and
even Zimmermann acknowledges the window for verifiable source proof is
closing fast (longer than many would have liked as-is).

My comments to Nadim are coming from a tact perspective - if the goal is to
gain wider adoption and recognition for all the community work, good
projects, verified projects, etc. etc. then it helps when you play in the
sandboxes occupied by more than the hackers and programmers making it happen.

It's not uncommon to have people, who need solutions the most, to be afraid
of projects because of the "main name" associated with them after some
cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD, etc.
etc.

It's easy to tell everyone else to pound sand or to roll all activist
causes into one for the collective libtech "us" - it's not so easy when we
take it elsewhere. Just trying to see how we can promote things that look
less like personal gripes and trolls - and more like building something
useful. -Ali



On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas  wrote:

> Can Silent Circle promoters explain why Zimmermann is excused from
> Kerckhoffs's principle?
>
> Is it because something unverifiable is allegedly better than nothing?
> Even if we had divine knowledge to tell us Silent Circle is secure,
> isn't it an overriding problem to encourage lock-in of closed source
> being acceptable for something as common as text-messaging?
>
> It is good to have a scrappy talented young person such as Nadim being
> pesky to older, accepted people.
>
>
> On 02/07/2013 09:45 AM, Julien Rabier wrote:
> > Hello all,
> >
> > I'm no sec expert but to me, it's so obvious that Nadim is right on this.
> > Perhaps the form is not perfect, but if he's the only one fighting for our
> > own sanity here, as he says, that's no surprise.
> >
> > We should all be asking Silent Circle to commit to their statement and show
> > us the source code of their so-called unbreakable encryption tools.
> >
> > Again, I'm no sec expert and I won't be the guy who will do the hard task of
> > auditing and reviewing this code. But as a user, as a citizen and perhaps an
> > activist, I want the source code of such tools to be reviewed widely and
> > publicly before using and promoting it.
> >
> > My 2 euro cents,
> > Julien
> >
> > Le 07 févr. - 10:31, Nadim Kobeissi a écrit :
> >> Small follow-up:
> >> Maybe it's true I look like my goal here is just to foam at the mouth at
> >> Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
> >> truly sorry. These are not my goals, even if my method seems forced.
> >>
> >> I've tried writing multiple blog posts about Silent Circle, contacting
> >> Silent Circle, asking journalists to *please* mention the importance of
> >> free, open source in cryptography, and so on. All of this has failed. It
> >> has simply become clear to me that Silent Circle enjoys a double standard
> >> because of the reputation of those behind it.
> >>
> >> Silent Circle may be developed by Gods, but this is just quite plainly
> >> unfair. If someone repeatedly claims, towards activists, to have developed
> >> "unbreakable encryption", markets it closed-source for money, and receives
> >> nothing but nods of recognition and applause from the press and even
> >> from *security experts* (?!) then something is seriously wrong! No one
> >> should be allowed to commit these wrongs, not even Silent Circle.
> >>
> >> I feel like I'm fighting for our own sanity here. Look at what you're
> >> allowing to happen!
> >>
> >>
> >> NK
> >>
> >>
> >> On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi  wrote:
> >>
> >>> On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian <ch...@soghoian.net> wrote:
> >>>
> >>>> It is clear that you seem to have developed a foaming-in-the-mouth,
> >>>> irrational hate of Silent Circle. As such, anyone who fails to denounce
> >>>> Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
> >>>> shill.
> >>>
> >>> Chris,
> >>> You have repeatedly stood up asking VoIP software to be more transparent
> >>> about their encryption. You have repeatedly stood up when the media
> >>> overblew coverage into hype.
> >>>
> >>> However, Silent Circle remains *the only case* where you remain mentioned
> >>> regularly in articles on the company, where you make a point to completely
> >>> ignore that they are posting everywhere on their social media that they are
> >>> developing "unbreakable encryption", and marketing it, closed-source,
> >>> towards activists. When I confront you about this, you publicly accuse me of
> >>> "soliciting a hit piece" (!!) against Silent Circle.
> >>>
> >>> That is what I have a problem with: A huge, clear, obvious double standard
> >>> strictly made available for Silent Circle.
> >>>
> >>>> I proudly stand by every single statement quoted in that Verge story.
> >>>>
> >>>> Chris
> >>

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
Inline below..


On Thu, Feb 7, 2013 at 11:34 AM, scarp  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Jens Christian Hillerup:
> > Hear-hear. They don't need to open-source their software to
> > convince me, as long as they are open about their protocol at
> > least.
>
> And what if there's a second set of decryption master keys? You're
> willing to trust them because they say "We're famous guys, we won't do
> anything bad, and plus we hate naughty governments."
>

We need to verify everything they say is true - keys aren't generated on
servers (with the PGP Universal option for email they allow it but
discourage it). Sure, yes, absolutely we all want to verify it from source
to wire.. no argument.

> The fact you can't buy into this service anonymously, so at least
> payment credentials will be available. Even if Phil says he won't be
> bad what is to stop Apple revealing your iTunes account purchased this
> application in AppStore when the necessary legal screws are applied to
> them.
>

They do offer the Ronin option for anonymous purchasing of the provisioning
keys - the App is free itself.

-Ali
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
I'm not sure it's been all for naught, even the article Christian is quoted
in refers to Red Phone and TextSecure, .. is it a link-list of FOSS tools
and teams? No but, really, that doesn't actually get people to go ~use~
something.

I'm also not sure unbreakable is core to SC's marketing at all - I think
that's the type of thing some tech. journalists go with. SC's own site
talks about all sorts of things they ~can't~ do - they're not telling
people they are the best line of defense even (they talk about lifestyle
OPSEC too for example).

Here is the way I look at it - the easiest to use introduces more and more
people to the whole roll of things. It DRIVES people to search and write
about what else is out there once they "know" they don't want to be without
the tools anymore. SC is a win for everyone in this case.

I know, for a fact, SC has introduced a lot more people to FOSS solutions
that otherwise wouldn't have ever considered it after dalliances in GnuPG
years ago. Once bad privacy user experience - always bad privacy user
experience sort of thing.

Cheers, -Ali



On Thu, Feb 7, 2013 at 10:31 AM, Nadim Kobeissi  wrote:

> Small follow-up:
> Maybe it's true I look like my goal here is just to foam at the mouth at
> Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
> truly sorry. These are not my goals, even if my method seems forced.
>
> I've tried writing multiple blog posts about Silent Circle, contacting
> Silent Circle, asking journalists to *please* mention the importance of
> free, open source in cryptography, and so on. All of this has failed. It
> has simply become clear to me that Silent Circle enjoys a double standard
> because of the reputation of those behind it.
>
> Silent Circle may be developed by Gods, but this is just quite plainly
> unfair. If someone repeatedly claims, towards activists, to have developed
> "unbreakable encryption", markets it closed-source for money, and receives
> nothing but nods of recognition and applause from the press and even from
> *security experts* (?!) then something is seriously wrong! No one should
> be allowed to commit these wrongs, not even Silent Circle.
>
> I feel like I'm fighting for our own sanity here. Look at what you're
> allowing to happen!
>
>
> NK
>
>
> On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi  wrote:
>
>> On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian 
>> wrote:
>>
>>>
>>> It is clear that you seem to have developed a foaming-in-the-mouth,
>>> irrational hate of Silent Circle. As such, anyone who fails to denounce
>>> Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
>>> shill.
>>>
>>
>> Chris,
>> You have repeatedly stood up asking VoIP software to be more transparent
>> about their encryption. You have repeatedly stood up when the media
>> overblew coverage into hype.
>>
>> However, Silent Circle remains *the only case* where you remain
>> mentioned regularly in articles on the company, where you make a point to
>> completely ignore that they are posting everywhere on their social media
>> that they are developing "unbreakable encryption", and marketing it,
>> closed-source, towards activists. When I confront you about this, you
>> publicly accuse me of "soliciting a hit piece" (!!) against Silent Circle.
>>
>> That is what I have a problem with: A huge, clear, obvious double
>> standard strictly made available for Silent Circle.
>>
>>
>>>
>>> I proudly stand by every single statement quoted in that Verge story.
>>>
>>> Chris
>>>
>>>
>>> On Wed, Feb 6, 2013 at 8:56 PM, Nadim Kobeissi  wrote:
>>>
>>>> Chris Soghoian gives Silent Circle's unbreakable encryption an entire
>>>> article's worth of lip service here, it must be really unbreakable:
>>>>
>>>> http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
>>>>
>>>>
>>>> NK
>>>>
>>>>
>>>> On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley wrote:
>>>>
>>>>> I heard they have a super secret crypto clubhouse in the belly of an
>>>>> extinct volcano.
>>>>>
>>>>> Other rumors suggest they built their lab in the liberated tunnels
>>>>> beneath bin Laden's secret lair in Pakistan...
>>>>>
>>>>> Sent from my iPad
>>>>>
>>>>> On Feb 6, 2013, at 19:42, Nadim Kobeissi  wrote:
>>>>>
>>>>> Actual headline.
>>>>>
>>>>>
>>>>> http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
>>>>>
>>>>>
>>>>> NK
>

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-06 Thread Ali-Reza Anghaie
A VZW employee was nice enough to reach out off list - wanted to remain
anonymous - says that the international SIMs they send for you to put in
overseas Nexus devices won't tether. Ever. No matter what I'm told
otherwise.

Anyhow.. enough of that. Cheers, -Ali



On Wed, Feb 6, 2013 at 3:52 PM, Ali-Reza Anghaie wrote:

> Always Nexus Verizon stock. My alternate ROMs don't travel with me.
> Verizon contacted ahead of time per their suggestions. Tethering in US and
> Canada fine. UK or elsewhere is no-joy.
>
> I gave up after a while and just carry my wipe'a'router and but use local
> WiFi. My advantage being I'm in tent data centers and hotels. I'll give the
> activist shuffle a try again next trip. -Ali
>  On Feb 6, 2013 3:31 PM, "Brian Conley"  wrote:
>
>> What Android OS are you using, Ali?
>>
>> It's a snap with Google Nexus running 4.0. Perhaps it's an OS version or
>> carrier-rolled OS that is the problem?
>>
>> Brian
>>
>> On Wed, Feb 6, 2013 at 12:26 PM, Ali-Reza Anghaie 
>> wrote:
>>
>>> I'm glad people have had luck with tethering their Android phones
>>> internationally. I've had absolutely zero - I'll have to give it another
>>> run with a locally rented provider I suppose.
>>>
>>> Anyone try in the UAE recently? Provider, hardware? Egypt? Curious. -Ali
>>>  On Feb 6, 2013 3:19 PM, "Griffin Boyce"  wrote:
>>>
>>>>
>>>>
>>>> On Wed, Feb 6, 2013 at 1:28 AM, Nathan of Guardian <
>>>> nat...@guardianproject.info> wrote:
>>>>
>>>>> On 02/06/2013 01:22 PM, Ali-Reza Anghaie wrote:
>>>>> >
>>>>> > How can projects like Privly play into it? Carrying a Tor Router along
>>>>> > with you or building one on-site. None of the operational matters will
>>>>> > ever be squarely addressed by one platform but it all can be
>>>>> > decision-treed out nicely.
>>>>>
>>>>> You could also use Orbot with wifi-tether on Android phone. It can
>>>>> transparent proxy all the wifi hotspot traffic over Tor.
>>>>>
>>>>
>>>> Using an android phone as a tether seems much more normal and fits the
>>>> profile of an international traveler. Carrying a router around might not be
>>>> the best option for staying low-profile.
>>>>
>>>> I like Chrome OS but am addicted to Pidgin with OTR. It's really the
>>>> only thing keeping me from trying out a Chromebook. (Even Photoshop is
>>>> available 'in the cloud'). If you need to install a few programs locally
>>>> but like the overall idea and features, JoliOS looks to be a good option:
>>>> http://www.jolicloud.com/jolios
>>>>
>>>> Somewhat off-topic: I reject the idea that because something isn't
>>>> right for Syrians, that it's not useful. There is an incredible spectrum of
>>>> threat models to consider. And usability is a factor. It's worth
>>>> considering that state-sponsored Windows spyware is a major problem. But
>>>> people still use it because the realistic alternative is more difficult to
>>>> use (even Ubuntu has a sharp learning curve).
>>>>
>>>> Best,
>>>> Griffin Boyce
>>>>
>>
>>
>>
>> --
>>
>>
>>
>> Brian Conley
>>
>> Director, Small World News
>>
>> http://smallworldnews.tv
>>
>> m: 646.285.2046
>>
>> Skype: brianjoelconley
>>
>>
>>

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-06 Thread Ali-Reza Anghaie
Always Nexus Verizon stock. My alternate ROMs don't travel with me. Verizon
contacted ahead of time per their suggestions. Tethering in US and Canada
fine. UK or elsewhere is no-joy.

I gave up after a while and just carry my wipe'a'router and but use local
WiFi. My advantage being I'm in tent data centers and hotels. I'll give the
activist shuffle a try again next trip. -Ali
 On Feb 6, 2013 3:31 PM, "Brian Conley"  wrote:

> What Android OS are you using, Ali?
>
> It's a snap with Google Nexus running 4.0. Perhaps it's an OS version or
> carrier-rolled OS that is the problem?
>
> Brian
>
> On Wed, Feb 6, 2013 at 12:26 PM, Ali-Reza Anghaie wrote:
>
>> I'm glad people have had luck with tethering their Android phones
>> internationally. I've had absolutely zero - I'll have to give it another
>> run with a locally rented provider I suppose.
>>
>> Anyone try in the UAE recently? Provider, hardware? Egypt? Curious. -Ali
>>  On Feb 6, 2013 3:19 PM, "Griffin Boyce"  wrote:
>>
>>>
>>>
>>> On Wed, Feb 6, 2013 at 1:28 AM, Nathan of Guardian <
>>> nat...@guardianproject.info> wrote:
>>>
>>>> On 02/06/2013 01:22 PM, Ali-Reza Anghaie wrote:
>>>> >
>>>> > How can projects like Privly play into it? Carrying a Tor Router along
>>>> > with you or building one on-site. None of the operational matters will
>>>> > ever be squarely addressed by one platform but it all can be
>>>> > decision-treed out nicely.
>>>>
>>>> You could also use Orbot with wifi-tether on Android phone. It can
>>>> transparent proxy all the wifi hotspot traffic over Tor.
>>>>
>>>
>>> Using an android phone as a tether seems much more normal and fits the
>>> profile of an international traveler. Carrying a router around might not be
>>> the best option for staying low-profile.
>>>
>>> I like Chrome OS but am addicted to Pidgin with OTR. It's really the
>>> only thing keeping me from trying out a Chromebook. (Even Photoshop is
>>> available 'in the cloud'). If you need to install a few programs locally
>>> but like the overall idea and features, JoliOS looks to be a good option:
>>> http://www.jolicloud.com/jolios
>>>
>>> Somewhat off-topic: I reject the idea that because something isn't right
>>> for Syrians, that it's not useful. There is an incredible spectrum of
>>> threat models to consider. And usability is a factor. It's worth
>>> considering that state-sponsored Windows spyware is a major problem. But
>>> people still use it because the realistic alternative is more difficult to
>>> use (even Ubuntu has a sharp learning curve).
>>>
>>> Best,
>>> Griffin Boyce
>>>
>
>
>
> --
>
>
>
> Brian Conley
>
> Director, Small World News
>
> http://smallworldnews.tv
>
> m: 646.285.2046
>
> Skype: brianjoelconley
>
>
>

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-06 Thread Ali-Reza Anghaie
I'm glad people have had luck with tethering their Android phones
internationally. I've had absolutely zero - I'll have to give it another
run with a locally rented provider I suppose.

Anyone try in the UAE recently? Provider, hardware? Egypt? Curious. -Ali
 On Feb 6, 2013 3:19 PM, "Griffin Boyce"  wrote:

>
>
> On Wed, Feb 6, 2013 at 1:28 AM, Nathan of Guardian <
> nat...@guardianproject.info> wrote:
>
>> On 02/06/2013 01:22 PM, Ali-Reza Anghaie wrote:
>> >
>> > How can projects like Privly play into it? Carrying a Tor Router along
>> > with you or building one on-site. None of the operational matters will
>> > ever be squarely addressed by one platform but it all can be
>> > decision-treed out nicely.
>>
>> You could also use Orbot with wifi-tether on Android phone. It can
>> transparent proxy all the wifi hotspot traffic over Tor.
>>
>
> Using an android phone as a tether seems much more normal and fits the
> profile of an international traveler. Carrying a router around might not be
> the best option for staying low-profile.
>
> I like Chrome OS but am addicted to Pidgin with OTR. It's really the only
> thing keeping me from trying out a Chromebook. (Even Photoshop is available
> 'in the cloud'). If you need to install a few programs locally but like the
> overall idea and features, JoliOS looks to be a good option:
> http://www.jolicloud.com/jolios
>
> Somewhat off-topic: I reject the idea that because something isn't right
> for Syrians, that it's not useful. There is an incredible spectrum of
> threat models to consider. And usability is a factor. It's worth
> considering that state-sponsored Windows spyware is a major problem. But
> people still use it because the realistic alternative is more difficult to
> use (even Ubuntu has a sharp learning curve).
>
> Best,
> Griffin Boyce
>

Re: [liberationtech] Pressure Increases On Silent Circle To Release Application Source Code (Transactional data)

2013-02-06 Thread Ali-Reza Anghaie
Their existing policies indicate they don't store transactional data
between SC users but they do store login and business data from an
individual customer to SC. They have not yet released the email solution
and haven't expanded their statements to include that data.

They state they currently hold any logs for seven days and "are working" to
reduce that to 24 hours. They have other statements on CALEA already but
I'm not sure how anyone can address, at least ahead of time, NSLs
specifically (by nature).

They also offer anonymous purchasing options.

All of this has gaps I'm sure we can all ponder on - but for now where they
stand, which in relation to their peers sounds pretty good, is all at:

https://silentcircle.com/web/law-compliance/
https://silentcircle.com/web/what-we-do-dont-do/
https://silentcircle.com/web/privacy/
https://silentcircle.com/web/ronin/

Will be interesting to see how it evolves and their first reports to
customers about Government requests. -Ali



On Wed, Feb 6, 2013 at 1:43 PM, Fabio Pietrosanti (naif) <
li...@infosecurity.ch> wrote:

>  Please remind that for a service-based model the risks are not also
> related to the "transactional data" :
>
> http://privacysos.org/transactional_records
>
> It would be really nice to know which is the data-retention policy for:
> - connection logs
> - phone call logs
> - email logs (as they will provide also secure email)
>
> Additionally it would be very useful to know, being a service based
> business model (and not a software based one):
> - which is the policy related to the handling and to the publicity of NSL
> (National Security Letters) and other kind of inquiry (connection logs,
> phone call logs) from governmental's security agencies?
>
> Fabio
>
> On 2/6/13 5:20 PM, Brian Conley wrote:
>
> LOL!
>
> At least it implies that one of Silent Circle's customers or their
> consultants may support open sourcing the code.
> On Feb 6, 2013 8:09 AM, "Nathan of Guardian" 
> wrote:
>
>> On 02/06/2013 10:06 PM, Nadim Kobeissi wrote:
>> >
>> http://www.forbes.com/sites/jonmatonis/2013/02/06/pressure-increases-on-silent-circle-to-release-application-source-code/
>>
>> "[Disclosure: Author is consultant for a Silent Circle reseller based in
>> Japan.]"
>>
>> That is one of the strangest disclosures I have ever seen.
>>
>> +n
>>

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-05 Thread Ali-Reza Anghaie
It's something we've explored as an option in the Executive Protection
space - and paired with Google two-factor it's a marked improvement over
anything most of these end-users were doing before. There is at least one
3G radio version too - more almost certainly coming at better price points.

As I've thought about it, some really disagreeable security risks of using
certain types of security related Chrome plugins (e.g. recent Mailvelope,
DOM, OpenPGP.js discussions), might be more tenable risks in a Chromebook
deployment. Obviously that doesn't fix anything "back home" but it's
another part of the risk equation.

How can projects like Privly play into it? Carrying a Tor Router along with
you or building one on-site. None of the operational matters will ever
be squarely addressed by one platform but it all can be decision-treed out
nicely.

The Google ecosystem risk is real and reasonable to consider - but weighed
against other realities? And while I don't expect any vendor to fight our
Government battles for us - Google has been more ally than foe IMO.

It's a worthwhile discussion that could lead to a fork or three down the
road. -Ali



On Tue, Feb 5, 2013 at 10:29 PM, Nadim Kobeissi  wrote:

> Dear LibTech,
> I'm frankly not sure about this idea, it may certainly be a bad one, but
> I've been using a Chromebook for almost a week now, and I've had some
> observations regarding this device. I'd like to discuss whether it's a good
> idea to hypothetically have Chromebooks used by activists, journalists,
> human rights workers and so on, as opposed to laptops with either Windows
> or Mac OS X running on top.
>
> First, the security and operational models are very interesting. In fact,
> I think this is probably the most secure end-user laptop OS currently on
> the mainstream market. Namely, Chromebooks use verified boot, disk
> encryption (with hardware-level tamper-resistance,) and sandboxing. This
> compounds with a transparent automatic update schedule from Google's Chrome
> team, which already has (from my experience) a truly superb reputation for
> security management. I'm looking at you, Adam Langley!
>
> The operating system itself is minimal. There is *much* less room for
> malware to be executed or for spyware to embed itself on the OS level. The
> difference in attack vector size between Chromebooks and Mac OS/Windows
> appears phenomenal to me. Of course, Chromebooks still have a filesystem
> and users are allowed to plug in USB drives, but due to the minimal nature
> of the operating system, its highly unusual strength of focus on security,
> and its relatively new nature, even malware delivered from these mediums
> may end up being much less common than in other platforms (Windows/Mac).
>
> I also feel that the minimal nature of Chromebooks leaves security
> considerations out of the way while offering an interface that is
> accessible to activists and journalists around the world. This
> accessibility is also a security feature! (I've long argued that
> accessibility should be considered a security feature.)
>
> Now, for the obvious (and unfortunate!) downsides: Chromebooks natively
> encourage users to store all of their data on Google, leaving the company
> with an unbalanced amount of control over these machines, and attracting
> itself as a compromise target relevant to Chromebook users. Another
> downside: No Tor. No PGP. No encryption software. Cryptocat is available
> for Chrome OS, but I can hardly say that's enough at all!
>
> The restricted, minimal nature of the operating system and the
> security-focused design of both the hardware and boot process are really
> appealing to me, and are the brunt of what makes me write this email.
> Should Chromebooks be recommended for activists and journalists in
> dangerous situations?
>
> As I've disclaimed above, this is only a theoretical discussion, please
> feel free to disagree and don't take me seriously just yet. :-)
>
> NK
>

[liberationtech] Silent Circle is reading the list. ;-)

2013-02-05 Thread Ali-Reza Anghaie
They're agile about their coverage. ;-)

-Ali


https://threatpost.com/en_us/blogs/phil-zimmermann-we-really-really-dont-have-keys-020513

---
The other thing that Silent Circle doesn't do is hold any user encryption
keys, not even for a second, because the keys never pass through the
company's servers. The crypto operations are done on the client side.

That's an important point, because it prevents the company from having to
deal with any demands from law enforcement agencies looking for encryption
keys.

"We really, really don't have the keys," he said. "This is for serious
people in serious situations. I think probably it's not a good idea to
trust crypto software if they don't publish the source code. It's not just
[to look for] back doors, but what if they screw up and make a mistake?"

Silent Circle also has secure email and text apps. The company has
published the source code for its VOIP app and plans to do the same for its
text app next week. Zimmermann said that there is no chance that the
company will include any back doors or law-enforcement access mechanisms
for its products.

"We're not going to build in any back doors in our service. I've spent my
whole career on the principle of no back doors, so I'm not going to start
now. One thing we won't do is cave in."
---

Re: [liberationtech] Latest article on silent circle

2013-02-05 Thread Ali-Reza Anghaie
Yeah. It's thinly veiled marketing and pats on the back. And while I
appreciate Silent Circle - this is a bit much. Sheesh. -Ali
 On Feb 5, 2013 12:37 PM, "Axel Simon"  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> I was expecting you to simply point to
> http://issilentcircleopensourceyet.com/ Nadim. :)
>
> Another great quote from the article: “The cryptographers behind this
> innovation may be the only ones who could have pulled it off.”
>
> Now, while I agree there is something to be said for ease-of-use of
> cryptographic tools, and many on this list have done so eloquently many
> times already, this article just simplifies too much to not be guilty of
> giving people a false sense of security, IMHO.
>
> Btw, I believe this is my first post to the list, so hello everyone!
> I'm axel, I help out (and have worked for) La Quadrature du Net and I'm
> from/in Paris, should anyone find that piece of information useful. I've
> found lurking this list to be highly interesting, so thanks everyone for
> your great contributions.
>
> axel
>
>
>
> On 2013-02-05 17:46, Nadim Kobeissi wrote:
> > “This has never been done before,” boasts Mike Janke, Silent
> > Circle’s CEO. “It’s going to revolutionize the ease of privacy
> > and security.”
> >
> > NK
> >
> > On Tue, Feb 5, 2013 at 11:29 AM, Brian Conley
> >  wrote:
> >
> >>
> >
> >
> http://mobile.slate.com/articles/technology/future_tense/2013/02/silent_circle_s_latest_app_democratizes_encryption_governments_won_t_be.html?original_referrer=http%3A%2F%2Ft.co%2FIm1pnCXk
> >> [1]
> >> --
> >> Unsubscribe, change to digest, or change password at:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech [2]
> >
> >
> >
> > Links:
> > --
> > [1]
> >
> >
> http://mobile.slate.com/articles/technology/future_tense/2013/02/silent_circle_s_latest_app_democratizes_encryption_governments_won_t_be.html?original_referrer=http%3A%2F%2Ft.co%2FIm1pnCXk
> > [2] https://mailman.stanford.edu/mailman/listinfo/liberationtech
> > [3] mailto:bri...@smallworldnews.tv
>
> - --
> Axel Simon
>
> - --
> mail/Jabber/Gtalk: axelsi...@axelsimon.net
> mobile: +33 (0)6 08 04 01 44
> twitter/identi.ca: @AxelSimon
> -BEGIN PGP SIGNATURE-
> Version: APG v1.0.8
>
> -END PGP SIGNATURE-
>

Re: [liberationtech] Skype letter strategy

2013-01-17 Thread Ali-Reza Anghaie
There is no harm in taking Kate's advice to heart - they also do care, you
may perceive a complete lack of care through their legal wrangling and
maneuverings and I wouldn't suggest anyone there is a "warm heart" about
these issues - but just like Security issues and Linux before, they care
because the sysadmins and cloud architects of tomorrow care - and Microsoft
needs them (just like a period before when concerns about Office licensing
waiving).

Targeting the Board, major journalists, major Fortune 100 companies that
use the services - it's all sound and worthwhile and costs nothing. Worst
case, nothing changes - everything from there is an improvement. -Ali



On Thu, Jan 17, 2013 at 11:46 AM, André Rebentisch wrote:

> On 17.01.2013 15:31, Maxim Kammerer wrote:
> > Could you please be more specific?
> Hiring the worst "tobaccos", disrespectful communication about
> competition authorities, mass-taking over standard committees by ISV,
> unreasonable communication, undue interference in non-domestic nations,
> bullying tactics.
>
> Just take DCI as an example.
> http://www.sourcewatch.org/index.php?title=DCI_Group
> It became wider known to a general audience when the McCain campaign was
> alluded to their lobbying for Burma.
>
> --- A
>
>

Re: [liberationtech] Fighting over-zealous investigators (Re: Petition to remove DA Ortiz)

2013-01-15 Thread Ali-Reza Anghaie
I wanted to chime in on one aspect of your call to action - in particular
around *"And I am equally sick of seeing the community shy away from them
when that happens."*..

As you already noted that is, in part, the hoped for effect - however, I am
not sure how many people realize exactly how many different ways people are
punished for showing support. Not just in these type of activist situations
but in any Federal Prosecution.

A good starting point on the wider topic is
http://www.harveysilverglate.com/Books/ThreeFeloniesaDay.aspx ..

I'd like to see more people share their stories about harassment they faced
just for providing a legal reference, or character testimony at sentencing,
donations, even room-and-board..

Cheers, -Ali



On Tue, Jan 15, 2013 at 4:02 PM, Griffin Boyce wrote:

>   There is also a petition to remove Assistant U.S. Attorney Steve Heymann
> for his heavy-handed tactics.[1] In addition to Aaron Swartz, he also led
> the case against Jonathan James, who tragically passed away at age 24. Two
> weeks after his home was raided by Heymann's team.
>
>   I know that there is insistence to not vilify these people, but they
> must be shown that they are not above reproach. These tactics are not only
> ineffective, they are designed precisely to make life harder for people.
> Jonathan James proclaimed his innocence until the day he died, but was
> denied his day in court because of harsh treatment and the history of
> fiercely one-sided conspiracy cases.
>
>   I am absolutely *sick* of seeing the best minds of my generation being
> put through the spin cycle by overzealous investigators. And I am equally
> sick of seeing the community shy away from them when that happens. When
> AIDS activists go to jail, they organize from within.  When they get out of
> jail, they are supported by friends and allies and are able to continue
> their work.  This paranoia that pervades our community hinders people who
> might want to organize effectively -- which is exactly the point. Do not
> think for a moment that this is not intentional.
>
>   Some of the most successful companies in America have been founded by
> hackers, and yet the climate is such that legal activities like
> cryptography, anonymity, or high-level computer science make people
> nervous.  Why is that something we've been putting up with?
>
>   So yes, sign these petitions, but also write letters in support of your
> stance. Call people. Send faxes. Talk to the media. Hold vigils. Make
> trouble. Do not let these people take away your rights of protest and
> intellectual curiosity.
>
> Stay safe out there,
> Griffin Boyce
>
> [1] Heymann petition:
> https://petitions.whitehouse.gov/petition/fire-assistant-us-attorney-steve-heymann/RJKSY2nb
>
> On Tue, Jan 15, 2013 at 2:50 PM, Jordan McCarthy 
> wrote:
>
>>
>> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>>
>> The probable efficacy of this effort is questionable, of course.  But it
>> seems like a somewhat more appropriately-targeted effort than the
>> petition being aimed at MIT
>> (http://open.scripts.mit.edu/blog/petition/), which has already shown
>> clear signs of contrition (http://www.bbc.co.uk/news/technology-21011663).
>>
>> < Jordan
>>
>> --
>> Sent from a computer running Free and Open Source Software
>> My GPG Public Key (0xDE1C1B53) 
>>
>
>
>
> --
> "What do you think Indians are supposed to look like?
> What's the real difference between an eagle feather fan
> and a pink necktie? Not much."
> ~Sherman Alexie
>
> PGP Key etc: https://www.noisebridge.net/wiki/User:Fontaine
>

Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail

2012-12-17 Thread Ali-Reza Anghaie
On Mon, Dec 17, 2012 at 5:28 PM, Thomas Oberndörfer wrote:

> Does the whole situation regarding mass surveillance of email traffic
> improve, zero effect, gets worse?
>

This question gets bounced around regularly - and there will likely never
be reasonable agreement. The explicit position of security professionals
versus the implicit disagreement of people who continue ~not~ to use "our"
solutions.

The new fork will be the explicit "fail safe" model (presuming there aren't
other glaring problems soon) and you'll offer a user-configurable model. It
would be nice to see it reconciled but if it isn't - it won't be the first
FOSS project out there like that.

All I can really say is good on you for getting into these murky fast-moving
waters. Well done. -Ali

Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail

2012-12-11 Thread Ali-Reza Anghaie
You just jogged my memory w/ the clipboard bit..

http://safegmail.com/

Another project in the mix. -Ali



On Wed, Dec 12, 2012 at 12:38 AM, Uncle Zzzen  wrote:

> The reason why FireGPG no longer ships with tails is that the DOM of a web
> app is not a safe place for plaintext
>
> https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/
> Any architecture where plaintext is stored inside a web app's DOM is
> dangerous. Especially a webmail app that can be expected to save drafts,
> but not only. Web apps can be MITMed, XSSed, etc. If it came via the web,
> it's a suspect.
>
> I'd expect a crypto add-on to only accept plaintext (and other sensitive)
> information via separate GUI that can only be launched manually (not via
> javascript in an app's DOM) and has a hard-to-imitate look-and-feel (to
> discourage phishing). The only communication between this add-on and the
> rest of the browser should be via the clipboard. Users who can't handle
> copy/paste shouldn't be trusted with a key pair :)
>
> From what I see at the http://www.mailvelope.com/ slide-show, it seems to
> provide even more shooting-yourself-in-the-leg firepower than FireGPG.
>
>
>
> On Wed, Dec 12, 2012 at 3:21 AM, Nadim Kobeissi  wrote:
>
>> Cryptocat is a local browser plugin served over SSL, installed locally,
>> loads/executes no external code, and communicates only via SSL. It does not
>> rely on server integrity with regards to these parameters.
>>
>> Regarding Mailvelope — does its operation depend on the Gmail DOM? What
>> happens if the Gmail DOM is modified, can that be used to damage the
>> integrity of Mailvelope operations? There's a reason Cryptocat operates in
>> its own browser tab separate from other sites.
>>
>> NK
>>
>> On 2012-12-11, at 6:54 PM, Andy Isaacson  wrote:
>>
>> > On Mon, Dec 10, 2012 at 10:07:23PM +, StealthMonger wrote:
>> >> "Fabio Pietrosanti (naif)"  writes:
>> >>> for those who have still not seen that project, I wanted to send a notice
>> >>> about MailVelope, OpenPGP encryption for webmail: http://www.mailvelope.com
>> >>
>> >>> It's a client-side, plug-in based (similar to CryptoCat), OpenPGP email
>> >>> encryption plugin available for Chrome and Firefox.
>> >>
>> >> To compare it with CryptoCat is unfair to MailVelope.  As I understand
>> >> things, CryptoCat has an ongoing reliance on server integrity.  On the
>> >> other hand, MailVelope is self-contained once securely installed,
>> >
>> > I'm not sure why you claim that.  It was true for Cryptocat v1 which was
>> > a browser app and could be compromised at any time with new JS from a
>> > compromised server.  Cryptocat v2 is a downloadable + installable plugin
>> > which at least doesn't immediately execute code served to it.
>> >
>> > In both the JS and plugin versions, Cryptocat (with uncompromised code)
>> > does not depend on server integrity for message confidentiality.
>> >
>> > Now, both CryptoCat and MailVelope probably have an upgrade
>> > vulnerability where a compromised server can tell the app "there's a new
>> > version available, please ask the user to install it".  And since the
>> > compromised server could refuse to provide service to the secure version
>> > of the app, there's a powerful functional reason for the user to accept
>> > the upgrade.
>> >
>> > Ah, perhaps you're referring to the fact that MailVelope layers on top
>> > of another server (Gmail) for its transport layer, rather than depending
>> > on a "MailVelope server" which could selectively deny service to the
>> > uncompromised version of the product.  In that respect, MailVelope might
>> > be more secure-by-design than Cryptocat.
>> >
>> > -andy

Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail

2012-12-11 Thread Ali-Reza Anghaie
I'm not finding a lot of information since the end of ~last year~ on the
status of OpenPGP.js checks. Perhaps an inquiry on their mailing list is in
order - I didn't see archives. I would guess Mailvelope uses whatever
keystore options OpenPGP.js offers which as of now (as near as I can tell)
doesn't include GnuPG compatibility (with already noted limitations as good
reasons).

Will be interested to see how both evolve. -Ali



On Tue, Dec 11, 2012 at 9:31 AM, Petter Ericson  wrote:

> I would claim that the expected behaviour would be to use any available
> keystore by default, or alternatively (if none is found) to install its
> own in a "default" location. On *nix, this is usually ~/.gnupg, and if
> GPG4Win is "widely" used on windows, I would expect one such keystore to
> be implemented.
>
> However, I am unsure how much of this can be done from browser plugins.
>
> Still, with the caveats mentioned further down the thread, I have to
> say this is a great thing, at first glance. More (and better) encryption
> tools make more (and better) encryption!
>
> Cheers
>
> /P
>
> On 11 December, 2012 - Robbie MacKay wrote:
>
> > "1. Mailvelope appears to use its own keystore (at least on Windows), and
> > not the GPG keystore.  Specifically, it doesn't use the GPG4Win keystore,
> > which is the one I'd expect it to use."
> >
> > In some ways this is great: it means novice users don't have to worry about
> > getting GPG4Win or any other keystore installed first. Simplifying
> > encryption for end users is definitely better, though I can't speak to the
> > quality of their implementation. For those of us who already have a GPG
> > keystore set up (and existing keys) I'd definitely rather it used those.
> >
> > On Tue, Dec 11, 2012 at 9:16 AM, Nick Daly wrote:
> >
> > > On Mon, Dec 10, 2012 at 1:42 PM, Fabio Pietrosanti (naif) wrote:
> > > > Hi all,
> > > >
> > > > for those who have still not seen that project, I wanted to send a notice
> > > > about MailVelope, OpenPGP encryption for webmail:
> > > > http://www.mailvelope.com
> > > >
> > > > It's a client-side, plug-in based (similar to CryptoCat), OpenPGP email
> > > > encryption plugin available for Chrome and Firefox.
> > > >
> > > > Source code is available under AGPL on
> > > > https://github.com/toberndo/mailvelope.
> > > >
> > > > Has anyone ever security reviewed it?
> > >
> > > This (could finally be) email encryption done right: encryption is
> > > performed on the user's browser, so that the server storing the
> > > communication never sees the contents of the message.
> > >
> > > However, after installing it on Chrome, I have a few concerns:
> > >
> > > 1. Mailvelope appears to use its own keystore (at least on Windows), and
> > >    not the GPG keystore.  Specifically, it doesn't use the GPG4Win
> > >    keystore, which is the one I'd expect it to use.
> > >
> > > 2. When creating a new PGP key in Mailvelope, it has some pretty poor
> > >    defaults.
> > >
> > >    A. Keys are set to 1024 bits, instead of 2048 (or 4096).  Anything
> > >       under 2048 is probably insufficient.
> > >
> > >    B. Keys are set to never expire, and that can't be configured.
> > >       Different keys should be used for different purposes and should
> > >       expire differently.  It's not a bad idea to cause email-signing
> > >       keys to expire after 3 - 5 years.
> > >
> > > Both 2.A and 2.B can be fixed through GPA or another frontend, but
> > > that's still bad key-creation practice.
> > >
> > > However, it *does* show the long-form key ID (the last 8 bytes of the
> > > fingerprint), which is probably the minimum necessary to avoid most
> > > collision attacks.
> > >
> > > Nick
> >
> > --
> > Robbie Mackay
> >
> > Software Developer, External Projects
> > Ushahidi Inc
> > m: +64 27 576 2243
> > e: rob...@ushahidi.com
> > skype: robbie.mackay
>
> --
> Petter Ericson (pett...@acc.umu.se)
>
> Telecomix Sleeper Jellyfish
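
The key-creation concerns raised in the quoted review (1024-bit keys, no expiry) and the long key ID it mentions can be checked mechanically. The following is an added example, not code from the thread, Mailvelope or OpenPGP.js: a minimal RFC 4880 packet reader that audits a binary v4 RSA public key. The function names, the `MIN_RSA_BITS` constant and the sample keys are assumptions constructed for illustration, and the self-signature is read but not verified.

```python
import hashlib
import struct

MIN_RSA_BITS = 2048        # threshold from the thread: under 2048 is "probably insufficient"
RSA_ALGOS = {1, 2, 3}      # RFC 4880 public-key algorithm IDs for RSA
TAG_SIGNATURE, TAG_PUBLIC_KEY = 2, 6
SUBPKT_KEY_EXPIRATION = 9  # RFC 4880 section 5.2.3.6: seconds after key creation


def packets(data):
    """Yield (tag, body) for each packet in a binary (unarmored) OpenPGP stream."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                              # new-format header
            tag, o1 = first & 0x3F, data[pos + 1]
            if o1 < 192:
                length, pos = o1, pos + 2
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif o1 == 255:
                length, pos = struct.unpack(">I", data[pos + 2:pos + 6])[0], pos + 6
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                         # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled")
            size = 1 << ltype                         # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length


def key_expiration(sig_body):
    """Return the key-expiration offset (seconds) from a v4 signature's hashed area, else None."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        return None
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    area, pos = sig_body[6:6 + hashed_len], 0
    while pos < len(area):
        n = area[pos]
        if n < 192:
            sub_len, pos = n, pos + 1
        elif n < 255:
            sub_len, pos = ((n - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            sub_len, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        if sub_len == 0 or pos + sub_len > len(area):
            raise ValueError("malformed subpacket")
        if area[pos] & 0x7F == SUBPKT_KEY_EXPIRATION:  # high bit is the "critical" flag
            return struct.unpack(">I", area[pos + 1:pos + 5])[0] or None  # 0 means no expiry
        pos += sub_len
    return None


def audit_key(data):
    """Report modulus size, long key ID and expiry of the primary key (signature NOT verified).

    The v4 fingerprint is SHA-1 over 0x99, a two-octet length and the key packet body;
    the long key ID is the last 8 bytes of that fingerprint.
    """
    report = {"bits": None, "key_id": None, "expires_after": None, "findings": []}
    for tag, body in packets(data):
        if tag == TAG_PUBLIC_KEY and report["key_id"] is None:
            if body[0] != 4:
                raise ValueError("only v4 keys are handled")
            if body[5] in RSA_ALGOS:                  # measure the modulus MPI itself
                nbytes = (struct.unpack(">H", body[6:8])[0] + 7) // 8
                report["bits"] = int.from_bytes(body[8:8 + nbytes], "big").bit_length()
            fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
            report["key_id"] = fp[-8:].hex().upper()
        elif tag == TAG_SIGNATURE and report["expires_after"] is None:
            report["expires_after"] = key_expiration(body)
    if report["bits"] is not None and report["bits"] < MIN_RSA_BITS:
        report["findings"].append("RSA modulus is %d bits (< %d)" % (report["bits"], MIN_RSA_BITS))
    if report["expires_after"] is None:
        report["findings"].append("no key expiration set")
    return report


def build_sample_key(bits, expires_after=None):
    """Constructed sample: structurally valid packets, meaningless modulus and signature."""
    def mpi(x):
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1355184000) + b"\x01" + mpi((1 << (bits - 1)) | 1) + mpi(65537)
    hashed = b"\x05\x02" + struct.pack(">I", 1355184000)          # signature creation time
    if expires_after:
        hashed += b"\x05\x09" + struct.pack(">I", expires_after)  # key expiration time
    sig = b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed + b"\x00" * 4 + mpi(1)
    return (b"\x99" + struct.pack(">H", len(body)) + body          # old-format header, tag 6
            + bytes([0xC0 | TAG_SIGNATURE, len(sig)]) + sig)       # new-format header, tag 2


if __name__ == "__main__":
    for key in (build_sample_key(1024), build_sample_key(2048, 3 * 365 * 86400)):
        print(audit_key(key))
```

Because the expiry is taken from a self-signature that this code does not verify, treat the report as a triage aid and confirm with a full OpenPGP implementation before trusting a key.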

Re: [liberationtech] Silent Circle Going Open Source

2012-11-21 Thread Ali-Reza Anghaie
Separately I think the most susceptible CALEA component is Silent Mail -
because it's not using a peer-to-peer model by default. So, as of now, I
don't think CALEA can force the software to be poisoned unless SC also
does store-and-fwd of the message. This has always been a point of
confusion between attorneys and actual companies complying in my
experience. I trust other people here know exactingly how this all works.

Either way, I want some verbiage clarification from SC on the topic anyhow.
Cheers, -Ali



On Wed, Nov 21, 2012 at 2:45 PM, Ali-Reza Anghaie wrote:

> They have a bit about what they can and will turn over at:
>
> https://silentcircle.com/web/law-compliance/
>
>
>
> And make mention of CALEA. There is some ambiguity IMO I'm not thrilled
> with so I'm reaching out about that. I know it's not enough for you but I
> still think that given the target audiences using nothing, this is still a
> huge (potential) win if they hit a stride. -Ali
>
> Key quotes:
>
> "We retain the following information as part of our normal business
> functions:
>
> Authentication information — your user name and hashed password. We hash
> passwords with a twelve-character random salt and 20,000 iterations of
> HMAC-SHA256 via PBKDF2.
>
> Your contact email address.
>
> Your Silent Phone number that we issue you
>
> Server IP Logs for login only. We currently retain these for 7 days, and
> are working to reduce this to 24 hours"
>
> "We are a law-abiding company, and US law (the Communications Assistance
> for Law Enforcement Act, CALEA) makes it clear that communications service
> providers can deliver products to their customers that use encryption to
> protect their communications without having the ability to decrypt those
> communications. This means no Government-mandated backdoors. Indeed,
> history has shown that backdoors created for law enforcement interception
> are themselves a security liability, and present an irresistible target for
> hackers and state sponsored attackers."
>
> And
>
> "We must and will comply with valid legal demands for the very limited
> information we hold. Thus, we want to make it clear that when legally
> compelled to do so, we will turn over the little information we hold,
> described above. Before turning it over, however, we will evaluate the
> request to make sure it complies with the letter and spirit of the law.
> And, consistent with best privacy practices followed by other companies,
> when possible and legally permissible, we will notify the user in order to
> give him or her the opportunity to object to the disclosure."
>
>

Re: [liberationtech] Silent Circle Going Open Source

2012-11-21 Thread Ali-Reza Anghaie
They have a bit about what they can and will turn over at:

https://silentcircle.com/web/law-compliance/

And make mention of CALEA. There is some ambiguity IMO I'm not thrilled
with so I'm reaching out about that. I know it's not enough for you but I
still think that given the target audiences using nothing, this is still a
huge (potential) win if they hit a stride. -Ali

Key quotes:

"We retain the following information as part of our normal business
functions:

Authentication information — your user name and hashed password. We hash
passwords with a twelve-character random salt and 20,000 iterations of
HMAC-SHA256 via PBKDF2.

Your contact email address.

Your Silent Phone number that we issue you

Server IP Logs for login only. We currently retain these for 7 days, and
are working to reduce this to 24 hours"

"We are a law-abiding company, and US law (the Communications Assistance
for Law Enforcement Act, CALEA) makes it clear that communications service
providers can deliver products to their customers that use encryption to
protect their communications without having the ability to decrypt those
communications. This means no Government-mandated backdoors. Indeed,
history has shown that backdoors created for law enforcement interception
are themselves a security liability, and present an irresistible target for
hackers and state sponsored attackers."

And

"We must and will comply with valid legal demands for the very limited
information we hold. Thus, we want to make it clear that when legally
compelled to do so, we will turn over the little information we hold,
described above. Before turning it over, however, we will evaluate the
request to make sure it complies with the letter and spirit of the law.
And, consistent with best privacy practices followed by other companies,
when possible and legally permissible, we will notify the user in order to
give him or her the opportunity to object to the disclosure."
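
As an added illustration of the password storage scheme quoted from the policy above (PBKDF2 with HMAC-SHA256, a twelve-character random salt, 20,000 iterations), here is a sketch that is not Silent Circle's code. The record format, the function names and the higher `policy_iterations` value used when upgrading are assumptions; it shows why the iteration count is stored with each hash, so a service can raise the cost later and upgrade records at login.

```python
import hashlib
import hmac
import secrets
import string

SALT_ALPHABET = string.ascii_letters + string.digits
SALT_CHARS = 12        # "twelve-character random salt" from the quoted policy
ITERATIONS = 20_000    # iteration count from the quoted policy


def _derive(password, salt, iterations):
    """PBKDF2 with HMAC-SHA256, returning the raw 32-byte derived key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations)


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$hex-digest (assumed format)."""
    salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_CHARS))
    return "pbkdf2-sha256$%d$%s$%s" % (iterations, salt,
                                       _derive(password, salt, iterations).hex())


def verify_password(password, record, policy_iterations=ITERATIONS):
    """Return (ok, needs_rehash); needs_rehash is True for a valid login below current policy."""
    try:
        scheme, iters, salt, digest = record.split("$")
        iters = int(iters)
        expected = bytes.fromhex(digest)
    except ValueError:
        return False, False                      # malformed record never authenticates
    if scheme != "pbkdf2-sha256" or iters <= 0:
        return False, False
    # Constant-time comparison so the check does not leak how many bytes matched.
    ok = hmac.compare_digest(_derive(password, salt, iters), expected)
    return ok, ok and iters < policy_iterations


def login(store, user, password, policy_iterations=ITERATIONS):
    """Check a login against `store` (user -> record) and upgrade weak records on success."""
    record = store.get(user)
    if record is None:
        return False
    ok, needs_rehash = verify_password(password, record, policy_iterations)
    if needs_rehash:
        # Only possible at login time: the plaintext is needed to re-derive with a new cost.
        store[user] = hash_password(password, policy_iterations)
    return ok


if __name__ == "__main__":
    accounts = {"alice": hash_password("correct horse")}   # constructed sample account
    print(accounts["alice"])
    print(login(accounts, "alice", "correct horse", policy_iterations=100_000))
    print(accounts["alice"].split("$")[1])                  # record now carries the new count
```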

Re: [liberationtech] UN Body Wants Control over Internet Governance

2012-11-12 Thread Ali-Reza Anghaie
My own personal view is the worst thing about this is it won't actually add
transparency to any given Nation-State's policies/oppression and it's still
not going to stop the tide of attempted Nation-State Intranets.

So, at best, it's all the overhead with no benefit.

The global situation can evolve badly enough without this meddling. -Ali



On Mon, Nov 12, 2012 at 11:12 AM, Nadim Kobeissi  wrote:

> "Experts claim that political and religious websites could disappear if
> the Federal Government backs a plan  to hand control over the internet to
> the UN's International Telecommunications Union (ITU).
>
> A draft of the proposal, formulated in secret and only recently posted on
> the ITU website for public perusal, reveal that if accepted, the changes
> would allow government restriction or blocking of information disseminated
> via the internet and create a global regime of monitoring internet
> communications - including the demand that those who send and receive
> information identify themselves."
>
>
> http://www.news.com.au/news/united-nations-wants-control-of-web-kill-switch/story-fnejlrpu-1226515234163
>
> This sounds pretty bad, I've been hearing about this proposal for a while
> and now it's making the news.
>
> NK
>

Re: [liberationtech] China just blocked Google.com

2012-11-10 Thread Ali-Reza Anghaie
I'd expect in either case it wasn't a mistake and probably not a test -
they already know they can do it. I'm guessing it was at least in-part to
flush some usage and networks of people out. -Ali



On Sat, Nov 10, 2012 at 12:22 PM, Martin Johnson wrote:

> Google unblocked again - was it a mistake or a test?
>
> https://en.greatfire.org/blog/2012/nov/google-unblocked-again-was-it-mistake-or-test
>
> Adam - you can test Google Talk and any URL at https://en.greatfire.org
>
> On Sat, Nov 10, 2012 at 2:29 PM, Adam Fisk wrote:
>
>> Thanks Martin. Do you know if Google Talk is still accessible (
>> talk.google.com)?
>>
>> -Adam
>>
>>
>> On Friday, November 9, 2012, Martin Johnson wrote:
>>
>>> Today, Nov 9, 2012, http://www.google.com was blocked in China. It's
>>> the first time since we started tracking online censorship in China in
>>> February last year that this has happened. Here's what we know:
>>>
>>>- The subdomains www.google.com, mail.google.com,
>>>google-analytics.com, docs.google.com, drive.google.com,
>>>maps.google.com, play.google.com and perhaps many more are all
>>>currently DNS poisoned in China. Instead of the real IP addresses, any
>>>lookups from China to any of these domains result in the following IP:
>>>59.24.3.173. That IP address is located in Korea and doesn't serve any
>>>website at all.
>>>    - This means that none of these websites, including Google Search,
>>>    currently work in China, unless you have a VPN or other circumvention
>>>    tool.
>>>- Using a DNS server outside of China doesn't help. A lookup of
>>>www.google.com to 8.8.8.8 is also distorted, by the Great Firewall.
>>>- So far you can still access other country versions of Google such
>>>as www.google.co.uk.
>>>
>>> You can see an overview of different Google sites here:
>>> https://en.greatfire.org/search/google-sites. You can choose any of
>>> them and test them in real time to stay updated.
>>>
>>> Affecting more users than ever
>>>
>>> Facebook, Twitter and YouTube were all blocked before they attracted
>>> more than a small number of users in China. We've argued before that the
>>> authorities didn't dare to fully block GMail since it has too many users
>>> already. Fully blocking Google goes much further. Google Search is only the
>>> second search engine in China (after Baidu) but with an online population
>>> of more than 500 million that still leaves it with many millions of daily
>>> users. According to Alexa, it's the Top 5 most used website in China. Never
>>> before have so many people been affected by a decision to block a website.
>>> If Google stays blocked, many more people in China will become aware of the
>>> extent of censorship. How will they react? Will there be protests? Check
>>> out reactions by Weibo users on FreeWeibo.
>>>
>>> Temporary or permanent?
>>>
>>> The Communist Party of China is currently holding its 18th Party
>>> Congress in which new leaders of the party and the country are formally
>>> chosen. The fact that Google is blocked now is surely no coincidence. The
>>> big question is whether it will be unblocked again once the congress is
>>> over. We will closely monitor developments.
>>>
>>> By the way.. Analytics
>>>
>>> The fact that http://www.google-analytics.com is blocked doesn't just
>>> mean that you can't access the web interface in China. It means that visits
>>> by Chinese users won't be tracked by Google anymore. Foreign websites using
>>> Google Analytics to track their visitors will currently track 0 users
>>> coming from China, whether or not their website itself is blocked.
>>>
>>> What to do?
>>>
>>> Many VPNs and other circumvention tools have been working poorly or not
>>> at all in the last few days. The free iPhone app OpenDoor is still working,
>>> though it has also suffered glitches recently. Another method of accessing
>>> Google Search is to use one of their other country versions such as
>>> www.google.co.uk or www.google.ca. These may also be blocked of course.
>>>
>>> You can also access Google directly using one of their IP addresses.
>>> These don't appear to be blocked (yet). Here are some:
>>>
>>>
>>> From: https://en.greatfire.org/blog/2012/nov/googlecom-blocked-china
>>>
>>> --
>>> Best
>>> Martin Johnson
>>> ---
>>> https://FreeWeibo.com - Uncensored, Anonymous Sina Weibo Search.
>>> https://GreatFire.org - Monitoring Online Censorship In China.
>>> https://Unblock.cn.com - We Can Unblock Your Website In China.
>>>
>>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>
>
>
> --
> Best
> Martin Johnson
> ---
> https://FreeWeibo.com - Uncensored, Anony

Re: [liberationtech] issilentcircleopensourceyet.com

2012-11-06 Thread Ali-Reza Anghaie
The full response in the FAQ is: "Yes it is. Silent Phone uses
Device-to-Device encryption technology so that only the users have the keys
exchanged on their device for each call peer-to-peer….the keys are not held
on a server. Silent Phone uses TLS and the ZRTP protocols to encrypt the
packets of the phone call across the internet. Silent Phone uses our secure
Silent Network to facilitate our service and provide for complete security."

Also they have a whole section for what they do and don't -
https://silentcircle.com/web/what-we-do-dont-do/ ..

That's leaps and bounds beyond what most people will ever see or even
attempt to look for elsewhere. Most people click a few times, create
entropy, type in a password, and that's it. End of it.

If they said just "Yes it is" and didn't go through some extra steps (like
even their setup step pointing the end-user to the more usable vs more
secure options) - then I'd be WTF all over the place.

Anyhow - I agree with your last sentiment. Some ecosystems make it much
easier to sleep at night than others. -Ali



On Tue, Nov 6, 2012 at 4:14 PM, Roger Dingledine  wrote:

> On Tue, Nov 06, 2012 at 02:28:36PM -0500, Nadim Kobeissi wrote:
> > I believe that releasing closed-source, unreviewed and centralized crypto
> > software and then marketing it as secure to be malpractice. That is
> > simply my point.
>
> I stopped looking at SilentCircle when I was looking through their
> FAQ: https://silentcircle.com/web/faq/
> and clicked on the question "Is Silent Phone secure?" expecting an answer
> like "well, it depends what you mean by secure, but here's what it does
> and doesn't do for you" and instead got the answer "Yes it is."
>
> I'm sure we can have a debate about the relative merits of misleading
> your users for their own good ("if we didn't say that, they'd go use
> an even worse system that does say it"), but it's times like this that
> I'm glad I work for a non-profit that doesn't have to make a business
> tradeoff to decide how much to lie to its users.
>
> --Roger
>

Re: [liberationtech] issilentcircleopensourceyet.com

2012-11-06 Thread Ali-Reza Anghaie
Nadim is biased - and that matters little IMO.

That puts him in the company of, oh, 100% of other professionals. ;-)

My complaint is that if there is an agenda, and I take him at his word for
what he wrote, are these repeated and targeted nits at an accessible and
usable player who does use standards, has good written policy, who does
have history on its staff and founder's side, has "Government" blood on
its hands, etc. a ~good~ idea for the wider goals?

Or could Nadim, and others in his highly visible position, be a bit more
diplomatic and show potential support with the caveats that they will only
wait so long to see the promises fulfilled or to be engaged directly.

This isn't unique to Nadim, not by a long shot, as I noted earlier in
thread it's a cultural divide that I think continues to widen the gap
between the enablers and those most in need of solutions.

-Ali



On Tue, Nov 6, 2012 at 2:25 PM, Nadim Kobeissi  wrote:

> Greg,
> If you can see anything that is biased in my blog post, please let me know
> so I can fix it ASAP.
>
>
> NK
>
>
>
> On Tue, Nov 6, 2012 at 2:23 PM, Greg Norcie  wrote:
>
>> Nadim,
>>
>> I am aware of your blog post - especially since this is the third time
>> you have posted it in this thread :)
>>
>> I am simply cautioning you that you could be creating the appearance of
>> a bias.
>> --
>> Greg Norcie (g...@norcie.com)
>> GPG key: 0x1B873635
>>
>> On 11/6/12 2:13 PM, Nadim Kobeissi wrote:
>> > Greg,
>> > I don't intend to be anonymous. Why would I? I intend for Silent Circle
>> > to open their source code for review, because as it stands they are
>> > being dangerous to the methodology of security software development. I
>> > have already written a blog post about this under my own
>> > name: http://log.nadim.cc/?p=89
>> >
>> >
>> > NK
>> >
>> >
>> > On Tue, Nov 6, 2012 at 2:11 PM, Greg Norcie <g...@norcie.com> wrote:
>> >
>> > Nadim,
>> >
>> > You are correct - the website (nor the whois) mention you. But your post
>> > on this mailing list does.
>> >
>> > You seem like a very intelligent guy - if you had intended this to be an
>> > anonymous critique, I doubt you'd have used your real name to post the
>> > link :)
>> > --
>> > Greg Norcie (g...@norcie.com)
>> > GPG key: 0x1B873635
>> >
>> > On 11/6/12 2:06 PM, Nadim Kobeissi wrote:
>> > > Greg,
>> > > The website does not mention me at all, it's purely meant as a complaint
>> > > against Silent Circle's policy. I've already written a lengthy post
>> > > regarding Silent Circle (http://log.nadim.cc/?p=89) and yet have
>> > > received no reply.
>> > >
>> > >
>> > > NK
>> > >
>> > >
>> > > On Tue, Nov 6, 2012 at 2:04 PM, Greg Norcie <g...@norcie.com> wrote:
>> > >
>> > > Nadim
>> > >
>> > > I understand your position, but actions like this website won't help
>> > > your cause.
>> > >
>> > > Can you understand how actions like setting up this web site might be
>> > > viewed as a way to call attention to oneself, rather than champion the
>> > > (respectable) ideals of the open source movement?
>> > > --
>> > > Greg Norcie (g...@norcie.com)
>> > > GPG key: 0x1B873635
>> > >
>> > > On 11/6/12 1:53 PM, Nadim Kobeissi wrote:
>> > > > Ali,
>> > > > The issue is trust. Security software verifiability should not have to
>> > > > depend on Silent Circle (or who they hire to audit, for example
>> > > > Veracode.)
>> > > >
>> > > >
>> > > > NK
>> > > >
>> > > >
>> > > > On Tue, Nov 6, 2012 at 1:51 PM, Ali-Reza Anghaie
>>

Re: [liberationtech] issilentcircleopensourceyet.com

2012-11-06 Thread Ali-Reza Anghaie
OK - now we actually have a detail disagreement.

Please show me evidence of Silent Circle "malpractice"..

That's a big leap from disagreeing with a practice or declaring a best
practice as you see fit and negligence or even blatant disregard.

Context matters.

-Ali



On Tue, Nov 6, 2012 at 2:22 PM, Nadim Kobeissi  wrote:

> Ali,
> Of course I would publicize my complaints. That's how you get your voice
> heard. I repeat that my only concern here is Silent Circle shipping
> questionably secure software and going against the open sourcing of
> cryptography software. I don't care if it's, as you say "a bit of 'look at
> me!'", This is not my concern. My concern is for Silent Circle to stop its
> malpractice. When Bruce Schneier critiques software, it's not because he
> wants people to pay attention to him, it's because he wants the software to
> be fixed. I am trying to follow his example as much as I can here.
>
> Also, to answer your question: I have no problem with who funds or founds
> Silent Circle. This is not the source of my complaint.
>
>
> NK
>
>
>
> On Tue, Nov 6, 2012 at 2:16 PM, Ali-Reza Anghaie wrote:
>
>> It's not just me who interprets it that way - the only reason I responded
>> was that after Nadim's first post I was approached by former colleagues who
>> are still in the DoD circles. They all wondered if these complaints, that
>> seemed awfully specific to ~one~ player in the industry, were born from
>> Anonymous or other political movements because of the Navy SEALs involved
>> in the founding.
>>
>> I explained I trusted people would judge Silent Circle more on actions
>> and the history of PZ and Jon Callas but hey, that's still my speculation..
>>
>> Nadim also posted this on his Twitter timeline - it's hardly a "without
>> publicity" move, and he quickly engaged CSoghoian too. It's not a stretch
>> to say it was a bit of "look at me!"..
>>
>> However, with all that said, it WOULD be a stretch to say that Nadim is
>> ~wrong~ in his eventual technocratic position here. I'm just arguing the
>> tactical value of it given the very wide problem sets we all have.
>>
>> -Ali
>>
>>
>>
>> On Tue, Nov 6, 2012 at 2:11 PM, Greg Norcie  wrote:
>>
>>> Nadim,
>>>
>>> You are correct - the website (nor the whois) mention you. But your post
>>> on this mailing list does.
>>>
>>> You seem like a very intelligent guy - if you had intended this to be an
>>> anonymous critique, I doubt you'd have used your real name to post the
>>> link :)
>>> --
>>> Greg Norcie (g...@norcie.com)
>>> GPG key: 0x1B873635
>>>
>>> On 11/6/12 2:06 PM, Nadim Kobeissi wrote:
>>> > Greg,
>>> > The website does not mention me at all, it's purely meant as a complaint
>>> > against Silent Circle's policy. I've already written a lengthy post
>>> > regarding Silent Circle (http://log.nadim.cc/?p=89) and yet have
>>> > received no reply.
>>> >
>>> >
>>> > NK
>>> >
>>> >
>>> > On Tue, Nov 6, 2012 at 2:04 PM, Greg Norcie <g...@norcie.com> wrote:
>>> >
>>> > Nadim
>>> >
>>> > I understand your position, but actions like this website won't help
>>> > your cause.
>>> >
>>> > Can you understand how actions like setting up this web site might be
>>> > viewed as a way to call attention to oneself, rather than champion the
>>> > (respectable) ideals of the open source movement?
>>> > --
>>> > Greg Norcie (g...@norcie.com)
>>> > GPG key: 0x1B873635
>>> >
>>> > On 11/6/12 1:53 PM, Nadim Kobeissi wrote:
>>> > > Ali,
>>> > > The issue is trust. Security software verifiability should not have to
>>> > > depend on Silent Circle (or who they hire to audit, for example
>>> > > Veracode.)
>>> > >
>>> > >
>>> > > NK
>>> > >
>>> > >
>>> > > On Tue, Nov 6, 2012 at 1:51 PM, Ali-Reza Anghaie <a...@packetknife.com> wrote:

Re: [liberationtech] issilentcircleopensourceyet.com

2012-11-06 Thread Ali-Reza Anghaie
It's not just me who interprets it that way - the only reason I responded
was that after Nadim's first post I was approached by former colleagues who
are still in the DoD circles. They all wondered if these complaints, that
seemed awfully specific to ~one~ player in the industry, were born from
Anonymous or other political movements because of the Navy SEALs involved
in the founding.

I explained I trusted people would judge Silent Circle more on actions and
the history of PZ and Jon Callas but hey, that's still my speculation..

Nadim also posted this on his Twitter timeline - it's hardly a "without
publicity" move, and he quickly engaged CSoghoian too. It's not a stretch
to say it was a bit of "look at me!"..

However, with all that said, it WOULD be a stretch to say that Nadim is
~wrong~ in his eventual technocratic position here. I'm just arguing the
tactical value of it given the very wide problem sets we all have.

-Ali



On Tue, Nov 6, 2012 at 2:11 PM, Greg Norcie  wrote:

> Nadim,
>
> You are correct - the website (nor the whois) mention you. But your post
> on this mailing list does.
>
> You seem like a very intelligent guy - if you had intended this to be an
> anonymous critique, I doubt you'd have used your real name to post the
> link :)
> --
> Greg Norcie (g...@norcie.com)
> GPG key: 0x1B873635
>
> On 11/6/12 2:06 PM, Nadim Kobeissi wrote:
> > Greg,
> > The website does not mention me at all, it's purely meant as a complaint
> > against Silent Circle's policy. I've already written a lengthy post
> > regarding Silent Circle (http://log.nadim.cc/?p=89) and yet have
> > received no reply.
> >
> >
> > NK
> >
> >
> > On Tue, Nov 6, 2012 at 2:04 PM, Greg Norcie <g...@norcie.com> wrote:
> >
> > Nadim
> >
> > I understand your position, but actions like this website won't help
> > your cause.
> >
> > Can you understand how actions like setting up this web site might be
> > viewed as a way to call attention to oneself, rather than champion the
> > (respectable) ideals of the open source movement?
> > --
> > Greg Norcie (g...@norcie.com)
> > GPG key: 0x1B873635
> >
> > On 11/6/12 1:53 PM, Nadim Kobeissi wrote:
> > > Ali,
> > > The issue is trust. Security software verifiability should not have to
> > > depend on Silent Circle (or who they hire to audit, for example
> > > Veracode.)
> > >
> > >
> > > NK
> > >
> > >
> > > On Tue, Nov 6, 2012 at 1:51 PM, Ali-Reza Anghaie <a...@packetknife.com> wrote:
> > >
> > > Nobody would dispute that - that's not quite the same thing as FOSS
> > > default positions or some of the other criticisms.
> > >
> > > For example, I'd contend a paid Veracode audit would in all
> > > likelihood be better than any typical FOSS audit. Had they done that
> > > (heck, they might have but I doubt it) and still announced the
> > > intent of opening the codebase - I wager that would not have stopped
> > > the criticism.
> > >
> > > It appears to be a deep-seated cultural divide more than any of the
> > > other factors combined.
> > >
> > > -Al
> > >
> > >
> > >
> > > On Tue, Nov 6, 2012 at 1:43 PM, Yosem Companys <compa...@stanford.edu> wrote:
> > >
> > > Security audits are always important, especially when people's
> > > lives are at risk.
> > >
> > > On Tue, Nov 6, 2012 at 10:37 AM, Nadim Kobeissi <na...@nadim.cc> wrote:
> > >
> > > Hi Ali,
> > > There is no "agenda," and there needn't be one if you are to
> > > critique security software. No need to be so aggressive.
> > > My qualms against Silent Circle are detailed
> > > here: http://log.nadim.cc/?p=8

Re: [liberationtech] issilentcircleopensourceyet.com

2012-11-06 Thread Ali-Reza Anghaie
Trust isn't a simple matter of FOSS or not. It just isn't - you know that
as well. The code isn't often the biggest limiting factor although the code
availability provides a degree of mobility not otherwise available.
Additionally ~availability~ and ~usability~ matter too. The standoff position from the
outset doesn't exactly endear anybody to anybody here (you to them, them to
you).

We're not disagreeing on the ultimate goals - at all I don't believe. I'm
disagreeing on the tactical approaches to get us to the strategic vision of
people expecting and using, carriers understanding and allowing, and
Governments simply not interfering.

I can already hear echoes of mailing lists threads past coming back.

I'll stand down, the back and forth is already echoing in my head. I'll
continue to deal with the reality on the ground for the "have nots" - and
you keep up the good fight in your corner of the World as well. Be well,
Cheers, -Ali



On Tue, Nov 6, 2012 at 1:53 PM, Nadim Kobeissi  wrote:

> Ali,
> The issue is trust. Security software verifiability should not have to
> depend on Silent Circle (or who they hire to audit, for example Veracode.)
>
>
> NK
>
>
>
> On Tue, Nov 6, 2012 at 1:51 PM, Ali-Reza Anghaie wrote:
>
>> Nobody would dispute that - that's not quite the same thing as FOSS
>> default positions or some of the other criticisms.
>>
>>  For example, I'd contend a paid Veracode audit would in all likelihood
>> be better than any typical FOSS audit. Had they done that (heck, they might
>> have but I doubt it) and still announced the intent of opening the codebase
>> - I wager that would not have stopped the criticism.
>>
>> It appears to be a deep-seated cultural divide more than any of the other
>> factors combined.
>>
>> -Al
>>
>>
>>
>> On Tue, Nov 6, 2012 at 1:43 PM, Yosem Companys wrote:
>>
>>> Security audits are always important, especially when people's lives are
>>> at risk.
>>>
>>> On Tue, Nov 6, 2012 at 10:37 AM, Nadim Kobeissi  wrote:
>>>
>>>> Hi Ali,
>>>> There is no "agenda," and there needn't be one if you are to critique
>>>> security software. No need to be so aggressive.
>>>> My qualms against Silent Circle are detailed here:
>>>> http://log.nadim.cc/?p=89
>>>>
>>>>
>>>> NK
>>>>
>>>>
>>>>
>>>> On Tue, Nov 6, 2012 at 1:34 PM, Ali-Reza Anghaie 
>>>> wrote:
>>>>
>>>>> Seriously - what's your agenda?
>>>>>
>>>>> Where are the domains for the other tens of providers who charge arms
>>>>> and legs based on closed protocols even?
>>>>>
>>>>> What's the nit with Silent Circle specifically? Because they're
>>>>> accessible? Because it's easier to use? Because the founders have good
>>>>> track records of standing up to Government too?
>>>>>
>>>>> Being absolutist about everything isn't helping anyone who ~needs~ it
>>>>> - it's a privilege of the "haves" that we can have these conversations
>>>>> over and over again.
>>>>>
>>>>> Shouldn't we have taken the "fight" to carriers, Apple iOS T&Cs, etc.
>>>>> harder and longer ago? And why do we keep expecting private entities to
>>>>> fight our Government battles for us? It's a losing proposition and
>>>>> increases the costs-per-individual to untenable levels when we mix
>>>>> absolutely all their enterprise with civil liberty issues.
>>>>>
>>>>> There has got to be a better way than this ridiculous trolling and
>>>>> bickering. Someone? Anyone?
>>>>>
>>>>> Again, seriously, what's the agenda against Silent Circle specifically?
>>>>>
>>>>> -Ali
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Nov 6, 2012 at 1:20 PM, Nadim Kobeissi  wrote:
>>>>>
>>>>>> http://issilentcircleopensourceyet.com/
>>>>>>
>>>>>> NK
>>>>>>

Re: [liberationtech] issilentcircleopensourceyet.com

2012-11-06 Thread Ali-Reza Anghaie
I read them before - I followed the thread before. I too have written that
Silent Circle needs to follow-through on their promises. I also highlighted
some of the challenges of being a commercial entity in this space.

I wasn't being aggressive - hardly.

I'm disillusioned with the state of hacktivism when it's continuing to
force people to "come to us" instead of making it out to the people. I
meant what I said - I have a deep concern we're moving the discussion
further and further into the domain of the "haves".

And I ask about agenda because even when RedPhone and TextSecure were in
the exact, if not worse, boat - where were the domains and nits? I'm not
asking you as in ~you~ are the gamekeeper for all that - it's just a
dynamic in the community as a whole that's less than admirable. Or the far
more dangerous and opaque solutions than SC that exist that haven't gotten
a peep as much criticism at the same level-scale (of course they hit the WL
circle).

It's going full circle to are we helping or hurting the availability of
solutions when the default position is absolute disregard for any history
or written intent. At all. "If it's not ideal and idealistic - it's just
not worth using".. ??

*shrug* I appreciate your answer - it's crisp at least. -Ali



On Tue, Nov 6, 2012 at 1:37 PM, Nadim Kobeissi  wrote:

> Hi Ali,
> There is no "agenda," and there needn't be one if you are to critique
> security software. No need to be so aggressive.
> My qualms against Silent Circle are detailed here:
> http://log.nadim.cc/?p=89
>
>
> NK
>
>
>
> On Tue, Nov 6, 2012 at 1:34 PM, Ali-Reza Anghaie wrote:
>
>> Seriously - what's your agenda?
>>
>> Where are the domains for the other tens of providers who charge arms and
>> legs based on closed protocols even?
>>
>> What's the nit with Silent Circle specifically? Because they're
>> accessible? Because it's easier to use? Because the founders have good
>> track records of standing up to Government too?
>>
>> Being absolutist about everything isn't helping anyone who ~needs~ it -
>> it's a privilege of the "haves" that we can have these conversations over
>> and over again.
>>
>> Shouldn't we have taken the "fight" to carriers, Apple iOS T&Cs, etc.
>> harder and longer ago? And why do we keep expecting private entities to
>> fight our Government battles for us? It's a losing proposition and
>> increases the costs-per-individual to untenable levels when we mix
>> absolutely all their enterprise with civil liberty issues.
>>
>> There has got to be a better way than this ridiculous trolling and
>> bickering. Someone? Anyone?
>>
>> Again, seriously, what's the agenda against Silent Circle specifically?
>>
>> -Ali
>>
>>
>>
>> On Tue, Nov 6, 2012 at 1:20 PM, Nadim Kobeissi  wrote:
>>
>>> http://issilentcircleopensourceyet.com/
>>>
>>> NK
>>>

Re: [liberationtech] issilentcircleopensourceyet.com

2012-11-06 Thread Ali-Reza Anghaie
Seriously - what's your agenda?

Where are the domains for the other tens of providers who charge arms and
legs based on closed protocols even?

What's the nit with Silent Circle specifically? Because they're accessible?
Because it's easier to use? Because the founders have good track records of
standing up to Government too?

Being absolutist about everything isn't helping anyone who ~needs~ it -
it's a privilege of the "haves" that we can have these conversations over
and over again.

Shouldn't we have taken the "fight" to carriers, Apple iOS T&Cs, etc.
harder and longer ago? And why do we keep expecting private entities to
fight our Government battles for us? It's a losing proposition and
increases the costs-per-individual to untenable levels when we mix
absolutely all their enterprise with civil liberty issues.

There has got to be a better way than this ridiculous trolling and
bickering. Someone? Anyone?

Again, seriously, what's the agenda against Silent Circle specifically?

-Ali



On Tue, Nov 6, 2012 at 1:20 PM, Nadim Kobeissi  wrote:

> http://issilentcircleopensourceyet.com/
>
> NK
>

Re: [liberationtech] What I've learned from Cryptocat

2012-08-07 Thread Ali-Reza Anghaie
On Tue, Aug 7, 2012 at 7:19 PM, Jacob Appelbaum  wrote:

> Ali-Reza Anghaie:
> >
> > I don't think it's they don't get it - once explained to even the most
> > jaded they accept the expertise - it's that in the time period with
> > immediate windows of opportunity present people are looking for a usable
> > solution for ~their~ definition of usable (not "ours"). And they want it
> > ~now~ on systems they actually have access to.
> >
>
> I regularly explain this to people. Many people have a normal
> psychological reaction where they decide they're not important, not a
> target, targeting is too hard and so on. Generally, they then say,
> "well, whatever" and go on with their lives. It's a heavy burden to
> consider the weight of the NSA's warrant-less wiretapping abilities and
> ongoing realities.


To be clear - you and I can afford to worry about NSA and IRGC - the people
I'm talking about have more pressing issues right then. That week. And no
recourse, ACLU, or EFF to go to. They want a quick and clean solution and
sometimes that's just to say "here is where our money is, take care of my
family in [OTHER_COUNTRY]"..

(Extreme example intentional.)

And thank you - I at least understand where you're at better than Tweets
express. -Ali
___
liberationtech mailing list
liberationtech@lists.stanford.edu

Should you need to change your subscription options, please go to:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click "yes" (once you click above) 
next to "would you like to receive list mail batched in a daily digest?"

You will need the user name and password you receive from the list moderator in 
monthly reminders. You may ask for a reminder here: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech

Re: [liberationtech] What I've learned from Cryptocat

2012-08-07 Thread Ali-Reza Anghaie
On Tue, Aug 7, 2012 at 7:06 PM, Jacob Appelbaum  wrote:

> It's interesting because one outcome seems to be that almost everyone
> agrees that plaintext should not be considered reasonable. That's a
> great outcome so far - I remember a time when people felt that it was
> fine, most of the time, to have unencrypted communications as the norm.
>
> I look forward to the day when those same people start to get the big
> picture on general social graph style traffic analysis.
>

I don't think it's they don't get it - once explained to even the most
jaded they accept the expertise - it's that in the time period with
immediate windows of opportunity present people are looking for a usable
solution for ~their~ definition of usable (not "ours"). And they want it
~now~ on systems they actually have access to.

That's their acceptable risk standard even if we entirely disagree.

Breaking that dynamic isn't something you or I can fix per se. Is it? -Ali

Re: [liberationtech] What I've learned from Cryptocat

2012-08-07 Thread Ali-Reza Anghaie
Sounds great - I'd love a copy. I'm trying to consolidate experiences
against experience levels and in my case ~regional~ options under disparate
groups of IRGC monitoring and control.

Thanks for the offer - look forward to it. And will report back thoughts on
the use-cases I was thinking on. -Ali


On Tue, Aug 7, 2012 at 8:39 AM, Eric S Johnson wrote:

> The donor-funded Information Security Coalition is the largest
> digital-security-for-activists project, so its mentors / cybersecurity
> officers are among the best repositories of activists & journos’
> experiential information that is key to outlining an online-freedom threat
> model for each target country. But it would be hard to get consensus among
> all the possible actors in this field; the techsec training I recently held
> for Zim activists might lead me to different conclusions than those of the
> (at least two, just counting folks on LibTech) others who were there,
> independently of each other and me, doing similar work just in the last
> couple months. And that’s just one country. (Or maybe we’d agree. There’s a
> surprising lack of cooperation/communication among the main players, even
> though their absolute number is rather small.)
>
> It’s my impression that the biggest disagreement is over
> whether we should be trying to teach everyone the maximum (on the
> assumption that the bad guys are practically omnipotent, or could be), or
> whether we should come to terms with the fact that if the solutions we
> provide are too hard, no one will use them, which leads us to settling for
> some version of “good enough.” (A classic example might be IM: some insist
> we teach Pidgin+OTR (or Psi+OpenPGP, or whatever), which is the nuclear
> option but which trainees, practically speaking, don’t end up using; others
> settle for Skype, for which we can describe theoretical attacks but which,
> in practice, has so far proved secure from inline interception, and which
> trainees do use because its UI’s great and one’s interlocutors are probably
> also on it (Metcalfe’s law).)
>
> I know of about two dozen “guides for activists to stay safe online” (by
> RSF, CPJ, EFF, RSF, etc.; they’re enumerated in my own 8p 30-point
> cheat-sheet aggregation of data on this topic (aka “the SIDA PDF”), which
> I’m happy to share with anyone who requests it—many of you have seen /
> contributed to it), but the leading one is probably “Security in a Box”
> (aka SiaB, by TTC+FLD) (currently (constantly?) being updated). Most of
> these guides are informed by a lot of field experience (e.g. I’ve worked
> in/on almost all the hostile countries—I even live in one of them).
>
> Best,
>
> Eric
>
> PGP<http://keyserver.pgp.com/vkd/DownloadKey.event?keyid=0xE0F58E0F1AF7E6F2>
> 
>
> From: liberationtech-boun...@lists.stanford.edu [mailto:
> liberationtech-boun...@lists.stanford.edu] On Behalf Of Ali-Reza Anghaie
> Sent: Tuesday, 07 August 2012 04:40
> To: Luke Allnutt
> Cc: liberationtech-boun...@lists.stanford.edu;
> liberationtech@lists.stanford.edu
> Subject: Re: [liberationtech] What I've learned from Cryptocat
>
> On Tue, Aug 7, 2012 at 4:25 AM, Luke Allnutt  wrote:
>
> With Frank's message in mind, do list members have thoughts about the best
> dumbed-down guide for activists to stay safer online?
>
> I know EFF, MobileActive, and Movements.org have done some good work in
> this field, but wondered whether there is a consensus on a good short,
> easy-to-understand document for activists? 
>
> If there is an existing consensus - it's bound to be part of the problem..
> 
>
> Snark aside, I'm serious.
>
> The biggest problem I've seen w/ any of these is the total lack of
> understanding how all of these same target users dealt with Government
> surveillance ~before~ us and what carryover behaviors still work for them
> now.
>
> Set aside the Cryptocat project, where do the list managers or various
> Faculty and Staff suggest we can gather the "requirements" from all of our
> personal experiences. At least we have them to then start categorizing and
> consolidating into a "message" for those trying to help the activists under
> fire. -Ali
>
> ___
> liberationtech mailing list
> liberationtech@lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, clic

Re: [liberationtech] What I've learned from Cryptocat

2012-08-07 Thread Ali-Reza Anghaie
On Tue, Aug 7, 2012 at 4:25 AM, Luke Allnutt  wrote:

>
> With Frank's message in mind, do list members have thoughts about the best
> dumbed-down guide for activists to stay safer online?
>
> I know EFF, MobileActive, and Movements.org have done some good work in
> this field, but wondered whether there is a consensus on a good short,
> easy-to-understand document for activists?
>

If there is an existing consensus - it's bound to be part of the problem..

Snark aside, I'm serious.

The biggest problem I've seen w/ any of these is the total lack of
understanding how all of these same target users dealt with Government
surveillance ~before~ us and what carryover behaviors still work for them
now.

Set aside the Cryptocat project, where do the list managers or various
Faculty and Staff suggest we can gather the "requirements" from all of our
personal experiences. At least we have them to then start categorizing and
consolidating into a "message" for those trying to help the activists under
fire. -Ali
___
liberationtech mailing list
liberationtech@lists.stanford.edu

Should you need to change your subscription options, please go to:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click "yes" (once you click above) 
next to "would you like to receive list mail batched in a daily digest?"

You will need the user name and password you receive from the list moderator in 
monthly reminders. You may ask for a reminder here: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech

Re: [liberationtech] What I've learned from Cryptocat

2012-08-06 Thread Ali-Reza Anghaie
On Mon, Aug 6, 2012 at 9:51 PM, Jillian C. York  wrote:
> Actually, I think it almost only applies in the US.  I know you said you
> were only talking about security, but since you bring up warrants...
>
> Because of that, I'd recommend Riseup over Google for most activists outside
> the US.  Whereas Google may not do the legwork around resisting an order
> from say, the Indian government (I'm intentionally choosing a middle-ground
> country; I suspect Google would go to bat for a Chinese activist at this
> point), Riseup doesn't have to think about that.  They have no reason to
> respond to a legal order from a country in which they have neither servers
> nor employees.
>
> Just wanted to be clear about that, for the sake of the list.

Yeah, I definitely need to put that table together.

This works out well in places where there is enough visibility (or care)
from the outside. On the other hand a Baha'i touching Riseup at all is
enough in Iran - well, being Baha'i is enough in Iran - ..

So aside from the technical I still think there is value for hiding in
plain sight. And regular old web services that can be deployed at
domains not "hey my name is foo" are really valuable.

This branches off the Cryptocat thread - I'll send my thoughts separately. -Ali


Re: [liberationtech] What I've learned from Cryptocat

2012-08-06 Thread Ali-Reza Anghaie
On Mon, Aug 6, 2012 at 9:21 PM, Moxie Marlinspike
 wrote:
> However, my position is that Google Chat is currently more secure than
> CryptoCat.  To be more specific, if I were recommending a chat tool for
> activists to use, *particularly* outside of the United States, I would
> absolutely recommend that they use Google Chat instead of CryptoCat.
> Just as I would recommend that they use GMail instead of HushMail.

Separate of the technical issues THIS - I've seen far far more people
"caught" in these overseas hostile environments because they were using
the nuance tool that clearly stood out. -Ali


Re: [liberationtech] What I've learned from Cryptocat

2012-08-06 Thread Ali-Reza Anghaie
On Mon, Aug 6, 2012 at 9:08 PM, Jacob Appelbaum  wrote:
> Ali-Reza Anghaie:
>>
>> Except you're trying to solve a resource and environmental OPSEC
>> problem while effectively reducing the available exfiltration surface
>> (as it were) to a point where the adversary Nation-State (one use
>> case) can shut it down even easier. And you're still not addressing
>> the whole of the problem set an end-user in these hostile environments
>> will face.
>
> Huh?
>
> If your internet cafe has a key logging or a screen logging system,
> they're equal. If they can break SSL, you lose on the network.

Let me try this again - sorry.

If Cryptocat only works on fewer available systems because it's trying
to build in more technical resiliency then it also becomes easier to
shut down in hostile environments (e.g. Iran). On top of that it also
reduces the number of people capable of using it at all.

I think I have to throw together a table w/ real-world use/region
examples from say Iran to communicate it better. -Ali


Re: [liberationtech] What I've learned from Cryptocat

2012-08-06 Thread Ali-Reza Anghaie
On Mon, Aug 6, 2012 at 8:51 PM, Jacob Appelbaum  wrote:
> The problem is that the little bit is effectively zero.
>
> What's the difference between Facebook chat over SSL and Cryptocat over SSL?
>
> Without a browser extension/plugin - there is little to no difference.
>
> You have to trust the server and the server operator to not be a bad
> actor in both cases.

Except you're trying to solve a resource and environmental OPSEC
problem while effectively reducing the available exfiltration surface
(as it were) to a point where the adversary Nation-State (one use
case) can shut it down even easier. And you're still not addressing
the whole of the problem set an end-user in these hostile environments
will face.

I think a "step back" needs to be taken and look at the sum of
problems the various tiers of activists encounter - and which ones we
can truly solve remotely. Unfortunately almost none of them start w/
technical solutions. -Ali


Re: [liberationtech] What I've learned from Cryptocat

2012-08-06 Thread Ali-Reza Anghaie
On Mon, Aug 6, 2012 at 8:43 PM, Jillian C. York  wrote:
> It's difficult.  I'm not a technologist, but I understand the issues and the
> user needs well.  My "type," I'd surmise, is few and far between.

The problem isn't that your type is few and far between - the problem
is that InfoSec has almost wholly ignored ESTABLISHED activists. As if
the techniques, acceptable risk levels, etc. are new issues. They're
simply not.

> Security experts have obvious reasons for being conservative, and I get
> that.  Nevertheless, there are a lot of users who would benefit from a
> little bit of added security.  The question, then, as I see it, is:
>
> How do we provide that little bit while still making users aware of risks?

It's been my experience that providing these risks in-band is just not
doable - and the target end-users don't have time to worry about it.
So OPSEC has to be something that tools like Cryptocat don't assume
responsibility for. This is InfoSec sacrilege but it's the way
activists have traditionally had to work in the first place. As an
example, let's say w/ Iran, you're never - ever - going to be able to
address the OPSEC concerns of a given Internet cafe. What you can do
instead is provide a tool that works from every possible cafe and
trust the end-user to manage the OPSEC of their surroundings such that
perimeter controls, MITM risks, etc. are mitigated another way.

If that's not tenable for Nadim or his particular crowd then a shift
from developer to activist needs to be made. Just like any other
process, the product isn't out there for product's sake - it has
"customers".. and it's not those people who think they need an easier
lazier option to setting up OTR or PGP.

BTW, you're not without understanding and support in the Security
community. Meredith Patterson among others have batted this around
with me on Twitter - and understand the economics of the situation
fine.

Good luck Nadim and friends, -Ali