[liberationtech] seeking open wireless projects

2013-07-19 Thread Dan Auerbach
Hi libtech,

We at EFF are writing up a taxonomy of existing "open wireless"
commercial or non-commercial projects that have launched and would love
input from folks on this list. So far we are looking at:

Fon - http://corp.fon.com/
Comcast -
http://corporate.comcast.com/news-information/news-feed/comcast-unveils-plans-for-millions-of-xfinity-wifi-hotspots-through-its-home-based-neighborhood-hotspot-initiative-2
Karma - https://yourkarma.com/
Ruckus - http://www.ruckuswireless.com/
KeyWifi - is this project still active?

We're sure there are many more, and wanted to see if people here could
help by pointing us towards launched projects to add to the list. It's
hard to draw a bright line between what counts as a "launched project"
vs, say, a technical solution. For example, we don't want to include a
protocol like EAP-SIM or firmware that has optional open wireless as a
launched project, but firmware that ships with "default on" guest
networking might qualify. Any suggestions you have are great so don't
hesitate to let us know about any cool thing related to open wireless,
just please don't be offended if we decide not to categorize it as a
launched project.

Our goal is NOT to promote these solutions, but rather just to give an
idea of what's out there, what desirable properties each offering has,
and what properties it lacks. For example, we think decentralized
solutions that have no captive portals or authentication and are
universally available are preferred. We do not want to get into a
discussion of the security properties of open wireless, or any
discussion about the merits of one solution vs another -- we are simply
seeking information on what is out there.

Thanks,

-- 
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
d...@eff.org
415 436 9333 x134

--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-21 Thread Dan Auerbach
On 03/21/2013 10:37 AM, Jacob Appelbaum wrote:
> Joseph Lorenzo Hall:
>>
>> On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
>>> Joseph Lorenzo Hall:
>>>> Two things seem particularly interesting: apparently zero requests for
>>>> content were fulfilled for Skype and the associated FAQ [1] says CALEA
>>>> (the US law that mandates intercept capability) does not apply to
>>>> Skype.
>>>> That seems particularly encouraging to me.
>>>>
>>>> The FAQ is also interesting in that the non-content question mentions
>>>> "location" but then only lists state, country and ZIP code as fields
>>>> provided (I don't know how MSFT would have access to precise
>>>> geolocation, but that doesn't appear to be something they provide).
>>>> Also
>>>> the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
>>>> so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
>>>> (hard to tell if that was just one more NSL or a bunch).
>>>>
>>>
>>> I don't agree with that reading of the report. There is likely a lot of
>>> word-smithing here - for example, does Skype include SkypeIn and
>>> SkypeOut or just Peer to Peer video, text and storage of (other)
>>> meta-data? Does CALEA happen on the Skype side of things or on the
>>> PSTN/VoIP service side of Skype{In,Out}? My guess is the latter rather
>>> than the former.
>>
>> Ok, I certainly agree there is probably a lot of wordsmithing here.
>> CALEA certainly applies to PSTN interconnection but then presumably law
>> enforcement would just go to the phone company which has
>> CALEA-compliant switching hardware there. (I think.)
>>
>>> Also, note that Microsoft "Provided Guidance to Law Enforcement" - so
>>> when they say they didn't provide content, did they provide the
>>> credentials? If so, the guidance could have allowed the "Law
>>> Enforcement" to simply login and restore the account data. Or perhaps
>>> merely disclosing a key?
>>
>> They certainly don't describe what that means, which is strange because
>> for a transparency report with quantitative data, one would want to
>> bound what the categories of quantitative data are! I would hope that
>> MSFT would consider providing ciphertext and session keys as "providing
>> content" and increment the zeros in that column, but there's no
>> definitive statement in all of this that I can see which would support
>> that.
> I wrote to them and asked these questions, as well as a few others.
>
> What other questions should we pose to them, I wonder?
Reading quickly through the documents, there seems to be no information
about US FISA court orders, so that might be something to ask them
about. I am concerned about the possibility that FISA is being abused to
access large swaths of user data (esp given FAA provisions and secret
interpretation of section 215 of Patriot Act). You could suggest general
rounded numbers for FISA like for NSLs. Doubt you'll get any info, though.

That said, kudos to MS for releasing this info and to people for pushing
them on Skype!

-- 
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
d...@eff.org
415 436 9333 x134



Re: [liberationtech] Let's make rooting phones a crime

2013-02-20 Thread Dan Auerbach
A quick point of clarification: rooting/jailbreaking your phone is
indeed legal thanks to a DMCA exemption that was recently won. Unlocking
your phone is a different matter. This blog post lays it out:
https://www.eff.org/is-it-illegal-to-unlock-a-phone

Cheers,
Dan

On 02/20/2013 03:30 PM, Cooper Quintin wrote:
> Forward from the guardian project listserve:
> --
>
> Oh wait, it already is! Thanks to new DMCA regulations.
>
> If we get 100,000 petitions on the White House petition site, Obama has
> to make a statement about this issue. The good news is that *there are
> already 88,457 signatures*! The bad news is that *there are only a few
> days left *to reach the goal.
>
> YOU can take a stand against making rooting phones a crime. Register and
> sign the petition here - http://wh.gov/yA9n. I mean, you want to be
> more like *Vint Cerf* and *JP Barlow*, right? Well they're on board
> <http://www.wired.com/threatlevel/2013/02/mobile-unlocking-petition/>.
> For more details, check out this article in the Atlantic
> <http://www.theatlantic.com/business/archive/2013/01/the-most-ridiculous-law-of-2013-so-far-it-is-now-a-crime-to-unlock-your-smartphone/272552/>
>
> At Guardian Project we seek to ensure that everyone is as secure and
> private as they want to be when using their phones. Attempts at
> installing cops in our phones are a disservice to human rights the world
> over. Thanks for listening and doing your part.
>
> In solidarity,-
>
> Mark
>
> P.S. You're at the bottom and haven't signed yet? Click here to get to
> 100,000 <http://wh.gov/yA9n>!
>
>
> --
> @mbelinsky <https://twitter.com/mbelinsky> | guardianproject.info
> <https://guardianproject.info/> | phone: +1-347-466-9327 | ostel: 1003 |
> pgp: 0xEFBFA7278D8EFFDA
> <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEFBFA7278D8EFFDA>


-- 
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
d...@eff.org
415 436 9333 x134


Re: [liberationtech] What I've learned from Cryptocat

2012-08-07 Thread Dan Auerbach
Making an informed decision as a user or a developer when it comes to
real-world tradeoffs between usability and security of course hinges
upon your threat model. I think this is ultimately an empirical question
-- we should be aiming to create a taxonomy of various actual tools
packaged and sold by companies like FinFisher, beyond just the
brochures. For example, Morgan and Citizen Lab did an excellent analysis
recently of FinSpy (in case you missed it:
http://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/).
Expanding this research and getting an inside view into the industry
will help everyone make non-speculative decisions about threat models.
It's a difficult problem -- getting this inside view -- but it seems
worthwhile. Is anyone working towards compiling such a list?

And I'll just add that I agree with Moxie about recommending gchat over
cryptocat for users in jurisdictions where Google is unlikely to hand
over information to LE. However, even in this case it may not be so
black and white. The FinSpy software mentioned above, for example, may
intercept Google's chat traffic because it's a popular service, and may
ignore cryptocat because it is relatively unknown. This isn't an
argument that cryptocat v1 is a tenable long-term alternative, but just
shows that it's very difficult to maximally protect every single user
when it comes to real-world recommendations.

Finally, I'll just support the idea that usability is critical and the
burden of making something usable should always be on the developer,
never on the intelligence or know-how of the user. Although I agree
cryptocat v1 has significantly more security issues than v2, I think the
sacrifice in usability moving to v2 is significant and I'd hypothesize
that installing an extension is much harder for people than visiting a
website. Though, again, it's an empirical question that can be answered
rigorously through user experience research.

On 08/07/2012 08:02 AM, Maxim Kammerer wrote:
> On Tue, Aug 7, 2012 at 4:21 AM, Moxie Marlinspike wrote:
>> However, my position is that Google Chat is currently more secure than
>> CryptoCat.  To be more specific, if I were recommending a chat tool for
>> activists to use, *particularly* outside of the United States, I would
>> absolutely recommend that they use Google Chat instead of CryptoCat.
>> Just as I would recommend that they use GMail instead HushMail.
>>
>> The security of CryptoCat v1 is reducible to the security of SSL, as
>> well as to the security of the server infrastructure serving the page.
>> Any attacker who can intercept SSL traffic can intercept a CryptoCat
>> chat session, just as any attacker who can compromise the server (or the
>> server operator themselves) can intercept a CryptoCat chat session.
> Are you equating passive attacks with active attacks? If I understand
> how CryptoCat works correctly, it is resistant against passive
> interception attacks, whereas Google Chat stores cleartext on Google
> servers, which are easily accessible to law enforcement. Active
> attacks against SSL can be mitigated by pinning CryptoCat
> certificates, so you are left with what, compromise of server
> infrastructure? That requires LE jurisdiction where the servers are
> located, domain expertise, and dealing with the risk that the
> compromise is detected. All that vs. Google servers, which, if I
> remember right, provide a friendly interface to user accounts once
> served with a simple wiretapping order (and as has been already
> mentioned, Google is a multinational corporation, subject to a
> multitude of jurisdictions, and is known to bend over for whoever is
> in charge).
>


___
liberationtech mailing list
liberationtech@lists.stanford.edu

Should you need to change your subscription options, please go to:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click "yes" (once you click above) 
next to "would you like to receive list mail batched in a daily digest?"

You will need the user name and password you receive from the list moderator in 
monthly reminders. You may ask for a reminder here: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech