Re: [liberationtech] The world's most secure password for websites, games and private data.

2017-06-23 Thread lists

Another joke, but it's not a bad suggestion:

https://twitter.com/dcuthbert/status/877469739538407424

More on diceware passwords: https://en.wikipedia.org/wiki/Diceware

--
Rick Valenzuela
Videojournalist
Shanghai, China
--
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change 
to digest, or change password by emailing the moderator at zakwh...@stanford.edu.


Re: [liberationtech] Should we start a new Stanford liberationtech-news list?

2017-02-19 Thread lists

On Sun, Feb 19, 2017 at 04:36:02PM -0500, Thomas Delrue wrote:
> On 02/19/2017 04:25 PM, Rick Valenzuela wrote:
>> and maybe the URL for the article linked within the tweet.
>
> Please consider sanitizing this (i.e. remove the redirection that first
> hits twatter) so that they don't see that you click on/visit the link,
> that would be good.
> Plus, then people also immediately know where they'll be taken if they
> click the link.
>
> Also, avoid HTML, prefer plaintext. Why dazzle them with style, when you
> can dazzle them with substance?


Hi Thomas,

I rewrote my script to do that; each tweet would be split into three
lines: the tweet's URL, the tweet text and the expanded link contained
within the tweet. For example:

```
https://twitter.com/Liberationtech/status/833379727691886592
The latest The Liberationtech Daily! https://t.co/WGRVUpKJUC
http://paper.li/Liberationtech?edition_id=853a4330-f6cf-11e6-89dc-0cc47a0d15fd
```

I put it in a repo here: https://github.com/rveeblefetzer/libtech_days_tweets

There is one issue: if the tweet is a retweet or reply, the expanded_url
from the API's 'entities' shows a truncated short URL, like: https://t.co…

And hey Ceci! The script I posted also uses Tweepy. Check it out --
there is of course much more data that could be pulled, but I kept it
minimal, thinking that this is likely best for a plaintext summary.

Best,
Rick

--
Rick Valenzuela
Videojournalist
Shanghai, China

GPG: 0x054124ADD5644029
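
The three-line format and the retweet problem described in the message above, as an added example that is not Rick's script or part of the thread. It assumes v1.1-style status dictionaries (the `id_str`, `user.screen_name`, `text`/`full_text`, `entities.urls[].expanded_url` and `retweeted_status` fields); the retweet and reply samples are constructed.

```python
"""Added example: three-line plaintext summary of a tweet, links expanded."""

ELLIPSES = ("…", "...")


def _complete(url):
    # A truncated status carries an expanded_url that is cut short and ends in
    # an ellipsis (the "https://t.co…" case); such a value is not a usable link.
    return bool(url) and not url.endswith(ELLIPSES)


def summarize(status):
    """Return [tweet URL, tweet text, expanded link(s)] for one status dict.

    For a retweet the outer status is truncated, so text and entities are
    read from the nested original under 'retweeted_status' instead.
    """
    src = status.get("retweeted_status") or status
    author = status["user"]["screen_name"]
    lines = [f"https://twitter.com/{author}/status/{status['id_str']}"]

    text = src.get("full_text") or src.get("text", "")
    if src is not status:
        text = f"RT @{src['user']['screen_name']}: {text}"
    lines.append(" ".join(text.split()))  # keep one tweet on one line

    links = []
    for entity in src.get("entities", {}).get("urls", []):
        url = entity.get("expanded_url")
        if _complete(url) and url not in links:
            links.append(url)
    if links:  # never fall back to the t.co redirect
        lines.append(" ".join(links))
    return lines


def digest(statuses):
    """Plaintext digest: one block per tweet, blank line between blocks."""
    return "\n\n".join("\n".join(summarize(s)) for s in statuses)


# Values taken from the example in the message above.
ORIGINAL = {
    "id_str": "833379727691886592",
    "user": {"screen_name": "Liberationtech"},
    "text": "The latest The Liberationtech Daily! https://t.co/WGRVUpKJUC",
    "entities": {"urls": [{
        "url": "https://t.co/WGRVUpKJUC",
        "expanded_url": "http://paper.li/Liberationtech"
                        "?edition_id=853a4330-f6cf-11e6-89dc-0cc47a0d15fd",
    }]},
}

# Constructed retweet: outer text and entity are truncated, original is nested.
RETWEET = {
    "id_str": "1",
    "user": {"screen_name": "example_user"},
    "text": "RT @Liberationtech: The latest The Liberationtech Daily! https://t.co…",
    "entities": {"urls": [{"url": "https://t.co…", "expanded_url": "https://t.co…"}]},
    "retweeted_status": ORIGINAL,
}

# Constructed reply: truncated link and no nested original to recover it from.
REPLY = {
    "id_str": "2",
    "user": {"screen_name": "example_user"},
    "text": "@Liberationtech thanks, see https://t.co…",
    "entities": {"urls": [{"url": "https://t.co…", "expanded_url": "https://t.co…"}]},
}

if __name__ == "__main__":
    print(digest([ORIGINAL, RETWEET, REPLY]))
```

A reply has no nested original, so its truncated link is dropped rather than replaced by the shortener URL; fetching the status with `full_text` populated is what recovers it.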

Re: [liberationtech] Research project on privacy and encryption

2016-04-10 Thread lists

ha! So much for opsec. Should've looked at the CC line.
--
Rick Valenzuela
Videojournalist
Shanghai, China

+86 185 0177 0138
r...@rickv.com

GnuPG ID: 0xD5644029


Re: [liberationtech] Whistleblower systems in local governments

2016-03-05 Thread Fabio Pietrosanti (naif) - lists

Hello,

at Hermes Center we got a good set of experience in deploying and
customizing GlobaLeaks for Public Agencies and AntiCorruption NGOs (even
if we're mostly known for uses in media-activism and investigative
journalists).

Since we've started cooperating with TI's national chapters and other
anti-corruption NGOs in 2014, we've started an improvement process of
the GlobaLeaks software to increase information quality coming into the
system, handling different submission workflows, handling multiple teams
on the same platforms, integrating in existing websites in a
privacy-preserving way and stuff like that.

Btw from what we've learned "on field", the procedural/organizational
part of a whistleblowing project (let's call it "the analog part") is
probably the most important.

I'd really recommend to get support from the national chapter of
Transparency International, that surely knows better also the specific
"legal" requirements that may impact the procedures and workflows for
Whistleblowing.

If we can give some advice / support in evaluating / deploying
GlobaLeaks in that context, let's fire an email! :-)

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org -
https://ahmia.fi

On 3/5/16 5:20 PM, Yosem Companys wrote:
> From: *Joonas Pekkanen*
> 
> does anyone have any tips to find information on well-working
> whistleblower systems in cities (or other local governments)? 
> 
> The City of Helsinki has now set up a committee
>  (working until June)
> to examine how such a system should be set up. I would like to make sure
> the committee has the best info at hand.
> 
> Thank you in advance!
> 
> Joonas Pekkanen
> http://linkedin.com/in/pekkanen
> 
> 


[liberationtech] Email provider enabling enforced SMTP/TLS for inbound MX-received emails

2016-01-03 Thread Fabio Pietrosanti (naif) - lists

Hi all,

does anyone know of an email provider enabling enforced SMTP/TLS for
inbound MX-received emails?

Assume that I want my provider to refuse email destined to me, at
inbound Mail Exchanger level, if it is not coming encrypted with
SMTP/TLS, with a decent TLS version and with a decent cipher.

Ideally, I would like an automatic email to be sent back to the sender
of that email, informing him that his email provider/email server is not
secure and must be updated to enable sending email securely.
It would provide increased security against massive surveillance of my
own email and automatic advocacy and advice for email security to senders
writing me from unsecure email.

Any email provider that enables doing so?

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org -
https://ahmia.fi
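
An added illustration, not part of the message above and not any provider's code: before an MX enforces the policy asked about here, the same rule can be run over already-delivered mail to see how much of it would have been refused. It assumes a Postfix MX with `smtpd_tls_received_header = yes`, which records the negotiated protocol and cipher in its own `Received` header; the thresholds, weak-cipher list and sample messages are constructed.

```python
"""Added example: audit which inbound messages a TLS-only MX policy would refuse."""
import re
from email import message_from_string

# Postfix writes the session parameters into the header it adds, e.g.
#   (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
TLS_NOTE = re.compile(
    r"\(using (?P<proto>TLSv[\d.]+|SSLv\d) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\)"
)
PROTO_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2,
              "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}
MIN_PROTO = "TLSv1.2"   # assumption: what counts as a "decent TLS version"
MIN_BITS = 128          # assumption: what counts as a "decent cipher"
WEAK_TOKENS = {"RC4", "DES", "3DES", "NULL", "EXP", "EXPORT", "MD5", "ADH", "AECDH"}


def inbound_hop(raw_message):
    """Return the topmost Received header, whitespace-normalised.

    Only the header added by our own MX is trustworthy; every Received
    line below it was supplied by the sending side and can be forged.
    """
    received = message_from_string(raw_message).get_all("Received") or []
    return " ".join(received[0].split()) if received else ""


def evaluate(raw_message):
    """Return (accept, reason) under the TLS-only inbound policy."""
    note = TLS_NOTE.search(inbound_hop(raw_message))
    if note is None:
        return False, "no TLS on inbound hop"
    proto, cipher, bits = note["proto"], note["cipher"], int(note["bits"])
    if PROTO_RANK.get(proto, -1) < PROTO_RANK[MIN_PROTO]:
        return False, f"protocol {proto} below {MIN_PROTO}"
    if bits < MIN_BITS or WEAK_TOKENS & set(re.split(r"[-_]", cipher)):
        return False, f"weak cipher {cipher}"
    return True, f"{proto} {cipher}"


def audit(messages):
    """Count what the policy would accept and refuse, keeping the reasons."""
    report = {"accept": 0, "refuse": 0, "reasons": []}
    for raw in messages:
        ok, reason = evaluate(raw)
        report["accept" if ok else "refuse"] += 1
        if not ok:
            report["reasons"].append(reason)
    return report


def _sample(tls_note, with_kw):
    # Constructed message with a Postfix-style Received header.
    lines = ["Received: from mail.sender.example (mail.sender.example [192.0.2.10])"]
    if tls_note:
        lines.append("\t" + tls_note)
    lines += [
        f"\tby mx.recipient.example (Postfix) with {with_kw} id 4A1B2C3D4E",
        "\tfor <user@recipient.example>; Sun,  3 Jan 2016 10:00:00 +0000 (UTC)",
        "From: sender@sender.example",
        "Subject: constructed sample",
        "",
        "body",
    ]
    return "\n".join(lines)


SAMPLES = [
    _sample("(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))", "ESMTPS"),
    _sample("", "ESMTP"),
    _sample("(using TLSv1 with cipher RC4-SHA (128/128 bits))", "ESMTPS"),
    _sample("(using TLSv1.2 with cipher DES-CBC3-SHA (112/168 bits))", "ESMTPS"),
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

When the refusal happens during the SMTP session itself, the sending server is the one that generates the bounce to its own user, which avoids sending automatic replies to forged sender addresses.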


[liberationtech] Open Call for GlobaLeaks Developers

2015-08-23 Thread Fabio Pietrosanti (naif) - lists

Are you interested in making the world a better place by putting your
development skills to use in a globally used free software project?
Do you feel passionate about using web technologies for developing
highly usable web applications?

Then read on – this may interest you!

GlobaLeaks is the first Open Source Anonymous Whistleblowing software
used for Anti-Corruption, Investigative Journalism and Human Rights Defense

The Hermes Center for Transparency and Digital Human Rights is looking
for talented software developers that can work in response to the ever
increasing demands of the growing GlobaLeaks adopters around the world.

To apply for this job you should be familiar with web technologies and
in particular with the Angular.js and Bootstrap frameworks, as a
Frontend Developer or Full Stack Developer.

You can join a non-profit entity making its platform the most used
whistleblowing tool.

The nature of the role is to be flexible in the way we work, with
developments ranging from a number of whistleblowing projects based on
GlobaLeaks for adopters all around the world up to more structured and
“easy to be planned” roadmap based activities.

You will be given an ideal opportunity to fast-track your skills by
working side by side our senior development team in all areas of the
project lifecycle.

If you are willing to take this challenge, you will be exposed to
GlobaLeaks project using AngularJS, and Bootstrap. Knowledge and
attention to UX design is paramount.

You can know more of our projects at:

Github https://github.com/globaleaks/globaleaks (Code)
Wiki https://github.com/globaleaks/globaleaks/wiki (Documentation)
Website https://globaleaks.org
Our (public) users https://en.wikipedia.org/wiki/GlobaLeaks#Implementations

Skills required

It is required to already have practical experience in software
development practices with Git, especially in the opensource environment
with Github, with a deep focus on modern HTML5/Web technologies.

Key skills:
* Javascript Asynchronous Programming,
* Responsive Design,
* UX Design

Key Technologies:
* AngularJS
* Bootstrap
* Github

Exposure to all the above skills is necessary. The ability to learn
quickly, embrace new technologies and have a good understanding of OO
principles is essential. This role will suit someone who is fresh out of
university, or has a little experience, with a hunger to move into a
senior role.

If you’re a full-stack developer using Python/Twisted, Linux, Debian
Packaging, Sqlite and DevOps ninja skills, we’d really love you!

Linguistic skills:
* English (Required)
* Italian (Preferred)

Location

We used to mostly work remotely with periodic activity bursts carried on
together (“hackathons”), but we are about to move to our own office in
the City Center of Rome (Largo di Torre Argentina, nearby Pantheon) or
Milan (nearby Bovisa) to achieve higher operational efficiency.

We’d prefer if you live or are willing to relocate for the time being in
Rome or Milan, but we’d consider remote workers as long as they are
operational within the European timezone day-time (CET/CEST).

About the Hermes Center

The Hermes Center for Transparency and Digital Human Rights is an
international NGO with Headquarter in Italy that develops, promotes and
diffuses technologies for Transparency and Human Rights Defense, with a
particular focus on Whistleblowing and Anonymity.

Since 2012 the Hermes Center works on GlobaLeaks and Tor2web
Whistleblowing software, with support from Open Technology Fund
(Washington), Hivos Foundation (Netherlands) and several journalistic,
anticorruption and human rights projects by international organizations
(ie: Transparency International, Amnesty International, Organized Crime
and Corruption Reporting Project, etc).


How you can apply?

To apply send a short note, a resume, and a link to your Github page to
j...@globaleaks.org.

Part of the recruitment process will require you to hack on GlobaLeaks,
so it will constitute a +100 points if you already fixed some Github
issues showing your coding skills with a well done pull request! :-)

This job post is available at:
http://logioshermes.org/open-call-for-globaleaks-developers

Contract

The contract depends on your experience, personal needs ranging from a
stage up to an employment contract, from a temporary engagement up to a
consulting agreement.

Hermes is an equal opportunity employer and will not discriminate
against any employee or applicant on the basis of age, color,
disability, gender, national origin, race, religion, sexual orientation,
veteran status, or any classification protected by law.


-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org -
https://ahmia.fi

Re: [liberationtech] Surveillance in Africa?

2015-02-19 Thread Fabio Pietrosanti (naif) - lists

On 2/19/15 8:23 PM, Yosem Companys wrote:
> From: Hille Koskela hille.kosk...@utu.fi
>
> Has anybody done research on surveillance in Africa (South of Sahara)?

You may wish to speak to Opennet Africa (http://opennetafrica.org/) that's 
working on that kind of issues too.


-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - 
https://ahmia.fi



[liberationtech] The missing tech between TBB, Whonix and Tails

2015-01-19 Thread Fabio Pietrosanti (naif) - lists

Hi all,

today when a user needs to have some degree of protection for his network
connectivity, for his browser experience, for his data stored and in the
end for his endpoint safety & integrity (his computer) there are few
options:
- Tor Browser Bundle (an App)
- Tails (an operating system replacement)
- Whonix (a virtual machine)

From a security, technical and usability perspective we acknowledge how
those approaches are different from each other.

I don't see a usable solution that provides various advantages of Tails
with the VM approach of Whonix while behaving with the same usability
of TBB (being an App).

To make it short:
- Tor Browser Bundle is usable, the user does not need to change its
operating environment
- Tails is a pain to install and to use, forces the user to change its
operating environment and use it in an exclusive way
- Whonix is less of a pain to install than Tails, forces the user to
change its operating environment but it can be used in parallel to
the existing operating environment (Windows, MacOS X)

Now, I see that there is something missing among all those various
technologies that can be:
* Deployed as a self-contained app (like TBB)
* Works in parallel with the existing operating environment of the
end-user (like Whonix)
* Provide the safety of operating in a Virtual Machine (like Whonix)
* Be integrated within the user operating environment (like VMWare
integration with Windows App)

The only similar approach I found is this BitBox made by the German
company Sirrix, used by the German Government, that's basically a sort
of Whonix but usable like-an-app from the end-user perspective:
http://www.sirrix.com/content/pages/BitBox_en.htm

It would be a very interesting and challenging project to see Tails or
Whonix or TBB evolve in that direction, opening up tons of new users.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - 
https://ahmia.fi



Re: [liberationtech] The missing tech between TBB, Whonix and Tails

2015-01-19 Thread Fabio Pietrosanti (naif) - lists

On 1/19/15 10:05 AM, Eduardo Robles Elvira wrote:
> Hello Fabio:
>
> Do you know about Qubes OS? http://qubes-os.org/ It might be of interest to
> you.
>
> Regards,
> Eduardo Robles Elvira @edulix skype: edulix2
> http://agoravoting.org   @agoravoting +34 634 571 634

Qubes OS is a great platform, but it requires you to install a new
operating system on your computer.

My topic of discussion is on how to provide safe enough applications
in the existing operating environment, that the average
non-computer-proficient user doesn't want to / can't abandon.

There are many people that use a computer procedurally, the learned
procedure to do stuff, and once those procedure completely because the
entire operating environment change, it's likely too hard.

Sounds like there's no easy-go-solution for that kind of users

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - 
https://ahmia.fi



Re: [liberationtech] Afrileaks

2015-01-14 Thread Fabio Pietrosanti (naif) - lists

On 1/14/15 11:51 AM, Marcin de Kaminski wrote:
> Dear all,
>
> What do you make of Afrileaks?
>
> http://www.theguardian.com/world/2015/jan/13/wikileaks-for-africa-introducing-afrileaks
>
> https://afrileaks.org/

Yo, as part of the Hermes Center (GlobaLeaks) that's the technology
partner of AfriLeaks, would like to provide a bit of general context of
that kind of initiatives.

GlobaLeaks software is a Whistleblowing Framework being used for
different Whistleblowing initiatives in different sectors and context
such as Journalism, Activism, Anticorruption, Public Agencies control,
Corporate compliance with the goal to be easy to install, configure,
customize, deploy for non-tech people.
More info on https://globaleaks.org + list of globaleaks adopters on
https://en.wikipedia.org/wiki/GlobaLeaks#Implementations .

PubLeaks is an initiative based on GlobaLeaks that has been launched
in September 2013 in the Netherlands where multiple media joined as a
consortium, enabling Sources to send out tip-offs by deciding to whom to
send the information by stimulating a peculiar mix of collaboration and
competition.
More info on http://publeaks.nl (it's in dutch)

That's what we call Multi Stakeholder Whistleblowing Initiatives (Ie:
Publeaks-like).

We partnered with Hivos Foundation and Free Press Unlimited to work on
pushing more Publeaks-like projects where multiple civil society players
(ie: small media or investigative journalism groups) join together to
provide a safe way for concerned citizens to report malpractices.

The group of NGOs supported ANCIR in organizing, developing and
deploying the AfriLeaks project, that's a very challenging Pan-African
multi-stakeholder Whistleblowing initiative, plenty of potential.

In parallel we are supporting also other organizations that have done
something similar in other area (such as the Spanish
http://www.filtrala.org) or that are preparing similar multi-stakeholder
projects in other areas (such as South America and East Europe) and
other sectors (such as Anti-Corruption).

Each project has its own challenges in terms of complexity, capability
building, threat modelling, risks, training, logistics and costs.

It would be interesting to see some kind of funding schema to support
NGOs and activists group willing to setup Whistleblowing initiatives for
Public Interests purposes, in order to give them all the operational and
financial support that they need to be successful in leveraging
Whistleblowing solicitation as a transparency-tool.

There are plenty of *valuable* organizations that want to set up
Whistleblowing initiatives for public interest purposes, but often lack
proper funding and/or the proper organizational capacity.

I think that we would see many country-based PubLeaks-like initiatives
if there were the right approach to push that kind of initiative.

A collaborative leak-site in each country of the world, would be a nice
target for 2017? :-)

-- 
Fabio Pietrosanti (naif) @fpietrosanti
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - 
https://ahmia.fi



[liberationtech] Registration open: Privacy Enhancing Technology Symposium - July 16-18 2014 Amsterdam

2014-05-13 Thread Caspar Bowden (lists)

*Privacy Enhancing Technology Symposium - July 16-18, 2014*

*Royal Tropical Institute, Amsterdam, The Netherlands*

The 14th Privacy Enhancing Technologies Symposium addresses the design 
and realization of privacy services for the Internet and other data 
systems and communication networks by bringing together anonymity and 
privacy experts from around the world to discuss recent advances and new 
perspectives. Additional information about the conference can be found 
at http://petsymposium.org/2014.


*Registration is open* at 
https://www.petsymposium.org/2014/registration.php, travel information 
can be found here: https://www.petsymposium.org/2014/travel.php, 
including information for Visa application.


*Important dates*:

Early bird registration: until June 24th

Hotel special rates: until May 30th

The conference will be a 3-day event featuring technical presentations 
of papers, judged based on their quality and relevance through 
double-blind reviewing. The Symposium will include an invited talk by 
Martin Ortlieb (Google Zurich) and the rest of the program can be found 
here: https://www.petsymposium.org/2014/program.php


The third day of the symposium will be devoted to HotPETs — the hottest, 
most exciting research ideas still in a formative state. The program for 
HotPETs includes an invited talk by William Binney, former intelligence 
official with the United States National Security Agency, and 
specialized talks on hot topics related to privacy. The program will be 
announced here: https://www.petsymposium.org/2014/hotpets.php


PETS will be collocated with the GenoPri Workshop 
(https://genomeprivacy.org/workshop) that will take place on July 15th. 
The event will explore the privacy issues raised by genomics and the 
main envisioned solutions. It will include a keynote and a tutorial on 
genomics for computer scientists by a geneticist.



Re: [liberationtech] One third IT managers think can Cloud compute with encrypted data

2014-05-06 Thread Caspar Bowden (lists)

On 06/05/14 13:37, Fabian Keil wrote:
> Caspar Bowden (lists) li...@casparbowden.net wrote:
>
>> I downloaded Ponemon/Thales new survey of n=4275 IT managers (United
>> States, the United Kingdom, Germany, France, Australia, Japan, Brazil,
>> and Russia) a couple of days ago by registering here
>> https://t.co/8rI2Z8vy1j, but they appear to have now pulled the report.
>>
>> It is remarkable that one third IT managers not only think that it is
>> possible to compute with encrypted data, but that they are doing so already.
>>
>> Here's the relevant text (red is my emphasis) and screenshot with graphs
>>
>> [If they don't understand this, what else don't they understand about
>> their organization's security?]
>>
>> CB
>>
>> *Who controls the encryption keys*
>
> I don't doubt that (at least) one third of the questioned IT managers
> don't understand their organisation's security, but without a definition
> of control I'd assume that Ponemon/Thales were merely asking who
> legally controls the encryption keys.

that is the root of the trouble, the pre-crypto legal concept of 
processing (e.g. in EU and CoE108) subsumes storage+computing, and 
legal control doesn't pass to a mere data processor even if has 
capability to read and disclose data to a foreign jurisdiction

> Otherwise one would also have to mention the people who wrote
> the OS, the firmware, the application, people who provide software
> and hardware updates, cleaning personnel, successful attackers etc.,
> even when not looking at cloud environments.

The power of compulsion in e.g. FISA 702 is over a service provider to 
(effectively) backdoor their running stack. Authors of the OS or lower 
in the stack are not in that service provider firing line (and an 
unremarked amendment in FISA 702 in 2008 extended the scope beyond 
telcos/ISPs to Cloud providers)


@CasparBowden


[liberationtech] One third IT managers think can Cloud compute with encrypted data

2014-05-04 Thread Caspar Bowden (lists)

I downloaded Ponemon/Thales new survey of n=4275 IT managers (United 
States, the United Kingdom, Germany, France, Australia, Japan, Brazil, 
and Russia)  a couple of days ago by registering here 
https://t.co/8rI2Z8vy1j, but they appear to have now pulled the report.


It is remarkable that one third IT managers not only think that it is 
possible to compute with encrypted data, but that they are doing so already.


Here's the relevant text (red is my emphasis) and screenshot with graphs

[If they don't understand this, what else don't they understand about 
their organization's security?]


CB

   *Who controls the encryption keys*

   Figure 24 examines the issue of control over encryption keys in the
   cloud environment for both encryption of data
   at rest and encryption of data at the application level. Thirty-four
   percent of respondents believe their organization
   is in control of encryption keys for *both* data encrypted at the
   *application level* and at rest in the cloud
   environment. Another 28 percent and 29 percent believe control of
   encryption keys is a *shared activity between
   the organization and the cloud provider*. Only 19 percent and 17
   percent of respondents, respectively, view the
   cloud provider as having control over encryption keys for either
   encryption at the application level or for data at
   rest

   [Figure 24]

   Figure 25 shows German organizations are the most likely to say
   their organizations have control of encryption
   keys *at the application level* and for data at rest in the cloud.
   Brazilian respondents are the least likely to say their
   organizations have control over encryption keys at the application
   level and for data at rest in the cloud.

   *Figure 25. Percentage of respondents who say their organization is
   in control of encryption keys*
   Consolidated analysis for encryption at *both the application level*
   and for data at rest in the cloud by country
   sample

   [Figure 25]
   screenshot of Fig.24/25 of pdf





Re: [liberationtech] One third IT managers think can Cloud compute with encrypted data

2014-05-04 Thread Caspar Bowden (lists)

On 04/05/14 17:19, Caspar Bowden (lists) wrote:
> I downloaded Ponemon/Thales new survey of n=4275 IT managers (United
> States, the United Kingdom, Germany, France, Australia, Japan, Brazil,
> and Russia) a couple of days ago by registering here
> https://t.co/8rI2Z8vy1j, but they appear to have now pulled the report.
>
> It is remarkable that one third IT managers not only think that it is
> possible to compute with encrypted data, but that they are doing so
> already.
>
> Here's the relevant text (red is my emphasis) and screenshot with graphs
>
> [If they don't understand this, what else don't they understand about
> their organization's security?]
>
> CB
>
> *Who controls the encryption keys*
>
> Figure 24 examines the issue of control over encryption keys in
> the cloud environment for both encryption of data
> at rest and encryption of data at the application level.
> Thirty-four percent of respondents believe their organization
> is in control of encryption keys for *both* data encrypted at the
> *application level* and at rest in the cloud
> environment. Another 28 percent and 29 percent believe control of
> encryption keys is a *shared activity between
> the organization and the cloud provider*. Only 19 percent and 17
> percent of respondents, respectively, view the
> cloud provider as having control over encryption keys for either
> encryption at the application level or for data at
> rest
>
> [Figure 24]
>
> Figure 25 shows German organizations are the most likely to say
> their organizations have control of encryption
> keys *at the application level* and for data at rest in the cloud.
> Brazilian respondents are the least likely to say their
> organizations have control over encryption keys at the application
> level and for data at rest in the cloud.
>
> *Figure 25. Percentage of respondents who say their organization
> is in control of encryption keys*
> Consolidated analysis for encryption at *both the application
> level* and for data at rest in the cloud by country
> sample
>
> [Figure 25]



Hmm, that didn't work embedded - trying as attachment

CB

Re: [liberationtech] One third IT managers think can Cloud compute with encrypted data

2014-05-04 Thread Caspar Bowden (lists)
Nope, not attachment either, should have used *link 
https://twitter.com/CasparBowden/status/462967989495558144/photo/1/large* 
in the first place


CB


Re: [liberationtech] Secure Cloud Computing: Virtualizing the FreedomBox

2014-04-24 Thread Caspar Bowden (lists)

On 24/04/14 19:21, Zooko Wilcox-OHearn wrote:
> On Tue, Apr 22, 2014 at 11:47 AM, Caspar Bowden (lists)
> li...@casparbowden.net wrote:
>
>> TAHOE is also cool, but doesn't claim to provide confidentiality. A TAHOE
>> service provider would have no choice but to round-up/backdoor the necessary
>> keys under existing US (FISA/PATRIOT) or UK (RIPA Pt.3) legislation [or
>> Indian IT Acts etc. etc.]
>
> Oh, by the way, this part was incorrect. An example of a Tahoe-LAFS
> service provider is my company, https://LeastAuthority.com.
> LeastAuthority.com does not have any ability to acquire our
> customers' keys, nor to backdoor our customers.

This is semantics. If you provide the service to a customer, you can be 
forced to backdoor http://www.wired.com/2007/11/hushmail-to-war/ 
(let's define terms Customer, Provider, user, individual & data 
subject if want to continue, else will get ourselves hopelessly 
confused - or if you point me at the part of the spec you think 
invulnerable will show you how FISA or RIP can round-up keys)


It's in FISA 702 expressly, and as we now know, key disclosure can even 
be forced under S.215. Not saying this to knock TAHOE, but often in 
Cloud discussions, people are looking at a conventional threat model - 
protecting against external attack and insider *un*authorized access. 
But the new part of the threat model, relevant post-Snowden, is 
authorized insider access lawfully required by the jurisdiction to which 
that Cloud is exposed.


The UK law RIPA Pt.3 (2000) was even written with extreme (and correct) 
detail to give powers to round up arbitrary number of key fragments 
(whether this might be defeated by lots and lots of fragments is debatable)

Re: [liberationtech] Secure Cloud Computing: Virtualizing the FreedomBox

2014-04-24 Thread Caspar Bowden (lists)

On 24/04/14 21:09, Zooko Wilcox-OHearn wrote:

On 24/04/14 19:21, Zooko Wilcox-OHearn wrote:

Oh, by the way, this part was incorrect. An example of a Tahoe-LAFS
service provider is my company, https://LeastAuthority.com.
LeastAuthority.com does not have any ability to acquire our
customers' keys, nor to backdoor our customers.

On Thu, Apr 24, 2014 at 6:13 PM, Caspar Bowden (lists)
li...@casparbowden.net wrote:

This is semantics. If you provide the service to a customer, you can be
forced to backdoor

No, this is wrong. I can understand why you say this, because you've
looked at dozens — perhaps hundreds — of services which made claims
like those above, and in every case it turned out that the service
actually had the technical capability to backdoor its customers. Am I
right? The Hushmail case that you cite was an early and famous
example, and the recent Lavabit case is an example.

But LeastAuthority.com is different from that, for a very specific
technical reason.

That reason is that not *only* is our operation free from customer
plaintext and customer encryption keys, but *also* we don't deliver
software to our customers.

When new customers sign up at https://LeastAuthority.com, we send them
a nice email explaining that now they need to go acquire the Free and
Open Source software named Tahoe-LAFS. We recommend that they get it
from their operating system provider, e.g. Debian, Ubuntu, or the
pkgsrc system (http://www.pkgsrc.org/).


So I had not realized that and, that is a very good idea generally, for 
these types of legal attack, and would be even better idea if we had 
deterministic compilers



Therefore if a government, or a murderous mafia, compelled us to
cooperate with them, we would then say "Well… okay, but… have you
figured out how your target users acquire the software? Because, you
know, if they're getting it from Debian, or from Tails, or something,
then there's not a whole lot we can do to help you backdoor your
target users…."

Here's an open letter on this topic that I wrote to the Silent Circle
folks when they shut down their mail service after the Lavabit story
broke:

https://leastauthority.com/blog/open_letter_silent_circle.html


I agree.

Inadvertently, I muddied the waters by referring to Hushmail, since the 
storage providers in your system don't (and don't purport to) provide 
confidentiality


Caspar

Re: [liberationtech] Secure Cloud Computing: Virtualizing the FreedomBox

2014-04-22 Thread Caspar Bowden (lists)

On 17/04/14 20:29, David Solomonoff wrote:
This blog post was inspired by a recent breakthrough in homomorphic 
encryption at MIT:


In 2010 I asked Professor Eben Moglen 
(https://en.wikipedia.org/wiki/Eben_Moglen) to speak to the Internet 
Society of New York (http://isoc-ny.org) about software freedom, 
privacy and security in the context of cloud computing and social 
media. In his "Freedom in the Cloud" (http://isoc-ny.org/?p=1338%20) 
talk, he proposed the FreedomBox (https://freedomboxfoundation.org) 
as a solution 


[Now] data can be encrypted at every point until it is accessed by 
its legitimate owner, combining privacy and security with the 
flexibility and scalability of cloud computing.


No longer confined behind a locked down private data center or hidden 
under the end user's bed, a virtual FreedomBox can finally escape to 
the clouds.


Full article:
http://www.davrola.com/2014/04/17/secure-cloud-computing-virtualizing-the-freedombox/ 



(I am not a cryptographer, but disillusioned former FHE-enthusiast, 
until I realized was irrelevant to real Cloud policy)


Fully homomorphic encryption uses techniques utterly different to 
conventional encryption and is a ~trillion times slower. Even the 
integer version ~million times slower


Apropos the blog, Mylar is cool, but doesn't use FHE. It sends the Cloud 
conventionally encrypted blobs to and fro - and the Client does all the 
work (thus neutralizing main vaunted benefit of Cloud, elastic and 
parallel CPU power). It also uses an encrypted search technique for 
indexing (which is also cool)


TAHOE is also cool, but doesn't claim to provide confidentiality. A 
TAHOE service provider would have no choice but to round-up/backdoor the 
necessary keys under existing US (FISA/PATRIOT) or UK (RIPA Pt.3) 
legislation [or Indian IT Acts etc. etc.]


There are partial homomorphic solutions coming along useful to specific 
scenarios, but using them will be state-of-the-art crypto engineering 
(research.microsoft.com/pubs/148825/ccs2011_submission_412.pdf) for 
foreseeable future


FHE cannot rescue confidentiality in the Cloud.

Caspar Bowden

Re: [liberationtech] Secure Cloud Computing: Virtualizing the FreedomBox

2014-04-22 Thread Caspar Bowden (lists)

On 22/04/14 14:05, Tom Ritter wrote:

On 22 April 2014 07:47, Caspar Bowden (lists) li...@casparbowden.net wrote:

TAHOE is also cool, but doesn't claim to provide confidentiality. A TAHOE
service provider would have no choice but to round-up/backdoor the necessary
keys under existing US (FISA/PATRIOT) or UK (RIPA Pt.3) legislation [or
Indian IT Acts etc. etc.]

I'm pretty sure that TAHOE does provide confidentiality - the keys
don't leave your device (more correctly, the gateway running on your
device) unless you distribute them.  Which you can, you can send the
decryption key granting read-capability to anyone, but you don't have
to.


Yes, the fragments of data are brought together on your device (or a 
gateway someplace), in that sense it is no different from a pure 
storage Cloud (do it yourself crypto) but with better availability


 * Users do not rely on storage servers to provide *confidentiality*
   nor *integrity* for their data -- instead all of the data is
   encrypted and integrity-checked by the gateway, so that the servers
   can neither read nor modify the contents of the files.
   (https://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/docs/about.rst)

It's a storage solution, and therefore not what actually Cloud is about 
in a business/industry sense, who want Cloud compute power to crunch 
usefully on encrypted data.


CB
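
The model discussed in this message (keys stay on the user's gateway; the storage server can neither read nor undetectably modify what it holds), as an added illustration that is not Tahoe-LAFS code and not from anyone in the thread. The class names, the read-capability layout and the HMAC-SHA256 keystream (a standard-library stand-in for a real cipher) are assumptions.

```python
"""Added illustration: gateway-side encryption over an untrusted blob store.

Not Tahoe-LAFS code. All names are hypothetical; the keystream is a stand-in
(HMAC-SHA256 in counter mode) so the example runs with the stdlib only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass(frozen=True)
class ReadCap:
    """Held by the user (or whoever they share it with); never sent to the server."""
    storage_index: str       # where to ask the server for the blob
    key: bytes               # decryption key
    ciphertext_hash: bytes   # lets the gateway detect modification


class StorageServer:
    """Provider side: an untrusted store of opaque blobs."""
    def __init__(self):
        self.blobs = {}

    def put(self, index: str, blob: bytes) -> None:
        self.blobs[index] = blob

    def get(self, index: str) -> bytes:
        return self.blobs[index]


class Gateway:
    """Runs on the user's device; the only place plaintext and keys exist."""
    def __init__(self, server: StorageServer):
        self.server = server

    def upload(self, plaintext: bytes) -> ReadCap:
        key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        blob = nonce + _keystream_xor(key, nonce, plaintext)
        # Example choice: index is a one-way function of the key.
        index = hashlib.sha256(b"index:" + key).hexdigest()[:32]
        self.server.put(index, blob)
        return ReadCap(index, key, hashlib.sha256(blob).digest())

    def download(self, cap: ReadCap) -> bytes:
        blob = self.server.get(cap.storage_index)
        # Integrity is checked here, against a hash the server never controlled.
        if not hmac.compare_digest(hashlib.sha256(blob).digest(), cap.ciphertext_hash):
            raise ValueError("integrity check failed: blob was modified")
        return _keystream_xor(cap.key, blob[:16], blob[16:])


def demo():
    """Return (provider_holds_secret_or_key, roundtrip_ok, tamper_detected)."""
    server = StorageServer()
    gateway = Gateway(server)
    secret = b"constructed sample: meeting notes, 24 April"
    cap = gateway.upload(secret)

    # Everything the provider holds: storage indexes and ciphertext.
    leaked = any(secret in blob or cap.key in blob for blob in server.blobs.values())
    roundtrip_ok = gateway.download(cap) == secret

    # A server that flips one bit is caught by the gateway.
    blob = bytearray(server.blobs[cap.storage_index])
    blob[-1] ^= 0x01
    server.blobs[cap.storage_index] = bytes(blob)
    try:
        gateway.download(cap)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return leaked, roundtrip_ok, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The sketch covers only what the storage side can see and alter; it says nothing about how the gateway software itself reaches the user.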

[liberationtech] European privacy regulators' excellent paper on Anonymisation Techniques

2014-04-16 Thread Caspar Bowden (lists)
It's been a remarkable few days for the Committee of European privacy 
regulators (the Art.29 Working Party)


In their first opinion on Data Protection law and national security 
http://t.co/itKVGpDI1L, they grudgingly sort of admit it is their job 
to stop NSA spying, but then the next day they approve contracts for 
PRISM's first corporate partner 
https://twitter.com/CasparBowden/status/456366945512599552 for Cloud 
processing (although they aren't really a mere processor at all 
https://twitter.com/CasparBowden/status/456413628392939520)


..and today they issued the highest quality paper I have ever read from 
them - No.216, on Anonymisation Techniques


Storified version *here 
wden/art-29-wp-opinion-216-on-anonymisation-techniques* for gist, full 
text (37 pages) in first tweet


If anyone knows of a regulatory text that comes close on this topic, 
would like to know...


The relevance to LiberationTech is that if they enforce this, then a 
whole bunch of worries about commercial and state spying through BigData 
will go away, in Europe at least


Caspar



[liberationtech] CORRECTION: European privacy regulators' excellent paper on Anonymisation Techniques

2014-04-16 Thread Caspar Bowden (lists)

Please disregard previous, main highlighted link got mangled
=

It's been a remarkable few days for the Committee of European privacy 
regulators (the Art.29 Working Party)


In their first opinion on Data Protection law and national security 
http://t.co/itKVGpDI1L, they grudgingly sort of admit it is their job 
to stop NSA spying, but then the next day they approve contracts for 
PRISM's first corporate partner 
https://twitter.com/CasparBowden/status/456366945512599552 for Cloud 
processing (although they aren't really a mere processor at all 
https://twitter.com/CasparBowden/status/456413628392939520)


..and today they issued the highest quality paper I have ever read from 
them - No.216, on Anonymisation Techniques


Storified version *here 
https://storify.com/CasparBowden/art-29-wp-opinion-216-on-anonymisation-techniques* 
for gist, full text (37 pages) in first tweet


If anyone knows of a regulatory text that comes close on this topic, 
would like to know...


The relevance to LiberationTech is that if they enforce this, then a 
whole bunch of worries about commercial and state spying through BigData 
will go away, in Europe at least


Caspar

[liberationtech] CFP: IFIP Summer School 2014

2014-04-13 Thread Caspar Bowden (lists)

I recommend this conference (am on PC) - Caspar

---

CALL FOR PAPERS

Ninth International Summer School organised jointly by the IFIP Working Groups 
9.2, 9.5, 9.6/11.7, 11.4, 11.6, Special Interest Group 9.2.2

IFIP Summer School on Privacy and Identity Management for the Future Internet 
in the Age of Globalisation



Computer Technology Institute and Press Diophantus, Patras, Greece, 7-12 
September 2014
In cooperation with the FP7 EU projects ABC4Trust, A4Cloud, FutureID, PRISMS.

INTRODUCTION
Much research in privacy and identity in recent years has focused on the 
privacy issues associated with new technologies such as social media, cloud 
computing, big data, ubiquitous and ambient technologies. Due to the fact that 
many of these technologies operate on a global scale their use not only touches 
the countries where they originate (in many cases, the US), but individuals and 
groups around the globe.
The recent revelations regarding the surveillance practices of the National 
Security Agency (NSA), USA, and Government Communications Headquarters (GCHQ), 
UK, (and undoubtedly others that we will hear about since writing this Call for 
Papers) have put state surveillance firmly back on the table. Here, too, the 
operations by agencies in one country affect individuals and groups around the 
globe. Indeed, the NSA is primarily tasked with intercepting and processing the 
communication of non-US citizens, within the US and abroad.
Privacy and identity management issues have hence become global issues 
requiring the attention of multiple disciplines, both technical (computer 
science, cryptography) and non-technical (law, ethics, social sciences, 
philosophy) and the need to look beyond national borders.
Regulators are trying to readjust the legal frameworks in which the information 
society operates, both in Europe (think of the data protection reform that 
should in 2014 culminate in the General Data Protection Regulation), the US 
(the Federal Trade Commission initiatives with respect to big data, Consumer 
Privacy Bill of Rights), and elsewhere. Leading Internet engineers have also 
agreed to upgrade standards to improve Internet privacy and security.
Questions facing the research community include: How can individuals’ privacy 
rights be achieved effectively in a globalising information society in which 
both states and private enterprises exhibit great data hunger? What 
technologies, frameworks and tools do we need to gain, regain and maintain 
informational self-determination and lifelong privacy? Do we have to advance 
the concepts of privacy and identity management in this evolving world?
These questions and many others will be addressed by the IFIP Summer School 
2014 on Privacy and Identity Management for the Future Internet in the Age of 
Globalisation. The Summer School organisation will be a joint effort of IFIP 
(International Federation for Information Processing, Working Groups 9.2, 9.5, 
9.6/11.7, 11.4, 11.6, Special Interest Group 9.2.2) and several European and 
national projects. The IFIP Summer School 2014 will bring together junior and 
senior researchers and practitioners from multiple disciplines to discuss 
important questions concerning privacy and identity management and related 
issues in a global environment.
We are especially inviting contributions from students who are at the stage of 
preparing either a master’s or a PhD thesis. The school is interactive in 
character, and is composed of keynote lectures and workshops with master/PhD 
student presentations. The principle is to encourage young academic and 
industry entrants to the privacy and identity management world to share their 
own ideas, build up a collegial relationship with others, gain experience in 
making presentations, and potentially publish a paper through the resulting 
book proceedings. Students that actively participate, in particular those who 
present a paper, can receive a course certificate which awards 3 ECTS at the 
PhD level. The certificate can certify the topic of the contributed paper so as 
to demonstrate its relation (or non-relation) to the student’s master’s or PhD 
thesis.

BASIC ELEMENTS OF THE SUMMER SCHOOL
The Summer School takes a holistic approach to society and technology and 
supports interdisciplinary exchange through keynote lectures, tutorials, 
workshops, and research paper presentations. In particular, participants’ 
contributions that combine technical, legal, regulatory, socio-economic, social 
or societal, ethical, anthropological, philosophical, or psychological 
perspectives are welcome. The interdisciplinary character of the work is 
fundamental to the school. The research paper presentations and the workshops 
have a particular focus on involving students, and on encouraging the 
publication of high-quality, thorough research papers by students/young 
researchers. To this end, the school has a two-phase review process for 
submitted papers. In the first 

[liberationtech] The state of IM clients (Jitsi / Gajim)?

2013-10-01 Thread ml lists
hello Liberation Techers

I was wondering what people think is the current state of IM clients,
particularly Jitsi and Gajim

I know both have had problems in the past but today seem to be a safer option
than libpurple based clients (Pidgin/Adium).   Are they still worth using or
is there anything better?

Wikipedia casts doubt on security^1 of Gajim due to an old issue and Jitsi
requires Java JRE to be installed which can be a bigger problem if the browser
plugin gets installed or the user does not keep up to date.

What do people think?

1 https://en.wikipedia.org/wiki/Gajim#Security

Re: [liberationtech] Naive Question

2013-09-09 Thread LISTS
I wonder if there's a false analogy here. Hypothetically, the
librarian's sign could fall down (maybe the wind blew it over) whereas a
notice on a site would have to be removed via coding. There would be
little other explanation, even in the case where one does not
affirmatively renew the dead man's notice (the countdown that Doctorow
suggests in the article). Such an affirmative act might lead a court to
believe that one has indeed informed the public about an NSL.

- Rob Gehl


On 09/09/2013 12:18 PM, Dan Staples wrote:
 Presumably, if this type of approach became widely adopted, it would be
 a useful service for an independent group to monitor the status of these
 notices and periodically publish a report of which companies had removed
 their notice.

 On 09/09/2013 12:52 PM, Scott Arciszewski wrote:
 Forgot the URL:
 http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch


 On Mon, Sep 9, 2013 at 12:29 PM, Scott Arciszewski
 kobrasre...@gmail.com wrote:

 Hello,

 I saw this article on The Guardian[1] and it mentioned a librarian
 who posted a sign that looked like this:
 http://www.librarian.net/pics/antipat4.gif and would remove it if
 visited by the FBI. So a naive question comes to mind: If I operated
 an internet service, and I posted a thing that says "We have not
 received a request to spy on our users. Watch closely for the
 removal of this text," what legal risk would be incurred?

 If the answer is "None" or "Very little," what's stopping people
 from doing this?

 Thanks,
 Scott







Re: [liberationtech] Call for Tenders SMART 2013/N004 “European Capability for Situational Awareness” (ECSA) - European Federation for cyber-censorship and human rights monitoring

2013-09-04 Thread Caspar Bowden (lists)

Dear Camino

On 09/04/13 08:39, camino.man...@ec.europa.eu wrote:

It is not our department in charge of blocking Tor users from accessing content 
hosted under Europa.eu.

Conversations with the DG in charge (DG DIGIT) as most of you know, have been 
long and unfruitful so far.

I am on leave now but at my return I will retake conversations with the 
officials in charge of the internal EC security to see the chances to lift the 
ban.


(If you are in a position to answer), this seems like something EU civil 
society should get more focussed on:


*) Is there an official channel (web page? email?) for individuals to 
complain about this policy ? (there's only a general email here 
http://ec.europa.eu/dgs/informatics/contact/index_en.htm and 
@stephen_quest https://twitter.com/stephen_quest did not answer me)


*) does this fall under DIGIT A/B/C (not obvious)?

*) has DG DIGIT made any official public statement so far about Tor 
blocking (apart from this 
https://p10.secure.hostingprod.com/@spyblog.org.uk/ssl/spyblog/2013/02/08/the-great-firewall-of-europe---european-commission-website-blocks-tor-users-just.html)?


many thanks

Caspar
(Tor Board member but not speaking that capacity or representing Tor)

Re: [liberationtech] Sociological studies of covert mass-surveillance organisations

2013-09-02 Thread Caspar Bowden (lists)

On 09/01/13 21:49, Michael Rogers wrote:

On 01/09/13 10:00, Caspar Bowden (lists) wrote:

AFAIK Deleuze, Foucault et al. did not say anything specifically
about covert (mass-)surveillance, or analyse how the inherently
secret nature of such organizations might be a causal element in
theories of social control. Secret surveillance organizations are
NOT Panoptic in a technical sense - they normally don't want you to
know or fear they are watching (with tactical exceptions).

Is there anyone who's aware of overt surveillance and who doesn't at
least suspect that some form of covert surveillance also exists? And
isn't that suspicion enough to create a panoptic effect?


to some *unconscious* extent yes, but I have never seen any 
psychological studies into this. There ought to be an effect where even 
solid citizens become inhibited from communicating (or thinking! much 
harder experiment) certain ideas, depending on the level of ambient 
NSA-phobia, and this indeed might function as a form of social control. 
Never seen any studies on that idea. [Of course the STASI and others 
would make the surveillance obvious for the purpose of intimidation as a 
standard tactic in particular cases, but in general the watchers don't 
want the watched to know true capabilities]


However on the face of it, that isn't the classical Panopticon, where 
discipline is maintained by fear of detection by the unseen warden



The prisoners don't know whether they're being watched at any moment,
or whether the watchtower is even occupied; the secret surveillance
organisation, the existence of which cannot be confirmed, corresponds
to the warden who may or may not be in the watchtower.


In Jeremy Bentham's original proposal, his idea was that prisoners who 
break discipline wilfully or transgress otherwise are singled out (at 
random possibly) and then publicly punished in the sight of all the rest 
as an example, but only a few days after the transgression, to magnify 
the prisoner's demoralisation after thinking they have got away with it. 
Incidentally, Bentham envisaged this system becoming a dynastic 
livelihood for him and his family, and petitioned the government to 
build a prison, and make him the warder! Nice work if you can get it, 
plenty of time for scholarly pursuits between semi-random episodes of 
exemplary punishment.


However, a possible Waiting-for-Godot variant of this idea would be that 
nasty things happen to prisoners in a more ambiguous way, so that 
prisoners never know if the watching warden even exists at all - it 
might all be random misfortune (of course well-behaved prisoners would 
also have to be punished sometimes randomly to maintain the 
uncertainty). It isn't clear why this is a better strategy for the 
wardens, except perhaps the uncertainty makes it harder for enough 
resentment to crystallize for a rebellion to occur.



Wasn't the NSA closer to the panoptic ideal when it was No Such Agency
than now, when we know we're being watched?


Yes, absolutely, but I don't think NSA wanted that, although a grimly 
conspiratorial interpretation of current events is that it is a vast 
planned PR gambit to effect transition to a global neo-Panoptic society, 
after all civil libertarians have exhausted themselves in protest...


Caspar


Re: [liberationtech] Sociological studies of covert mass-surveillance organisations

2013-09-02 Thread Caspar Bowden (lists)

On 09/01/13 22:21, Guido Witmond wrote:

...
Before the revelations and the subsequent confirmations, many people
would rather believe the old truth (having nothing to hide) than to live
with the new truth that they've been misled.

Truth hurts. That's the reason why so many people claim they have
nothing to hide. It's emotional.


And often the people claiming this most loudly are politicians, because 
the clamour for transparency into every detail of a political 
candidate's private life has made this imperative.


We should be afraid of that tendency, because if the only people 
prepared to go into public life are those whose interior life is so dull 
or non-existent that they really have nothing to hide, then it is 
certain we will be ruled by philosophical zombies with a sub-normal 
sense of empathy and self-awareness. I'd rather elect a hypocrite any day


Caspar


Re: [liberationtech] Sociological studies of covert mass-surveillance organisations

2013-09-02 Thread Caspar Bowden (lists)

On 09/02/13 08:46, Caspar Bowden (lists) wrote:

On 09/01/13 21:49, Michael Rogers wrote:
...

Wasn't the NSA closer to the panoptic ideal when it was No Such Agency
than now, when we know we're being watched?


Yes, absolutely, but I don't think NSA wanted that, although a grimly 
conspiratorial interpretation of current events is that it is a vast 
planned PR gambit to effect transition to a global neo-Panoptic 
society, after all civil libertarians have exhausted themselves in 
protest...


Sorry I misread, that was a non-sequitur, i.e. the NSA is *now* the 
warden of a Panoptic Internet in consequence of the revelations. When it 
was No Such Agency, the Panoptic effect only occurs with paranoids or 
(as above speculatively) unconsciously


CB


Re: [liberationtech] Sociological studies of covert mass-surveillance organisations

2013-09-01 Thread Caspar Bowden (lists)

Many thanks Yosem, Luis Felipe & Greg

On 08/31/13 07:14, Luis Felipe R. Murillo wrote:

On 08/30/2013 01:54 PM, Yosem Companys wrote:

From: Caspar Bowden li...@casparbowden.net

  I realize this is an improbable request (I think), but is anyone aware of
any Surveillance Studies research on the organisations conducting *
covert/secret* mass-surveillance (a securitocracy)

many thanks any pointers

I am not particularly familiar with this literature, but I know of a few
pointers.

This seminar in Brazil brought together researchers studying
surveillance and social control. They had three panels of interest
('Internet and Surveillance', 'New Technologies of Surveillance', and
'Institutional Surveillance'):

http://www2.pucpr.br/ssscla/


Yes - that is in the mainstream Surveillance Studies tradition


These two references are central in the debate (so Caspar must be super
familiar with them):

- Foucault, Michel. Discipline and Punish (redefining the debate on
the nature of power and the nature of state power):

http://www.foucault.info/documents/disciplineandpunish/foucault.disciplineandpunish.panopticism.html

- Deleuze, Gilles. Society of Control (updating Foucault's treatment
of surveillance to the contemporary 'society of control'):


Yes :-)

AFAIK Deleuze, Foucault et al. did not say anything specifically about 
covert (mass-)surveillance, or analyse how the inherently secret nature 
of such organizations might be a causal element in theories of social 
control. Secret surveillance organizations are NOT Panoptic in a 
technical sense - they normally don't want you to know or fear they are 
watching (with tactical exceptions).


In the sense that it aims to remain un-knowable by society, it seems 
academic Surveillance Studies neglects covert surveillance to a large 
extent because (a) it's very hard to study (!), and (b) because it 
doesn't (overtly and ordinarily) interact with Society like overt 
surveillance it is less of interest to Sociologists (!)


To share back, one interesting reference so far:

 * Bridget Nolan (PhD thesis) 'Information sharing and collaboration in the 
   United States Intelligence Community: An Ethnographic Study of the National 
   Counterterrorism Center'

   o est.sandia.gov/consequence/docs/JICRD.pdf

Caspar

Re: [liberationtech] Defund Domestic Spying

2013-07-23 Thread Caspar Bowden (lists)
So the spying on the rest-of-the-world's data sent to the US, including 
information with respect to a foreign-based political organization _or_ 
foreign territory that _relates_ to the _conduct of the foreign affairs_ 
of the United States, that's totally fine is it? When the US domestic 
spying problem is fixed everyone can go home...


(slide 5) 
https://sigint.ccc.de/schedule/system/attachments/2068/original/How_to_wiretap_the_Cloud_without_anybody_noticing_-_SIGINT_7.7.2013.pdf


CB

On 07/23/13 23:56, Jonathan Wilkes wrote:

To any U.S. citizens out there, this might be a good time to act:

https://www.eff.org/deeplinks/2013/07/tomorrow-congress-votes-amendment-defund-spying-heres-how-you-can-help 



-Jonathan

Re: [liberationtech] Microsoft Accesses Skype Chats

2013-05-18 Thread Caspar Bowden (lists)

On 05/17/13 12:31, Rich Kulawiec wrote:

...
And incidentally, the proffered rationale for this doesn't fly, given
that (a) they're only sending HEAD: actually scanning destination URLs
for malware et.al. would require fetching the whole page and (b) they're
only retrieving HTTPS URLs (per Heise) which is not what someone actually
looking for malware would do.  Moreover (c) even if they classified
a URL as malicious, let's say https://example.net/blah, the recipient
of said URL is likely to access it via a data path outside their control,
thus -- unless they blocked it *inside* Skype -- they have no way to
prevent access to it and delivery of whatever malware payload awaits.


(delurking)

A) it would be very interesting if a bunch of people filed a complaint with 
the Data Protection Authority of Luxembourg (where Skype is registered 
in Europe) making this argument above in well-crafted detail, and report 
back on response


http://www.cnpd.public.lu/fr/support/contact/index.php
(gotta love their address BTW)
(they have a dumb webform, so suggest use info at cnpd.lu instead)

B) FYI all, in Feb I managed to exercise my right of access to personal 
data from Skype under EU Data Protection Law. They ducked this for 
months, but after 6 emails to Luxembourg DPA, finally complied. Because 
I deliberately did this on an account I hadn't used for a while, it's 
not clear how much Internet call/chat metadata they retain, so I have a 
new request running


If anyone wants a suggested template for how to do (A) and or (B) 
contact me offlist (I'll post details if a lot of interest)


N.B.
1. you don't have to be European to do this (but probably helps if an EU 
resident or can cite chats/calls with those who are). Interesting also 
to what happens if a US-based user tries to get call metadata citing EU 
law (in theory this could work if that data is held in EU)


2. FYI Skype in Europe maintains they aren't a telco 
http://www.itworld.com/networking/347950/french-regulator-says-skype-must-register-telco-or-risk-prosecution, 
and thus not subject to the notorious EU Data Retention Directive. 
However this may actually be worse, because they would also not be 
obligated to delete metadata after some period (6 mths to 2 years 
depending on various vagaries)


3. would be interesting to ask about whether Skype voice crypto is 
(still ?) genuinely end-to-end as well, as this not mentioned in privacy 
statement and finessed in FAQs, because will trigger test of whether DPA 
can force Skype to specify that (I did this already - awaiting answers)


4. the Luxembourg DPA website is in French & German but you can write to 
them in English


5. To make a subject access request to Skype, seems like best email is 
cro at skype.net, but also instructive to go through the website and 
see if you can figure out how to contact them electronically in the 
circular maze of their support info. Procedure is then to complain to 
DPA if they ignore or fob off.


Caspar Bowden
@CasparBowden

--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] For everyone and their grad students: Fake, pay-to-publish journals & conferences

2013-04-08 Thread LISTS
Indeed, this would be a problem. However, it's already a problem, which 
is to say that poorer universities cannot afford subscriptions to EBSCO 
and whatnot to begin with, and thus their faculty have trouble keeping 
up with research in comparison to those at richer schools. What I'm 
suggesting here could at least alleviate this problem, because richer 
schools would subsidize /access/ to research.


Moreover, I'm imagining that the cost of pay-to-publish would be far 
lower than for-profit schemes like TF and Elsevier, thus enabling 
poorer schools' libraries to save money and actually increase their 
faculty's ability to do research (assuming that's their mission). 
However, I don't have numbers on this, so I could be wrong.


- Rob Gehl

On 04/08/2013 11:52 AM, Glassman, Michael wrote:

The problem with this is that faculty from wealthier universities will have 
much more capability to publish than faculty from less wealthy universities.  
And those who can get their work supported by those with money have an upper 
hand of getting more information out than those who do not have their work 
supported.  There is already enough of this in grants perhaps.   Maybe we could 
envision something like low cost subscriptions so that individuals or 
universities could pay a small fee to journals they use a lot.  This works well 
on a number of political blogs.

Michael

From: liberationtech-boun...@lists.stanford.edu 
[liberationtech-boun...@lists.stanford.edu] on behalf of LISTS 
[li...@robertwgehl.org]
Sent: Monday, April 08, 2013 1:45 PM
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] For everyone and their grad students: Fake, 
pay-to-publish journals & conferences

Or, potentially, university libraries could shift from buying
subscriptions to paying for their university faculty's publication fees.
If the ultimate product is an open access publication, then the issue
isn't paying for access, but rather paying to produce the public good.

- Rob Gehl

On 04/08/2013 11:42 AM, michael gurstein wrote:

Publishing may be dirt cheap but any systematic/formal e.g. academic
publishing isn't free... So the problem is that while there is a necessary
and valuable shift from commercial publishing (and outrageous profiteering)
to open access online publishing there really aren't any good business
models yet to cover the (much less but not totally trivial) costs of the new
forms of academic publishing.

If for whatever reason (and there are lots including the issues pointed to
here) one doesn't want to go to a pay for play model that leaves
advertising(???) or donations (???) or...

M

-Original Message-
From: liberationtech-boun...@lists.stanford.edu
[mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of Richard
Brooks
Sent: Monday, April 08, 2013 9:34 AM
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] For everyone and their grad students: Fake,
pay-to-publish journals & conferences

It's not curious. It is accurate. As the funding model moved from
subscribers paying for access to authors paying for publication, the
financial incentives changed as well. The loosening of standards is an
obvious consequence of this decision.

The question of how best to publish quality academic information is
non-trivial. Like the question of where to get quality current affairs
information. It will take a while for things to adjust to the ability of the
Internet to make publishing dirt-cheap.



On 04/08/2013 12:19 PM, James Losey wrote:

I think it's curious how this article frames the journals as open
access rather than a more appropriate pay to play

On Mon, Apr 8, 2013 at 6:05 PM, Yosem Companys compa...@stanford.edu
mailto:compa...@stanford.edu wrote:

  From: Nathaniel Poor natp...@gmail.com
mailto:natp...@gmail.com


http://www.nytimes.com/2013/04/08/health/for-scientists-an-exploding-world-of-pseudo-academia.html

  The scientists who were recruited to appear at a conference called
  Entomology-2013 thought they had been selected to make a presentation
  to the leading professional association of scientists who study
  insects. But they found out the hard way that they were wrong

  This has been a problem for a while, but now it's big enough to be a
  newspaper story.

  ---
  Nathaniel Poor, Ph.D.
  http://natpoor.blogspot.com/
  https://sites.google.com/site/natpoor/



