Re: [liberationtech] Free or Cheap VPN for OS X?
Julian Oliver jul...@julianoliver.com [2015-05-05 16:49:04 +0200]:
> For all else, I run my own OpenVPN servers. Very easy to set up.

Is there any way to do this without linking the server to one's name (through financial records)? I stopped using this method since while this set-up provides security, this would work against providing basic pseudonymity, which is something I desired.

~ Pranesh

--
Pranesh Prakash
Policy Director, Centre for Internet and Society
http://cis-india.org | tel:+91 80 40926283
sip:pran...@ostel.co | xmpp:pran...@cis-india.org
twitter:https://twitter.com/pranesh_prakash

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Many VPNs and Psiphon are currently blocked in Iran right now
Brian Conley bri...@smallworldnews.tv [2014-02-22 14:58:22]:
> Right, but let's not waste our time on people who don't want to help themselves or check for themselves and only believe rumors. Sure tor works slowly, but as Nathan pointed out, we have hard evidence that Iranians are using Tor:

That's actually the attitude that is responsible for far fewer people using security-enhancing technologies than should be. It would serve us well to remember that convenience is paramount for the vast majority of users (including the vast majority of journalists and the vast majority of criminals), whether we'd like to pander to convenience or not. A 2012/2013 study by Robinson + Yu (albeit done on a very small sample) on Chinese Internet users showed that speed was amongst the biggest complaints and was the second most important factor while choosing a circumvention tool: http://www.robinsonyu.com/pdfs/CollateralFreedom.pdf

> Of course I don't intend to suggest we should just ignore uninformed users. What I do suggest is that to work in solidarity we need to have agreed parameters. That means we provide guidelines and we expect people to be willing to try certain things as the process.

Good luck finding people who meet your expectations of top-down guideline-followers.

--
Pranesh Prakash
Policy Director, Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
---
Access to Knowledge Fellow, Information Society Project, Yale Law School
M: +1 520 314 7147 | W: http://yaleisp.org
PGP ID: 0x1D5C5F07 | Twitter: https://twitter.com/pranesh_prakash
[liberationtech] LUKS Self-Destruct feature introduced in Kali Linux
This might be of interest to some on this list: http://www.kali.org/how-to/nuke-kali-linux-luks/

The LUKS encrypted partition self-destructs if a specific nuke password is used.

> Our main purpose for introducing this feature in Kali Linux is to simplify the process of securely traveling with confidential client information. While “LUKS Nuking” your drive will result in an inaccessible disk, it is possible to backup your keyslots beforehand and restore them after the fact. What this allows us to do is to “brick” our sensitive laptops before any travel, separate ourselves from the restoration keys (which we encrypt), and then “restore” them to the machines once back in a safe location. This way, if our hardware is lost or otherwise accessed midway through our travels, no one is able to restore the data on it, including ourselves.

This above description seems to me to be an extreme case of 2FA. Is it actually useful?

By contrast, Guardian Project's ChatSecure has a simple self-destruct button and TrueCrypt allows for hidden volumes that can be accessed through a different password.

--
Pranesh Prakash
Policy Director, Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
---
Access to Knowledge Fellow, Information Society Project, Yale Law School
M: +1 520 314 7147 | W: http://yaleisp.org
PGP ID: 0x1D5C5F07 | Twitter: https://twitter.com/pranesh_prakash
Re: [liberationtech] 15 years later, why can't Johnny still not encrypt?
Anders Thoresson and...@thoresson.net [2014-01-15 11:23:04 +0100]:
> Comparing the findings made by Whittens and compare them to the software available today, not much seems to have happened. But does the conclusion still hold, that a lack of mass-adoption of email encryption is due to problematic UX

This reminds me of a recent Ars Technica story[1] with the headline, "Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away?" Sub-heading: "How to encrypt e-mail, and why most don't bother."

> – or are there other reasons that today are seen as more important?

There was a thread on LibTech titled "10 reasons not to start using PGP"[2] that you might be interested in.

[1]: http://arstechnica.com/security/2013/06/encrypted-e-mail-how-much-annoyance-will-you-tolerate-to-keep-the-nsa-away/
[2]: https://www.mail-archive.com/liberationtech@lists.stanford.edu/msg07744.html

--
Pranesh Prakash
Policy Director, Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
---
Access to Knowledge Fellow, Information Society Project, Yale Law School
M: +1 520 314 7147 | W: http://yaleisp.org
PGP ID: 0x1D5C5F07 | Twitter: https://twitter.com/pranesh_prakash
Re: [liberationtech] Group Thinks Anonymity Should Be Baked Into the Internet Itself
Eugen Leitl [2013-11-29 11:47]:
> The IETF hopes to make such encryption the default for a future Web communications standard known as HTTP 2.0.

This is shoddy reporting, imho. There is no IETF consensus on this yet, as one would know by following the ietf and ietf-http-wg lists. Many on those threads have argued vehemently that encryption should be made more convenient and attractive, and even recommended (SHOULD), but not be made mandatory (MUST).

Relevant threads:
http://lists.w3.org/Archives/Public/ietf-http-wg/2013OctDec/0625.html
http://www.ietf.org/mail-archive/web/ietf/current/msg84174.html

Regards,
Pranesh

--
Pranesh Prakash
Policy Director
Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash

Access to Knowledge Fellow
Information Society Project, Yale Law School
T: +1 520 314 7147 | W: http://yaleisp.org
[liberationtech] D-Link Backdoor
http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

> In other words, if your browser’s user agent string is “xmlset_roodkcableoj28840ybtide” (no quotes), you can access the web interface without any authentication and view/change the device settings.

It seems it was put in through stupidity, rather than malice. Though, it could be used for malicious purposes too, as seen in this proof-of-concept code: http://pastebin.com/vbiG42VD

~ Pranesh

--
Pranesh Prakash
Policy Director
Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash

Postgraduate Associate
Access to Knowledge Fellow
Information Society Project, Yale Law School
T: +1 520 314 7147 | W: http://yaleisp.org
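Since the backdoor described in the message above is triggered purely by a fixed User-Agent value, it can be hunted for in HTTP logs. The following is an added example, not part of the original post or the linked write-up: it assumes a proxy or sensor in front of the router's management interface that writes Apache/nginx "combined" format logs, and the sample lines, addresses and paths are constructed.

```python
import re
from collections import defaultdict

# User-Agent value quoted in the post above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumed log layout: Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Oct/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '401 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [13/Oct/2013:10:02:11 +0000] "GET /index.html HTTP/1.1" '
    '200 4096 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.7 - - [13/Oct/2013:10:02:40 +0000] "POST /admin/settings HTTP/1.1" '
    '200 128 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.5 - - [13/Oct/2013:10:05:00 +0000] "GET / HTTP/1.1" '
    '403 0 "-" "xmlset_roodkcableoj28840ybtide"',
    'truncated or malformed line',
]


def find_backdoor_requests(lines):
    """Return {source: [hit, ...]} for requests whose User-Agent contains the string."""
    hits = defaultdict(list)
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m or BACKDOOR_UA not in m["ua"]:
            continue  # unparseable line, or an ordinary client
        status = int(m["status"])
        hits[m["src"]].append({
            "line": lineno,
            "time": m["ts"],
            "path": m["path"],
            "status": status,
            # 2xx/3xx means the request was served rather than rejected.
            "accepted": 200 <= status < 400,
            # A state-changing method suggests settings were modified, not just viewed.
            "is_write": m["method"] in {"POST", "PUT", "DELETE"},
        })
    return dict(hits)


def summarize(hits):
    """One row per source: (src, requests, accepted, any_write), worst first."""
    rows = [
        (src, len(reqs), sum(r["accepted"] for r in reqs),
         any(r["is_write"] for r in reqs))
        for src, reqs in hits.items()
    ]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    for row in summarize(find_backdoor_requests(SAMPLE_LOG)):
        print("src=%s requests=%d accepted=%d write=%s" % row)
```

A source with accepted write requests is the one to triage first, since the quoted text says the string allows settings to be changed as well as viewed.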
Re: [liberationtech] 10 reasons not to start using PGP
all over. None of the existing tools are fully good enough. We have to get used to the fact that new tools will come out twice a year. Mallory has an interest in making us believe encryption isn't going to work anyway - but internal data leaked by Mr Snowden shows that encryption actually works. We should just care to use it the best way. That means, not with PGP. There is no one magic bullet you can learn about. You have to get used to learning new software frequently. You have to teach the basics of encryption independently from any software, especially from the one that does it wrong the most. In the [09]comparison we have listed a few currently existing technologies, that provide a safer messaging experience than PGP. The problem with those frequently is, that they haven't been peer reviewed. You may want to invest time or money in having projects peer reviewed for safety. Pond is currently among the most interesting projects for mail privacy, hiding its padded undetectable crypto in the general noise of Tor. Tor is a good place to hide private communication since the bulk of Tor traffic seems to be anonymized transactions with Facebook and the like. Even better source of cover traffic is file sharing, that's why RetroShare and GNUnet both have solid file sharing functionality to let you hide your communications in. Mallory will try to adapt and keep track of our communications as we dive into cover traffic, but it will be a very hard challenge for him, also because all of these technologies are working to switch to Curve25519. Secushare intends to only support Curve25519 to impede [10]downgrade attacks. Until the next best practice comes out. It's an arms race. Time to lay down your old bayonet while Mallory is pointing a nuclear missile at you. Thank you, PGP. Thank you Mr Zimmermann for bringing encryption technology to the simple people, back in 1991. It has been an invaluable tool for twenty years, we will never forget. But it is overdue to move on. 
References

01. https://en.wikipedia.org/wiki/Pretty%20Good%20Privacy
02. http://secushare.org/end2end
03. https://en.wikipedia.org/wiki/SMTP
04. https://en.wikipedia.org/wiki/TLS
05. https://en.wikipedia.org/wiki/Off-the-Record_Messaging
06. http://tools.ietf.org/html/rfc4880
07. https://en.wikipedia.org/wiki/Deep_packet_inspection
08. http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
09. http://secushare.org/comparison
10. http://crypto.stackexchange.com/questions/10493/why-is-tls-susceptible-to-protocol-downgrade-attacks
11. http://en.wikipedia.org/wiki/man-in-the-middle%20attack
12. https://en.wikipedia.org/wiki/Forward_secrecy
13. http://www.heise.de/tr/artikel/Die-Krypto-Apokalypse-droht-1942212.html
14. https://en.wikipedia.org/wiki/Elliptic_curve_cryptography
15. http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/
16. https://gnunet.org/curve25519
17. https://en.wikipedia.org/wiki/steganography
18. http://secushare.org/rendezvous

P.S. Thanks for feedback to tg, duy and especially Mr Grothoff.

--
Pranesh Prakash
Policy Director
Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash

Postgraduate Associate
Access to Knowledge Fellow
Information Society Project, Yale Law School
T: +1 520 314 7147 | W: http://yaleisp.org
Re: [liberationtech] Microsoft Accesses Skype Chats
I noticed recently that (all?) URLs sent via Google Hangouts automatically get replaced by a Google URL redirection (the way their search results do if you're logged in). I've not seen any documentation of this on Google's help pages, though.

Sure, Google Hangouts doesn't sell itself on its security, and a redirect is more transparent than secret visits from a Microsoft server. That said, how exactly is this different from what Skype is doing?

~ Pranesh

--
Pranesh Prakash
Policy Director
Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
[liberationtech] Fwd: Police's illegal surveillance of 93, 000 phone numbers in Gujarat
http://asiancorrespondent.com/108044/india-gujarat-phone-snooping-narendra-modi/

# India: Gujarat phone snooping sparks privacy storm | Asia News – Politics, Media, Education

***Revelations this week of police surveillance of 93,000 phone numbers are the latest in a long line of breaches of privacy in Narendra Modi’s Gujarat***

The top cop of India’s ever-contentious state of Gujarat has stirred the hornets’ nest by scaling down significantly the capacity of the police department to routinely requisition mobile and fixed line phone service providers for Call Detail Records (CDRs) of their subscribers without ascribing any reason.

[Reports][1] in the [local press][2] have detailed that the Director General of Police, Amitabh Pathak – appointed to the position in February this year – had stumbled on to the discomforting fact that, over the past six months alone, mobile phone companies had handed over CDRs of almost 100,000 subscribers to police officers at various levels. Most of these details had been requisitioned without necessary documents accompanying the request.

What has added fuel to the controversy is the fact that many of the phones for which CDRs were scrutinised over the past six months include those of senior police officers and bureaucrats. The *Hindustan Times* quoted an executive working for a mobile phone company saying that though rules specify that police should provide details of the case or the First Information Report along with the request, this is rarely done, with mobile companies playing along to stay on the right side of law enforcers.

Gujarat has a track record of monitoring physical movement and snooping on telephone conversations of political opponents of chief minister Narendra Modi and other detractors of the state government.
While I was researching on my [biography][4] of Modi, a source told me of his fascination for the historically recorded spy network of Shivaji, the 17th century Maratha warrior king who waged a relentless battle against the Mughal Empire. Shortly after taking charge as chief minister in October 2001, Modi fine-tuned the intelligence set-up in the state and kept a hawk’s eye on detractors – more so after the Godhra carnage and the riots that followed. One such high-profile adversary was Haren Pandya, a one-time cabinet colleague who was given his marching orders in August 2002. Those who thought that the matter ended with Pandya’s sacking were mistaken: he was gunned down in a busy park in Ahmedabad on a morning in March 2003 when returning home from his morning walk. The media reported then that Pandya’s telephone was tapped and that Modi knew about Pandya’s interactions in real time. These included a deposition before the Concerned Citizens Tribunal – an inquiry instituted by civil society groups. In the past decade or so there have been repeated calls for greater transparency regarding surveillance of telephones. Prior to the recent order of Pathak, the CDRs could be sought by officers as junior as Inspectors. This gave rise to the view that most of these junior officers were asking for the details to satisfy political masters. This apprehension was heightened when it was learnt that the CDRs that were supplied by phone companies include senior officials. Though Pathak issued new guidelines regarding requisitioning of CDRs earlier this week, apprehensions remain regarding the misuse of provisions. The fresh order says that only officers at the level of Superintendent (senior most officers in smaller districts or heads of police districts in bigger cities) could obtain CDRs from mobile service providers. India lacks transparent norms regarding tapping of telephones. 
New Delhi is currently gripped with a controversy over tracking the mobile phone of senior Bharatiya Janata Party leader, Arun Jaitley. In this case also the CDRs were acquired by a very junior police officer. Details of who ordered the scrutiny of such a large number of phones in Gujarat are not known. But the disclosure does raise questions about violation of privacy of citizens in the state as the administration has not specified reasons behind such large scale snooping.

[1]: http://www.hindustantimes.com/India-news/Ahmedabad/Gujarat-DGP-curtails-snooping-on-phone-records/Article1-1063687.aspx
[2]: http://articles.timesofindia.indiatimes.com/2013-05-20/ahmedabad/39391788_1_police-officer-police-inspector-gujarat-police

--
Pranesh Prakash
Policy Director
Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash
Re: [liberationtech] Internet Historiography
Yosem Companys [2013-05-16 22:00]:
> From: Adam Fish rawb...@gmail.com
>
> Anybody know of articles or books analysing 1) the political historiography of the internet. Who has criticized the historiography of the internet as being written for political gain?

Kim Veltman's American Visions of the Internet: A Crisis of Trust does just that.[1] But also, to an extent, Ian Peter's History of the Internet.[2]

[1]: http://vmmi.sumscorp.com/articles/html/visions_22_dec.htm
[2]: http://www.nethistory.info/History%20of%20the%20Internet/

--
Pranesh Prakash
Policy Director
Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash
[liberationtech] Microsoft Accesses Skype Chats
Heise Security is reporting that Microsoft accesses links sent over Skype chat.[1] Here is the /. lede:

> A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation[2]). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and phishing URLs.

[1]: http://www.heise.de/newsticker/meldung/Vorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
[2]: http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FVorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html

~ Pranesh

--
Pranesh Prakash
Policy Director
Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash
[liberationtech] Websites blocked in UAE with Netsweeper
Dear all,

@Isac_anon and @Juzzy0 who work as Anonymous discovered this while snooping around Netsweeper's products:

Main list of sites blocked in the UAE: http://goo.gl/wtxoB
Secondary list, with pattern blocking: http://goo.gl/WaAb2

Summary:

* There were ALOTT of pornographic, sexual related (even Sex ED!!)
* Dating sites and freaking MATRIMONIAL sites !! blocked!!
* Any article, website, Facebook group etc. that is critical of the Government...
* Sites that help bypass censorship I.E Proxies, VPN providers etc.
* Support sites of religions other than Islam ... eg: biblestudylessons.com etc.
* The most shocking lots and lots of VOIP sites the reason is explained below

Link to Anon statement: http://goo.gl/jmxd3

Cheers,
Pranesh

--
Pranesh Prakash · Programme Manager · Centre for Internet and Society
@pranesh_prakash · PGP ID 0x1D5C5F07 · http://cis-india.org

___
liberationtech mailing list
liberationtech@lists.stanford.edu

Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click yes (once you click above) next to would you like to receive list mail batched in a daily digest?

You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech