Re: [liberationtech] Fwd: [riseup] Space for dissent
On Thu, Aug 22, 2013 at 04:22:17AM -0400, Ben Laurie wrote:

So where are these radically new services documented?

From what I understand it's this:

LEAP Encryption Access Project https://leap.se

-- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Fwd: [riseup] Space for dissent
- Forwarded message from newslet...@lists.riseup.net -

Space for dissent

It is a mistake to frame the recent US and European massive surveillance revelations in terms of the privacy of individuals. What is at stake is not privacy at all, but the power of the state over its citizenry. What surveillance really is, at its root, is a highly effective form of social control.

The knowledge of always being watched changes our behavior and stifles dissent. The inability to associate secretly means there is no longer any possibility for free association. The inability to whisper means there is no longer any speech that is truly free of coercion, real or implied. Most profoundly, pervasive surveillance threatens to eliminate the most vital element of both democracy and social movements: the mental space for people to form dissenting and unpopular views.

Many commentators, and Edward Snowden himself, have noted that these surveillance programs represent an existential threat to democracy. This understates the problem. The universal surveillance programs in place now are not simply a potential threat, they are certain to destroy democracy if left unchecked. Democracy, even the shadow of democracy we currently practice, rests on the bedrock foundation of free association, free speech, and dissent. The consequence of the coercive power of surveillance is to subvert this foundation and undermine everything democracy rests on.

Within social movements, there is a temptation to say that nothing is really different. After all, governments have always targeted activist groups with surveillance and disruption, especially the successful ones. But this new surveillance is different. What the US government and European allies have built is an infrastructure for perfect social control.
By automating the process of surveillance, they have created the ability to effortlessly peer into the lives of everyone, all the time, and thus create a system with unprecedented potential for controlling how we behave and think. True, this infrastructure is not currently used in this way, but it is a technical tool-kit that can easily be used for totalitarian ends.

Those who imagine a government can be trusted to police itself when given the ominous power of precise insight into the inner workings of everyday life are betting the future on the ability of a secretive government to show proper self-restraint in the use of their ever-expanding power. If history has shown us anything, it is that the powerful will always use their full power unless they are forced to stop.

So, how exactly are we planning on stopping them? We support people working through the legal system or applying political pressure, but we feel our best hope of stopping the technology of surveillance is the technology of encryption. Why? Because the forces that have created this brave new world are unlikely to be uprooted before it is too late to halt the advance of surveillance.

Unfortunately, most existing encryption technology is counterproductive. Many people are pushing technology that is proprietary, relies on a central authority, or is hopelessly difficult for the common user. The only technology that has a chance to resist the rise of surveillance will be open source, federated, and incredibly easy to use. In the long run, decentralized peer-to-peer tools might meet this criteria, but for the foreseeable future these tools will not have the features or usability that people have grown accustomed to.

In the coming months, the Riseup birds plan to begin rolling out a series of radically new services, starting with encrypted internet, encrypted email, and encrypted chat.
These services will be based on 100% open source and open protocols, will be easy to use, and will protect your data from everyone, even Riseup. This is a massive undertaking, made in concert over the last year with several other organizations, and will only work with your support.

We need programmers, particularly those experienced in Python, C, Ruby, and Android development, and sysadmins interested in starting their own secure service providers.

We also need money. Donations from our amazing Riseup users keep us running on our current infrastructure. But in order to be able to graduate to a new generation of truly secure and easy to use communication technology, we are going to need a lot more money than our users are able to donate. If you have deep pockets and an interest in building this new generation of communication, then we need to hear from you. If you have friends or family who care about the future of democracy and who have deep pockets, we need to hear from them, too.

At Riseup, we have felt for the last few years that the window of opportunity to counter the rise of universal surveillance is slowly shrinking. Now is our chance to establish a new reality where mass numbers of people are using encryption on a daily basis. If you have the skills or
Re: [liberationtech] [cryptography] Reply to Zooko (in Markdown)
- Forwarded message from Jon Callas j...@callas.org -

Date: Fri, 16 Aug 2013 23:04:38 -0700
From: Jon Callas j...@callas.org
To: Zooko Wilcox-OHearn zo...@leastauthority.com
Cc: cryptogra...@randombit.net
Subject: [cryptography] Reply to Zooko (in Markdown)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Also at http://silentcircle.wordpress.com/2013/08/17/reply-to-zooko/

# Reply to Zooko

(My friend and colleague, [Zooko Wilcox-O'Hearn](https://leastauthority.com/blog/author/zooko-wilcox-ohearn.html) wrote an open letter to me and Phil [on his blog at LeastAuthority.com](https://leastauthority.com/blog/open_letter_silent_circle.html). Despite this appearing on Silent Circle's blog, I am speaking mostly for myself, only slightly for Silent Circle, and not at all for Phil.)

Zooko,

Thank you for writing and your kind words. Thank you even more for being a customer. We're a startup and without customers, we'll be out of business. I think that everyone who believes in privacy should support with their pocketbook every privacy-friendly service they can afford to. It means a lot to me that you're voting with your pocketbook for my service.

Congratulations on your new release of [LeastAuthority's S4](https://leastauthority.com) and [Tahoe-LAFS](https://tahoe-lafs.org/trac/tahoe-lafs). Just as you are a fan of my work, I am an admirer of your work on Tahoe-LAFS and consider it one of the best security innovations on the planet.

I understand your concerns, and share them. One of the highest priority tasks that we're working on is to get our source releases better organized so that they can effectively be built from [what we have on GitHub](https://github.com/SilentCircle/). It's suboptimal now.

Getting the source releases is harder than one might think. We're a startup and are pulled in many directions. We're overworked and understaffed. Even in the old days at PGP, producing effective source releases took years of effort to get down pat.
It often took us four to six weeks to get the sources out even when delivering one or two releases per year. The world of app development makes this harder. We're trying to streamline our processes so that we can get a release out about every six weeks. We're not there, either.

However, even when we have source code to be an automated part of our software releases, I'm afraid you're going to be disappointed about how verifiable they are. It's very hard, even with controlled releases, to get an exact byte-for-byte recompile of an app. Some compilers make this impossible because they randomize the branch prediction and other parts of code generation. Even when the compiler isn't making it literally impossible, without an exact copy of the exact tool chain with the same linkers, libraries, and system, the code won't be byte-for-byte the same. Worst of all, smart development shops use the *oldest* possible tool chain, not the newest one because tool sets are designed for forwards-compatibility (apps built with old tools run on the newest OS) rather than backwards-compatibility (apps built with the new tools run on older OSes). Code reliability almost requires using tool chains that are trailing-edge.

The problems run even deeper than the raw practicality. Twenty-nine years ago this month, in the August 1984 issue of Communications of the ACM (Vol. 27, No. 8) Ken Thompson's famous Turing Award lecture, Reflections on Trusting Trust was published. You can find a facsimile of the magazine article at https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf and a text-searchable copy on Thompson's own site, http://cm.bell-labs.com/who/ken/trust.html. For those unfamiliar with the Turing Award, it is the most prestigious award a computer scientist can win, sometimes called the Nobel Prize of computing. The site for the award is at http://amturing.acm.org.
In Thompson's lecture, he describes a hack that he and Dennis Ritchie did in a version of UNIX in which they created a backdoor to UNIX login that allowed them to get access to any UNIX system. They also created a self-replicating program that would compile their backdoor into new versions of UNIX portably. Quite possibly, their hack existed in the wild until UNIX was recoded from the ground up with BSD and GCC.

In his summation, Thompson says:

> The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to
[liberationtech] FW: Lavabit down ...
On Thu, Aug 08, 2013 at 09:30:26PM +0200, Trigger Happy wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

what I saw today lavabit.com

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

--
Trigger Happy
jabber: triggerha...@jabber.ccc.de
otr: 85e6d794bbf77f6defd7e6648a6e48ebba6f0ffd
Re: [liberationtech] Stability in truly Democratic decision systems
On Sun, Jul 07, 2013 at 12:47:52PM -0700, Peter Lindener wrote:

Watching Egypt iteratively attempt to find something that resembles a democratic form of government feels quite uncomfortable for me. Not only that in the senseless confusion many lives will be lost, but also, closer to home, here at Stanford, deeper reflections of the human condition seem still to be leaving our institution's interest in promoting forms of democracy that are more likely to function in a state of disarray.. ...

While not all seem ready for the rigor of formal methods in information and Game theory towards building our society's better understanding of what it truly means to achieve a more genuine sense of democracy (i.e. a government for the people, by the people)... It would seem that to just sit by and watch, as we preach to others that democracy is good, and then fail in any truly meaningful way to show how to achieve it, feels discouraging, at least for me.

Here's an article that speaks to this, fwiw...

System Failure; Christopher Hayes; 2010-01-14
http://www.thenation.com/article/system-failure

From the article:

[T]he corporatism on display in Washington is itself a symptom of a broader social illness that I noted above, a democracy that is pitched precariously on the tipping point of oligarchy. In an oligarchy, the only way to get change is to convince the oligarchs that it is in their interest--and increasingly, that's the only kind of change we can get.

In 1911 the German democratic socialist Robert Michels faced a similar problem, and it was the impetus for his classic book Political Parties. He was motivated by a simple question: why were parties of the left, those most ideologically committed to democracy and participation, as oligarchical in their functioning as the self-consciously elitist and aristocratic parties of the right?

Michels's answer was what he called The Iron Law of Oligarchy.
In order for any kind of party or, indeed, any institution with a democratic base to exist, it must have an organization that delegates tasks. As this bureaucratic structure develops, it invests a small group of people with enough power that they can then subvert the very mechanisms by which they can be held to account: the party press, party conventions and delegate votes. It is organization which gives birth to the domination of the elected over the electors, he wrote, of the mandataries over the mandators, of the delegates over the delegators. Who says organization, says oligarchy.

Michels recognized the challenge his work presented to his comrades on the left and viewed the task of democratic socialists as a kind of noble, endless, Sisyphean endeavor, which he described by invoking a German fable. In it, a dying peasant tells his sons that he has buried a treasure in their fields. After the old man's death the sons dig everywhere in order to discover the treasure. They do not find it. But their indefatigable labor improves the soil and secures for them a comparative well-being.

The treasure in the fable may well symbolize democracy, Michels wrote. Democracy is a treasure which no one will ever discover by deliberate search. But in continuing our search, in laboring indefatigably to discover the undiscoverable, we shall perform a work which will have fertile results in the democratic sense.
Re: [liberationtech] Medill online Digital Safety Guide
At risk for stating the obvious (and getting in the middle of what may be a turf war of sorts), I'd like to add to this conversation.

There are two positions: (1) give journalists (and activists) what's possible today, even though it's not ideal, and (2) create the ideal and give them that instead.

Both sides make very strong arguments for both positions:

Rich for position (2): https://mailman.stanford.edu/pipermail/liberationtech/2013-June/008565.html
Eleanor for position (1): https://mailman.stanford.edu/pipermail/liberationtech/2013-June/008577.html
Nadim for position (1): https://mailman.stanford.edu/pipermail/liberationtech/2013-June/008582.html

Both positions seek to solve the same problem, and I would say both are right. There's the here and now, and what can be done today (1). And, there's the future and what could ideally be done then (2). The differences between the two positions shouldn't prevent both sides from doing all they can to advance what they feel strongly about. Both sides accomplish great things and advance the overall objective of making journalists, and activists, more effective.

I see the situation like this. Today, a journalist has the effectiveness of, let's say, one unit. Anything the libtech community can do to improve that effectiveness is great. Maybe today it's only one unit x10. But maybe tomorrow it's one unit x100 and then the next day one unit x1000. There will be no one unit times infinity, unfortunately. There will always be new 0days, new methods of social engineering, new Blue Coats, more Patriot Acts, and more Constitution busting Attorney Generáles and Presidéntes. All we can do is improve the chances of those that need protection, and make them more effective.

So while the debate is spirited, and very interesting (thanks!!), I hope at the end of the day that everyone finds ways to complement each other's work.
Those on the ground working with journalists and activists now, are probably going to be more focused on (1) while those more removed are probably going to be more focused on (2). Great! Both are desperately needed!!

Again, maybe this is the obvious, but it seemed like it needed to be said.

The more interesting question might be how to convey to users on the ground now what their threat models are and how they can improve their chances -- to add to the motivation they feel to move from (1) to (2) as quickly as possible. Too much information becomes overwhelming, but the right balance presented in the right way becomes empowering. It seems there's no simple answer, and that the answer varies from user to user depending on the time they have, abilities, interests, etc.