Re: [liberationtech] From Snowden's email provider. NSL???

2013-09-04 Thread John Sullivan
Tom Ritter  writes:

> I *think* that app stores take a binary you upload and run their
> static and dynamic checks on that.  They then publish that binary
> without modification.  (Indeed, how could they modify it?  You sign it
> with your key.)  In that case, I think a verifiable build system ala
> Gitian would work well.
>
> The trust web is such that knowledgeable users can replicate a build
> to a hash.  That hash is what anyone downloads via the App Store, and
> less knowledgeable users, but users running rooted phones, can pull
> the binary off and check the hash.  That hash is what's signed by the
> developer's private signing key.  The app store can't substitute a
> different binary (no developer signing key), users can verify that the
> app was what the developer produced (via pulling the binary and
> checking the hash), and advanced users can verify that what the
> developer produced is what they produce via the replicable build
> process.

That's not my understanding of how the Apple store works. Apple does
modify the app before distribution (they have to apply their DRM for
example), and so the user cannot verify against the original signing
key. The developer signing key is for purposes of testimony to Apple,
not to the later user. Also, it arguably violates the App Store
distribution agreement for a developer to distribute her source or
binary from any other place -- the App Store distribution agreement is
designed to be an exclusive one. (Obviously a lot of people do
distribute their iOS app source from their own sites, but this is what
the apparently unenforced agreement said last I looked.)

I could be wrong about this, as I haven't gone over the details lately,
but I'm pretty sure that's right.

See for example
:
 

"A server error caused the FairPlay DRM encoding to fail, which resulted
in users receiving corrupted binaries when applying any recent updates
via the iOS App Store or the Mac App Store. These corrupt binaries would
crash on launch, failing to authenticate properly as a legitimate
download. Arment had identified as many as 120 apps that had been
affected by the issue as of Thursday."

-john

-- 
John Sullivan | Executive Director, Free Software Foundation
GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS

Do you use free software? Donate to join the FSF and support freedom at
.
-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-13 Thread Reed Black
On Sun, Aug 11, 2013 at 4:46 AM, Michael Rogers
 wrote:
>> The app store can't substitute a different binary (no developer signing 
>> key), users
>> can verify that the app was what the developer produced (via pulling the 
>> binary and
>> checking the hash), and advanced users can verify that what the developer
>> produced is what they produce via the replicable build process.
>
> I don't know how the Apple or Chrome app stores work, but on Android the user
> doesn't have a standard way to obtain the developer's key, so the app store 
> could
> sign a modified binary with any key.

Signing isn't sufficient without some means of invalidation under the
developer's control. Even putting aside users who are slow to update,
select users can be served older versions of apps with known
vulnerabilities intact.


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-11 Thread Michael Rogers
> The app store can't substitute a different binary (no developer signing key), 
> users can verify that the app was what the developer produced (via pulling 
> the binary and checking the hash), and advanced users can verify that what 
> the developer produced is what they produce via the replicable build process.

I don't know how the Apple or Chrome app stores work, but on Android the user 
doesn't have a standard way to obtain the developer's key, so the app store 
could sign a modified binary with any key.

In any case, verifying a signature or hash against a public key or expected 
hash (obtained how?) is currently a manual process that non-experts can't be 
expected to carry out, let alone understand. What I'm looking for is a way to 
automate that process to protect non-experts.

As far as I can see, locked-down platforms like iOS and ChromeOS make it 
impossible in theory to tell whether the trust root (Apple/Google) is providing 
binaries built from published source code, because there's no way to get a 
verifier onto the device unless it's also approved (and potentially tampered 
with) by the trust root. But I think the situation for browser-downloaded 
software and Android apps might be less bleak.

One aspect that concerns me is rollback attacks: if the verifier accepts 
binaries that aren't listed in the public log, can the adversary tamper with 
the identifying attributes of the tampered binary (name, URL, etc) so the 
verifier doesn't realise there's a log entry that the binary should match?

Cheers,
Michael
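
The automated check asked for in this message, together with the concerns raised in the thread about unlisted binaries and about serving older versions, as an added example that is not part of the original thread or of the Certificate Transparency code. It assumes the verifier already holds a trusted log root (in practice a signed tree head), uses RFC 6962-style Merkle hashing with a simplified proof encoding, and handles rollback with a client-side highest-version memory rather than developer-controlled invalidation; all names, versions and binaries are constructed.

```python
import hashlib
import json

ACCEPT = "accept"
REJECT_UNLISTED = "reject: no inclusion proof supplied"
REJECT_MISMATCH = "reject: binary does not match any logged entry"
REJECT_ROLLBACK = "reject: older than a version already seen"


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for inner nodes.
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def encode_entry(name, version, binary_sha256_hex) -> bytes:
    # Log entry as proposed in the thread: software name, version and hash.
    return json.dumps([name, list(version), binary_sha256_hex]).encode()


def split_point(n: int) -> int:
    # Largest power of two strictly smaller than n (RFC 6962 tree shape).
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves):
    if len(leaves) == 1:
        return leaves[0]
    k = split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def audit_path(leaves, index):
    # Sibling hashes from leaf to root, each tagged with the side the sibling
    # sits on (a simplification of RFC 6962's index-based proof encoding).
    if len(leaves) == 1:
        return []
    k = split_point(len(leaves))
    if index < k:
        return audit_path(leaves[:k], index) + [("R", merkle_root(leaves[k:]))]
    return audit_path(leaves[k:], index - k) + [("L", merkle_root(leaves[:k]))]


class Verifier:
    """Download-side check that needs no manual steps from the user."""

    def __init__(self, trusted_root: bytes):
        self.trusted_root = trusted_root  # assumption: obtained out of band
        self.highest_seen = {}            # name -> highest version accepted

    def check(self, name, version, binary, proof):
        # Fail closed: a binary without a log proof is never accepted, so
        # renaming a modified binary does not get it past the verifier.
        if proof is None:
            return REJECT_UNLISTED
        # Hash the bytes actually received; never trust a hash that arrived
        # through the same channel as the binary.
        digest = hashlib.sha256(binary).hexdigest()
        node = leaf_hash(encode_entry(name, version, digest))
        for side, sibling in proof:
            node = node_hash(node, sibling) if side == "R" else node_hash(sibling, node)
        if node != self.trusted_root:
            return REJECT_MISMATCH
        # A correctly logged but older release is still refused once a newer
        # one has been seen for the same name.
        if version < self.highest_seen.get(name, version):
            return REJECT_ROLLBACK
        self.highest_seen[name] = version
        return ACCEPT


def sample_log():
    # Constructed binaries and log contents, for illustration only.
    binaries = {
        "v1.0.0": b"constructed build 1.0.0",
        "v1.1.0": b"constructed build 1.1.0",
        "modified": b"constructed build 1.1.0 with extra bytes",
    }
    entries = [
        ("exampleapp", (1, 0, 0), binaries["v1.0.0"]),
        ("otherapp", (3, 2, 0), b"constructed unrelated app"),
        ("exampleapp", (1, 1, 0), binaries["v1.1.0"]),
    ]
    leaves = [leaf_hash(encode_entry(n, v, hashlib.sha256(b).hexdigest()))
              for n, v, b in entries]
    return leaves, binaries


def demo():
    leaves, binaries = sample_log()
    verifier = Verifier(merkle_root(leaves))
    return [
        verifier.check("exampleapp", (1, 1, 0), binaries["v1.1.0"], audit_path(leaves, 2)),
        verifier.check("exampleapp", (1, 1, 0), binaries["modified"], audit_path(leaves, 2)),
        verifier.check("renamedapp", (1, 1, 0), binaries["modified"], None),
        verifier.check("exampleapp", (1, 0, 0), binaries["v1.0.0"], audit_path(leaves, 0)),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The version memory only protects a user who has already seen the newer release; a first-time user served an old, correctly logged version is still accepted.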


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-10 Thread Tom Ritter
On 10 August 2013 11:43, Michael Rogers  wrote:
> If we assume that app stores aren't going away any time soon, we need
> to address this problem: How can a user who downloads an app from an
> app store be satisfied that it was built from published source code?
>
> We might also think about how to solve the problem for apps downloaded
> through browsers.
>
> Verifiable builds are necessary but not sufficient here - they allow
> an expert auditor to tell whether the binary she downloaded was built
> from the published source, but an attacker might target the binaries
> downloaded by certain other users without alerting the auditor. So we
> also need a way for a non-expert user to tell whether the binary she
> downloaded matches the one that was audited.


Not having published in any app store, I'd like to know if my
assumptions here are incorrect.

I *think* that app stores take a binary you upload and run their
static and dynamic checks on that.  They then publish that binary
without modification.  (Indeed, how could they modify it?  You sign it
with your key.)  In that case, I think a verifiable build system ala
Gitian would work well.

The trust web is such that knowledgeable users can replicate a build
to a hash.  That hash is what anyone downloads via the App Store, and
less knowledgeable users, but users running rooted phones, can pull
the binary off and check the hash.  That hash is what's signed by the
developer's private signing key.  The app store can't substitute a
different binary (no developer signing key), users can verify that the
app was what the developer produced (via pulling the binary and
checking the hash), and advanced users can verify that what the
developer produced is what they produce via the replicable build
process.

-tom


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-10 Thread Ben Laurie
On 10 August 2013 16:43, Michael Rogers  wrote:
>
> On 09/08/13 17:43, Reed Black wrote:
>> CryptoCat is served up by the Chrome app store. Do you have
>> control over what binary gets distributed to who? Does any assurance
>> exist beyond the app store's own signing validation?
>>
>> I thought this was like webmasters and third-party script
>> inclusions. They will be blind if Google or DoubleClick are
>> compelled to selectively swap out the scripts they serve to
>> millions of third-party sites.
>
> If we assume that app stores aren't going away any time soon, we need
> to address this problem: How can a user who downloads an app from an
> app store be satisfied that it was built from published source code?
>
> We might also think about how to solve the problem for apps downloaded
> through browsers.
>
> Verifiable builds are necessary but not sufficient here - they allow
> an expert auditor to tell whether the binary she downloaded was built
> from the published source, but an attacker might target the binaries
> downloaded by certain other users without alerting the auditor. So we
> also need a way for a non-expert user to tell whether the binary she
> downloaded matches the one that was audited.
>
> PGP signatures and hashes aren't currently usable by non-experts, and
> signatures or hashes published through the same channel as the binary
> can be tampered with in the same way as the binary.
>
> Something along the lines of Certificate Transparency might be useful
> here: a public log of software names, versions, and hashes, which a
> browser or other download tool can use to verify downloaded binaries
> without any manual steps needing to be taken by the user. Software
> publishers would be responsible for adding entries to the log for
> their own software and monitoring the log for entries added by anyone
> else.

FWIW, the Certificate Transparency code already has (primitive)
support for Binary Transparency:
https://code.google.com/p/certificate-transparency/source/browse/src/server/blob-server.cc.

Patches, as always, welcome.

>
> Cheers,
> Michael
>


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-10 Thread Michael Rogers

On 09/08/13 17:43, Reed Black wrote:
> CryptoCat is served up by the Chrome app store. Do you have
> control over what binary gets distributed to who? Does any assurance
> exist beyond the app store's own signing validation?
> 
> I thought this was like webmasters and third-party script
> inclusions. They will be blind if Google or DoubleClick are
> compelled to selectively swap out the scripts they serve to
> millions of third-party sites.

If we assume that app stores aren't going away any time soon, we need
to address this problem: How can a user who downloads an app from an
app store be satisfied that it was built from published source code?

We might also think about how to solve the problem for apps downloaded
through browsers.

Verifiable builds are necessary but not sufficient here - they allow
an expert auditor to tell whether the binary she downloaded was built
from the published source, but an attacker might target the binaries
downloaded by certain other users without alerting the auditor. So we
also need a way for a non-expert user to tell whether the binary she
downloaded matches the one that was audited.

PGP signatures and hashes aren't currently usable by non-experts, and
signatures or hashes published through the same channel as the binary
can be tampered with in the same way as the binary.

Something along the lines of Certificate Transparency might be useful
here: a public log of software names, versions, and hashes, which a
browser or other download tool can use to verify downloaded binaries
without any manual steps needing to be taken by the user. Software
publishers would be responsible for adding entries to the log for
their own software and monitoring the log for entries added by anyone
else.

Cheers,
Michael



Re: [liberationtech] From Snowden's email provider. NSL??? (Recipe for Secure Audio, Video, Chat, File Transfer)

2013-08-09 Thread Brian Conley
of course!!! Ready and waiting captain!
On Aug 9, 2013 10:37 AM, "Griffin Boyce"  wrote:

> Thanks for volunteering to help me test the service ;3
>
> Brian Conley wrote:
> >
> > Griffin, make it so!!
> >
> > On Aug 9, 2013 7:31 AM, "Griffin Boyce" wrote:
> >
> > Fabio Pietrosanti (naif) wrote:
> > > If someone wants to make this recipe working, i think that the world
> > > would appreciate with an "easy to be setup, independently run, audio,
> > > video, file transfer, chat infrastructure accessible with a web
> > > browser" .
> > Welp, there goes my weekend. Dangit, naif! ;-)
> >
> > ~Griffin
> >
>

Re: [liberationtech] From Snowden's email provider. NSL??? (Recipe for Secure Audio, Video, Chat, File Transfer)

2013-08-09 Thread Griffin Boyce
Thanks for volunteering to help me test the service ;3

Brian Conley wrote:
>
> Griffin, make it so!!
>
> On Aug 9, 2013 7:31 AM, "Griffin Boyce" wrote:
>
> Fabio Pietrosanti (naif) wrote:
> > If someone wants to make this recipe working, i think that the world
> > would appreciate with an "easy to be setup, independently run, audio,
> > video, file transfer, chat infrastructure accessible with a web
> > browser" .
> Welp, there goes my weekend. Dangit, naif! ;-)
>
> ~Griffin
>



Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread adrelanos
Moritz Bartl:
> On 09.08.2013 13:15, Nadim Kobeissi wrote:
>> Yup, Cryptocat has had build assurance for quite some time.
>> "Sorry, not possible to backdoor without people noticing"
>> is still a valid line of defence and has been one for a while.
> 
> You should think about splitting Cryptocat software development and
> service operation into two separate legal entities. Service operation
> could legally be based in whatever country, say, Antigua.
> 
> There was at least one wiki meant to collect information regarding the
> legal requirements per country, but I don't remember where.
> 

Sounds good to me. The Tor Project also doesn't run any Tor servers
themselves, and rightfully so.


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Reed Black
On Fri, Aug 9, 2013 at 1:26 AM, Nadim Kobeissi  wrote:
>
> On 2013-08-08, at 11:53 PM, Mike Perry  wrote:
>
>> It is profoundly encouraging to see that people of such courage and
>> integrity as the Lavabit staff exist, and are willing to put everything
>> on the line to stand up against this madness.
>
> +1.
> For what it's worth, and even though I think it's pretty unlikely that 
> Cryptocat will receive such an order, I've posted a pledge on our Twitter 
> feed:
> https://twitter.com/cryptocatapp/status/365733575351480321

Is that helpful though?

CryptoCat is served up by the Chrome app store. Do you have control
over what binary gets distributed to who? Does any assurance exist
beyond the app store's own signing validation?

I thought this was like webmasters and third-party script inclusions.
They will be blind if Google or DoubleClick are compelled to
selectively swap out the scripts they serve to millions of third-party
sites.


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Petter Ericson
On 09 August, 2013 - Moritz Bartl wrote:

> On 09.08.2013 13:15, Nadim Kobeissi wrote:
> > Yup, Cryptocat has had build assurance for quite some time.
> > "Sorry, not possible to backdoor without people noticing"
> > is still a valid line of defence and has been one for a while.
> 
> You should think about splitting Cryptocat software development and
> service operation into two separate legal entities. Service operation
> could legally be based in whatever country, say, Antigua.
> 
> There was at least one wiki meant to collect information regarding the
> legal requirements per country, but I don't remember where.

That would be the Digital Rights Watch, I believe (http://diriwa.org), though
it is/was much more ambitious, and aims to collect all available relevant
information about information and security legalities and realities.

Best

/P

-- 
Petter Ericson (pett...@acc.umu.se)
Telecomix Sleeper Jellyfish


Re: [liberationtech] From Snowden's email provider. NSL??? (Recipe for Secure Audio, Video, Chat, File Transfer)

2013-08-09 Thread Brian Conley
Griffin, make it so!!
On Aug 9, 2013 7:31 AM, "Griffin Boyce"  wrote:

> Fabio Pietrosanti (naif) wrote:
> > If someone wants to make this recipe working, i think that the world
> > would appreciate with an "easy to be setup, independently run, audio,
> > video, file transfer, chat infrastructure accessible with a web
> > browser" .
> Welp, there goes my weekend. Dangit, naif! ;-)
>
> ~Griffin

Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Nicholas Merrill
On 8/9/13 5:34 AM, Nadim Kobeissi wrote:
> Also, weren't NSLs ruled unconstitutional recently? NK

Yes.  However...

NSLs have been ruled unconstitutional several times beginning in 2004
[1] with my case ( Doe v. Ashcroft / Doe v. Gonzalez / Doe v. Mukasey /
Doe v. Holder ) and then again in 2007 [2] in my case after the law was
amended, and then more recently in the case that Jillian cited.  But
none of these cases were ever able to make it to the Supreme Court to be
decided upon in a way that was binding nation-wide and final.

best,
-Nick

[1] 
http://articles.philly.com/2004-09-30/news/25376716_1_national-security-letters-gag-order-fbi-summons
[2] 
http://www.washingtonpost.com/wp-dyn/content/article/2007/09/06/AR2007090601438.html

-- 
Nicholas Merrill
Executive Director
The Calyx Institute
287 Spring Street
New York, NY 10013




Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Frederic Jacobs
Thankfully Cryptocat can be used with a custom server. They can shut down a 
server but they can't prevent new servers being configured. 
Hence the importance of decentralized open-source software.

On Aug 9, 2013, at 10:48 AM, Nadim Kobeissi  wrote:

> 
> On 2013-08-09, at 11:31 AM, Ali-Reza Anghaie  wrote:
> 
>> On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
>>> For what it's worth, and even though I think it's pretty unlikely that 
>>> Cryptocat will receive such an order,
>> *snip*
>> 
>> You're right but that should provide little comfort - when they come
>> after the non-business platform libtech to cypherpunk services - they
>> don't use legal orders. It gets much worse. -Ali
> 
> Well at least now they know how to shut Cryptocat down :P
> 
> NK
> 

Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Moritz Bartl
On 09.08.2013 13:15, Nadim Kobeissi wrote:
> Yup, Cryptocat has had build assurance for quite some time.
> "Sorry, not possible to backdoor without people noticing"
> is still a valid line of defence and has been one for a while.

You should think about splitting Cryptocat software development and
service operation into two separate legal entities. Service operation
could legally be based in whatever country, say, Antigua.

There was at least one wiki meant to collect information regarding the
legal requirements per country, but I don't remember where.

-- 
Moritz Bartl
https://www.torservers.net/


Re: [liberationtech] From Snowden's email provider. NSL??? (Recipe for Secure Audio, Video, Chat, File Transfer)

2013-08-09 Thread Griffin Boyce
Fabio Pietrosanti (naif) wrote:
> If someone wants to make this recipe working, i think that the world
> would appreciate with an "easy to be setup, independently run, audio,
> video, file transfer, chat infrastructure accessible with a web
> browser" . 
Welp, there goes my weekend. Dangit, naif! ;-)

~Griffin


Re: [liberationtech] From Snowden's email provider. NSL??? (Recipe for Secure Audio, Video, Chat, File Transfer)

2013-08-09 Thread Joseph Lorenzo Hall


On Fri Aug  9 09:42:49 2013, Fabio Pietrosanti (naif) wrote:
> To be true, i invested 4 weeks of trolling on IETF WebRTC mailing list
> sustaining the need to support "also SDES" in order to provide
> interoperability with existing VoIP world from day 1.

::) I think I'm solidly with EKR on this... and this is a valuable 15 
minute presentation on the "no SDES" argument: 
http://recordings.conf.meetecho.com/Recordings/watch.jsp?recording=IETF87_RTCWEB&chapter=part_4

> When i unsubscribed from the DTLS-SRTP mailing, the WebRTC standard was
> WITH "end-to-end" encryption but WITHOUT end-to-end-authentication
> (relying on the server to provide authentication means for user
> fingerprint, de-facto allowing MITM).
>
> Which is the current status for fingerprint verification of DTLS-SRTP
> calls? Does it still rely on server?

Alas, I have lost track of this... maybe someone else close to how it's 
evolved can chime in? best, Joe

--
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
j...@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8





Re: [liberationtech] From Snowden's email provider. NSL??? (Recipe for Secure Audio, Video, Chat, File Transfer)

2013-08-09 Thread Fabio Pietrosanti (naif)
On 8/9/13 3:29 PM, Joseph Lorenzo Hall wrote:
> On Fri Aug  9 06:55:12 2013, Fabio Pietrosanti (naif) wrote:
>> This is because with OpenFire + Chrome you can also do end-to-end
>> encrypted WebRTC Audio/Video call.
> Firefox nightlies, as far as I'm aware, also provide WebRTC capability 
> these days (based on DTLS-SRTP... they voted down at last week's IETF 
> 87 WebRTC/RTCweb support for SDES (which channels keying material 
> through the signaling server. bad!).)
To be true, i invested 4 weeks of trolling on IETF WebRTC mailing list
sustaining the need to support "also SDES" in order to provide
interoperability with existing VoIP world from day 1.

The relevant point still was to still have DTLS-SRTP (that's still
inside) in place but to ADD a modular / end-user-verifiable
(appropriate JS API) security fingerprint / security model.

When i unsubscribed from the DTLS-SRTP mailing, the WebRTC standard was
WITH "end-to-end" encryption but WITHOUT end-to-end-authentication
(relying on the server to provide authentication means for user
fingerprint, de-facto allowing MITM).

Which is the current status for fingerprint verification of DTLS-SRTP
calls? Does it still rely on server?

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org



Re: [liberationtech] From Snowden's email provider. NSL??? (Recipe for Secure Audio, Video, Chat, File Transfer)

2013-08-09 Thread Joseph Lorenzo Hall

On Fri Aug  9 06:55:12 2013, Fabio Pietrosanti (naif) wrote:
>
> This is because with OpenFire + Chrome you can also do end-to-end
> encrypted WebRTC Audio/Video call.

Firefox nightlies, as far as I'm aware, also provide WebRTC capability 
these days (based on DTLS-SRTP... they voted down at last week's IETF 
87 WebRTC/RTCweb support for SDES (which channels keying material 
through the signaling server. bad!).)

best, Joe

--
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
j...@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8





Re: [liberationtech] From Snowden's email provider. NSL??? (Recipe for Secure Audio, Video, Chat, File Transfer)

2013-08-09 Thread Nadim Kobeissi

On 2013-08-09, at 1:55 PM, Fabio Pietrosanti (naif)  
wrote:

> On 8/9/13 10:59 AM, Julien Rabier wrote:
>> On 09 August - 11:48, Nadim Kobeissi wrote:
>>> On 2013-08-09, at 11:31 AM, Ali-Reza Anghaie  wrote:
>>> 
>>>> On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
>>>>> For what it's worth, and even though I think it's pretty unlikely that 
>>>>> Cryptocat will receive such an order,
>>>> *snip*
>>>> 
>>>> You're right but that should provide little comfort - when they come
>>>> after the non-business platform libtech to cypherpunk services - they
>>>> don't use legal orders. It gets much worse. -Ali
>>> Well at least now they know how to shut Cryptocat down :P
>>> 
>>> NK
>> One good way to reduce the impact of such an order would be to call for moar
>> cryptocat instances. Decentralize, spread datalove, <3
>> 
>> https://github.com/cryptocat/cryptocat/wiki/Server-Deployment-Instructions
>> I think I'm going to try to deploy a cryptocat server in the next days and
>> see how it goes.
> You should consider testing CryptoCat with OpenFire XMPP Server.

Here, you get issue 404 :-)
https://github.com/cryptocat/cryptocat/issues/404

NK

> 
> This is because with OpenFire + Chrome you can also do end-to-end
> encrypted WebRTC Audio/Video call.
> 
> So the right Recipe is:
> - OpenFire as XMPP server http://www.igniterealtime.org/projects/openfire/
> - CryptoCat as a Chat+Filetransfer Client (for Chrome Plugin)
> - Chrome as a Secure Audio/Video client with WebRTC
> 
> Everything can be set up by a Poweruser with no specific ninja Linux skills.
> 
> If someone wants to make this recipe work, I think that the world
> would appreciate an
> 
> "easy to be setup, independently run, audio, video, file transfer, chat
> infrastructure accessible with a web browser" .
> 
> 
> -- 
> Fabio Pietrosanti (naif)
> HERMES - Center for Transparency and Digital Human Rights
> http://logioshermes.org - http://globaleaks.org - http://tor2web.org
> 

Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Nadim Kobeissi

On 2013-08-09, at 1:24 PM, Nick  wrote:

> On Fri, Aug 09, 2013 at 11:26:21AM +0300, Nadim Kobeissi wrote:
>> On 2013-08-08, at 11:53 PM, Mike Perry  wrote:
>>> It is profoundly encouraging to see that people of such courage and
>>> integrity as the Lavabit staff exist, and are willing to put everything
>>> on the line to stand up against this madness.
>> 
>> +1.
>> For what it's worth, and even though I think it's pretty unlikely that 
>> Cryptocat will receive such an order, I've posted a pledge on our Twitter 
>> feed:
>> https://twitter.com/cryptocatapp/status/365733575351480321
> 
> Would implementing some sort of build assurance thing like Tor have
> done recently help here? So if the government said "please put a
> back door for us", you could legitimately say "sorry, not possible
> without people noticing". That's an even better option than
> "crypto.cat is now closed, you may like to complain to the US
> government about that."

Yup, Cryptocat has had build assurance for quite some time. "Sorry, not 
possible to backdoor without people noticing" is still a valid line of defence 
and has been one for a while.

But I guess it was still worth it to tweet that in the event that even that 
line of defence is somehow circumvented, in the (unlikely, I know) circumstance 
that we get some sort of legal order that's definitely beyond our capacity to 
swerve around, then yeah, Cryptocat would rather cease development. It's just a 
simple extra assurance.

NK

> 
> Note that I haven't yet had a chance to read about the verified build
> stuff in any detail, and I'm not sure how easy it would be to verify
> such a build against what's on one of the browser extension / addon
> stores. So maybe I'm talking nonsense ;)


Re: [liberationtech] From Snowden's email provider. NSL??? (Recipe for Secure Audio, Video, Chat, File Transfer)

2013-08-09 Thread Fabio Pietrosanti (naif)
On 8/9/13 10:59 AM, Julien Rabier wrote:
> On 09 August - 11:48, Nadim Kobeissi wrote:
>> On 2013-08-09, at 11:31 AM, Ali-Reza Anghaie  wrote:
>>
>>> On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
>>>> For what it's worth, and even though I think it's pretty unlikely that 
>>>> Cryptocat will receive such an order,
>>> *snip*
>>>
>>> You're right but that should provide little comfort - when they come
>>> after the non-business platform libtech to cypherpunk services - they
>>> don't use legal orders. It gets much worse. -Ali
>> Well at least now they know how to shut Cryptocat down :P
>>
>> NK
> One good way to reduce the impact of such an order would be to call for moar
> cryptocat instances. Decentralize, spread datalove, <3
>
> https://github.com/cryptocat/cryptocat/wiki/Server-Deployment-Instructions
> I think I'm going to try to deploy a cryptocat server in the next days and
> see how it goes.
You should consider testing CryptoCat with OpenFire XMPP Server.

This is because with OpenFire + Chrome you can also do end-to-end
encrypted WebRTC Audio/Video call.

So the right Recipe is:
- OpenFire as XMPP server http://www.igniterealtime.org/projects/openfire/
- CryptoCat as a Chat+Filetransfer Client (for Chrome Plugin)
- Chrome as a Secure Audio/Video client with WebRTC

Everything can be set up by a Poweruser with no specific ninja Linux skills.

If someone wants to make this recipe work, I think that the world
would appreciate an

"easy to be setup, independently run, audio, video, file transfer, chat
infrastructure accessible with a web browser" .


-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org



Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Nick
On Fri, Aug 09, 2013 at 11:26:21AM +0300, Nadim Kobeissi wrote:
> On 2013-08-08, at 11:53 PM, Mike Perry  wrote:
> > It is profoundly encouraging to see that people of such courage and
> > integrity as the Lavabit staff exist, and are willing to put everything
> > on the line to stand up against this madness.
> 
> +1.
> For what it's worth, and even though I think it's pretty unlikely that 
> Cryptocat will receive such an order, I've posted a pledge on our Twitter 
> feed:
> https://twitter.com/cryptocatapp/status/365733575351480321

Would implementing some sort of build assurance thing like Tor have
done recently help here? So if the government said "please put a
back door for us", you could legitimately say "sorry, not possible
without people noticing". That's an even better option than
"crypto.cat is now closed, you may like to complain to the US
government about that."

Note that I haven't yet had a chance to read about the verified build
stuff in any detail, and I'm not sure how easy it would be to verify
such a build against what's on one of the browser extension / addon
stores. So maybe I'm talking nonsense ;)
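
Nick's question above, whether a verified build can be checked against what a browser extension store actually ships, comes down to comparing file contents rather than whole-package hashes, because the store's package carries a signing header and may carry extra files. The following is an added example, not code from Cryptocat, Tor or any store; the sample archives, file names and key bytes are constructed, and treating `_metadata/` as store-added is an assumption.

```python
import hashlib
import io
import struct
import zipfile

# Assumption: paths under these prefixes are added by the store, not the developer.
STORE_ADDED_PREFIXES = ("_metadata/",)


def strip_crx_header(data: bytes) -> bytes:
    """Return the ZIP payload of a CRX package (plain ZIP data is returned as-is)."""
    if data[:4] != b"Cr24":
        return data
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:  # magic, version, key length, signature length, key, signature
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return data[16 + key_len + sig_len:]
    if version == 3:  # magic, version, header length, header
        header_len = struct.unpack_from("<I", data, 8)[0]
        return data[12 + header_len:]
    raise ValueError(f"unsupported CRX version {version}")


def file_digests(package: bytes, ignore_prefixes=STORE_ADDED_PREFIXES) -> dict:
    """Map each archived file path to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(strip_crx_header(package))) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(ignore_prefixes):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(local_build: bytes, store_package: bytes) -> dict:
    """Report files that are missing, extra, or different in the store package."""
    local, store = file_digests(local_build), file_digests(store_package)
    shared = set(local) & set(store)
    return {
        "only_in_local": sorted(set(local) - set(store)),
        "only_in_store": sorted(set(store) - set(local)),
        "content_differs": sorted(p for p in shared if local[p] != store[p]),
    }


def builds_match(local_build: bytes, store_package: bytes) -> bool:
    """True when every developer-supplied file is byte-identical in both packages."""
    return not any(compare_builds(local_build, store_package).values())


def package_sha256(package: bytes) -> str:
    """Hash of the package as a whole, for contrast with the per-file comparison."""
    return hashlib.sha256(package).hexdigest()


# --- Constructed sample data (not taken from any real extension) ---

def make_zip(files: dict, date_time: tuple) -> bytes:
    """Build a ZIP in memory with a fixed timestamp on every entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), content)
    return buf.getvalue()


def wrap_crx2(zip_bytes: bytes) -> bytes:
    """Prepend a CRX2-style header; key and signature are placeholder bytes."""
    key, sig = b"K" * 32, b"S" * 64
    return b"Cr24" + struct.pack("<III", 2, len(key), len(sig)) + key + sig + zip_bytes


MANIFEST = b'{"name": "example-extension", "version": "1.0"}'
CHAT_JS = b"function send(msg) { encryptAndSend(msg); }\n"

# What a user rebuilds from source.
LOCAL_BUILD = make_zip(
    {"manifest.json": MANIFEST, "js/chat.js": CHAT_JS}, (2013, 8, 9, 12, 0, 0))
# Same files as shipped: different order and timestamps, header, one store-added file.
STORE_PACKAGE = wrap_crx2(make_zip(
    {"js/chat.js": CHAT_JS, "_metadata/verified_contents.json": b"{}",
     "manifest.json": MANIFEST}, (2013, 8, 10, 9, 30, 0)))
# A shipped package whose script differs from the published source.
TAMPERED_PACKAGE = wrap_crx2(make_zip(
    {"manifest.json": MANIFEST, "js/chat.js": CHAT_JS + b"sendCopy(msg);\n"},
    (2013, 8, 10, 9, 30, 0)))

if __name__ == "__main__":
    print("whole-package hashes equal:",
          package_sha256(LOCAL_BUILD) == package_sha256(STORE_PACKAGE))
    print("honest store package:", compare_builds(LOCAL_BUILD, STORE_PACKAGE))
    print("tampered store package:", compare_builds(LOCAL_BUILD, TAMPERED_PACKAGE))
```

Anything under an ignored prefix is not verified at all, so the ignore list should stay as short as possible and each entry should be justified.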


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Randolph D.
Use this p2p email  http://bitmail.sf.net
On 09.08.2013 11:57, "Jillian C. York" wrote:

> I think Nadim is referring to this:
>
>
> https://www.eff.org/press/releases/national-security-letters-are-unconstitutional-federal-judge-rules
>
>
> On Fri, Aug 9, 2013 at 11:34 AM, Nadim Kobeissi  wrote:
>
>>
>> On 2013-08-09, at 11:59 AM, Julien Rabier  wrote:
>>
>> > On 09 August - 11:48, Nadim Kobeissi wrote:
>> >>
>> >> On 2013-08-09, at 11:31 AM, Ali-Reza Anghaie  wrote:
>> >>
>> >>> On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
>> >>>> For what it's worth, and even though I think it's pretty unlikely
>> >>>> that Cryptocat will receive such an order,
>> >>> *snip*
>> >>>
>> >>> You're right but that should provide little comfort - when they come
>> >>> after the non-business platform libtech to cypherpunk services - they
>> >>> don't use legal orders. It gets much worse. -Ali
>> >>
>> >> Well at least now they know how to shut Cryptocat down :P
>> >>
>> >> NK
>> >
>> > One good way to reduce the impact of such an order would be to call for
>> > moar cryptocat instances. Decentralize, spread datalove, <3
>> >
>> > https://github.com/cryptocat/cryptocat/wiki/Server-Deployment-Instructions
>> > I think I'm going to try to deploy a cryptocat server in the next days
>> > and see how it goes.
>>
>> +1! Awesome!
>>
>> Also, weren't NSLs ruled unconstitutional recently?
>>
>> NK
>>
>> >
>> > taziden
>>
>
>
>
> --
> *Note: *I am slowly extricating myself from Gmail. Please change your
> address books to: jilliancy...@riseup.net or jill...@eff.org.
>
> US: +1-857-891-4244 | NL: +31-657086088
> site:  jilliancyork.com * | *
> twitter: @jilliancyork* *
>
> "We must not be afraid of dreaming the seemingly impossible if we want the
> seemingly impossible to become a reality" - *Vaclav Havel*
>

Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Jillian C. York
I think Nadim is referring to this:

https://www.eff.org/press/releases/national-security-letters-are-unconstitutional-federal-judge-rules


On Fri, Aug 9, 2013 at 11:34 AM, Nadim Kobeissi  wrote:

>
> On 2013-08-09, at 11:59 AM, Julien Rabier  wrote:
>
> > On 09 August - 11:48, Nadim Kobeissi wrote:
> >>
> >> On 2013-08-09, at 11:31 AM, Ali-Reza Anghaie  wrote:
> >>
> >>> On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
> >>>> For what it's worth, and even though I think it's pretty unlikely
> >>>> that Cryptocat will receive such an order,
> >>> *snip*
> >>>
> >>> You're right but that should provide little comfort - when they come
> >>> after the non-business platform libtech to cypherpunk services - they
> >>> don't use legal orders. It gets much worse. -Ali
> >>
> >> Well at least now they know how to shut Cryptocat down :P
> >>
> >> NK
> >
> > One good way to reduce the impact of such an order would be to call for
> > moar cryptocat instances. Decentralize, spread datalove, <3
> >
> > https://github.com/cryptocat/cryptocat/wiki/Server-Deployment-Instructions
> > I think I'm going to try to deploy a cryptocat server in the next days
> > and see how it goes.
>
> +1! Awesome!
>
> Also, weren't NSLs ruled unconstitutional recently?
>
> NK
>
> >
> > taziden
>



-- 
*Note: *I am slowly extricating myself from Gmail. Please change your
address books to: jilliancy...@riseup.net or jill...@eff.org.

US: +1-857-891-4244 | NL: +31-657086088
site:  jilliancyork.com * | *
twitter: @jilliancyork* *

"We must not be afraid of dreaming the seemingly impossible if we want the
seemingly impossible to become a reality" - *Vaclav Havel*

Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Jason Gulledge
> Also, weren't NSLs ruled unconstitutional recently?
> 
> NK


I don't remember that, but I do remember hearing the FISC ruled some of the 
NSA's activities unconstitutional….in 2011. 

http://www.ibtimes.com/fisc-will-not-object-release-2011-court-opinion-confirmed-nsas-illegal-surveillance-1305023

The ruling was classified. Funny how that works. 

-Jason


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Nadim Kobeissi

On 2013-08-09, at 11:59 AM, Julien Rabier  wrote:

> On 09 August - 11:48, Nadim Kobeissi wrote:
>> 
>> On 2013-08-09, at 11:31 AM, Ali-Reza Anghaie  wrote:
>> 
>>> On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
>>>> For what it's worth, and even though I think it's pretty unlikely that 
>>>> Cryptocat will receive such an order,
>>> *snip*
>>> 
>>> You're right but that should provide little comfort - when they come
>>> after the non-business platform libtech to cypherpunk services - they
>>> don't use legal orders. It gets much worse. -Ali
>> 
>> Well at least now they know how to shut Cryptocat down :P
>> 
>> NK
> 
> One good way to reduce the impact of such an order would be to call for moar
> cryptocat instances. Decentralize, spread datalove, <3
> 
> https://github.com/cryptocat/cryptocat/wiki/Server-Deployment-Instructions
> I think I'm going to try to deploy a cryptocat server in the next days and
> see how it goes.

+1! Awesome!

Also, weren't NSLs ruled unconstitutional recently?

NK

> 
> taziden


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Eugen Leitl
On Fri, Aug 09, 2013 at 04:31:10AM -0400, Ali-Reza Anghaie wrote:

> You're right but that should provide little comfort - when they come
> after the non-business platform libtech to cypherpunk services - they
> don't use legal orders. It gets much worse. -Ali

"They" better be global then. And "they" better be able to deal
with distributed systems, where seizure of a fraction of a system
does not produce any actionable items, nor clues about physical
whereabouts or monetary streams to trace.


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Julien Rabier
On 09 August - 11:48, Nadim Kobeissi wrote:
> 
> On 2013-08-09, at 11:31 AM, Ali-Reza Anghaie  wrote:
> 
> > On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
> >> For what it's worth, and even though I think it's pretty unlikely that 
> >> Cryptocat will receive such an order,
> > *snip*
> > 
> > You're right but that should provide little comfort - when they come
> > after the non-business platform libtech to cypherpunk services - they
> > don't use legal orders. It gets much worse. -Ali
> 
> Well at least now they know how to shut Cryptocat down :P
> 
> NK

One good way to reduce the impact of such an order would be to call for moar
cryptocat instances. Decentralize, spread datalove, <3

https://github.com/cryptocat/cryptocat/wiki/Server-Deployment-Instructions
I think I'm going to try to deploy a cryptocat server in the next days and
see how it goes.

taziden


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Nadim Kobeissi

On 2013-08-09, at 11:31 AM, Ali-Reza Anghaie  wrote:

> On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
>> For what it's worth, and even though I think it's pretty unlikely that 
>> Cryptocat will receive such an order,
> *snip*
> 
> You're right but that should provide little comfort - when they come
> after the non-business platform libtech to cypherpunk services - they
> don't use legal orders. It gets much worse. -Ali

Well at least now they know how to shut Cryptocat down :P

NK



Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Ali-Reza Anghaie
On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
> For what it's worth, and even though I think it's pretty unlikely that 
> Cryptocat will receive such an order,
*snip*

You're right but that should provide little comfort - when they come
after the non-business platform libtech to cypherpunk services - they
don't use legal orders. It gets much worse. -Ali


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Nadim Kobeissi

On 2013-08-08, at 11:53 PM, Mike Perry  wrote:

> It is profoundly encouraging to see that people of such courage and
> integrity as the Lavabit staff exist, and are willing to put everything
> on the line to stand up against this madness.

+1.
For what it's worth, and even though I think it's pretty unlikely that 
Cryptocat will receive such an order, I've posted a pledge on our Twitter feed:
https://twitter.com/cryptocatapp/status/365733575351480321

NK

> 
> David Johnson:
>> https://lavabit.com/
>> 
>> My Fellow Users,
>> I have been forced to make a difficult decision: to become complicit in
>> crimes against the American people or walk away from nearly ten years of
>> hard work by shutting down Lavabit. After significant soul searching, I
>> have decided to suspend operations. I wish that I could legally share with
>> you the events that led to my decision. I cannot. I feel you deserve to
>> know what’s going on--the first amendment is supposed to guarantee me the
>> freedom to speak out in situations like this. Unfortunately, Congress has
>> passed laws that say otherwise. As things currently stand, I cannot share
>> my experiences over the last six weeks, even though I have twice made the
>> appropriate requests.
>> What’s going to happen now? We’ve already started preparing the paperwork
>> needed to continue to fight for the Constitution in the Fourth Circuit
>> Court of Appeals. A favorable decision would allow me resurrect Lavabit as
>> an American company.
>> This experience has taught me one very important lesson: without
>> congressional action or a strong judicial precedent, I would _strongly_
>> recommend against anyone trusting their private data to a company with
>> physical ties to the United States.
>> Sincerely,
>> Ladar Levison
>> Owner and Operator, Lavabit LLC
>> Defending the constitution is expensive! Help us by donating to the Lavabit
>> Legal Defense Fund
>> here
>> .
> 
> 
> 
> -- 
> Mike Perry


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-08 Thread James S. Tyre
And now Silent Circle's Silent Mail service.

 

https://silentcircle.wordpress.com/2013/08/09/to-our-customers/

 

(They say that they have not received any warrants, NSL letters, etc, but are
shutting down that service before they do.)

 

--

James S. Tyre

Law Offices of James S. Tyre

10736 Jefferson Blvd., #512

Culver City, CA 90230-4969

310-839-4114/310-839-4602(fax)

jst...@jstyre.com

Policy Fellow, Electronic Frontier Foundation

https://www.eff.org

 

From: liberationtech-boun...@lists.stanford.edu
[mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of David Johnson
Sent: Thursday, August 08, 2013 1:31 PM
To: Liberation Technologies
Subject: [liberationtech] From Snowden's email provider. NSL???

 

 

 

 

 
https://lavabit.com/

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in
crimes against the American people or walk away from nearly ten years of
hard work by shutting down Lavabit. After significant soul searching, I
have decided to suspend operations. I wish that I could legally share with
you the events that led to my decision. I cannot. I feel you deserve to
know what's going on--the first amendment is supposed to guarantee me the
freedom to speak out in situations like this. Unfortunately, Congress has
passed laws that say otherwise. As things currently stand, I cannot share
my experiences over the last six weeks, even though I have twice made the
appropriate requests.

What's going to happen now? We've already started preparing the paperwork
needed to continue to fight for the Constitution in the Fourth Circuit
Court of Appeals. A favorable decision would allow me resurrect Lavabit as
an American company.

This experience has taught me one very important lesson: without
congressional action or a strong judicial precedent, I would _strongly_
recommend against anyone trusting their private data to a company with
physical ties to the United States.

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

Defending the constitution is expensive! Help us by donating to the Lavabit 
Legal Defense
Fund
<https://mail.aljazeera.net/owa/redir.aspx?C=C-JjrgIYEEuVtop4L5ekkprZkHoJaNAI1emSTsdeFmPgX
a3gmIunVE-6BLYJ-qLs7Uy3YNIHo0k.&URL=https%3a%2f%2fwww.paypal.com%2fcgi-bin%2fwebscr%3fcmd%
3d_s-xclick%26hosted_button_id%3d7BCR4A5W9PNN4> here.

 


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-08 Thread Kyle Maxwell
I find it unlikely that it's an NSL per se. That would compel Lavabit
to produce existing business records, and shutting down doesn't
provide any defense against that.

But if the FBI (likely the lead agency on this) tried to compel
Lavabit to weaken its implementation so that they could conduct
ongoing, future surveillance, that might be a different matter. My
guess is that the actual issue lies more in this direction.

On Thu, Aug 8, 2013 at 5:12 PM, Shava Nerad  wrote:
> http://boingboing.net/2013/08/08/lavabit-email-service-snowden.html
>
> has the link to the correct paypal donation page.
>
>
> On Thu, Aug 8, 2013 at 4:31 PM, David Johnson 
> wrote:
>>
>>
>>
>>
>> https://lavabit.com/
>>
>> My Fellow Users,
>> I have been forced to make a difficult decision: to become complicit in
>> crimes against the American people or walk away from nearly ten years of
>> hard work by shutting down Lavabit. After significant soul searching, I have
>> decided to suspend operations. I wish that I could legally share with you
>> the events that led to my decision. I cannot. I feel you deserve to know
>> what’s going on--the first amendment is supposed to guarantee me the freedom
>> to speak out in situations like this. Unfortunately, Congress has passed
>> laws that say otherwise. As things currently stand, I cannot share my
>> experiences over the last six weeks, even though I have twice made the
>> appropriate requests.
>> What’s going to happen now? We’ve already started preparing the paperwork
>> needed to continue to fight for the Constitution in the Fourth Circuit Court
>> of Appeals. A favorable decision would allow me resurrect Lavabit as an
>> American company.
>> This experience has taught me one very important lesson: without
>> congressional action or a strong judicial precedent, I would _strongly_
>> recommend against anyone trusting their private data to a company with
>> physical ties to the United States.
>> Sincerely,
>> Ladar Levison
>> Owner and Operator, Lavabit LLC
>> Defending the constitution is expensive! Help us by donating to the
>> Lavabit Legal Defense Fund here.
>>
>>
>
>
>
>
> --
>
> Shava Nerad
> shav...@gmail.com
>



-- 
@kylemaxwell


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-08 Thread Shava Nerad
http://boingboing.net/2013/08/08/lavabit-email-service-snowden.html

has the link to the correct paypal donation page.


On Thu, Aug 8, 2013 at 4:31 PM, David Johnson wrote:

>
>
>
> https://lavabit.com/
>
> My Fellow Users,
> I have been forced to make a difficult decision: to become complicit in
> crimes against the American people or walk away from nearly ten years of
> hard work by shutting down Lavabit. After significant soul searching, I
> have decided to suspend operations. I wish that I could legally share with
> you the events that led to my decision. I cannot. I feel you deserve to
> know what’s going on--the first amendment is supposed to guarantee me the
> freedom to speak out in situations like this. Unfortunately, Congress has
> passed laws that say otherwise. As things currently stand, I cannot share
> my experiences over the last six weeks, even though I have twice made the
> appropriate requests.
> What’s going to happen now? We’ve already started preparing the paperwork
> needed to continue to fight for the Constitution in the Fourth Circuit
> Court of Appeals. A favorable decision would allow me resurrect Lavabit as
> an American company.
> This experience has taught me one very important lesson: without
> congressional action or a strong judicial precedent, I would _strongly_
> recommend against anyone trusting their private data to a company with
> physical ties to the United States.
> Sincerely,
> Ladar Levison
> Owner and Operator, Lavabit LLC
> Defending the constitution is expensive! Help us by donating to the
> Lavabit Legal Defense Fund 
> here
> .
>
>
>



-- 

Shava Nerad
shav...@gmail.com

Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-08 Thread Andrés Leopoldo Pacheco Sanfuentes
right. They're putting their lives' work, their livelihood, at stake.

Best Regards | Cordiales Saludos | Grato,

Andrés L. Pacheco Sanfuentes

+1 (817) 271-9619


On Thu, Aug 8, 2013 at 3:53 PM, Mike Perry  wrote:
> It is profoundly encouraging to see that people of such courage and
> integrity as the Lavabit staff exist, and are willing to put everything
> on the line to stand up against this madness.
>
> David Johnson:
>> https://lavabit.com/
>>
>> My Fellow Users,
>> I have been forced to make a difficult decision: to become complicit in
>> crimes against the American people or walk away from nearly ten years of
>> hard work by shutting down Lavabit. After significant soul searching, I
>> have decided to suspend operations. I wish that I could legally share with
>> you the events that led to my decision. I cannot. I feel you deserve to
>> know what’s going on--the first amendment is supposed to guarantee me the
>> freedom to speak out in situations like this. Unfortunately, Congress has
>> passed laws that say otherwise. As things currently stand, I cannot share
>> my experiences over the last six weeks, even though I have twice made the
>> appropriate requests.
>> What’s going to happen now? We’ve already started preparing the paperwork
>> needed to continue to fight for the Constitution in the Fourth Circuit
>> Court of Appeals. A favorable decision would allow me to resurrect Lavabit as
>> an American company.
>> This experience has taught me one very important lesson: without
>> congressional action or a strong judicial precedent, I would _strongly_
>> recommend against anyone trusting their private data to a company with
>> physical ties to the United States.
>> Sincerely,
>> Ladar Levison
>> Owner and Operator, Lavabit LLC
>> Defending the constitution is expensive! Help us by donating to the Lavabit
>> Legal Defense Fund here.
>
>
> --
> Mike Perry


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-08 Thread Mike Perry
It is profoundly encouraging to see that people of such courage and
integrity as the Lavabit staff exist, and are willing to put everything
on the line to stand up against this madness.

David Johnson:
> https://lavabit.com/
> 
> My Fellow Users,
> I have been forced to make a difficult decision: to become complicit in
> crimes against the American people or walk away from nearly ten years of
> hard work by shutting down Lavabit. After significant soul searching, I
> have decided to suspend operations. I wish that I could legally share with
> you the events that led to my decision. I cannot. I feel you deserve to
> know what’s going on--the first amendment is supposed to guarantee me the
> freedom to speak out in situations like this. Unfortunately, Congress has
> passed laws that say otherwise. As things currently stand, I cannot share
> my experiences over the last six weeks, even though I have twice made the
> appropriate requests.
> What’s going to happen now? We’ve already started preparing the paperwork
> needed to continue to fight for the Constitution in the Fourth Circuit
> Court of Appeals. A favorable decision would allow me to resurrect Lavabit as
> an American company.
> This experience has taught me one very important lesson: without
> congressional action or a strong judicial precedent, I would _strongly_
> recommend against anyone trusting their private data to a company with
> physical ties to the United States.
> Sincerely,
> Ladar Levison
> Owner and Operator, Lavabit LLC
> Defending the constitution is expensive! Help us by donating to the Lavabit
> Legal Defense Fund here.



-- 
Mike Perry

[liberationtech] From Snowden's email provider. NSL???

2013-08-08 Thread David Johnson
https://lavabit.com/

My Fellow Users,
I have been forced to make a difficult decision: to become complicit in
crimes against the American people or walk away from nearly ten years of
hard work by shutting down Lavabit. After significant soul searching, I
have decided to suspend operations. I wish that I could legally share with
you the events that led to my decision. I cannot. I feel you deserve to
know what’s going on--the first amendment is supposed to guarantee me the
freedom to speak out in situations like this. Unfortunately, Congress has
passed laws that say otherwise. As things currently stand, I cannot share
my experiences over the last six weeks, even though I have twice made the
appropriate requests.
What’s going to happen now? We’ve already started preparing the paperwork
needed to continue to fight for the Constitution in the Fourth Circuit
Court of Appeals. A favorable decision would allow me to resurrect Lavabit as
an American company.
This experience has taught me one very important lesson: without
congressional action or a strong judicial precedent, I would _strongly_
recommend against anyone trusting their private data to a company with
physical ties to the United States.
Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC
Defending the constitution is expensive! Help us by donating to the Lavabit
Legal Defense Fund here.