Re: [tor-talk] Tracking blocker

2016-02-19 Thread Jeremy Rand

On 02/19/2016 11:44 PM, Paul A. Crable wrote:
> A NYT article yesterday discussed tracking blockers and recommended
> Disconnect from among four candidates for Intel-architecture
> computers.  Disconnect would be installed as an add-on to Firefox.
> You have a standing recommendation that we not install add-ons to
> the TOR browser.  Would that prohibition apply to the tracking
> blocker Disconnect?
> 
> Paul
> 

It's not clear to me why Disconnect and similar systems are so
popular.  My understanding is that they basically act as blacklists.
This is relatively easy for a competent attacker to bypass, and the
blacklist definitely changes your browser fingerprint compared to a
stock browser.  (Dynamic blacklists like Privacy Badger are probably
worse in terms of fingerprintability.)  Tor Browser is designed to
make tracking less effective without resorting to a blacklist [1], so
in theory you don't need a blacklist anyway.

Cheers,
-Jeremy Rand

[1] Of course, Tor Browser is imperfect in this area, so it is at
least plausible that a blacklist might help in some limited
circumstances.  I doubt that it would be a net benefit.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Tracking blocker

2016-02-19 Thread Seth David Schoen
Paul A. Crable writes:

>   A NYT article yesterday discussed tracking blockers and
>   recommended Disconnect from among four candidates for
>   Intel-architecture computers.  Disconnect would be installed
>   as an add-on to Firefox.  You have a standing recommendation
>   that we not install add-ons to the TOR browser.  Would that
>   prohibition apply to the tracking blocker Disconnect?

The recommendation not to install add-ons is because they will make
your Tor browser more different from others and so potentially more
recognizable to sites you visit -- because they could look at their
logs and say "oh, that's the Tor Browser user who was also using
Disconnect!".  If you didn't use Disconnect, they wouldn't necessarily
have a straightforward way to distinguish you from any other Tor Browser
users who also visited the site, or to speculate about whether a Tor
Browser user who visited site A was also the same Tor Browser user who
visited site B.

The Tor Browser design already provides quite strong tracker protection
compared to a run-of-the-mill desktop web browser because of all of the
ways that it tries not to keep state between sessions, tries not to let
sites find out many things about your computer or browser, and tries not
to let one site see what you've done on another site.

https://www.torproject.org/projects/torbrowser/design/

If you can point out a specific way that Disconnect protects your privacy
that Tor Browser currently doesn't, or if the Disconnect developers
can think of one, it might be constructive to bring it up with the Tor
Browser developers, because they might be willing to consider adding it
as a standard feature for all users.

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107


[tor-talk] Tracking blocker

2016-02-19 Thread Paul A. Crable
A NYT article yesterday discussed tracking blockers and
recommended Disconnect from among four candidates for
Intel-architecture computers.  Disconnect would be installed
as an add-on to Firefox.  You have a standing recommendation
that we not install add-ons to the TOR browser.  Would that
prohibition apply to the tracking blocker Disconnect?

Paul


Re: [tor-talk] [Fwd: Multiple Internets]

2016-02-19 Thread Jonathan Wilkes
> some fucking arrogant shit but some info as well
Totally.  He's so patronizing.  Reminds me of the oracle from the Matrix, if 
instead of baking cookies she had defended Phil Zimmermann in a 
criminal investigation of PGP and helped win the crypto wars.
-Jonathan





Re: [tor-talk] [Fwd: Multiple Internets]

2016-02-19 Thread Cari Machet
o interesting WW - thanks much

F2C2012: Eben Moglen keynote - "Innovation under Austerity"

https://www.youtube.com/watch?v=G2VHf5vpBy8

some fucking arrogant shit but some info as well

On Fri, Feb 12, 2016 at 7:36 AM,  wrote:

>  Original Message 
> From: Ted Smith 
> Apparently from: cypherpunks-boun...@cpunks.org
> To: cypherpu...@cpunks.org
> Subject: Re: [Fwd: Multiple Internets]
> Date: Wed, 10 Feb 2016 12:02:57 -0500
>
> >I'm a little skeptical of wireless mesh networks as a general solution
> to this sort of problem, because they're inherently chatty, and have
> very limited reach.
>
> Wireless meshes are usually short range but there is no architectural
> reason they can't be linked by LoS or even longer-distance connections.
> One area familiar to hams in the VHF/UHF bands is troposcatter. Tropo is
> similar to the more common HF phenomenon ionospheric reflection ("skip")
> but instead uses refraction changes in lower layers of the atmosphere due
> to temperature/density differences.
>
> Tropo is shorter range (generally 100-500 km) than skip and less RF
> efficient but tends to be more reliable and because it operates using much
> higher frequencies can support much higher bandwidth (data rates). All the
> VHF/UHF ham bands and several unlicensed bands (900 MHz, U.S. only), 2.4
> GHz and 5.7 GHz can all support tropo though reflection efficiency tends to
> be greatest at the lower frequencies.
>
> Until the advent of satellites tropo use was widespread by commercial and
> military. Now that anti-satellite tech is becoming more widespread (e.g.,
> recent Chinese launches) tropo is again being investigated
> http://www.militaryaerospace.com/articles/2013/07/army-troposcatter-communications.html
> I'm considering tropo experiments in one of the ham or ISM bands. Please PM
> if you might have SDR or RF skills, time and some money to throw toward
> this.
>
> Speaking of skip, in my PP Hacker Conference slides
> http://s000.tinyupload.com/?file_id=03580328025747098705 I discuss a
> variant, NVIS (Near Vertical Incident Skywave), first developed by the
> Germans during WW II, which allows HF stations operating between 2 - 12 MHz
> to bounce signals off the ionosphere for intermediate range (25-100 km)
> non-LoS communications.
>
> WW



-- 
Cari Machet
NYC 646-436-7795
carimac...@gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet 

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the
addressee(s) and may contain confidential information. If you are not the
intended recipient, you are hereby notified that any use of this
information, dissemination, distribution, or copying of this email without
permission is strictly prohibited.


Re: [tor-talk] large increase in .onion domains

2016-02-19 Thread Leo Francisco


BBC picked up a story on this:
http://www.bbc.co.uk/news/technology-35614335

Glad the good professor was able to spot this one :P


On 19/02/16 07:50, Jeremy Rand wrote:
> On 02/19/2016 01:44 AM, CANNON NATHANIEL CIOTA wrote:
> > On 2016-02-19 01:40, Jeremy Rand wrote:
> > > On 02/19/2016 01:37 AM, CANNON NATHANIEL CIOTA wrote:
> > > > That chat program you are referring to would be ricochet IM
> > >
> > > Well, there was something called TorChat which fits that
> > > description, but TorChat hasn't gotten any security updates or
> > > maintenance in years, so Ricochet is pretty clearly preferable.
> > >
> > > Cheers, -Jeremy Rand
> >
> > I also know latest version of Bitcoin Core has capability of
> > automatically creating .onion host, maybe the testing of that could
> > have been result in spike as well? Though I am leaning more towards
> > botnet or malware being the likely reason behind jump in hidden
> > services.
>
> It's been a while since I looked at that Bitcoin Core feature, but I'm
> pretty sure it only creates a .onion when it detects that Tor is
> already running when Bitcoin Core boots.  So I think it's unlikely to
> generate even close to as many new .onion hosts as we're seeing now.
> A botnet seems more likely to me.  Of course, I have no actual data to
> back up my guess.
>
> Cheers,
> -Jeremy Rand


Re: [tor-talk] PGP and Signed Messages,

2016-02-19 Thread Cain Ungothep
> The traditional answer, which amazingly nobody has mentioned in this
> thread, is called the PGP web of trust.

This is not just the "traditional" answer, it's the only proper answer.

For the uneducated reducing OpenPGP's WoT to WebPKI: you are lame.

Also worth mentioning: Ian Goldberg's shadow WoT experiment.


Re: [tor-talk] PGP and Signed Messages,

2016-02-19 Thread Juan Miguel Navarro Martínez

On 19/02/16 at 19:55, Anthony Papillion wrote:
> All of that makes sense. Good to see that they have verification.
> But what about faked accounts? I mean, technically, I suppose if I
> were motivated enough, I could create all of those (maybe the user
> doesn't even have any SM accounts even). I guess, at that point,
> it's about common sense.
> 
Yes, at that point it is basically TOFU, WoT or common sense depending on
the cases to see if it is real or not. At this moment, Snowden@Twitter
has gained enough trust globally that if he calls bullshit on X
keybase account or other site, it'll certainly be it.

-- 
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF


Re: [tor-talk] PGP and Signed Messages,

2016-02-19 Thread Seth David Schoen
Seth David Schoen writes:

> People also don't necessarily check it in practice.  Someone made fake
> keys for all of the attendees of a particular keysigning party in
> 2010 (including me); I've gotten unreadable encrypted messages from
> over a dozen PGP users as a result, because they believed the fake key
> was real or because software auto-downloaded it for them without
> checking the signatures.

This happened once again today, shortly after I wrote this message!
The person who made the mistake was a cryptography expert who has done
research in this area.  So I fear the web of trust isn't holding up
very well under strain, at least in terms of common user practices with
popular PGP clients.

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107


Re: [tor-talk] PGP and Signed Messages,

2016-02-19 Thread Anthony Papillion

On 02/19/2016 12:46 PM, Juan Miguel Navarro Martínez wrote:
> On 18/02/16 at 18:32, Anthony Papillion wrote:
>> What is stopping me from creating a fictitious key for you and
>> then going and registering a Keybase account for that key,
>> pretending to be you and listing all of your social media
>> accounts as my own? Is there some sort of verification that
>> happens?
> 
> 
> Yes, there is a verification process for each supported 
> account/website on Keybase.
> 
> For Twitter, it's a tweet with some verification ID. For GitHub,
> it's a gist called keybase.md. For Reddit, it's a post on
> https://www.reddit.com/r/KeybaseProofs.
> 
> For both last verification processes, it contains some code and a
> PGP message.

All of that makes sense. Good to see that they have verification. But
what about faked accounts? I mean, technically, I suppose if I were
motivated enough, I could create all of those (maybe the user doesn't
even have any SM accounts even). I guess, at that point, it's about
common sense.

>> I'm not a Keybase user (I've been waiting for more than a year
>> and a half, I believe for an invite from them)
> 
> 
> If you are still interested, I could send you one.

I'd love one! I've been wanting to try out Keybase for a while now and
I don't think I'll ever get an invite otherwise. Thank you very much!

Anthony


Re: [tor-talk] PGP and Signed Messages,

2016-02-19 Thread Juan Miguel Navarro Martínez

On 18/02/16 at 18:32, Anthony Papillion wrote:
> What is stopping me from creating a fictitious key for you and then
> going and registering a Keybase account for that key, pretending to
> be you and listing all of your social media accounts as my own? Is
> there some sort of verification that happens?
> 

Yes, there is a verification process for each supported
account/website on Keybase.

For Twitter, it's a tweet with some verification ID.
For GitHub, it's a gist called keybase.md.
For Reddit, it's a post on https://www.reddit.com/r/KeybaseProofs.

For both last verification processes, it contains some code and a PGP
message.

> I'm not a Keybase user (I've been waiting for more than a year and
> a half, I believe for an invite from them)
> 

If you are still interested, I could send you one.
-- 
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF


Re: [tor-talk] PGP and Signed Messages,

2016-02-19 Thread Seth David Schoen
Cain Ungothep writes:

> This is not just the "traditional" answer, it's the only proper answer.

There are other ideas out there too, like CONIKS.

https://eprint.iacr.org/2014/1004.pdf

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107


[tor-talk] [SOLVED] Tor Browser Bundle stuck at "Loading authority certificates"

2016-02-19 Thread Anthony Papillion

Just wanted to update the list in case anyone else runs into this: I
just figured it out. My problem was caused by an incorrectly set
clock. Once I set the clock correctly, everything worked perfectly.

Anthony



[tor-talk] Tor Browser Bundle stuck at "Loading authority certificates"

2016-02-19 Thread Anthony Papillion

I just downloaded the new version of Tor Browser Bundle and I can't
get it to run. It just sits on the "loading authority certificates"
screen and won't go any further. Can anyone tell me what might be
wrong? I've let it sit for quite a while thinking the servers might be
busy but it doesn't move. I'd include the log but I can't find it.
Clicking "Copy Tor Log to Clipboard" doesn't do anything and I can't
find a log file anywhere.

System is Xubuntu 14.04.

Thanks,
Anthony




Re: [tor-talk] PGP and Signed Messages,

2016-02-19 Thread Anthony Papillion



On 02/19/2016 06:58 AM, Suphanat Chunhapanya wrote:
> Hi,
> 
> Another way is to use Keybase (https://keybase.io). It will bind
> many different social media (twitter, reddit, github) to the key.
> This means that the attacker needs to compromise all of your
> accounts of those media to forge the key.

I'm not a Keybase user (I've been waiting for more than a year and a
half, I believe for an invite from them) but I have a basic question
about it: What is stopping me from creating a fictitious key for you
and then going and registering a Keybase account for that key,
pretending to be you and listing all of your social media accounts as
my own? Is there some sort of verification that happens?





Re: [tor-talk] PGP and Signed Messages,

2016-02-19 Thread Seth David Schoen
Nathaniel Suchy writes:

> I've noticed a lot of users of Tor use PGP. With it you can encrypt or sign
> a message. However how do we know a key is real? What would stop me from
> creating a new key pair and uploading it to the key servers? And from there
> spoofing identity?

The traditional answer, which amazingly nobody has mentioned in this
thread, is called the PGP web of trust.

https://en.wikipedia.org/wiki/Web_of_trust

In the original conception of PGP, people were supposed to sign other
people's keys, asserting that they had checked that those keys were
genuine and belonged to the people they purported to.

This is used most successfully by the Debian project for authenticating
its developers, all of whom have had to meet other developers in person
and get their keys signed.  Debian people and others still practice
keysigning parties.

https://en.wikipedia.org/wiki/Key_signing_party

This method has scaling problems, transitive-trust problems (it's possible
that some people in your extended social network don't understand the
purpose of verifying keys, or even actively want to subvert the system),
and the problem that it reveals publicly who knows or has met whom.  For
example, after a keysigning party, if the signatures are uploaded to
key servers, there is public cryptographic evidence that all of those
people were together at the same time.

So there is a lot of concern that the web of trust hasn't lived up to
the expectations people had for it at the time of PGP's creation.

People also don't necessarily check it in practice.  Someone made fake
keys for all of the attendees of a particular keysigning party in
2010 (including me); I've gotten unreadable encrypted messages from
over a dozen PGP users as a result, because they believed the fake key
was real or because software auto-downloaded it for them without
checking the signatures.

If you did try to check the signatures but didn't already have some
genuine key as a point of reference, there's also this problem:

https://evil32.com/

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107
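
The signature check that the message above says people and software skip, as an added example that is not part of the original message and is not GnuPG's code. It is a simplified validity calculation using the thresholds of GnuPG's classic trust model (one fully trusted or three marginally trusted introducers, chains of at most five); the key labels, user IDs and signature graph are constructed, and signature cryptography, expiry and revocation are assumed to have been checked already.

```python
# Added example: simplified web-of-trust validity check (not GnuPG's code).
# Thresholds below mirror GnuPG's classic trust-model defaults.
NONE, MARGINAL, FULL, ULTIMATE = range(4)   # owner-trust levels
COMPLETES_NEEDED = 1    # signatures needed from fully trusted introducers
MARGINALS_NEEDED = 3    # signatures needed from marginally trusted introducers
MAX_CERT_DEPTH = 5      # longest certification chain accepted


def valid_keys(signatures, ownertrust):
    """Map each valid key fingerprint to its chain depth from your own key.

    signatures: iterable of (signer_fpr, signed_fpr) certifications.
    ownertrust: {fpr: level}, how far you trust each holder to check keys;
                ULTIMATE marks your own key.
    """
    signatures = set(signatures)
    valid = {fpr: 0 for fpr, lvl in ownertrust.items() if lvl == ULTIMATE}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly_valid = {}
        for target in {signed for _, signed in signatures} - set(valid):
            # Count only signers that are themselves valid; a signature from
            # an unverified key says nothing, however many there are.
            levels = [ownertrust.get(signer, NONE)
                      for signer, signed in signatures
                      if signed == target and signer in valid]
            full = sum(lvl >= FULL for lvl in levels)
            marginal = sum(lvl == MARGINAL for lvl in levels)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[target] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid


def naive_pick(uid, keyserver):
    """What an auto-downloading client does: first key whose user ID matches."""
    return next(fpr for fpr, key_uid in keyserver if key_uid == uid)


def checked_pick(uid, keyserver, signatures, ownertrust):
    """Return the single valid key for uid, or refuse to pick one."""
    valid = valid_keys(signatures, ownertrust)
    matches = [fpr for fpr, key_uid in keyserver
               if key_uid == uid and fpr in valid]
    if len(matches) != 1:
        raise LookupError(
            f"{len(matches)} valid keys for {uid}; verify out of band")
    return matches[0]


# Constructed sample data: labels stand in for full 160-bit fingerprints.
OWNERTRUST = {"ME": ULTIMATE, "ALICE": FULL,
              "BOB": MARGINAL, "CAROL": MARGINAL, "DAVE": MARGINAL}
KEYSERVER = [  # (fingerprint, user ID); the fake carries the same user ID
    ("FAKE-TARGET", "target@example.org"),
    ("REAL-TARGET", "target@example.org"),
    ("FAKE-ALICE", "alice@example.org"),
    ("FAKE-BOB", "bob@example.org"),
    ("REAL-ERIN", "erin@example.org"),
]
SIGNATURES = [
    ("ME", "ALICE"), ("ME", "BOB"), ("ME", "CAROL"), ("ME", "DAVE"),
    ("ALICE", "REAL-TARGET"),                      # one full introducer: valid
    ("BOB", "REAL-ERIN"), ("CAROL", "REAL-ERIN"),  # two marginals: not enough
    # The fake keys certify each other, imitating the real signature graph.
    ("FAKE-ALICE", "FAKE-TARGET"), ("FAKE-BOB", "FAKE-TARGET"),
    ("FAKE-TARGET", "FAKE-ALICE"), ("FAKE-ALICE", "FAKE-BOB"),
]

if __name__ == "__main__":
    print("naive:  ", naive_pick("target@example.org", KEYSERVER))
    print("checked:", checked_pick("target@example.org", KEYSERVER,
                                   SIGNATURES, OWNERTRUST))
```

The fake key has more signatures than the real one, yet none of them chains back to a key the user has verified, so only the checked lookup rejects it.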


Re: [tor-talk] PGP and Signed Messages,

2016-02-19 Thread Mirimir

On 02/19/2016 05:34 AM, Nathaniel Suchy wrote:
> I've noticed a lot of users of Tor use PGP. With it you can encrypt
> or sign a message. However how do we know a key is real? What would
> stop me from creating a new key pair and uploading it to the key
> servers? And from there spoofing identity?

Yes, you could create a key with user ID mirimir (miri...@riseup.net).
And you could share it with others, pretending to be me. But email to
miri...@riseup.net goes to me, not to you, and I'd be unable to read
it. So I'd probably reply, attaching my public key. I could also
download the fake key, and alert the sender.

But Riseup could do that, and also filter out messages going to their
fake key. Adversaries that could MitM Riseup's connections with other
mailservers could also manage that.

But correspondents who bothered to check https://keybase.io/mirimir
could determine whether or not they have the right key for me. In
order to change keys, an adversary would need to make coordinated
changes to four online accounts and the VM that I'm using. Possible?
Sure. But not so easy.



Re: [tor-talk] PGP and Signed Messages,

2016-02-19 Thread Suphanat Chunhapanya

Hi,

Another way is to use Keybase (https://keybase.io). It will bind many
different social media (twitter, reddit, github) to the key. This
means that the attacker needs to compromise all of your accounts of
those media to forge the key.

On 02/19/2016 07:45 PM, Josef 'veloc1ty' Stautner wrote:
> Hi,
> 
> this is a basic problem of PKI - is the key the correct one to
> use. There is nothing to stop you from copying for example my key 
> information. That's why you need to check the received key over
> another channel. For example I put my fingerprint on my website and
> it's also on my business card.
> 
> A second way is looking at the signatures from other users thus
> it's not the best method for validating an identity.
> 
> ~Josef
> 
> On 19.02.2016 at 13:34, Nathaniel Suchy wrote:
>> I've noticed a lot of users of Tor use PGP. With it you can
>> encrypt or sign a message. However how do we know a key is real?
>> What would stop me from creating a new key pair and uploading it
>> to the key servers? And from there spoofing identity?
> 
> 
> 
> 


Re: [tor-talk] PGP and Signed Messages,

2016-02-19 Thread Josef 'veloc1ty' Stautner
Hi,

this is a basic problem of PKI - is the key the correct one to use.
There is nothing to stop you from copying for example my key
information. That's why you need to check the received key over another
channel. For example I put my fingerprint on my website and it's also on
my business card.

A second way is looking at the signatures from other users thus it's not
the best method for validating an identity.

~Josef

On 19.02.2016 at 13:34, Nathaniel Suchy wrote:
> I've noticed a lot of users of Tor use PGP. With it you can encrypt or sign
> a message. However how do we know a key is real? What would stop me from
> creating a new key pair and uploading it to the key servers? And from there
> spoofing identity?






[tor-talk] PGP and Signed Messages,

2016-02-19 Thread Nathaniel Suchy
I've noticed a lot of users of Tor use PGP. With it you can encrypt or sign
a message. However how do we know a key is real? What would stop me from
creating a new key pair and uploading it to the key servers? And from there
spoofing identity?