Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Phill
On Aug 26, 2013, at 5:27 PM, The Doctor wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 08/26/2013 08:46 AM, Phillip Hallam-Baker wrote: > >> Which is why I think Ted Lemon's idea about using Facebook type >> friending may be necessary. > > Or Gchat-style contacts. > >> I do

Re: [Cryptography] Traffic Analysis (was Re: PRISM PROOF Email)

2013-08-26 Thread Wendy M. Grossman
On 08/27/2013 01:17, Perry E. Metzger wrote: > On Mon, 26 Aug 2013 17:39:16 -0400 The Doctor > wrote: >> On 08/26/2013 09:26 AM, Perry E. Metzger wrote: >> >>> Mix networks are, however, a well technique. Onion networks, which >>> are related, are widely deployed right now in the form of Tor, and

Re: [Cryptography] Using Raspberry Pis

2013-08-26 Thread Bill Stewart
>Custom built hardware will probably be the smartest way to go for an >entrepreneur trying to sell these in bulk to people as home gateways anyway Meanwhile, while Phill may have spent $25 for a USB Ethernet, I frequently see them on sale for $10 and sometimes $5.

Re: [Cryptography] Good private email

2013-08-26 Thread Sebastian Krahmer
On Mon, Aug 26, 2013 at 07:12:21AM -0400, Richard Salz wrote: > I don't think you need all that much to get good secure private email. > You need a client that can make PEM pretty seamless; reduce it to a > button that says "encrypt when possible." You need the client to be > able to generate a

Re: [Cryptography] Using Raspberry Pis

2013-08-26 Thread Peter Gutmann
"Perry E. Metzger" writes: >Custom built hardware will probably be the smartest way to go for an >entrepreneur trying to sell these in bulk to people as home gateways anyway >-- you want the nice injection molded case, blinkylights and package as well. >:) In that case why not just get an Alix e

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread Peter Gutmann
Ralph Holz writes: >There is a host of older literature, too - P2P research, however, has become >a cold topic. Although I expect that it will see a revival in the face of >surveillance. For people who are interested, the list I have (for a year or two back) is: "Security Considerations for Pee

Re: [Cryptography] Using Raspberry Pis

2013-08-26 Thread Perry E. Metzger
On Tue, 27 Aug 2013 12:06:47 +1200 Peter Gutmann wrote: > "Perry E. Metzger" writes: > > >Custom built hardware will probably be the smartest way to go for > >an entrepreneur trying to sell these in bulk to people as home > >gateways anyway -- you want the nice injection molded case, > >blinkyli

Re: [Cryptography] Traffic Analysis (was Re: PRISM PROOF Email)

2013-08-26 Thread Perry E. Metzger
On Mon, 26 Aug 2013 17:39:16 -0400 The Doctor wrote: > On 08/26/2013 09:26 AM, Perry E. Metzger wrote: > > > Mix networks are, however, a well technique. Onion networks, which > > are related, are widely deployed right now in the form of Tor, and > > work well. I see little reason to believe mix

Re: [Cryptography] Using Raspberry Pis

2013-08-26 Thread Mark Smith
I was pointed to this list by a friend of mine who thought I'd be interested in this discussion, and indeed I am. I intended to lurk for a while before posting, but this discussion so perfectly fits with a SkyTalk I gave at DefCon last year (DC20, not just a few weeks ago) where I proposed this ve

Re: [Cryptography] Using Raspberry Pis

2013-08-26 Thread Phillip Hallam-Baker
On Mon, Aug 26, 2013 at 5:43 PM, Perry E. Metzger wrote: > On Mon, 26 Aug 2013 16:12:22 -0400 Phillip Hallam-Baker > wrote: > > I really like RPis as a cryptographic tool. The only thing that > > would make them better is a second Ethernet interface so they could > > be used as a firewall type de

Re: [Cryptography] Traffic Analysis (was Re: PRISM PROOF Email)

2013-08-26 Thread The Doctor
On 08/26/2013 09:26 AM, Perry E. Metzger wrote: > Mix networks are, however, a well technique. Onion networks, which > are related, are widely deployed right now in the form of Tor, and > work well. I see little reason to believe mix networks would no

Re: [Cryptography] Using Raspberry Pis

2013-08-26 Thread Sandy Harris
On Mon, Aug 26, 2013 at 4:12 PM, Phillip Hallam-Baker wrote: > I really like RPis as a cryptographic tool. The only thing that would make > them better is a second Ethernet interface so they could be used as a > firewall type device. Two things to look at. Onion Pi turns one into a WiFi hotspot &

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Peter Saint-Andre
On 8/26/13 8:14 AM, Perry E. Metzger wrote: > there is a good reason that I proposed that in the > long run, whitelist only systems like Jabber and Facebook messaging > are a better model. As one of those Jabber guys, I agree. :-) Perry, thanks for starting some very interesting threads here --

Re: [Cryptography] Using Raspberry Pis

2013-08-26 Thread Perry E. Metzger
On Mon, 26 Aug 2013 16:12:22 -0400 Phillip Hallam-Baker wrote: > I really like RPis as a cryptographic tool. The only thing that > would make them better is a second Ethernet interface so they could > be used as a firewall type device. You can of course use a USB ethernet with them, but to me, th

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread The Doctor
On 08/26/2013 08:46 AM, Phillip Hallam-Baker wrote: > Which is why I think Ted Lemon's idea about using Facebook type > friending may be necessary. Or Gchat-style contacts. > I don't think we can rely on that for Key distribution. But I think > it

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread The Doctor
On 08/25/2013 09:04 PM, Christian Huitema wrote: > If we want something robust, we have to forgo the mathematical > elegance of the DHT, and adopt a network structure in which nodes > only connect to peers that they trust. You could call that > "netwo

[Cryptography] Is Traffic Analysis the problem (was Re: Good private email)

2013-08-26 Thread Perry E. Metzger
On Mon, 26 Aug 2013 14:53:54 -0400 Richard Salz wrote: > > Traffic analysis is the problem > > Do you really think that for most people on the planet, that it is? Probably. If one's threat model is mass dragnet surveillance, traffic analysis is far too useful a way for the enemy to figure out wh

[Cryptography] Using Raspberry Pis

2013-08-26 Thread Phillip Hallam-Baker
I really like RPis as a cryptographic tool. The only thing that would make them better is a second Ethernet interface so they could be used as a firewall type device. However that said, the pros are: * Small, cheap, reasonably fast, has ethernet and even a monitor output * Boot from an SD card w

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Eugen Leitl
On Mon, Aug 26, 2013 at 02:44:32PM -0400, Perry E. Metzger wrote: > > My main issue with this proposal is that somebody identifiable is > > going to manufacture these boxes. Maybe several somebodies, but > > IMO, that's an identifiable central point of control/failure. Recently there's a trend f

Re: [Cryptography] Good private email

2013-08-26 Thread Jerry Leichter
On Aug 26, 2013, at 2:54 PM, Ray Dillinger wrote: > On 08/26/2013 10:39 AM, Jerry Leichter wrote: >> On Aug 26, 2013, at 1:16 PM, Ray Dillinger wrote: > >>> Even a tiny one-percent-of-a-penny payment >>> that is negligible between established correspondents or even on most email >>> lists woul

Re: [Cryptography] Good private email

2013-08-26 Thread Ray Dillinger
On 08/26/2013 10:39 AM, Jerry Leichter wrote: On Aug 26, 2013, at 1:16 PM, Ray Dillinger wrote: Even a tiny one-percent-of-a-penny payment that is negligible between established correspondents or even on most email lists would break a spammer. This (and variants, like a direct proof-of-wor

Re: [Cryptography] Good private email

2013-08-26 Thread Richard Salz
> This is everything *but* PRISM-proof I wasn't trying to be PRISM proof, hence my subject line. The client and keyserver could help thwart traffic analysis by returning a few "extra" keys on each request. The client then sends a structure message to some of those keys that the receiving client r

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Perry E. Metzger
On Mon, 26 Aug 2013 10:40:17 -0700 Ray Dillinger wrote: > On 08/25/2013 03:28 PM, Perry E. Metzger wrote: > > > So, imagine that we have the situation described by part 1 (some > > universal system for mapping name@domain type identifiers into > > keys with reasonable trust) and part 2 (most user

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread Tony Arcieri
On Sun, Aug 25, 2013 at 12:12 PM, Perry E. Metzger wrote: > Anyone care to shed some light? Pointers to literature are especially > welcome Check out this paper: Security Considerations for Peer-to-Peer Distributed Hash Tables http://and.they.can.be.quite.long.3.4.0.f.0.6.a.0.1.0.0.2.ip6.arpa/~

Re: [Cryptography] Good private email

2013-08-26 Thread Jerry Leichter
On Aug 26, 2013, at 1:16 PM, Ray Dillinger wrote: Minor point in an otherwise interesting message: > Even a tiny one-percent-of-a-penny payment > that is negligible between established correspondents or even on most email > lists would break a spammer. Also, you can set your client to automatical

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Ray Dillinger
On 08/25/2013 08:32 PM, Jerry Leichter wrote: Where mail servers have gotten into trouble is when they've tried to provide additional services - e.g., virus scanners, which then try to look inside of complex formats like zip files. This is exactly the kind of thing you want to avoid - another p

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Ray Dillinger
On 08/25/2013 03:28 PM, Perry E. Metzger wrote: So, imagine that we have the situation described by part 1 (some universal system for mapping name@domain type identifiers into keys with reasonable trust) and part 2 (most users having some sort of long lived $40 device attached to their home netw

Re: [Cryptography] Good private email

2013-08-26 Thread Ray Dillinger
On 08/26/2013 04:12 AM, Richard Salz wrote: > You need the client to be able to generate a keypair, upload the public half, and pull down (seamlessly) recipient public keys. You need a server to store and return those keys. You need an installed base to kickstart the network effect. Who has

Re: [Cryptography] Good private email

2013-08-26 Thread Tamzen Cannoy
On Aug 26, 2013, at 4:12 AM, Richard Salz wrote: > I don't think you need all that much to get good secure private email. > You need a client that can make PEM pretty seamless; reduce it to a > button that says "encrypt when possible." You need the

[Cryptography] ADMIN: What is top posting, and why should you avoid it?

2013-08-26 Thread Perry E. Metzger
A3: Please. Q3: Should I avoid top posting on this mailing list? A2: Because, by reversing the order of a conversation, it leaves the reader without much context, and makes them read a message in an unnatural order. Q2: Why is top posting irritating? A1: It is the practice of putting you

Re: [Cryptography] Good private email

2013-08-26 Thread Alexandre Anzala-Yamajako
This is everything *but* PRISM-proof: it doesn't solve the metadata issue and your directory server containing public keys could very well be forced by a law enforcement agency (in the best case scenario because it could also be the mafia) to answer the fbi/mafia public key on any request made to

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread Phillip Hallam-Baker
On Sun, Aug 25, 2013 at 7:42 PM, Christian Huitema wrote: > > My knowledge of the field is pretty spotty in general as I've never paid > much > > attention up until now -- mostly I know about how people have built DHTs > in > > non-hostile environments. I'm close enough to starting from scratch th

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Phillip Hallam-Baker
On Mon, Aug 26, 2013 at 1:47 AM, Richard Clayton wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > In message , Jerry Leichter > writes > > >On the flip side, mail systems like gMail or Yahoo mail are complex and > >difficult to run *exactly because they are immense*. > > The mail syst

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Jerry Leichter
On Aug 26, 2013, at 10:14 AM, Perry E. Metzger wrote: > On Mon, 26 Aug 2013 06:47:49 +0100 Richard Clayton > wrote: >> If you run your own emails system then you'll rapidly find out what >> 2013's spam / malware problem looks like. > > This is slightly off topic, but... > > As it happens, I ru

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Moritz
Hi, On 26.08.2013 00:28, Perry E. Metzger wrote: > We probably don't want any sort of central service running this > network that could be easily disrupted, so identifier to IP address > information should probably be stored in some big honking DHT, signed > in the ID's key. Access to the DHT prob

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread Ralph Holz
Hi, >> Can you rephrase whether you want info about DHT systems that are >> related to some kind of mix system (e.g. GNUnet), or whether you >> simply want to know about common DHT systems. If the latter, what >> kind of attacks are you after? Eclipse? > > My knowledge of the field is pretty spot

[Cryptography] Good private email

2013-08-26 Thread Richard Salz
I don't think you need all that much to get good secure private email. You need a client that can make PEM pretty seamless; reduce it to a button that says "encrypt when possible." You need the client to be able to generate a keypair, upload the public half, and pull down (seamlessly) recipient p

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread Perry E. Metzger
On Sun, 25 Aug 2013 18:04:13 -0700 "Christian Huitema" wrote: > Bottom line, anonymous DHT are fragile. Though it appears that Tor uses them for its hidden service directory. How does it do that robustly (or does it do it robustly)? How do other users of DHTs handle attacks in practice (or is it

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Perry E. Metzger
On Mon, 26 Aug 2013 06:47:49 +0100 Richard Clayton wrote: > If you run your own emails system then you'll rapidly find out what > 2013's spam / malware problem looks like. This is slightly off topic, but... As it happens, I run my own email system (and run email for a few other people at the sam

[Cryptography] Formal Verification (was Re: Email and IM are ideal candidates for mix networks)

2013-08-26 Thread Perry E. Metzger
On Sun, 25 Aug 2013 23:32:32 -0400 Jerry Leichter wrote: > I think the goal to aim for is no patches! Keep the device and its > interfaces simple enough that you can get a decent formal proof of > correctness, along with a ton of careful review and testing (per > Don Knuth's comment somewhere to

Re: [Cryptography] Traffic Analysis (was Re: PRISM PROOF Email)

2013-08-26 Thread Perry E. Metzger
On Sun, 25 Aug 2013 23:40:35 -0400 Phillip Hallam-Baker wrote: > There has to be a layered approach. > > Traffic analysis is probably going to demand steganography and that > is almost by definition outside standards work. I'm unaware of anyone who has seriously proposed steganography for that p