On 30/06/13 at 01:04am, Jacob Appelbaum wrote:
Yeah, about that...
Have you seen the most recent paper by Egger et al?
IMHO that's unfair. There are many publications on Tor
vulnerabilities as well, and this is unavoidable.
Are you sure that in the next two months Tor will not be the main
On 04/07/13 13:34, danimoth wrote:
IMHO that's unfair. There are many publications on Tor
vulnerabilities as well, and this is unavoidable. Are you sure that
in the next two months Tor will not be the main actor of a similar
publication?
The more fiercely defended security system (anything)
the more likely indefensible. Best ones require constant
patching and understatement, without exculpation, apologia
and bullying arrogance of ignorance.
But cloying humility, obsequiousness and masochism
seduces sadists for backdooring STD.
On 04/07/13 at 04:28pm, Michael Rogers wrote:
I think the point is that i2p's decision to use a decentralised
directory service led to the vulnerabilities described in the paper.
Uhm, I don't consider it a matter of centralization vs decentralization.
I think the point is how I2P selects peers
On 04/07/13 17:15, danimoth wrote:
Uhm, I don't consider it a matter of centralization vs
decentralization. I think the point is how I2P selects peers to
communicate with; attacker DoS'd previous high-performance peers,
then replace them with nodes
On 03/07/13 13:26, danimoth wrote:
Not directly related to remailer, but what about dc nets [1] ?
[1] The Dining Cryptographers Problem:
Unconditional Sender and Recipient Untraceability (David Chaum)
DC nets have two major drawbacks: they
On 30/06/13 at 07:32pm, Jacob Appelbaum wrote:
I'd love to see a revitalisation of remailer research, focussing on
unlinkability (which we know many people would benefit from) rather
than sender anonymity (which fewer people need, and which is prone to
abuse that discourages people from
On 03/07/2013 13:31, Michael Rogers wrote:
On 03/07/13 13:26, danimoth wrote:
Not directly related to remailer, but what about dc nets [1] ?
[1] The Dining Cryptographers Problem:
Unconditional Sender and Recipient Untraceability (David
Hi Wasabee,
I'm no expert either but I'll try to answer to the best of my
understanding. I'm CCing Henry Corrigan-Gibbs, one of the Dissent
designers, who will hopefully correct my mistakes. :-)
On 03/07/13 17:11, Wasabee wrote:
is it really
On 2013-07-04 2:11 AM, Wasabee wrote:
On 03/07/2013 13:31, Michael Rogers wrote:
On 03/07/13 13:26, danimoth wrote:
Not directly related to remailer, but what about dc nets [1] ?
[1] The Dining Cryptographers Problem:
Unconditional Sender
The more interesting point is high vs low latency. I really like the
idea of having a high-latency option in Tor. It would still need to
have a lot of users to actually be useful, though. But it seems there
are various protocols that would be more high-latency-friendly than
HTTP - SMTP, of
Given those shortcomings I think it is not wise to recommend it unless your
enemy doesn't have the resources of a country. That being said, it's the
best tool at the moment, light years ahead of other popular software
like
Cryptocat, whose end-point security should be considered not only
On 2/07/13 11:17 AM, aort...@alu.itba.edu.ar wrote:
But I don't blame you. I don't think any real-time chat can ever be made
safe and by safe I mean anonymous, because of its low-latency nature.
On a tangent, I have often wanted high-latency chat because high-speed
chat is so damn
On 30/06/13 20:32, Jacob Appelbaum wrote:
Michael Rogers:
I'd love to see a revitalisation of remailer research, focussing
on unlinkability (which we know many people would benefit from)
rather than sender anonymity (which fewer people need, and
On 7/1/13 1:32 PM, Tom Ritter wrote:
I'm not saying GlobaLeaks+Tor is safe. I'm saying I think our current
remailer network is wildly unsafe. (Now what I think about fixing
it... that's a whole other story, for a whole other time.)
While it's outside the scope of GlobaLeaks to provide a
aort...@alu.itba.edu.ar:
The more interesting point is high vs low latency. I really like the
idea of having a high-latency option in Tor. It would still need to
have a lot of users to actually be useful, though. But it seems there
are various protocols that would be more high-latency-friendly
On 2013-07-02, at 4:17 AM, aort...@alu.itba.edu.ar wrote:
Given those shortcomings I think it is not wise to recommend it unless your
enemy doesn't have the resources of a country. That being said, it's the
best tool at the moment, light years ahead of other popular software
like
Cryptocat,
On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote:
So then - what do you suggest to someone who wants to leak a document to
a press agency that has a GlobaLeaks interface?
I would suggest: don't use GlobaLeaks, use anonymous remailers.
Bottom line: Tor is weak against powerful
On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote:
I would like to see a tor configuration flag that sacrifices speed for
anonymity.
You're the first person, perhaps ever, to make that feature request
without it being in a mocking tone. At least, I think you're not mocking! :)
On 1 July 2013 05:04, Ben Laurie b...@links.org wrote:
On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote:
So then - what do you suggest to someone who wants to leak a document to
a press agency that has a GlobaLeaks interface?
I would suggest: don't use GlobaLeaks, use
Ben Laurie:
On 1 July 2013 12:32, Tom Ritter t...@ritter.vg wrote:
On 1 July 2013 05:04, Ben Laurie b...@links.org wrote:
On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote:
So then - what do you suggest to someone who wants to leak a document to
a press agency that has a
On 1 July 2013 14:33, Jacob Appelbaum ja...@appelbaum.net wrote:
I think having Mixmaster and MixMinion support in Tails and run over Tor
would be a good way to start. I also agree that GlobaLeaks should have
an interface for receiving leaks via either of those networks - though I
sometimes
On 01.07.2013 15:33, Jacob Appelbaum wrote:
I think if Tor had an arbitrary queue with store and forward as a high
latency module of sorts, we'd really be onto something.
Isn't that what Roger proposed as Alpha Mixing?
http://freehaven.net/anonbib/#alpha-mixing:pet2006
It could be valuable if
On 2013-07-01 9:50 PM, Ben Laurie wrote:
On 1 July 2013 12:32, Tom Ritter t...@ritter.vg wrote:
On 1 July 2013 05:04, Ben Laurie b...@links.org wrote:
On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote:
So then - what do you suggest to someone who wants to leak a document to
a
I think if Tor had an arbitrary queue with store and forward as a high
latency module of sorts, we'd really be onto something. Then there would
be tons of traffic on the Tor relays for all kinds of reasons - high and
low latency - only to all be wrapped in TLS and then in the Tor protocol.
On 2013-06-29, at 11:48 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
Natanael:
I'm not seeing that many options though. The Phantom project died pretty
fast;
https://code.google.com/p/phantom/
https://groups.google.com/forum/#!forum/phantom-protocol
http://phantom-anon.blogspot.se/
So
There should be a disclaimer somewhere that Tor is a competitor to I2P, is
far from perfect itself (actually has a few glaring weaknesses, such as exit
nodes), and the guy critiquing I2P works for Tor.
There should be a table somewhere that shows that
all these different systems have
I'm not seeing that many options though. The Phantom project died pretty
fast;
https://code.google.com/p/phantom/
https://groups.google.com/forum/#!forum/phantom-protocol
http://phantom-anon.blogspot.se/
I would bet that Phantom both ran out of developer time and
has discouraged further
Nadim Kobeissi:
On 2013-06-29, at 11:48 PM, Jacob Appelbaum ja...@appelbaum.net
wrote:
Natanael:
I'm not seeing that many options though. The Phantom project died
pretty fast; https://code.google.com/p/phantom/
https://groups.google.com/forum/#!forum/phantom-protocol
On 2013-06-30, at 9:40 AM, Jacob Appelbaum ja...@appelbaum.net wrote:
Nadim Kobeissi:
On 2013-06-29, at 11:48 PM, Jacob Appelbaum ja...@appelbaum.net
wrote:
Natanael:
I'm not seeing that many options though. The Phantom project died
pretty fast; https://code.google.com/p/phantom/
Nadim Kobeissi:
Read my email more carefully next time. I specifically encouraged
experimentation in a way that seems reasonably safe:
There's no need to be so patronizing — I'm aware that you recommended TAILS
(which is also a Tor project).
I'm sorry to write with more bad news - it
I don't think they are doing this (as I said, they only bother with the
low hanging fruit) but they could.
Is there a tool that detects changes of CA?
Certificate Patrol does it for you on client-side:
https://addons.mozilla.org/de/firefox/addon/certificate-patrol/
Our own Crossbear does
So who's out there developing any useful protocols for anonymization today?
*Anybody*? Could we try to start a new project (if needed) to create one?
I'd love to see a revitalisation of remailer research, focussing on
unlinkability (which we know many people would benefit from) rather than
Michael Rogers:
So who's out there developing any useful protocols for
anonymization today? *Anybody*? Could we try to start a new project
(if needed) to create one?
I'd love to see a revitalisation of remailer research, focussing on
unlinkability (which we know many people would benefit
I believe Anonymity is a problem orders of magnitude bigger than privacy.
Tor seems like the only serious project aiming at solving it but I think
you should be wise by choosing your enemies and Tor in its current state
is useless against government-type surveillance for the following reasons
aort...@alu.itba.edu.ar:
I believe Anonymity is a problem orders of magnitude bigger than privacy.
I agree - though most people think the two terms mean the same thing.
Lots of different terms are a similar set of things for different people.
Tor seems like the only serious project aiming at
On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote:
I would like to see a tor configuration flag that sacrifices speed for
anonymity.
You're the first person, perhaps ever, to make that feature request
without it being in a mocking tone. At least, I think you're not mocking!
Natanael:
I would like to point out that the developers of the anonymizing network
I2P are looking for more external review of the codebase (it's in Java, by
the way). Everybody who knows how to do security reviews of source code and
has time to spare should take a look at it.
I've
I'm not seeing that many options though. The Phantom project died pretty
fast;
https://code.google.com/p/phantom/
https://groups.google.com/forum/#!forum/phantom-protocol
http://phantom-anon.blogspot.se/
So who's out there developing any useful protocols for anonymization today?
*Anybody*? Could
Natanael:
I'm not seeing that many options though. The Phantom project died pretty
fast;
https://code.google.com/p/phantom/
https://groups.google.com/forum/#!forum/phantom-protocol
http://phantom-anon.blogspot.se/
So who's out there developing any useful protocols for anonymization today?
On 2013-06-30 10:21 AM, Natanael wrote:
Of course there's that whole 'almost none of our tools are usable'
problem.
That problem needs fixing first. Only then will our enemies start
bothering with pattern recognition and such.
Right now, the most trivial precautions result in
Yeah, I know about Tor already of course, but I also want *more options*
(at least so that any critical bugs in one of the options doesn't
automatically put *everybody* at risk), and there's also a few too many
things I don't like about Tor. I know a lot of it can be fixed, but it
would also
The biggest Tor vulnerability is that governments and large criminal
organizations (but I repeat myself) can use their influence over a CA to
perform a man in the middle attack.
I don't think they are doing this (as I said, they only bother with the
low hanging fruit) but they could.
Is
Convergence, (in-browser) certificate pinning, and a few more. You could
also use DNSSEC to serve the certificate.
2013/6/30 James A. Donald jam...@echeque.com
The biggest Tor vulnerability is that governments and large criminal
organizations (but I repeat myself) can use their influence over
On Thu, Jun 13, 2013 at 9:27 AM, Moritz mor...@headstrong.de wrote:
...
A foundation offered me money for improving, auditing, or implementing
crypto-related software ...
wanted: SSL/TLS session ticket storage clustering support for apache2,
nginx, haproxy using memcached or suitable memory
Hi,
A foundation offered me money for improving, auditing, or implementing
crypto-related software and hardware. We could probably also
fund/perform usability studies.
Any suggestions?
--Mo
46 matches