Re: [cryptography] Varoufakis ridicules GR taxation hacking story

2015-07-27 Thread Nikos Fotiou 
The actual recording
https://twitter.com/OMFIF/status/625615275350736897 The quotes of the
original article
(http://www.ekathimerini.com/199945/article/ekathimerini/news/varoufakis-claims-had-approval-to-plan-parallel-banking-system)
are accurate

On 27 July 2015 at 14:13, John Young j...@pipeline.com wrote:
 twitter.com/yanisvaroufakis/status/625336067831558144


 ___
 cryptography mailing list
 cryptography@randombit.net
 http://lists.randombit.net/mailman/listinfo/cryptography

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-29 Thread Nikos Fotiou 
A naive comment.

In his first email Zooko states:

S4 offers “*verifiable* end-to-end security” because all of the source
code that makes up the Simple Secure Storage Service is published for
everyone to see

A suspicious user may wonder, how can he be sure that the service
indeed uses the provided source code. IMHO, end-to-end security can be
really verifiable--from the user perspective--if it can be attested by
examining only the source code of the applications running on the user
side.

Best,
Nikos

On Sat, Aug 17, 2013 at 11:52 AM, ianG i...@iang.org wrote:
 On 16/08/13 22:11 PM, zooko wrote:

 On Tue, Aug 13, 2013 at 03:16:33PM -0500, Nico Williams wrote:


 Nothing really gets anyone past the enormous supply of zero-day vulns in
 their complete stacks.  In the end I assume there's no technological PRISM
 workarounds.


 I agree that compromise of the client is relevant. My current belief is
 that
 nobody is doing this on a mass scale, pwning entire populations at once,
 and
 that if they do, we will find out about it.

 My goal with the S4 product is not primarily to help people who are being
 targeted by their enemies, but to increase the cost of indiscriminately
 surveilling entire populations.

 Now maybe it was a mistake to label it as PRISM-Proof in our press
 release
 and media interviews! I said that because to me PRISM means mass
 surveillance
 of innocents. Perhaps to other people it doesn't mean that. Oops!



 My understanding of PRISM is that it is a voluntary  secret arrangement
 between the supplier and the collector (NSA) to provide direct access to all
 information.

 By 'voluntary' I mean that the supplier hands over the access, it isn't
 taken in an espionage or hacker sense, or leaked by an insider.  I include
 in this various techniques of court-inspired voluntarianism as suggested by
 recent FISA theories [0].

 I suspect it is fair to say that something is PRISM-proof if:

   a) the system lacks the capability to provide access
   b) the operator lacks the capacity to enter into the voluntary
 arrangement, or
   c) the operator lacks the capacity to keep the arrangement (b) secret

 The principle here seems to be that if the information is encrypted on the
 server side without the keys being held or accessible by the supplier, then
 (a) is met [1].

 Encryption-sans-keys is an approach that is championed by Tahoe-LAFS and
 Silent Circle.  Therefore I think it is reasonable in a marketing sense to
 claim it is PRISM-proof, as long as that claim is explained in more detail
 for those who wish to research.

 In this context, one must market ones product, and one must use simple
 labels to achieve this.  Otherwise the product doesn't get out there, and
 nobody is benefited.



 iang


 [0] E.g., the lavabit supplier can be considered to have not volunteered the
 info, and google can be considered to have not volunteered to the Chinese
 government.
 [1]  In contrast, if an operator is offshore it would meet (b) and if an
 operator was some sort of open source distributed org where everyone saw
 where the traffic headed, it would lack (c).





 Regards,

 Zooko

 ___
 cryptography mailing list
 cryptography@randombit.net
 http://lists.randombit.net/mailman/listinfo/cryptography


 ___
 cryptography mailing list
 cryptography@randombit.net
 http://lists.randombit.net/mailman/listinfo/cryptography
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] skype backdoor confirmation

2013-05-20 Thread Nikos Fotiou 
I was inspecting Skype terms and condition

http://www.skype.com/en/legal/tou/#15
 [...]We will process your personal information, the traffic data and
the content of your communication(s) in accordance with our Privacy
Policy:http://www.skype.com/go/privacy.;

http://www.skype.com/en/legal/privacy/
1. WHAT INFORMATION DOES SKYPE COLLECT AND USE?
.
Content of instant messaging communications, voicemails, and video messages

Nikos

On Sun, May 19, 2013 at 10:41 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
 Krassimir Tzvetanov:
 To the best of my knowledge in Russia (no, I'm not Russian nor have lived
 there so I'm not 100% sure) you need to submit a copy of the private key if
 you are operating a website providing encryption on their territory to
 allow for legal intercept.

 They also have other provisions about wiretapping and monitoring which
 would mean that Skype really has not options if they want to _legally_
 operate there... It's just the way the local legislation is rather than a
 function of how Skype is. They are just following the law. Now if somebody
 does not like the law there are other ways to approach this but
 breaking/violating it is usually one that is not effective.

 I think this discussion is focusing too much into the technical details and
 forgets a simple detail - doing some of those things to increase privacy
 may itself be _illegal_ in certain jurisdictions which make this even more
 fun.

 It's not impossible but it is usually very difficult to provide technical
 solutions to political/politics problems. That's of course just my
 experience :)

 Cheers,
 Krassimir

 Hi,

 I'm late to the party on this list but I've been worried about these
 kinds of backdoors in Skype for quite some time. My worry partially
 comes from the common rumors, of which there are many, though it is
 largely the existential proof, the economic, the political and the
 social contextual issues that raise the largest concerns in my mind.

 As we've seen with Cisco, we know how some of these so-called lawful
 interception systems are implemented:

   http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html

 This patent by Microsoft may be of interest to those looking into Skype,
 automated interception and probably many other kinds of interception -
 note that this is not just a matter of recording, it in fact *tampers*
 with the data:

 Aspects of the subject matter described herein relate to silently
 recording communications. In aspects, data associated with a request to
 establish a communication is modified to cause the communication to be
 established via a path that includes a recording agent. Modification may
 include, for example, adding, changing, and/or deleting data within the
 data. The data as modified is then passed to a protocol entity that uses
 the data to establish a communication session. Because of the way in
 which the data has been modified, the protocol entity selects a path
 that includes the recording agent. The recording agent is then able to
 silently record the communication.


 http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO2Sect2=HITOFFu=%2Fnetahtml%2FPTO%2Fsearch-adv.htmlr=1f=Gl=50d=PG01p=1S1=20110153809OS=20110153809RS=20110153809

 Note that this is from 2009 and the Skype purchase was not finalized
 until 2011.

 Perhaps the authors (Ghanem; George; (Redmond, WA) ; Bizga; Lawrence
 Felix; (Monroe, WA) ; Khanchandani; Niraj K.; (Redmond, WA)) of that
 patent are open to discussing how they might improve on their patent for
 a peer to peer system as deployed today? :)

 Skype is clearly inspecting the entire message and right now, we have an
 existential proof that they extract at least HTTP and HTTPS urls and
 process them in some fashion. I suspect that it would be a useful idea
 to insert many different kinds of protocols to see the depth of the
 rabbit hole probing, so to speak.

   http://user@password:www.example.com/secret-area
   magnet://[hash]
   ftp://ftp.example.com
   https://user@password:www.example.com/secret-area
   telnet//user@password:telnet.example.com

 I would also suggest that we might try a few hacks to determine where
 the parsing, inspection and extraction of interesting data is or isn't
 taking place. As an example - run Skype in a virtual machine, type a
 message - delay the message sending to the network, freeze the virtual
 machine and flip a single bit in the url already in the outbound message
 queue. This isn't trivial to do with Skype by any means but it most
 certainly isn't impossible for someone with the inclination.

 We know that Skype clients sync up the social graph of a given user;
 they call this a buddy list. This suggests that information in the
 directory of clients and the linked list for relationships is stored on
 their servers - is it encrypted in a way that may not be recovered by
 anyone other than the user? Skype dynamically routes calls to devices,
 does this imply that the location of the user is