Re: [cryptography] The next gen P2P secure email solution
I think frivolous stuff could wait some more ... but you can always bundle several connections by means of bonding interfaces. I know it is not the best approach, but let's suppose you need to command a robot or conduct a surgery over p2p. Bonding a few openvpn connections together would do the trick. Message du 02/06/14 03:45 De : Cathal (phone) A : tpb-cry...@laposte.net, tpb-cry...@laposte.net, grarpamp , p2p-hack...@zim.maski.org Copie à : cypherpu...@cpunks.org, cryptography@randombit.net Objet : Re: [cryptography] The next gen P2P secure email solution What about streaming, which is increasingly used to hold power to account in real time? Or other rich, necessarily large media which needs to *get out fast*? Big media isn't always frivolous. Even frivolity is important, and a mixnet without fun is gonna be a small mixnet. On 2 June 2014 02:33:56 GMT+01:00, tpb-cry...@laposte.net wrote: Message du 01/06/14 20:37 De : grarpamp In May 2014 someone wrote: p2p is no panacea, it doesn't scale I believe it could. Even if requiring super aggregating nodes of some sort. Layers of service of the whole DHT space. More research is surely required. It is not possible to have fast p2p unless: - Cable networks collaborate by increasing bandwidth 7 to 8 times My references to scale were not intended to be about... bulk bandwidth across such networks (for example, right now, I2P and Tor are doing well enough to see very low quality video between their hidden nodes if you get a lucky path, and well enough for moving large files around in non realtime). ie: the nodes have bandwidth available. We all wish privacy, not necessarily 4k videos. The current bandwidth can provide for 4k videos and also privacy, no matter if a littler slower, for a little chat, work and file transfers. Except if you are into media production or warez, the current bandwidth already does the trick for all the rest. -- Sent from my Android device with K-9 Mail. Please excuse my brevity. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] TrueCrypt
Message du 29/05/14 10:20 De : Lukasz Biegaj A : cryptography@randombit.net Copie à : Objet : Re: [cryptography] TrueCrypt On 29.05.2014 09:34, David Johnston wrote: So WTF happened? The same thing that happened with Lavabit. Someone needs to fork the code (the version prior to the most recent change), address the issues raised in the recent audit and host it outside the jurisdiction of the US government, using fresh signing keys. Nitpick: Truecrypt is proprietary (it's source is viewable, but you aren't licensed to distribute modifications of it). That seems to not be a problem, if the owner does not complain. They will lose their anonymity if they do complain. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] TrueCrypt
Unfortunately both seem to be too stupid to run grep in their files ... they go the old fashioned way. If they had sysadmin help, maybe the documents could be perl-filtered and have the most interesting bits extracted in one big file. Message du 29/05/14 23:56 De : Jeffrey Walton A : Sadiq Saif Copie à : Cryptography List Objet : Re: [cryptography] TrueCrypt Does anyone know if Greenwald or Poitras are holding relevant documents? Dr. Schneier does not have much to add: I have no idea what's going on with TrueCrypt. On Wed, May 28, 2014 at 4:35 PM, Sadiq Saif wrote: http://truecrypt.sourceforge.net/ https://gist.github.com/anonymous/e5791d5703325b9cf6d1 https://twitter.com/matthew_d_green So WTF happened? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] The next gen P2P secure email solution
Message du 16/05/14 02:26 De : grarpamp A : p2p-hack...@lists.zooko.com Copie à : cypherpu...@cpunks.org, cryptography@randombit.net Objet : Re: [cryptography] The next gen P2P secure email solution pesky to/from/subject/etc headers. Oh boy, here we go. Those are hidden by use of TLS. Have you not been following the weaknesses intrinsic to SMTP discussions? Yes, they are hidden in TLS transport on the wire. No, they are not hidden in core or on disk at the intermediate and final message transport nodes. That's bad. There is no way to hide metadata because you need a destination for your messages to arrive, you can't hide it even in Bitcoin, Tor or any other network which has to find its destinations to deliver its contents. The best you can do is cloak it, but like any cover there are means to uncover it. We want all human relevant plaintext content, such pesky headers included, to be hidden from observation by anyone other than us (at our origination or final receipt nodes). There is no oh boy in that sensible new design. Regarding government wanting your data in the clear by requesting it to the ISP you use, well switch your communications to another country, problem solved. Have you ever heard of MLAT, extradition, interpol, public and private cooperation, dealings, and other such things? And maybe you simply do not trust any 'country' with carriage of your insistent plaintext. There is no such 'solved' with that. What is Iran? What is Cuba? What is China? What is Switzerland? - voluntary 'cooperation' to do the same. - capability for messaging over encrypted anonymous p2p overlay networks so that the only real place left to compel is the investigated user themselves (or millions of users if you want to fight up against free speech / privacy). p2p is no panacea, it doesn't scale I believe it could. Even if requiring super aggregating nodes of some sort. Layers of service of the whole DHT space. More research is surely required. Here is your problem, you hold a belief, I hold knowledge. That's the little difference between us. It is not possible to have fast p2p unless: - Cable networks collaborate by increasing bandwidth 7 to 8 times the current levels without increasing costs. That was done Brazil and South Korea which now have much better internet than the US. But the US still rule as the biggest market; - People accept a more bumpy internet experience; and it will never, ever be able to handle the latest netflixy app Joes are so much into. p2p is for techead kids like you, not for the masses. We are talking messaging, not bulk data. However, once you have the nodes scalable to millions of communicators, there is probably no issue transporting bulk data among a select few along their path metrics. The first thing people complained about Tor was that they couldn't run bittorrents with it and they couldn't see youtube. Cathal brings up a great and tricky issue regarding choices to store-and-forward. SF is quite more complex, but possibly more useful, than realtime. The masses do not understand it unless it brings spiderman, batman, faggotman hollywood garbage faster to their living rooms. I agree such garbage is rather pointless life endeavour. I would be happy to message you via such a new messaging system though :) I would it too, of course. But in order to make it work we have to dial back the complexity of our pages and our want for high definition videos. It is not interesting to merely have an e-mail substitute, because instead of e-mail metadata spies will request our google search and navigation history. You will certainly send links and those tell a lot about what we are talking about. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] The next gen P2P secure email solution
Message du 13/05/14 05:55 De : grarpamp A : cypherpu...@cpunks.org Copie à : p2p-hack...@lists.zooko.com, cryptography@randombit.net Objet : Re: [cryptography] The next gen P2P secure email solution On Fri, May 9, 2014 at 11:49 AM, rysiek wrote: Dnia wtorek, 22 kwietnia 2014 20:58:50 tpb-cry...@laposte.net pisze: Although technical solutions are feasible Then do it and see what happens. we ought to consider some things: - Email is older than the web itself; So is TCP/IP and the transistor. Irrelevant. You clearly did not get the point, but let's move along your argument. - Email has three times as many users as all social networks combined; And how did those nets get any users when 'email' was supposedly working just fine? E-mail not allowing one to make his ego appreciated and envied in a structured nicely formatted page maybe? - Email is entrenched in the offices, many a business is powered by it; They are powered by authorized access to and useful end use of message content, not by email. That's not going anywhere, only the intermediate transport is being redesigned. Can you recode outlook, eudora and other closed source stuff people use(d) for e-mail handling for business? No? Well, that answers why it is hard to remove. Given the enormous energy necessary to remove such an appliance and replace Removal is different from introducing competitive alternatives. Little proprietary walled gardens are absolutely not the answer for this problem. it with something better. How could we make a secure solution that plays nicely with the current tools without disturbing too much what is already established? By writing a gateway (i.e. between RetroShare and e-mail)? The gateway idea is interesting, but it has to be efficient enough and low cost enough for people to switch over. Something like bitmessage is not. MUA's become file readers and composers. They hand off to a localhost daemon that recognizes different address formats of the network[s] and does the right thing. Perhaps they compile against additional necessary network/crypto libs. Whatever it is, those are not a big change. Ditching centralized SMTP transport in the clear is... and for the better. http://arstechnica.com/security/2014/05/good-news-for-privacy-fewer-servers-sending-e-mail-naked-facebook-finds/ I think that answers your concern about SMTP transport in the clear, in less than one year the darkest bar in that chart will be close to 100%. If 80% of hosts demand strict encrypted transport, it will force the other 20% to change. Considering the snowden revelations and the fact that one year ago we barely used encrypted transport, having 1/4 already and accelerating is a good prospect. Reread the threads, forget about that old SMTP box, think new. Fixing the problem is better than overhauling all offices in the world, you clearly haven't been in may offices in your life. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] The next gen P2P secure email solution
Oh boy, here we go. Message du 15/05/14 23:14 De : grarpamp http://arstechnica.com/security/2014/05/good-news-for-privacy-fewer-servers-sending-e-mail-naked-facebook-finds/ I think that answers your concern about SMTP transport in the clear Yes, great, we're now moving towards strict and PFS encrypted transport. That's not much of a complete achievement since it does not solve any of the other snowden-ish issues recent p2p threads are meant to encompass... - [secret/trollish/illegal] orders against centralized mail servers/services to store and disclose all metadata and [unencrypted] content, including transport headers and pesky to/from/subject/etc headers. pesky to/from/subject/etc headers. Those are hidden by use of TLS. Regarding government wanting your data in the clear by requesting it to the ISP you use, well switch your communications to another country, problem solved. - voluntary 'cooperation' to do the same. - capability for messaging over encrypted anonymous p2p overlay networks so that the only real place left to compel is the investigated user themselves (or millions of users if you want to fight up against free speech / privacy). p2p is no panacea, it doesn't scale and it will never, ever be able to handle the latest netflixy app Joes are so much into. p2p is for techead kids like you, not for the masses. The masses do not understand it unless it brings spiderman, batman, faggotman hollywood garbage faster to their living rooms. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Request - PKI/CA History Lesson
Message du 29/04/14 20:11 De : Ben Laurie On 29 April 2014 07:41, Ryan Carboni wrote: the only logical way to protect against man in the middle attacks would be perspectives (is that project abandoned?) or some sort of distributed certificate cache checking. Or Certificate Transparency. :-) And how is that supposed to work? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] The next gen P2P secure email solution
Message du 22/04/14 20:30 De : Randolph This thread pertains specifically to the use of P2P/DHT models to replace traditional email as we know it today. *Anonymous Email based on virtual institutions* What about this model? In a network you send your public email encryption key to an virtual institution. The institution is defined by a name (e.g. AES string) and postal address (e.g. hash key). Having this information added to your node, all your email to you or from you will be stored in the virtual email provider institution. This detaches your nodes IP and encrpytion key from the institution. That means, care-off (c/o) institutions will be able to house 3rd-party e-mail without needing to distribute their own public keys. To create a post office for your friends, two methods exist: 1) Define a common neighbor (e.g Alice and Bob connect to a common webserver as node, and all three have email encryption keys shared), then the webserver stores the emails, even if Alice or Bob are offline. 2) Or/additionally: Create an virtual institution and add the email key of a friend to your node. In case your friend adds the magnet link (which contains name and address of the virtual institution, aka AES key and Hash key) for the institution as well to his node, the institution will save all emails for him (as well from senders, which are not registered at the virtual institution). A Magnet Link allows to share the virtual institution easily. The magnet Uri would look like: *magnet:?in=Gmailct=aes256pa=dotcomht=sha512xt=urn:institution* With this method an email provider can be build without data retention and with the advantage of detached email encrpytion keys from node´s IP addresses. Next to TCP, you can use as well UDP and SCTP as protocol. Virtual Institutions (VI) have been - due to the homepage - introduced by the lib-version 0.9.04 of http://goldbug.sf.net email and chat application. If we understand this right, now everyone can create an email provider without data retention just as a service for friends. In case in a network of connected nodes everyone uses gmail as VI-name and dotcom as VI-address, everyone will host everyone for email, while all remains encrypted.. could be a nice net or p2p model in a testing. Although technical solutions are feasible, we ought to consider some things: - Email is older than the web itself; - Email has three times as many users as all social networks combined; - Email is entrenched in the offices, many a business is powered by it; Given the enormous energy necessary to remove such an appliance and replace it with something better. How could we make a secure solution that plays nicely with the current tools without disturbing too much what is already established? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Message du 08/04/14 18:44 De : ianG E.g., if we cannot show any damages from this breach, it isn't worth spending a penny on it to fix! Yes, that's outrageous and will be widely ignored ... but it is economically and scientifically sound, at some level. So, let's wait until another 40 million credit cards are stolen, then we prove this method was used exactly, then we will try to fix it in all deployments ... yeah, seems reasonable. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Message du 08/04/14 21:42 De : ianG A : tpb-cry...@laposte.net, cryptogra...@metzdowd.com, cryptography@randombit.net Copie à : Objet : Re: [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL On 8/04/2014 20:18 pm, tpb-cry...@laposte.net wrote: Message du 08/04/14 18:44 De : ianG E.g., if we cannot show any damages from this breach, it isn't worth spending a penny on it to fix! Yes, that's outrageous and will be widely ignored ... but it is economically and scientifically sound, at some level. So, let's wait until another 40 million credit cards are stolen, then we prove this method was used exactly, then we will try to fix it in all deployments ... yeah, seems reasonable. Well, be blind if you like. But 40 million stolen credit cards are measurable, are damages, and are directly relatable by statistical models to theft damages. My advice is when you have a number like 40m in front of you, then you should DO SOMETHING. Spend a penny, dude! Your first advice is extremely dangerous and preposterous, I was being sardonic in my comment, but let's get this straight. You said you control a quite famous bug list. I should not ask this here, but considering the situation we found ourselves regarding encryption infrastructure abuse from the part of US government ... I'm just curious and can't resist it. How much are you being paid to give such dangerous and preposterous advice? Or, who are your handlers? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Github Pages now supports SSL
Message du 04/04/14 20:09 De : Eric Mill Along with Cloudflare's 2014 plan to offer SSL termination for free, and their stated plan to double SSL on the Internet by end of year, the barrier to HTTPS everywhere is dropping rapidly. I agree that putting https everywhere is great, but Cloudflare's founders are tightly linked with the US-intelligence community. That fact alone kind of kills any claims they make about data security within their service. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Github Pages now supports SSL
Message du 06/04/14 17:41 De : staticsafe On 4/6/2014 10:40, tpb-cry...@laposte.net wrote: Message du 04/04/14 20:09 De : Eric Mill Along with Cloudflare's 2014 plan to offer SSL termination for free, and their stated plan to double SSL on the Internet by end of year, the barrier to HTTPS everywhere is dropping rapidly. I agree that putting https everywhere is great, but Cloudflare's founders are tightly linked with the US-intelligence community. That fact alone kind of kills any claims they make about data security within their service. Source for this please? Is it so painful to do your own homework? Matthew Prince, Lee Holloway, and Michelle Zatlyn created CloudFlare in 2009.[1][2] They previously worked on Project Honey Pot. - http://en.wikipedia.org/wiki/CloudFlare [...] the project organizers also help various law enforcement agencies combat private and commercial unsolicited bulk mailing offenses and overall work to help reduce the amount of spam being sent [...] - http://en.wikipedia.org/wiki/Project_Honey_Pot That's just for starters, you can dig more and find more. It is interesting that the history of the founders themselves is no longer exhibited in cloudflare.com website as it was years ago. As an American company, there is nothing preventing Cloudflare from receiving NSLs and having to shut up about them. What use is a system that you can't trust like this? You can say oh, but they go after the bad guys, spammers. But that doesn't limit it to spammers neither do we know who are the so called bad guys, since that is decided by American secret laws, made by secret courts, that issue secret orders. No trust to American companies, less even trust to American companies that promise any kind of data security. Better no security than a false sense of it. Sorry. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Geoff Stone, Obama's Review Group
Message du 03/04/14 16:54 De : Cari Machet Not that journalists should be expected to make a lasting difference. WTF? this shit was posted on huffington post probably for those without ad blocker there was ad with bewbs on it next to the text one more thing why do you assume to know the minds of the people that own the snowden data - they are capitalists - that is all Do capitalists upset you? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Comsec as Public Utility Beyond Illusory Privacy
Message du 14/03/14 04:52 De : Troy Benjegerdes A : tpb-cry...@laposte.net Copie à : John Young , cypherpu...@cpunks.org, cryptography@randombit.net, crypt...@freelists.org Objet : Re: Comsec as Public Utility Beyond Illusory Privacy getting agreement of all targets -- gov, com, edu, org -- to say enough is enough, national security has become a catchall for inexcusable invasion of the public realm. It remembers me when someone proposed that IPv6 encryption should become optional and the proposal was accepted. If we had IPv6 encrypted by now, things would be a little bit different ... And networks would be harder to debug, unless you happened to work for the comsec utility or the NSA and already had all the decryption keys. Let me suggestion using IPv7 where encryption is also optional, but at least happens to use the same ecdsa keys you use for your money to encrypt packets if you so desire. -- Troy Benjegerdes 'da hozer' ho...@hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash I absolutely don't see the point that justifies debugging network problems to be a bigger concern than the privacy of everyone in the world. Debugging be damned. We should move to quantum-proof crypto, ECDSA is merely a stopgap. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Comsec as Public Utility Beyond Illusory Privacy
Okay, isn't this a bit over the top? -- Kevin Over the top you say? I will tell you what is over the top ... The US and UK are doing the digital equivalent of the medieval practice of throwing corpses, rats and dead cats over the fence of our backyards on the mere suspicion that we are doing something wrong or just to feed their jealousy (LOVEINT) or to have fun (Yahoo's camera spying system). If that is not over the top, I don't know what it is. Pack your things stooge and go home before people get angry enough to lynch you. We don't like your ilk, you are the same as common thugs. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Comsec as Public Utility Beyond Illusory Privacy
Message du 13/03/14 15:33 De : John Young A : cypherpu...@cpunks.org, cryptography@randombit.net, crypt...@freelists.org Copie à : Objet : Comsec as Public Utility Beyond Illusory Privacy Snowden may have raised the prospect of comsec as a public utility like power, water, gas, sewage, air quality, environmental protection and telecommunications. Privacy protection has been shown to be illusory at best, deceptive at worst, due to the uncontrollable technology applied erroneously for national security. Each of the other public utilities began as private offerings before becoming commercialized and then institutionalized as necessities, many eventually near or wholly monopolies. Each also evolved into military targets for control, contamination, destruction, and in some cases excluded as too essential for civilian livelihood to target. Comsec as a right for human discourse rather than a commercial service could enforce privacy beyond easy violation for official and commercial purposes. Freedom of comsec, say, as a new entry in the US Bill of Rights could lead the way for it to be a fundamental element of Human Rights. The problem will be as ever the commercial and governmental exploiters aiming to protect their interests against that of the public. FCC and NIST, indeed, the three branches, are hardly reliable to pursue this, so beholden to the spy agencies they cannot be trusted. NSA's ubiquitous spying on everybody at home and elsewhere with technology beyond accountability does raise the chances of getting agreement of all targets -- gov, com, edu, org -- to say enough is enough, national security has become a catchall for inexcusable invasion of the public realm. It remembers me when someone proposed that IPv6 encryption should become optional and the proposal was accepted. If we had IPv6 encrypted by now, things would be a little bit different ... ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography