-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Disclaimer: I'm an I2P developer, and a user of both Tor and I2P.
On 05/07/13 04:44, Michael Rogers wrote:
> As far as I can see, the attacks work by seizing control of the
> netDB, which is i2p's decentralised directory service.
>
> "We first show
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 04/07/13 17:15, danimoth wrote:
> Uhm, I don't consider it a matter of centralization vs
> decentralization. I think the point is how I2P selects peers to
> communicate with; attacker DoS'd previous high-performance peers,
> then replace them with no
On 04/07/13 at 04:28pm, Michael Rogers wrote:
> I think the point is that i2p's decision to use a decentralised
> directory service led to the vulnerabilities described in the paper.
Uhm, I don't consider it a matter of centralization vs decentralization.
I think the point is how I2P selects peers
The more fiercely defended security system (anything)
the more likely indefensible. Best ones require constant
patching and understatement, without exculpation, apologia
and bullying arrogance of ignorance.
But cloying humility, obsequiousness and masochism
seduces sadists for backdooring STD.
I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 04/07/13 13:34, danimoth wrote:
> IMHO that's unfair. There are many publications on Tor
> vulnerabilities as well, and this is unavoidable. Are you sure that
> in the next two months Tor will not be the main actor of a similar
> publication?
>
On 30/06/13 at 01:04am, Jacob Appelbaum wrote:
> Yeah, about that...
>
> Have you seen the most recent paper by Egger et al?
IMHO that's unfair. There are many publications on Tor
vulnerabilities as well, and this is unavoidable.
Are you sure that in the next two months Tor will not be the ma
On 2013-07-04 2:11 AM, Wasabee wrote:
On 03/07/2013 13:31, Michael Rogers wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 03/07/13 13:26, danimoth wrote:
Not directly related to remailer, but what about dc nets [1] ?
[1] The Dining Cryptographers Problem:
Unconditional Sender and
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Wasabee,
I'm no expert either but I'll try to answer to the best of my
understanding. I'm CCing Henry Corrigan-Gibbs, one of the Dissent
designers, who will hopefully correct my mistakes. :-)
On 03/07/13 17:11, Wasabee wrote:
> is it really feasib
On 03/07/2013 13:31, Michael Rogers wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 03/07/13 13:26, danimoth wrote:
Not directly related to remailer, but what about dc nets [1] ?
[1] The Dining Cryptographers Problem:
Unconditional Sender and Recipient Untraceability (David Chaum)
On 30/06/13 at 07:32pm, Jacob Appelbaum wrote:
> > I'd love to see a revitalisation of remailer research, focussing on
> > unlinkability (which we know many people would benefit from) rather
> > than sender anonymity (which fewer people need, and which is prone to
> > abuse that discourages people
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 03/07/13 13:26, danimoth wrote:
> Not directly related to remailer, but what about dc nets [1] ?
>
> [1] The Dining Cryptographers Problem:
> Unconditional Sender and Recipient Untraceability (David Chaum)
DC nets have two major drawbacks: the
On 2013-07-02, at 4:17 AM, aort...@alu.itba.edu.ar wrote:
>>> Given those shortcomings I think it is not wise to recommend it unless your
>>> enemy doesn't have the resources of a country. That being said, it's the
>>> best tool at the moment, light years ahead of other popular software
>>> like
>>>
aort...@alu.itba.edu.ar:
>>> The more interesting point is high vs low latency. I really like the
>>> idea of having a high-latency option in Tor. It would still need to
>>> have a lot of users to actually be useful, though. But it seems there
>>> are various protocols that would be more high-latenc
ianG:
>> You can have privacy by using OTR and that's good in many situations, but
>> won't protect you from somebody with enough money to hire techs and put
>> some taps.
>
>
> The threat is always on the node, never on the wire...
>
It is both. DPI does not merely mean inspection and it hasn'
Michael Rogers:
> On 01/07/13 01:55, Jacob Appelbaum wrote:
>> It is also why we have multiple implementations as well. There is a
>> Java version of Tor that is nearly ready for release and it will
>> solve a number of the C implementation concerns and exchange them
>> for Java related concerns. T
On 7/1/13 1:32 PM, Tom Ritter wrote:
I'm not saying GlobaLeaks+Tor is safe. I'm saying I think our current
remailer network is wildly unsafe. (Now what I think about fixing
it... that's a whole other story, for a whole other time.)
While it's outside the scope of GlobaLeaks to provide a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 01/07/13 01:55, Jacob Appelbaum wrote:
> It is also why we have multiple implementations as well. There is a
> Java version of Tor that is nearly ready for release and it will
> solve a number of the C implementation concerns and exchange them
> for
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 30/06/13 20:32, Jacob Appelbaum wrote:
> Michael Rogers:
>> I'd love to see a revitalisation of remailer research, focussing
>> on unlinkability (which we know many people would benefit from)
>> rather than sender anonymity (which fewer people need,
On 2/07/13 11:17 AM, aort...@alu.itba.edu.ar wrote:
But I don't blame you. I don't think any real-time chat can ever be made
"safe" and by safe I mean anonymous, because of its low-latency nature.
On a tangent, I have often wanted high-latency chat because high-speed
chat is so damn disrupti
>> Given those shortcomings I think it is not wise to recommend it unless your
>> enemy doesn't have the resources of a country. That being said, it's the
>> best tool at the moment, light years ahead of other popular software
>> like
>> Cryptocat, whose end-point security should be considered not onl
>> The more interesting point is high vs low latency. I really like the
>> idea of having a high-latency option in Tor. It would still need to
>> have a lot of users to actually be useful, though. But it seems there
>> are various protocols that would be more high-latency-friendly than
>> HTTP - SMT
> So then - what do you suggest to someone who wants to leak a document to
> a press agency that has a GlobaLeaks interface? What do you suggest to
> someone who wants to use a web email account that properly supports
> HTTPS? What do you suggest to someone who wants location privacy from
> their c
> I think if Tor had an arbitrary queue with store and forward as a high
> latency module of sorts, we'd really be onto something. Then there would
> be tons of traffic on the Tor relays for all kinds of reasons - high and
> low latency - only to all be wrapped in TLS and then in the Tor protocol.
On 2013-07-01 9:50 PM, Ben Laurie wrote:
On 1 July 2013 12:32, Tom Ritter wrote:
On 1 July 2013 05:04, Ben Laurie wrote:
On 1 July 2013 01:55, Jacob Appelbaum wrote:
So then - what do you suggest to someone who wants to leak a document to
a press agency that has a GlobaLeaks interface?
I w
On 01.07.2013 15:33, Jacob Appelbaum wrote:
> I think if Tor had an arbitrary queue with store and forward as a high
> latency module of sorts, we'd really be onto something.
Isn't that what Roger proposed as "Alpha Mixing"?
http://freehaven.net/anonbib/#alpha-mixing:pet2006
It could be valuable
On 1 July 2013 14:33, Jacob Appelbaum wrote:
> I think having Mixmaster and MixMinion support in Tails and run over Tor
> would be a good way to start. I also agree that GlobaLeaks should have
> an interface for receiving leaks via either of those networks - though I
> sometimes wonder if GL would
Ben Laurie:
> On 1 July 2013 12:32, Tom Ritter wrote:
>> On 1 July 2013 05:04, Ben Laurie wrote:
>>> On 1 July 2013 01:55, Jacob Appelbaum wrote:
So then - what do you suggest to someone who wants to leak a document to
a press agency that has a GlobaLeaks interface?
>>>
>>> I would sug
On 1 July 2013 12:32, Tom Ritter wrote:
> On 1 July 2013 05:04, Ben Laurie wrote:
>> On 1 July 2013 01:55, Jacob Appelbaum wrote:
>>> So then - what do you suggest to someone who wants to leak a document to
>>> a press agency that has a GlobaLeaks interface?
>>
>> I would suggest: don't use Glob
On 1 July 2013 05:04, Ben Laurie wrote:
> On 1 July 2013 01:55, Jacob Appelbaum wrote:
>> So then - what do you suggest to someone who wants to leak a document to
>> a press agency that has a GlobaLeaks interface?
>
> I would suggest: don't use GlobaLeaks, use anonymous remailers.
> Bottom line:
On 1 July 2013 01:55, Jacob Appelbaum wrote:
>> I would like to see a tor configuration flag that sacrifices speed for
>> anonymity.
>
> You're the first person, perhaps ever, to make that feature request
> without it being in a mocking tone. At least, I think you're not mocking! :)
Let me add a
On 1 July 2013 01:55, Jacob Appelbaum wrote:
> So then - what do you suggest to someone who wants to leak a document to
> a press agency that has a GlobaLeaks interface?
I would suggest: don't use GlobaLeaks, use anonymous remailers.
Bottom line: Tor is weak against powerful adversaries because
On 1 July 2013 01:55, Jacob Appelbaum wrote:
>
> > I would like to see a tor configuration flag that sacrifices speed for
> > anonymity.
>
> You're the first person, perhaps ever, to make that feature request
> without it being in a mocking tone. At least, I think you're not mocking!
> :)
>
I w
On 2013-06-30, at 4:24 PM, aort...@alu.itba.edu.ar wrote:
> I believe Anonymity is a problem orders of magnitude bigger than privacy.
> Tor seems like the only serious project aiming at solving it but I think
> you should be wise by choosing your enemies and Tor in its current state
> is useless
aort...@alu.itba.edu.ar:
> I believe Anonymity is a problem orders of magnitude bigger than privacy.
I agree - though most people think the two terms mean the same thing.
Lots of different terms are a similar set of things for different people.
> Tor seems like the only serious project aiming at
I believe Anonymity is a problem orders of magnitude bigger than privacy.
Tor seems like the only serious project aiming at solving it but I think
you should be wise by choosing your enemies and Tor in its current state
is useless against government-type surveillance for the following reasons
(IMH
Michael Rogers:
>> So who's out there developing any useful protocols for
>> anonymization today? *Anybody*? Could we try to start a new project
>> (if needed) to create one?
>
> I'd love to see a revitalisation of remailer research, focussing on
> unlinkability (which we know many people would be
> So who's out there developing any useful protocols for anonymization today?
> *Anybody*? Could we try to start a new project (if needed) to create one?
I'd love to see a revitalisation of remailer research, focussing on
unlinkability (which we know many people would benefit from) rather than s
Hi,
> There should be a disclaimer somewhere that Tor is a competitor to
> I2P, is far from perfect itself (actually has a few glaring
> weaknesses, such as exit nodes), and the guy critiquing I2P works for
> Tor.
The guys who did the PETS 2011 attack on I2P are not with Tor, but with
GNUNet -- a
> I don't think they are doing this (as I said, they only bother with the
> low hanging fruit) but they could.
>
> Is there a tool that detects changes of CA?
Certificate Patrol does it for you on client-side:
https://addons.mozilla.org/de/firefox/addon/certificate-patrol/
Our own Crossbear doe
Nadim Kobeissi:
>>
>> Read my email more carefully next time. I specifically encouraged
>> experimentation in a way that seems reasonably safe:
>
> There's no need to be so patronizing — I'm aware that you recommended TAILS
> (which is also a Tor project).
>
I'm sorry to write with more bad new
On 2013-06-30, at 9:40 AM, Jacob Appelbaum wrote:
> Nadim Kobeissi:
>>
>> On 2013-06-29, at 11:48 PM, Jacob Appelbaum
>> wrote:
>>
>>> Natanael:
I'm not seeing that many options though. The Phantom project died
pretty fast; https://code.google.com/p/phantom/
https://groups.goo
Nadim Kobeissi:
>
> On 2013-06-29, at 11:48 PM, Jacob Appelbaum
> wrote:
>
>> Natanael:
>>> I'm not seeing that many options though. The Phantom project died
>>> pretty fast; https://code.google.com/p/phantom/
>>> https://groups.google.com/forum/#!forum/phantom-protocol
>>> http://phantom-anon
> I'm not seeing that many options though. The Phantom project died pretty
> fast;
> https://code.google.com/p/phantom/
> https://groups.google.com/forum/#!forum/phantom-protocol
> http://phantom-anon.blogspot.se/
I would bet that Phantom both ran out of developer time and
has discouraged further
> There should be a disclaimer somewhere that Tor is a competitor to I2P, is
> far from perfect itself (actually has a few glaring weaknesses, such as exit
> nodes), and the guy critiquing I2P works for Tor.
There should be a table somewhere that shows that
all these different systems have diffe
On 2013-06-29, at 11:48 PM, Jacob Appelbaum wrote:
> Natanael:
>> I'm not seeing that many options though. The Phantom project died pretty
>> fast;
>> https://code.google.com/p/phantom/
>> https://groups.google.com/forum/#!forum/phantom-protocol
>> http://phantom-anon.blogspot.se/
>>
>> So who'
On Thu, Jun 13, 2013 at 9:27 AM, Moritz wrote:
> ...
> A foundation offered me money for improving, auditing, or implementing
> crypto-related software ...
wanted: SSL/TLS session ticket storage clustering support for apache2,
nginx, haproxy using memcached or suitable memory only backed storage
Convergence, (in-browser) certificate pinning, and a few more. You could
also use DNSSEC to serve the certificate.
2013/6/30 James A. Donald
> The biggest Tor vulnerability is that governments and large criminal
> organizations (but I repeat myself) can use their influence over a CA to
> perfor
The biggest Tor vulnerability is that governments and large criminal
organizations (but I repeat myself) can use their influence over a CA to
perform a man in the middle attack.
I don't think they are doing this (as I said, they only bother with the
low hanging fruit) but they could.
Is ther
Yeah, I know about Tor already of course, but I also want *more options*
(at least so that any critical bugs in one of the options doesn't
automatically put *everybody* at risk), and there's also a few too many
things I don't like about Tor. I know a lot of it can be fixed, but it
would also requir
On 2013-06-30 10:21 AM, Natanael wrote:
Of course there's that whole 'almost none of our tools are usable'
problem.
That problem needs fixing first. Only then will our enemies start
bothering with pattern recognition and such.
Right now, the most trivial precautions result in you
Natanael:
> I'm not seeing that many options though. The Phantom project died pretty
> fast;
> https://code.google.com/p/phantom/
> https://groups.google.com/forum/#!forum/phantom-protocol
> http://phantom-anon.blogspot.se/
>
> So who's out there developing any useful protocols for anonymization t
I'm not seeing that many options though. The Phantom project died pretty
fast;
https://code.google.com/p/phantom/
https://groups.google.com/forum/#!forum/phantom-protocol
http://phantom-anon.blogspot.se/
So who's out there developing any useful protocols for anonymization today?
*Anybody*? Could w
Natanael:
> I would like to point out that the developers of the anonymizing network
> I2P are looking for more external review of the codebase (it's in Java, by
> the way). Everybody who knows how to do security reviews of source code and
> has time to spare should take a look at it.
>
I've prev
I would like to point out that the developers of the anonymizing network
I2P are looking for more external review of the codebase (it's in Java, by
the way). Everybody who knows how to do security reviews of source code and
has time to spare should take a look at it.
FYI, I also think that I2P's s
I've been waiting to reply to this until I can give it an hour to get my
thoughts down. Hopefully it's not too late. This is a very important
question: where should we spend our time, and our effort? Because I know
you Moritz, I'm going to stray heavily into the Liberation Tech side of
things, a
Hi,
A foundation offered me money for improving, auditing, or implementing
crypto-related software and hardware. We could probably also
fund/perform usability studies.
Any suggestions?
--Mo
56 matches