On 07/11/2013 02:08 PM, Maxim Kammerer wrote:
On Thu, Jul 11, 2013 at 9:04 PM, Jonathan Wilkes jancs...@yahoo.com wrote:
I think the upshot of that is to steer whatever funds Cryptocat has
toward the form of peer review that did work, which is the bug
hunt (as well as look into other forms of
On Tue, Jul 9, 2013 at 4:45 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
I think he very clearly stated it:
Interviewer: What happens after the NSA targets a user?
Snowden: They're just owned. An analyst will get a daily (or scheduled
based on exfiltration summary) report on what changed
On 2013-07-11, at 12:38 PM, Maxim Kammerer m...@dee.su wrote:
On Tue, Jul 9, 2013 at 4:57 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
While I think Maxim is viewed as exceedingly harsh in how he writes, I
think that your response is really the wrong way to deal with him. We
should
On 07/11/2013 12:38 PM, Maxim Kammerer wrote:
On Tue, Jul 9, 2013 at 4:57 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
While I think Maxim is viewed as exceedingly harsh in how he writes, I
think that your response is really the wrong way to deal with him. We
should consider that his cultural
On 2013-07-11, at 2:08 PM, Maxim Kammerer m...@dee.su wrote:
On Thu, Jul 11, 2013 at 9:04 PM, Jonathan Wilkes jancs...@yahoo.com wrote:
I think the upshot of that is to steer whatever funds Cryptocat has
toward the form of peer review that did work, which is the bug
hunt (as well as look
On 2013-07-09, at 12:34 AM, Jonathan Wilkes jancs...@yahoo.com wrote:
On 07/08/2013 07:07 AM, Nadim Kobeissi wrote:
On 2013-07-08, at 3:34 AM, Tom Ritter t...@ritter.vg wrote:
On 7 July 2013 17:20, Maxim Kammerer m...@dee.su wrote:
This thread started off with discussion of peer review, so
On 08 July, 2013 - Nadim Kobeissi wrote:
On 2013-07-08, at 2:48 PM, Reed Black r...@unsafeword.org wrote:
On Mon, Jul 8, 2013 at 11:00 AM, David Goulet dgou...@ev0ke.net wrote:
Furthermore, looking at those lines of code, there are simply NO comments
at all,
nothing to help peer
On 08/07/13 20:35, Maxim Kammerer wrote:
Writing secure software is relatively easy, and does not rely much
on abstraction layers or whatever OOP ideology is popular at the
moment. You just document each function's input/output, test it
somehow,
On Tue, Jul 9, 2013 at 11:39 AM, Michael Rogers
mich...@briarproject.org wrote:
Google and Mozilla wouldn't have to run
competitions to find holes in their own browsers. There wouldn't be a
multi-million-dollar 0day black market.
You are talking about huge projects with complex design, where
If it's so easy, go ahead and produce a more secure alternative that people
will use. Talking about how exceedingly easy it is in Internet forums
doesn't contribute much.
On Tue, Jul 9, 2013 at 5:55 AM, Maxim Kammerer m...@dee.su wrote:
On Tue, Jul 9, 2013 at 11:39 AM, Michael Rogers
Patrick Mylund Nielsen:
If it's so easy, go ahead and produce a more secure alternative that people
will use. Talking about how exceedingly easy it is in Internet forums
doesn't contribute much.
I'm not sure if you're aware but Maxim did exactly this many years ago.
He wrote a system called
Patrick Mylund Nielsen:
On Tue, Jul 9, 2013 at 9:22 AM, Eugen Leitl eu...@leitl.org wrote:
On Tue, Jul 09, 2013 at 09:12:21AM -0400, Patrick Mylund Nielsen wrote:
If it's so easy, go ahead and produce a more secure alternative that
people
You mean something like http://dee.su/ ?
And
On Tue, Jul 9, 2013 at 9:57 AM, Jacob Appelbaum ja...@appelbaum.net wrote:
Patrick Mylund Nielsen:
If it's so easy, go ahead and produce a more secure alternative that
people
will use. Talking about how exceedingly easy it is in Internet forums
doesn't contribute much.
I'm not sure if
On 2013-07-09, at 10:29 AM, Jacob Appelbaum ja...@appelbaum.net wrote:
Patrick Mylund Nielsen:
On Tue, Jul 9, 2013 at 9:22 AM, Eugen Leitl eu...@leitl.org wrote:
On Tue, Jul 09, 2013 at 09:12:21AM -0400, Patrick Mylund Nielsen wrote:
If it's so easy, go ahead and produce a more secure
Here are more statistics on TLS modes failing back to less secure modes, and a
semi-complete listing of affected browsers, published 2 days ago:
http://jbp.io/2013/07/07/tls-downgrade/
Best,
Jason Gulledge
On Jul 9, 2013, at 4:29 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
Patrick
Sorry, when I wrote "scare normal users away from e.g. MSN", I meant "scare
normal users away from switching from e.g. MSN"
On Tue, Jul 9, 2013 at 12:31 PM, Patrick Mylund Nielsen
cryptogra...@patrickmylund.com wrote:
What I hear from you is a common idea: it is the idea that people
who
On 07/09/2013 10:29 AM, Jacob Appelbaum wrote:
Patrick Mylund Nielsen:
On Tue, Jul 9, 2013 at 9:22 AM, Eugen Leitl eu...@leitl.org wrote:
On Tue, Jul 09, 2013 at 09:12:21AM -0400, Patrick Mylund Nielsen wrote:
If it's so easy, go ahead and produce a more secure alternative that
people
You
Nadim Kobeissi:
Hi Jacob,
You've said a lot about Cryptocat's SSL configuration — can you recommend a
better configuration that is similarly compatible?
Hi Nadim,
I mentioned this on the cryptography list - I suggest several things.
First up - either disable all non-forward secure SSL/TLS
Jonathan Wilkes:
On 07/09/2013 10:29 AM, Jacob Appelbaum wrote:
Patrick Mylund Nielsen:
On Tue, Jul 9, 2013 at 9:22 AM, Eugen Leitl eu...@leitl.org wrote:
On Tue, Jul 09, 2013 at 09:12:21AM -0400, Patrick Mylund Nielsen wrote:
If it's so easy, go ahead and produce a more secure alternative
On 07/09/2013 06:25 PM, Petter Ericson wrote:
What are the steps for sending Bob a message using Cables?
This isn't rhetorical, I'd actually like to know what the steps are.
Roughly I think this is correct:
0. Download https://www.dee.su/liberte
1. Boot any modern computer with the usb
On 10-07-13 00:57, h0ost wrote:
On 07/09/2013 06:25 PM, Petter Ericson wrote:
What are the steps for sending Bob a message using Cables?
This isn't rhetorical, I'd actually like to know what the steps are.
Roughly I think this is correct:
0. Download https://www.dee.su/liberte
1. Boot
On 07/09/2013 02:33 PM, Jacob Appelbaum wrote:
Jonathan Wilkes:
On 07/09/2013 10:29 AM, Jacob Appelbaum wrote:
Patrick Mylund Nielsen:
On Tue, Jul 9, 2013 at 9:22 AM, Eugen Leitl eu...@leitl.org wrote:
On Tue, Jul 09, 2013 at 09:12:21AM -0400, Patrick Mylund Nielsen wrote:
If it's so easy,
On 2013-07-08, at 12:13 PM, Ralph Holz h...@net.in.tum.de wrote:
Hi Tom,
If you think this bug could never happen to you or your favorite pet
project; if you think there's nothing you can learn from this incident
- you haven't thought hard enough about ways it could have been
prevented,
On Mon, Jul 8, 2013 at 4:34 AM, Tom Ritter t...@ritter.vg wrote:
As one of the people on this list who does paid security audits, I
both want to, and feel obligated to, weigh in on the topic.
Thanks for your insight into code review process. Besides perhaps
insinuating that Veracode didn't do
On 2013-07-08, at 3:34 AM, Tom Ritter t...@ritter.vg wrote:
On 7 July 2013 17:20, Maxim Kammerer m...@dee.su wrote:
This thread started off with discussion of peer review, so I have
shown that even expensive, well-qualified peer review (and I am sure
that Veracode people are qualified)
On Mon, Jul 8, 2013 at 4:34 AM, Maxim Kammerer m...@dee.su wrote:
On Mon, Jul 8, 2013 at 4:34 AM, Tom Ritter t...@ritter.vg wrote:
As one of the people on this list who does paid security audits, I
both want to, and feel obligated to, weigh in on the topic.
Thanks for your insight into code
On 2013-07-08, at 2:00 PM, David Goulet dgou...@ev0ke.net wrote:
Hi everyone,
Very good post Tom! :)
I would like to point out something here, no bashing, but rather possible
improvements from my point of view. As Tom stated, basically if you don't do
code, you'll have no bugs so in
So introductory-level programming course mistakes are right out.
In my experience it's quite often a really simple mistake that gets you,
even when you're an experienced programmer. I'm quite afraid of simple
off-by-one bugs,
places which I didn't fix in copy-paste, basic logic mistakes etc.
IMO
On 2013-07-07, at 2:25 PM, CodesInChaos codesinch...@gmail.com wrote:
So introductory-level programming course mistakes are right out.
In my experience it's quite often a really simple mistake that gets you,
even when you're an experienced programmer. I'm quite afraid of simple
to be careful with
these things, but... Keep going ;)
gpg --keyserver pgp.mit.edu --search-keys EEE5A447
http://pgp.mit.edu:11371/pks/lookup?search=0xEEE5A447&op=vindex
From: na...@nadim.cc
Date: Sun, 7 Jul 2013 22:34:24 +0200
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech
I see a ton of people criticizing left and right, conveniently leaving out
that this didn't apply to the OTR implementation. I don't see a lot of
people producing more secure or as-easy-to-use alternatives, which
presumably they're more than capable of.
Criticizing is easy. It's okay to feel bad
On Sun, Jul 7, 2013 at 3:25 PM, CodesInChaos codesinch...@gmail.com wrote:
So introductory-level programming course mistakes are right out.
In my experience it's quite often a really simple mistake that gets you,
even when you're an experienced programmer. I'm quite afraid of simple
On 07/07/2013 05:20 PM, Maxim Kammerer wrote:
On Sun, Jul 7, 2013 at 3:25 PM, CodesInChaos codesinch...@gmail.com wrote:
So introductory-level programming course mistakes are right out.
In my experience it's quite often a really simple mistake that gets you,
even when you're an experienced
On 7 July 2013 17:20, Maxim Kammerer m...@dee.su wrote:
This thread started off with discussion of peer review, so I have
shown that even expensive, well-qualified peer review (and I am sure
that Veracode people are qualified) didn't help in this case.
As one of the people on this list who
On Thu, Jul 4, 2013 at 12:36 PM, KheOps khe...@ceops.eu wrote:
Just came across this:
http://tobtu.com/decryptocat.php
Any comment?
Clearly false, since Cryptocat earned “[leading application security
team] Veracode Level 2 classification highlighted by a Security
Quality Score of 100/100”
Hi all,
Just came across this:
http://tobtu.com/decryptocat.php
Pointing out an apparent set of severe crypto bugs in Cryptocat - but
I'm myself not enough an expert to assess all this.
Any comment?
KheOps
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
On Thu, Jul 4, 2013 at 11:36 AM, KheOps khe...@ceops.eu wrote:
Just came across this:
http://tobtu.com/decryptocat.php
Eep!
It seems like the saying "given enough eyeballs, all bugs are shallow" has
become obsolete, huh? Peer review is an integral part to developing secure
cryptography
Hello everyone,
I urge you to read our response at the Cryptocat Development Blog, which
strongly clarifies the situation:
https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/
Thank you,
NK
On 2013-07-04, at 12:18 PM, Jens Christian Hillerup j...@hillerup.net wrote:
Jens Christian Hillerup j...@hillerup.net writes:
So what do we do about this? Opening the source code as an argument
for security no longer suffices. How can we raise money for rigid and
independent quality assurance of software that in this case is
designed to potentially save lives? And how
I think he missed a prime opportunity to call his post DecipherDog ;-)
~Griffin