Re: [liberationtech] TrueCrypt Alternatives?

2014-10-06 Thread Eleanor Saitta
On 2014.10.06 01.56, Bill Cox wrote: I will have an impact on the code going forward. Also, I am entirely a pragmatist. I am an engineer, not a cryptographer, and I build stuff that works in the real world. Can you explain a deniable

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-06 Thread Jonathan Wilkes
Hi Bill, Just keep in mind that there hasn't been a single citation of any reliable research or human rights reports about deniability in this thread. So if you are looking for advice specifically on whether the system should even include deniability, you're basically working off an opinion of

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-06 Thread Jonathan Wilkes
And just to keep the discussion on topic-- I'm talking about research or reports on the benefits/drawbacks of using software in the field that has some deniability features. -Jonathan On Monday, October 6, 2014 12:56 PM, Eleanor Saitta e...@dymaxion.org wrote: -BEGIN PGP SIGNED

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-06 Thread Danny O'Brien
On Mon, Oct 06, 2014 at 05:56:59PM +0100, Eleanor Saitta wrote: On 2014.10.06 01.56, Bill Cox wrote: I will have an impact on the code going forward. Also, I am entirely a pragmatist. I am an engineer, not a cryptographer, and I build stuff that works in the real world. Can you explain a

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-06 Thread Lucas Gonze
Deniability is not inherently better. Of course it has advantages. But a world that only had deniable cryptography would be worse than one which also had systems like TrueCrypt whose presence is not hidden. It makes no sense to argue that an improved version of TrueCrypt is no better if it’s

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-05 Thread Yosem Companys
This is not directed to anyone in particular. But, come on, everyone, let's have a respectful and constructive conversation. There's no need to get snippy. Thanks, Yosem One of the moderators On Sun, Oct 5, 2014 at 3:44 PM, Greg g...@kinostudios.com wrote: Dear Rich, On Oct 4, 2014, at 3:50

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-05 Thread Greg
On Oct 5, 2014, at 3:48 PM, Yosem Companys compa...@stanford.edu wrote: This is not directed to anyone in particular. But, come on, everyone, let's have a respectful and constructive conversation. There's no need to get snippy. I agree, and sorry if my email came off that way. Let me try to

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-05 Thread Bill Cox
On Thu, Oct 2, 2014 at 4:28 PM, Eleanor Saitta e...@dymaxion.org wrote: Field outcomes aren't about math. That's the point I'm trying to make here. The precautionary principle and a Do No Harm approach to software development are incredibly important when looking at the requirements

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-04 Thread Rich Kulawiec
On Fri, Oct 03, 2014 at 10:23:09PM +, Jonathan Wilkes wrote: Hi Rich, Your footnote #1 is dubious at best. The cost of aiming people's eyes at bugs is _not_ $0. Until it is, the free software community has a problem with too few resources chasing too many bugs. I'm not sure why you're

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-04 Thread Rich Kulawiec
This is dragging out, so I'm going to try to be brief. On Fri, Oct 03, 2014 at 06:07:36PM -0700, Greg wrote: You may also be misunderstanding our NDA. I'm not misunderstanding it. I didn't bother to read it, because the mere fact that it exists is the problem. People who are serious about

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-03 Thread Natanael
On Fri, Oct 3, 2014 at 2:50 AM, Greg g...@kinostudios.com wrote: Also, you convince me how to keep providing high quality software and support while simultaneously making Espionage completely free and open source and I will do it in a flash. Call up Red Hat and ask them about how they manage

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-03 Thread Greg
Dear Natanael, Call up Red Hat and ask them about how they manage their open source Linux distribution. Oh, I am very familiar with the Red Hat model, and I respect it greatly, and am in fact pursuing something similar. Red Hat works because it is complicated, technical infrastructure

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-03 Thread Jonathan Wilkes
On 10/03/2014 12:57 PM, Greg wrote: Dear Natanael, Call up Red Hat and ask them about how they manage their open source Linux distribution. Oh, I am very familiar with the Red Hat model, and I respect it greatly, and am in fact pursuing something similar. Red Hat works because it is

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-03 Thread Steve Weis
Hi Greg. The burden of proof is on Espionage to convince people that it is safe. I can't trust it based on marketing claims alone. There is not a sufficiently detailed design document on the website, much less a battle-tested, peer-reviewed design. I don't see any reference to independent

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-03 Thread Greg
On Oct 3, 2014, at 12:04 PM, Steve Weis stevew...@gmail.com wrote: Hi Greg. The burden of proof is on Espionage to convince people that it is safe. I can't trust it based on marketing claims alone. There is not a sufficiently detailed design document on the website, much less a

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-03 Thread Greg
Dear Jonathan, On Oct 3, 2014, at 11:41 AM, Jonathan Wilkes jancs...@yahoo.com wrote: You could also do a 3-clause BSD license for the library (i.e., business logic), then separate out the GUI part and put whatever license you want on the bundle. You could even do deterministic builds of

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-03 Thread Rich Kulawiec
On Thu, Oct 02, 2014 at 05:50:08PM -0700, Greg wrote: K, thanks for the read (I read it but nothing there seems to apply, perhaps some of its points will be addressed below). I'm sorry that you feel that way; I included that link because I think the entire message applies, particularly this

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-03 Thread Jonathan Wilkes
Hi Rich, Your footnote #1 is dubious at best. The cost of aiming people's eyes at bugs is _not_ $0. Until it is, the free software community has a problem with too few resources chasing too many bugs. Sitting my Debian box next to an XP box that's running Flash certainly doesn't change

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-03 Thread Greg
Dear Rich, I echo Jonathan's reply to your email. At the same time, I do feel a certain empathy and understanding of the feeling behind your words. If there was anything in your email that I came closest to agreeing with, it would be this: You can't have the former without the latter: it's

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-03 Thread Jonathan Wilkes
Well, to be completely honest I wouldn't use security software with a proprietary GUI myself.  But I'm not most people, and it would be better for your business logic to be open source than for the whole thing to be subject to the terms you describe. -Jonathan On Friday, October 3, 2014

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-02 Thread Eleanor Saitta
On 2014.10.01 04.22, Greg wrote: On Sep 30, 2014, at 2:48 PM, Eleanor Saitta e...@dymaxion.org wrote: I don't have any field stories that I have permission to share, but yes, I've heard of specific incidents. Incidents involving our

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-02 Thread Guillaume Deuchst
Truecrypt has not properly been audited. For information, Truecrypt has been audited and agreed in version 6.0a by ANSSI (French national IT Sec agency). Report (French only): http://www.ssi.gouv.fr/fr/produits-et-prestataires/produits-certifies-cspn/certificat_cspn_2008_03.html 2014-10-02

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-02 Thread Greg
On Oct 2, 2014, at 6:54 AM, Eleanor Saitta e...@dymaxion.org wrote: On 2014.10.01 04.22, Greg wrote: On Sep 30, 2014, at 2:48 PM, Eleanor Saitta e...@dymaxion.org wrote: I don't have any field stories that I have permission to share, but yes, I've heard of specific incidents.

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-02 Thread Greg
P.S. I would rather keep the tone of this conversation civil, and I recognize that in matching what I felt was your tone (in the previous email) it does not help accomplish that, so, sorry for that. From my POV, this is where the upset comes from: somebody asks for a TrueCrypt alternative and

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-02 Thread Eleanor Saitta
On 2014.10.02 20.39, Greg wrote: There are different types of deniable encryption systems, with very _different_ deniability properties. What you're failing to see here, I think, is that your adversary is almost never a cryptographer. You

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-02 Thread Greg
On Oct 2, 2014, at 1:28 PM, Eleanor Saitta e...@dymaxion.org wrote: Signed PGP part On 2014.10.02 20.39, Greg wrote: There are different types of deniable encryption systems, with very _different_ deniability properties. What you're failing to see here, I think, is that your adversary is

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-02 Thread Greg
Ai karumba, I dislike our ancient email system that does not allow you to edit things. On Oct 2, 2014, at 1:37 PM, Greg g...@kinostudios.com wrote: Stop telling me what I fail to see. * Please tell me what I fail to see, but only do so when you've read and understood what the other person

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-02 Thread Eleanor Saitta
On 2014.10.02 21.37, Greg wrote: Have you read everything in the reddit r/security link I sent you? Of course not. It turns out I have other things to do than read voluminous ramblings by folks on Reddit who don't actually do field work. I'll

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-02 Thread Greg
On Oct 2, 2014, at 1:51 PM, Eleanor Saitta e...@dymaxion.org wrote: You have failed to demonstrate this in any way, other than by brute force assertion I demonstrated it by logic. You have only yourself to blame for _choosing_ to ignore the other side's argument: Have you read everything

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-02 Thread Yosem Companys
We have placed this thread under moderation, as it is now violating guideline #3: 3. To maintain civil discourse, we have a zero-tolerance policy for anyone who posts ad hominems, or otherwise inflammatory, extraneous, or off-topic messages. You are welcome to continue other substantive

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-02 Thread Rich Kulawiec
1. Well, this has certainly been an interesting discussion, but until Espionage is FULLY open-source, it's moot, because it hasn't (yet) been exposed to unlimited peer review by arbitrary, independent third parties. Please see:

Re: [liberationtech] TrueCrypt Alternatives?

2014-09-30 Thread Eleanor Saitta
On 2014.09.28 04.15, Greg wrote: Dear Rory, See this list on ArsTechnica's forum: http://arstechnica.com/civis/viewtopic.php?f=21t=1245367 I work for Tao Effect LLC, our software is on that list, and you can read about how its plausible

Re: [liberationtech] TrueCrypt Alternatives?

2014-09-30 Thread Jonathan Wilkes
Hi Eleanor, I understand the logic of the argument, but are there news stories about people being harmed in the field due specifically (or mainly) to deniability of the software they are using? (Or research on the topic, though I'm not sure how it could be falsifiable or reproducible.)

Re: [liberationtech] TrueCrypt Alternatives?

2014-09-30 Thread Eleanor Saitta
On 2014.09.30 18.01, Jonathan Wilkes wrote: Hi Eleanor, I understand the logic of the argument, but are there news stories about people being harmed in the field due specifically (or mainly) to deniability of the software they are using? (Or

Re: [liberationtech] TrueCrypt Alternatives?

2014-09-30 Thread Huned Botee
Eleanor, maybe you can help shed some light on this lack of awareness. How do you think developers should be analyzing risk here? Do you have specific suggestions and/or can you point to sources where that information can be found? On Tue, Sep 30, 2014 at 2:48 PM, Eleanor Saitta e...@dymaxion.org

Re: [liberationtech] TrueCrypt Alternatives?

2014-09-30 Thread Matt Mackall
On Tue, 2014-09-30 at 14:55 -0700, Huned Botee wrote: Eleanor, maybe you can help shed some light on this lack of awareness. How do you think developers should be analyzing risk here? Do you have specific suggestions and/or can you point to sources where that information can be found? The

Re: [liberationtech] TrueCrypt Alternatives?

2014-09-30 Thread Greg
Dear Eleanor, On Sep 30, 2014, at 2:48 PM, Eleanor Saitta e...@dymaxion.org wrote: I don't have any field stories that I have permission to share, but yes, I've heard of specific incidents. Incidents involving our software? More generally, it represents an utter lack of awareness on the

Re: [liberationtech] TrueCrypt Alternatives?

2014-09-27 Thread Greg
Dear Rory, See this list on ArsTechnica's forum: http://arstechnica.com/civis/viewtopic.php?f=21t=1245367 I work for Tao Effect LLC, our software is on that list, and you can read about how its plausible deniability compares to TrueCrypt's here (forgive this subreddit's insane color scheme):

[liberationtech] TrueCrypt Alternatives?

2014-05-29 Thread Security First
Hi everyone, While the jury is still out on how this TrueCrypt issue plays out. With TC such a big part of the furniture in LibTech community practises, lessons, manuals, advice, etc., the question I'm sure a lot of us are thinking is: What are the best alternatives to TrueCrypt for the people

Re: [liberationtech] TrueCrypt Alternatives?

2014-05-29 Thread carlo von lynX
On Thu, May 29, 2014 at 09:10:08AM +0100, Security First wrote: While the jury is still out on how this TrueCrypt issue plays out. Hmmm.. What are the best alternatives to TrueCrypt for the people we work with and train? http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

Re: [liberationtech] TrueCrypt Alternatives?

2014-05-29 Thread Tom O
Truecrypt has not properly been audited. The only audit to date is what has been organised by Matthew Green of Johns Hopkins University. I believe there is still more to go on this, but in light of recent events, one wonders if this is worth it. On Thursday, May 29, 2014, carlo von lynX

Re: [liberationtech] TrueCrypt Alternatives?

2014-05-29 Thread carlo von lynX
On Thu, May 29, 2014 at 08:51:21PM +1000, Tom O wrote: Truecrypt has not properly been audited. The only audit to date is what has been organised by Matthew Green of Johns Hopkins University. I believe there is still more to go on this, but in light of recent events, one wonders if this

Re: [liberationtech] TrueCrypt Alternatives?

2014-05-29 Thread Tom O
No I mean TrueCrypt Site is is truecryptauditedyet.com Heartbleed was a vuln found by researchers at Google (Neel Mehta), not the result of an audit. I assure you that there are significant software projects that go through intense auditing. Nothing is secure, but there are some things less

Re: [liberationtech] TrueCrypt Alternatives?

2014-05-29 Thread Tom O
Sorry the link should be www.istruecryptauditedyet.com On 29 May 2014 22:37, carlo von lynX l...@time.to.get.psyced.org wrote: On Thu, May 29, 2014 at 08:51:21PM +1000, Tom O wrote: Truecrypt has not properly been audited. The only audit to date is what has been organised by Matthew Green

Re: [liberationtech] TrueCrypt Alternatives?

2014-05-29 Thread taxakis
Subject: Re: [liberationtech] TrueCrypt Alternatives? On Thu, May 29, 2014 at 08:51:21PM +1000, Tom O wrote: Truecrypt has not properly been audited. The only audit to date is what has been organised by Matthew Green of Johns Hopkins University. I