Re: [liberationtech] [cpsr-activists] CPSR Curriculum?

2019-02-05 Thread Richard Brooks
In my security course, I have students look at and contrast
the ACM and IEEE codes of ethics.

To be honest the ACM code is long-winded, hard to follow, and
(in my opinion) almost impossible to follow.

It does not surprise me that it did not influence the people.
What would surprise me is if they read the whole thing.

The IEEE code is brief and less legalistic in tone.

On 2/4/19 2:20 PM, Aaron Massey wrote:
> Re: seeking empirical evidence about ethics instruction
> 
> A recent publication at FSE attempted to evaluate the impact of the new
> ACM code of ethics on decision-making and found no evidence of an effect
> according to their methodology.  You can read the paper here:
> 
> https://people.engr.ncsu.edu/ermurph3/papers/fse18nier.pdf
> 
> It’s worth asking whether this is the sort of structure a study of this
> nature should have.  For example, this study doesn’t really address many
> (or any?) of the points Charles made earlier.
> 
> Best, Aaron
> 
> 
> On Mon  04 Feb 2019  07:40 AM, Charles M. Ess wrote:
>> And thanks on both fronts!
>>
>> My acknowledging that it was a critical, spot-on point was not
>> gratuitous or merely courteous: behind it is a larger point - one that
>> we don't always point out to our undergraduate students.  But
>> Aristotle warned at the outset of his Nicomachean Ethics that no one
>> under 30 should attempt it - precisely because of their comparative
>> lack of experience as enculturated ethical beings.  (Part of this
>> enculturation includes precisely our learning from our mistakes -
>> phronesis as self-correcting ethical judgment.)
>> FWIW: while I loved teaching undergraduate philosophy courses, such as
>> ethics and logic, for example - and still think that there's value and
>> some measure of good effect from them - having so-called
>> "non-traditional" was always a great pleasure, precisely because they
>> could bring their greater experience into play.  FWIW: the past couple
>> of decades have been even better on this front as I've been privileged
>> to work with a number of groups and communities who meet Aristotle's
>> age requirement - and it shows up in insights, discussion, debates,
>> dialogue, etc. that are that much richer for it.
>>
>> In all events - yes, kudos and great thanks, Paul!
>> - c.
>>
>> On 04/02/2019 05:32, Paul wrote:
>>> Charles,
>>>    I would like to claim partial credit for spurring your excellent
>>> response. ;)
>>>   Paul
>>
>> -- 
>> Professor in Media Studies
>> Department of Media and Communication
>> University of Oslo
>> 
>>
>> Postboks 1093
>> Blindern 0317
>> Oslo, Norway
>> c.m@media.uio.no
>> -- 
>> Liberationtech is public & archives are searchable from any major
>> commercial search engine. Violations of list guidelines will get you
>> moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>> Unsubscribe, change to digest mode, or change password by emailing
>> liberationtech-ow...@lists.stanford.edu.
> 


-- 
===
R. R. Brooks

Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA

Tel.   864-656-0920
Fax.   864-656-5910
Voicemail: 864-986-0813
email: r...@acm.org
web:   http://www.clemson.edu/~rrb
PGP:   48EC1E30

Re: [liberationtech] [cpsr-activists] CPSR Curriculum?

2019-02-03 Thread Richard Brooks
On 2/3/19 1:26 AM, Paul wrote:
> Is there any evidence, or even anecdotes, suggesting that ethics courses
> (in any form) work to make people act more ethically?  

Main issue that I would see is how you measure ethics. Psychology
studies seem to lack reproducibility.

>      I can see that someone who was already ethical might find something
> they had missed, but it's hard for me (admittedly a cynical person) to
> imagine that an ethics course can make someone ethical, any more than
> one could expect an "empathy" course to make people empathetic.
>   Paul
> 

In courses I taught that touch on ethics, I feel that it has
made some impact. I notice that the position of students coming
in tends to be:

"We won't do anything unethical, because we are good people."

Which is not what you want. I think I get them to at least think
of the possible, including unintended, consequences of their
actions. That may be the best you can do.

A good text is: "The Case of the Killer Robot" it has lots of
cases it presents with no clear answers and possible legal
liability. Probably for a large segment of the population
ethical activity is mainly trying to avoid litigation.

Am concerned about autonomous systems ethics having devolved into
a repeat of the trolley problems. In discussion with automotive
companies, they tell me their answer: "Autonomous vehicle needs
to save the life of the owner. Otherwise no one will buy the cars."

Re: [liberationtech] [cpsr-activists] CPSR Curriculum?

2019-02-01 Thread Richard Brooks
> But I wonder what the pedagogical research literature says about the
> best way to teach ethics? I'm data-driven, so I'd rather see empirical
> evidence guide educational policy or someone conduct a study to assess
> the best course of action.

I doubt that you could come up with an empirical measure of ethics.

Reminds me of a proposal I wrote for an ethics course to NSF.
My proposed course looked at the economics of the industry, as
pointed out by Ross Anderson, that the market rewards bad
and insecure software. This means that structurally it is
almost impossible to be ethical and survive. The course included
finding regulatory and market modifications that would support
producing secure systems and economic survival.

I find something wrong with a system that supports making
insecure products.

My course proposal was turned down. My favorite review
of the proposal said it is wrong to combine ethics and
economics.

We should teach them to do the ethical thing, especially
when it means that they will go bankrupt.



Re: [liberationtech] [cpsr-activists] CPSR Curriculum?

2019-02-01 Thread RICHARD BROOKS
ABET accreditation requirements include ethics and some type of
contemporary issues awareness. This has to be addressed in the curriculum
in at least one course.

This can be, does not have to be, a separate course. It can be more
effective as part of another course.

To be accredited, the department has to show the accreditation authorities
that this requirement is fulfilled.

On 5:02AM, Fri, Feb 1, 2019 Daniel Bosk wrote:
> On Thu 31 Jan 2019 21:28:53 GMT, Doug Schuler wrote:
> > I had been talking to Dick Sclove about this recently and he said that
> > adding ethics or social responsibility as a class that graduates had to
> > take was essentially a bad idea. Louis Bucciarelli  apparently was using
> > this in the engineering department at MIT.
> >
> > I wonder if this approach is being taken in any other CS departments.
>
> Not as a class. But it's definitely part of the courses in a programme.
> For instance, I start my Computer Security course with a seminar on such
> a topic. Instruction here:
>
>
> https://github.com/OpenSecEd/ethics/releases/download/v1.1/security-society-seminar.pdf
>
> This is actually motivated by the Swedish Qualifications Ordinance [1],
> which regulates requirements for academic degrees in Sweden. Already at
> Bachelor level we have:
>
>   For a Degree of Bachelor the student shall
>
>   - demonstrate the ability to make assessments in the main field of
> study informed by relevant disciplinary, social and ethical issues
>
>   - demonstrate insight into the role of knowledge in society and the
> responsibility of the individual for how it is used
>
>   [...]
>
>   For a Degree of Bachelor of Science in Engineering the student shall
>
>   - demonstrate the ability to make assessments informed by relevant
> disciplinary, social and ethical aspects
>
>   - demonstrate insight into the possibilities and limitations of
> technology, its role in society and the responsibility of the
> individual for how it is used, including social and economic aspects
> as well as environmental and occupational health and safety aspects,
>
> And then it increases the requirements for Masters and PhDs.
>
> [1]:
> https://www.uhr.se/en/start/laws-and-regulations/Laws-and-regulations/The-Higher-Education-Ordinance/Annex-2/
>
> > On Thu, Jan 31, 2019 at 8:55 PM Paul (via cpsr-activists list)
> >  wrote:
> >
> > > speaking of curriculum:
> > > Harvard works to embed ethics in computer science curriculum – Harvard
> > > Gazette
> > >
> > >
> https://news.harvard.edu/gazette/story/2019/01/harvard-works-to-embed-ethics-in-computer-science-curriculum/
> > >
> > > On Thu, Jan 31, 2019 at 8:01 PM Yosem Companys (via cpsr-activists
> list)
> > >  wrote:
> > >
> > >> Wow, I'd love to see that, even if for historical reasons...
> > >>
> > >> On Wed, Jan 30, 2019 at 6:33 PM Jeff Johnson (via cpsr-activists list)
> > >>  wrote:
> > >>
> > >>> CPSR Folks,
> > >>>
> > >>> I seem to recall that educators in CPSR developed a “Socially
> > >>> Responsible Computing” curriculum for college courses.  Am I
> remembering
> > >>> correctly?  If so, please refresh my memory, or point me to anything
> online
> > >>> about it.  Of course, it probably is decades old.
> > >>>
> > >>> Thanks,
> > >>> Jeff Johnson
> > >>> 

Re: [liberationtech] Facebook Asks - Hard Questions: Social Media and Democracy

2018-01-23 Thread Richard Brooks
>> Should it allow antifa? Should it include racists?
> 
> If the rules of the discursive process are sufficiently
> well defined, then everyone is inhibited from causing
> damage or bringing forward opinions that aren't compatible
> with previous fundamental decisions such as human rights
> etc. To ensure that rules are respected you need
> moderators and to ensure that moderators aren't abusing
> their powers you need judges. That's what it takes to
> really have online democracy - simplifications may fail.
> 
You are begging the question. Who makes those rules?
If it is the majority, then 50 years ago gay speech
(let alone transgender) would have been suppressed.

How do you deal with the tyranny of the majority?
And the heckler's veto? Are pro-nazi statements
permitted (in the US, yes. In Germany with a
constitution written in large part by the US,
no.)

Saying that it is possible to define a set of rules,
ignores the issue of who defines the rules and
how minority rights are protected.

And allowing a majority mob-rule is not an answer,
either.


Re: [liberationtech] Facebook Asks - Hard Questions: Social Media and Democracy

2018-01-22 Thread Richard Brooks
> 
> You can have all the apps and Internet fun you like, but to
> betray democracy must be technically impossible. Such an
> abuse-resistant Internet is possible. Society has to care
> and to regulate.
> 

A general concern should be who does the regulation and
to what ends? The UN is questionable, since the majority
of its members are autocrats. The non-autocrats are
typically controlled by the large corporations.

I think the question of how to have a globally open
forum for legitimate discourse is probably unsolvable,
since I do not think we can have a consensus on what
"legitimate discourse" is.

Should it allow antifa? Should it include racists?
How do you fact check? If you exclude antifa and
racists (I am not drawing an equivalency here, I
am just citing groups that would be likely to
be excluded), wouldn't you be excluding the
dissatisfied groups that are disturbing democratic
norms?

I wonder, honestly, if an abuse resistant platform
is possible. Also, I wonder if it would be desirable.

And, I have no good answers to any of these questions.


Re: [liberationtech] Decentralization

2017-02-07 Thread Richard Brooks
On the other hand, why are they using gmail?

Our university outsourced email to Google. They
keep software up to date, handle the security, provide
convenient cloud access (I personally dislike
their GUIs),  etc. For our university, this decision
probably did make our email traffic more secure
as well.

I am not wild about the decision our university
made, but for most users using Gmail is probably
the more reasonable and secure choice. Not the
choice that I would make for myself. Being spied
on bothers me.

But, if you want to have the broad base of users
move elsewhere, you need to address the clear
advantages that Gmail provides.

Political, social, and economics arguments will not
convince most people.

On 02/07/2017 07:06 AM, Andrés Pacheco wrote:
> Signore Camozzo hit the nail on the head, twice. So then I have to draw the 
> proper conclusion...
> 
> 1. We need concerted action to set non-proprietary communication standards at 
> the application level, much like the TCP-IP Protocols did for the lower 
> layer(s)
> 
> 2. This action HAS to be POLITICAL, since it's not just a matter of devising 
> technical standards, but to have them ADOPTED by the majority. We need the 
> 75% of his email correspondents to not use proprietary email platforms (and 
> so forth and so on, and including me and this email itself!)
> 
> Ergo, it is at best naive trying to separate "Technology" from "Politics:" 
> all Technology is Political, and ignoring this only rubber stamps the 
> technology of the proprietary powers that be.
> 
> Not by chance it's Technology companies at the top of the "most valuable 
> company of the world" food chain: Google and Apple. If that's not a political 
> statement, then what is? Where is "the swamp?"
> 
> Regards | Saludos,
> 
> Andrés Leopoldo Pacheco Sanfuentes
> 
> 
>> On Feb 7, 2017, at 5:34 AM, Alberto Cammozzo  wrote:
>>
>> So far so good, but what is it all for? ~75% of my email correspondents
>> use Gmail ...
>> You can't decentralize alone...
>> We need to fix this quickly or the information revolution will be lost
>> and archived as an annex of the industrial revolution.



Re: [liberationtech] E-Voting

2016-12-07 Thread Richard Brooks
With all these discussions too often vote selling
is overlooked. If I can vote from an insecure location,
I can vote in front of someone paying me $100 to
vote as they want.

On 12/07/2016 09:24 AM, Rich Kulawiec wrote:
> On Fri, Dec 02, 2016 at 02:26:49PM -0500, Andres wrote:
>> Rich, the article you link to talks about the risk of one individual voting 
>> machine being tampered with.
> 
> I think you missed the point Schneier was making.  It's NOT about one
> individual voting machine, it's about attacker budgets.  Look at the
> big picture, not the small one he used to illustrate the point.
> 
> An attacker with a $100M budget (a conservative estimate in 2004, now
> clearly only a fraction of that available) isn't going to use it to
> attack just one voting machine: that'd be a poor return on investment.
> A 2016 attacker, who could have a budget an order of magnitude larger,
> would likely attack in a systemic, distributed -- and subtle -- fashion.
> 
>> When voting online you can use any hardware (PC, Mac, Linux, iPhone
>> or Android phone, public or private) to vote and later verify your vote.
> 
> That last part ("...later verify your vote") disqualifies the system
> from use.  This is a well-known problem with election systems (electronic
> or otherwise): if you can verify your vote at some later point, then
> so can someone else.  And if someone else can verify your vote, then
> you can be induced (willingly or otherwise) to vote as directed.
> 
> And even if that's addressed, there's a massive problem with this approach,
> or ANY approach that allows voters to use their own computing systems.
> End-user systems are compromised in enormous numbers.  This is a well-known
> problem that's been discussed at length for much of this century, e.g.:
> 
>   Vint Cerf: one quarter of all computers part of a botnet
>   
> http://arstechnica.com/news.ars/post/20070125-8707.html
>  
> 
> When Cerf made that estimate, I thought -- based on my own research and
> consultation with others doing similar work -- that it was too high by
> perhaps 25% to 50%.  With the benefit of hindsight, I think he was right
> and I was wrong.  Given the passage of time since then, the numbers are
> undoubtedly far higher.  (Doubly so since nothing truly effective has
> been done to reduce them or even slow down the growth rate, and many
> things have happened to make the situation much, much worse.)  I suspect
> that the number of compromised systems is probably ten times what it was
> ten years ago and no doubt the mass deployment of IoT devices with horrible
> (or no) security will make this even worse.  And if various governments
> are successful in forcing vendors to build in backdoors, it will get
> MUCH worse in a big hurry.
> 
> Why does this matter?  Because (as I've said ad nauseam) if someone else
> can run arbitrary code on your computer, it's not YOUR computer any more.
> 
> If your phone is compromised, and you use it to vote, and you later
> use that phone to verify that your vote was cast as you think it was,
> how do you know that what you're seeing on the screen is correct?
> Why couldn't the same malware that redirected your vote from candidate
> A to candidate B also show you that you voted for candidate A?  (That isn't
> a particularly challenging software problem given that the former has
> been solved.)
> 
> Remember: it's not your phone any more.  It's theirs.  You may walk
> around with it, you may use it, but you don't own it.  Not any more.
> So why would you expect someone else's phone to behave as you think
> or believe or want it to?
> 
> Does that malware exist?  I don't know.  But I do know that if a
> sizable enough population starts using their phones to vote, it WILL
> exist, because it will become worth someone's effort.  (And by the way:
> this will require far less than even the small $100M budget from 2004.)
> 
> Substitute "tablet" or "laptop" or "smart home IoT device" or "desktop"
> or whatever without loss of generality for "phone". 
> 
> Any voting system which allows voters to use their own computing devices
> is fatally flawed and must be dismissed, with prejudice, immediately.
> 
> ---rsk
> 



Re: [liberationtech] Gambia

2016-12-05 Thread Richard Brooks
Had not seen that. When Bill Clinton was elected in the US,
did they mention that he grew up in a trailer park?

It seems like the motivation for this type of story is
obvious, and sad. When one of the worst autocrats is
overthrown by democratic means, it should be big news.

On 12/05/2016 02:29 PM, Heather Leson wrote:
> Thanks for bringing up this topic.
> 
> Did you see this article from the Guardian
> 
> https://www.theguardian.com/commentisfree/2016/dec/05/gambia-argos-president-security-guard-adama-barrow
> 
> Heather
> 
> 
> Heather Leson
> heatherle...@gmail.com
> Twitter/skype: HeatherLeson
> Blog: textontechs.com
> 
> On Mon, Dec 5, 2016 at 8:28 PM, Richard Brooks <r...@g.clemson.edu> wrote:
> 
> Have not seen any discussion here on Gambia, where a surprise
> peaceful exchange of power seems to be taking place. The
> dictator cut off Internet and phone service during the
> election and yet has accepted that he lost the election.
> 
> A rare piece of good news.
> 
> 
> 
> 




[liberationtech] Gambia

2016-12-05 Thread Richard Brooks
Have not seen any discussion here on Gambia, where a surprise
peaceful exchange of power seems to be taking place. The
dictator cut off Internet and phone service during the
election and yet has accepted that he lost the election.

A rare piece of good news.


[liberationtech] Verification of censorship resistance

2016-11-18 Thread Richard Brooks
Am doing a prototype tool for avoiding network traffic
analysis. Does anyone have write ups on what national
firewalls are using to filter traffic?

There are the obvious DNS names, IP addresses, port numbers
and keywords in the traffic content.

What other header fields may be inspected?

If anyone had tech reports they could point me to, it
would be useful.

I want to subject our prototype to as thorough an analysis
as possible.

Thanks,

-Richard


Re: [liberationtech] E-Voting

2016-11-17 Thread Richard Brooks
I would agree. Also consider the numerous cases of
intentional network disruptions on the continent during voting
over the past year. It is predictable that this would become
a tool of voter suppression.

Oddly, though, mobile devices have been essential tools
in monitoring voting and mobilizing voters in recent years
in the same region.

It makes me wonder what the essential differences are between
these two applications that make the difference.

On 11/17/2016 08:11 AM, Patrick Kariuki wrote:
> Mobile voting in Africa is impractical. Even as an option, If people
> would start to lose their phones around the election period, the
> recovery effort involved in ensuring the service is available and the
> consequences thereafter, would be a potential legal and customer service
> nightmare.
> 
> 
> On Mon, Nov 14, 2016 at 4:57 PM, Zacharia Gichiriri wrote:
> 
> Hi, 
> 
> Are there any countries that have implemented a form of mobile
> voting? Is there any research on the potential, challenges and
> applicability of mobile voting? 
> Considering the explosive growth of mobile phones across Africa,
> would the use of mobile phones for elections (citizens voting
> through mobile phones) improve election outcomes and transparency? 
> 
> Best,
> -- 
> Zack. 
> 
> 




[liberationtech] The league of African cyber-activists for democracy

2015-09-25 Thread Richard Brooks
Here is their web page:

http://www.africtivistes.org/!/

It is (of course) in French. A very amazing community
of local activists, many with hands-on experience of
social activism putting democratic governments in place
for the first time.





[liberationtech] Sahel Spring

2015-09-17 Thread Richard Brooks
As a recap, about 1 year ago a popular uprising called Balai Citoyen:

https://en.wikipedia.org/wiki/Le_Balai_Citoyen

started by rappers and tech activists in Ouagadougou got
a lot of the population in the street to protest moves
by the President to prolong his 27 years in office.

Ouagadougou is the capital of Burkina Faso.

The military eventually asked the President to leave, and
a transition government was put in place. Elections were
planned for mid-October.

Yesterday, the presidential guard held the interim government
hostage and called off the elections. People close to the
ex-President are leading this action by part of the military.
Latest news:

http://uk.reuters.com/article/2015/09/17/uk-burkina-army-idUKKCN0RG28S20150917

The studio of one of Balai Citoyen's founders was under attack.
There is a curfew. Some dead protesters. Dozens wounded.

Calls for more protests.

Note that the Sahel Spring in Burkina Faso led to a number of
protest movements in Sub-Saharan Africa. Their actions led to
hope of democratic change.

The question is whether the combination of rappers and tech
activists can mobilize a large enough response to repel
this attack.


[liberationtech] On-line voting

2015-07-13 Thread Richard Brooks
As if made for each other:

ACM commentary on risks of on-line voting:

http://cacm.acm.org/blogs/blog-cacm/185174-computer-security-and-the-risks-of-online-voting/fulltext

Commercial trade press saying that
Just five years ago, the debate about Internet voting was dominated by
classically, appropriately paranoid security professionals saying we
shouldn't go down this path,

http://www.networkworld.com/article/2946689/security/internet-voting-not-ready-yet-but-can-be-made-more-secure.html

Trade press is based entirely on info commissioned by the U.S. Vote
Foundation, an organization that helps U.S. residents vote.

Presentation with good info on security of voting systems:

https://www.youtube.com/watch?v=JY_pHvhE4os

Of course from a paranoid security professional.




[liberationtech] Goma DRC Web activism summit

2015-07-08 Thread Richard Brooks
Goma Web Activism Summit in the city that has become the hub of web
activism in #DRC twitter.com/arsenebaguma/s…

Re: [liberationtech] Burundi

2015-05-19 Thread Richard Brooks
From an informed acquaintance talking with people
on the ground:

No local journalists are allowed to cover the demonstrations and
foreign journalists have now too been banned from covering
demonstrations for their own safety.

This isn't a West Africa thing, but we see the same patterns repeating
themselves all over Francophone Africa. What is really new, whether in
Togo, Burundi or DR Congo is how well the regimes have learnt to
effectively block online news sites and social media applications
whenever there is an election in the air.


On 05/19/2015 01:00 PM, Brian Conley wrote:
> Yep, but they aren't technically offline. Yaga Burundi for example may
> not be posting regularly on their site, but they are coordinating online
> and members are posting via twitter and other means.
>
> With today's announcement that the President will not seek revenge but
> only prosecute those involved in the coup, individuals are cautiously
> hopeful, but we'll see what happens next.
>
> Also, I don't believe all those social media are still blocked, or
> perhaps they were unblocked during the coup and reblocked.
>
> Brian
>
> On Tue, May 19, 2015 at 1:27 AM, Eric S Johnson
> <cra...@oneotaslopes.org> wrote:
>
>> From a Burundi friend:
>>
>> “Bloggers are off line because of their physical security. On police
>> checkpoints they check phones, laptop,...
>> Police monitor what people are writing now.
>> Many well-known bloggers fled the country or are hidden for their
>> security.
>> 4 private media have been burnt and other forced to close!
>> I myself didn't reach Burundi. I am in Kigali.
>> Not imprisonment until now.
>> social media such as Face book, whatsapp, viber are blocked. People use
>> VPN”
>>
>> On May 18, 2015 7:19 AM, Richard Brooks <r...@g.clemson.edu> wrote:
>>
>>> We have noticed that Burundi bloggers are off-line. No
>>> doubt related to the President's crack down after the
>>> failed coup.
>>>
>>> Does anyone have any news as to whether this silence is
>>> due to:
>>> -Internet blackout?
>>> -Physical threat/imprisonment?
>>> -Fear?
>
> --
> Brian Conley
> Co-founder, Small World News
> http://smallworldnews.tv
> m: 646.285.2046
> Skype: brianjoelconley



-- 
===
R. R. Brooks

Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA

Tel.   864-656-0920
Fax.   864-656-5910
email: r...@acm.org
web:   http://www.clemson.edu/~rrb
PGP:   48EC1E30


[liberationtech] Burundi

2015-05-18 Thread Richard Brooks
We have noticed that Burundi bloggers are off-line. No
doubt related to the President's crack down after the
failed coup.

Does anyone have any news as to whether this silence is
due to:
-Internet blackout?
-Physical threat/imprisonment?
-Fear?


[liberationtech] Internet blackouts

2015-04-28 Thread Richard Brooks
Sources in Togo report an Internet blackout. Probably related to
expecting problems after reporting results from the recent election.

Sources in Burundi also expecting a blackout as a result of
ongoing pro-democracy protests.


[liberationtech] NPR debate on right to be forgotten

2015-03-20 Thread Richard Brooks
About 1 hour of audio

For right to be forgotten:
-Eurocrat
-U of Chicago Law Professor

Against:
-Former Google Exec
-Zittrain from Berkman Center, Harvard

Very reasoned and thoughtful discussion of privacy issues:

http://podcastdownload.npr.org/anon.npr-podcasts/podcast/510184/393751110/npr_393751110.mp3?orgId=1&e=393751110&d=3025&ft=pod&f=510184


Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-15 Thread Richard Brooks
Actually, you also need to have source code for the compilers
used and the compiler's compilers...

And that ignores the use of hardware trojans.

On 01/15/2015 12:29 PM, carlo von lynX wrote:
> On Thu, Jan 15, 2015 at 08:49:31AM -0800, Steve Weis wrote:
>> Note you said users will never know if e2e is being used, but as Moxie
>> says we'll be surfacing this into the UI of upgraded clients.
>
> There is a systemic legal problem by which neither Facebook, nor
> Whatsapp, nor Textsecure nor Moxie are in a position to guarantee
> that whatever is surfaced into the UI actually means what it says.
>
> Still, as long as these systems are operating from U.S. American
> ground, the current legal situation is such that the President of
> the U.S. has under the U.S. Constitution the sole and final power
> of deciding whether companies and individuals in these companies
> get to implement anything they would like to implement, or not. [1]
> And the services we have been hearing about a lot operate under
> direct executive mandate of the POTUS.
>
> So, I again express respect to Moxie and everyone involved for
> trying to improve the lives of everyday users, but I see a terrible
> risk in promoting any such technology considering the NSA's track
> record on making use of its given privileges. The chances this is
> actually happening can only be considered minimal.
>
> It would take millions of people running independently built
> clients from source code, and a credible procedure thereof - only
> then would a hindrance for the NSA exist to exercise its privileges.
>
> As we are by now familiar with its inner workings and strategies,
> the agency will intervene in the process early enough to impede
> anything like this from happening.
>
> Prove me wrong. Give us a way to reproduce the exact client millions
> of humans are relying on, from source code. And make that information
> arise to the UI surface. Then we will know that Whatsapp and TextSecure
> are doing the right thing, and we will have to continue worrying about
> Google and Apple (the NSA may choose to pick up the TextSecure ratchets
> or private keys via Android/iOS backdoors).
>
>
> [1] Caspar Bowden, 31c3,
> http://cdn.media.ccc.de/congress/2014/webm-sd/31c3-6195-en-The_Cloud_Conspiracy_2008-2014_webm-sd.webm.torrent




[liberationtech] The only way to fight censorship is

2015-01-12 Thread Richard Brooks
More censorship and surveillance:

http://www.zdnet.com/article/europes-answer-to-terror-attacks-on-free-speech-is-to-double-down-on-internet-censorship/#ftag=RSSbaffb68

<sarcasm>We can only defend freedom by killing it.<\sarcasm>


Re: [liberationtech] bulk sms

2015-01-01 Thread Richard Brooks
Which gateways have you used? Of particular interest
is sending to rather exotic destinations.

On 1/1/2015 4:15 PM, ITechGeek wrote:
> My preferred method is using email to sms gateways.
>
> On your side that becomes free (depending on how you send the emails).
> Most providers have a disclaimer of no guarantee of delivery via the
> gateways, but I have yet to lose an email that way.
>
> If mission critical, I would just use a service like Twilio which will
> charge per msg, but not hard to set-up.
>
> ---
> -ITG (ITechGeek)
> i...@itechgeek.com
> https://itg.nu/
> GPG Keys: https://itg.nu/contact/gpg-key
> Preferred GPG Key: Fingerprint: AB46B7E363DA7E04ABFA57852AA9910A DCB1191A
> Google Voice: +1-703-493-0128 / Twitter: ITechGeek / Facebook:
> http://fb.me/Jbwa.Net
>
> On Thu, Jan 1, 2015 at 11:57 AM, Eduardo Robles Elvira
> <edu...@agoravoting.com> wrote:
>
>> Hello:
>>
>> I have used multiple services. I currently use esendex as an SMS
>> sender provider, which is a Spanish company (I'm from Spain). We have
>> used other services. Some important facts:
>> * sending SMS to most of the countries costs the same
>> * if you don't care if some messages don't reach their destination or
>> take hours, then go for the cheapest provider. that's good for sending
>> publicity for example. On the other hand, if you do care about the SMS
>> reaching always to the destination, and if you want that to happen
>> fast, then find a quality provider. In my experience esendex is good
>> (they specialized in that, for example in sending sms authentication
>> codes), but there are probably other better providers in other
>> countries.
>> * the providers might be able to send 20-50 sms/second. You could
>> scale to do more by using multiple providers at the same time.
>>
>> There are other services specialised in sending SMS, Amazon for
>> example http://docs.aws.amazon.com/sns/latest/dg/SMSMessages.html
>> those I haven't used yet.
>>
>> Regards,
>> --
>> Eduardo Robles Elvira @edulix skype: edulix2
>> http://agoravoting.org   @agoravoting +34 634 571 634
>>
>> On Thu, Jan 1, 2015 at 5:41 PM, Richard Brooks <r...@g.clemson.edu> wrote:
>>> Anyone willing to share experiences on setting up
>>> (or using) an Internet to SMS interface...



[liberationtech] bulk sms

2015-01-01 Thread Richard Brooks
Anyone willing to share experiences on setting up
(or using) an Internet to SMS interface...



[liberationtech] mail2tor.com hidden service

2014-12-31 Thread Richard Brooks
Does anyone have any info about this hidden service?

I've been using it to set up temporary accounts to
exchange info as a pgp work-around for people having
trouble working with pgp keys. I assume the content
can be read by whoever runs the site, but they won't
know who I am.

If the other side uses the hidden service, too. The mails
can be read but the service won't know who either side is.

Any faults in this logic?



Re: [liberationtech] Update on African authoritarians

2014-12-31 Thread Richard Brooks
I don't have answers for that. I have some ideas, but without
the means to put it in place as of yet. I have seen a number
of project ideas, but not anything that seems to be ready
for prime time.

Another problem is that, for example, Gabon is surrounded by
people just as nasty as the regime in Gabon.

On 12/31/2014 05:50 PM, Collin Anderson wrote:
 
> On Wed, Dec 31, 2014 at 1:24 PM, Richard Brooks <r...@g.clemson.edu> wrote:
>
>> All of these countries have active blogger communities. One
>> common fear in these countries is a nationwide communications
>> (Internet, mobile, phone, etc.) black-out. These seem to
>> happen frequently at politically sensitive moments.
>
> Please share more on this, at least I have had an interest in
> political-timed infrastructure degradation
> <http://arxiv.org/abs/1306.4361> and I suspect others on this list do as
> well.
>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.




[liberationtech] Detekt

2014-11-20 Thread Richard Brooks
Any reviews/opinions of this:

https://resistsurveillance.org/


[liberationtech] Question EFF CA Let's Encrypt

2014-11-19 Thread Richard Brooks
Just looked at this:

https://letsencrypt.org/howitworks/technology/

The EFF's new CA to make things cheap and easy for
installing certs. I like the goal.

What I do not get from the description is how they
really verify that I legitimately own the site. If
I should manage to reroute some traffic and do
DNS cache poisoning on a web-site address, wouldn't
the system accept my web-site as valid? It seems like
they are accepting the fact that you can reach the
site using DNS information (which is not secured)
as proof of legitimacy.

Or is there something I am missing?


Re: [liberationtech] Question EFF CA Let's Encrypt

2014-11-19 Thread Richard Brooks
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

My question boils down to:

DNS (not DNSSEC) is unauthenticated, and a number
of spoofing, poisoning attacks have been shown. One
of the goals of the certs is to authenticate the
other end of the communications, but I get the
impression that this approach gives no extra verification
beyond the fact that DNS sent you to the site
at some point in time.

How does this provide more security than self-signed
certs?

If you do verification from multiple geographic locations,
that may be OK but still seems a bit dodgy.

I really like the goal, I feel like I must be missing
something here.


On 11/19/2014 12:41 PM, Joseph Lorenzo Hall wrote:
> Hopefully you've seen the developing description of the protocol here:
>
> https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md
>
> That sounds like it will soon make its way into IETF for a broader
> discussion. I don't see an explicit mechanism that can deal with
> poisoning, but it might be that they check a few independent network
> views of the record they're verifying.
>
> I'm CC'ing Richard who has done a lot of the thinking to date...
> Richard, not sure if you can post to libtech but happy to intermediate.
>
> best, Joe
>
> On 11/19/14, 10:13 AM, Richard Brooks wrote:
>> Just looked at this:
>>
>> https://letsencrypt.org/howitworks/technology/
>>
>> The EFF's new CA to make things cheap and easy for installing
>> certs. I like the goal.
>>
>> What I do not get from the description is how they really verify
>> that I legitimately own the site. If I should manage to reroute
>> some traffic and do DNS cache poisoning on a web-site address,
>> wouldn't the system accept my web-site as valid? It seems like they
>> are accepting the fact that you can reach the site using DNS
>> information (which is not secured) as proof of legitimacy.
>>
>> Or is there something I am missing?

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlRs2ZIACgkQEwFPdUjsHjCmbACffwHoqUwTCk5n+njJBUysaUc9
qjUAnRt9Jr341choZlT4dMYGDikKUOVR
=wqjy
-END PGP SIGNATURE-
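
The concern raised in this message and the "few independent network views" guess in the quoted reply, as an added example that is not from the thread or from Let's Encrypt: a small simulation of a hypothetical quorum policy for domain validation. The policy, the vantage-point names, the token and the addresses (documentation ranges) are all assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# All names, addresses and tokens below are constructed sample values.
DOMAIN = "site.example"
TOKEN = "constructed-challenge-token"
OWNER_IP = "198.51.100.7"   # where the real site lives
OTHER_IP = "203.0.113.66"   # where a poisoned DNS answer points


@dataclass(frozen=True)
class Vantage:
    """One validation location and its resolver's current answers."""
    name: str
    dns_view: dict


def probe(vantage, domain, web):
    """Resolve via this vantage point's resolver, then read the challenge body.

    `web` maps IP address -> body served at the challenge path; it stands in
    for the HTTP fetch a validator would make.
    """
    ip = vantage.dns_view.get(domain)
    return ip, web.get(ip)


def validate(vantages, domain, token, web, quorum):
    """Hypothetical policy: issue only if at least `quorum` vantage points saw
    the token AND all vantage points resolved the name to the same address."""
    probes = {v.name: probe(v, domain, web) for v in vantages}
    passed = sorted(name for name, (_, body) in probes.items() if body == token)
    addresses = Counter(ip for ip, _ in probes.values())
    consistent = len(addresses) == 1
    return {
        "issue": consistent and len(passed) >= quorum,
        "passed": passed,
        "consistent": consistent,
        "addresses": dict(addresses),
    }


def vantages_from(views):
    """Build vantage points from a {name: resolved address} mapping."""
    return [Vantage(name, {DOMAIN: ip}) for name, ip in views.items()]


def scenario_owner():
    """The real operator publishes the token; every resolver agrees."""
    web = {OWNER_IP: TOKEN}
    views = {"us": OWNER_IP, "eu": OWNER_IP, "asia": OWNER_IP}
    return validate(vantages_from(views), DOMAIN, TOKEN, web, quorum=3)


def scenario_one_poisoned_cache():
    """One resolver cache holds a wrong answer; the others are correct.

    Returns (single-vantage result, three-vantage result).
    """
    web = {OWNER_IP: "ordinary home page", OTHER_IP: TOKEN}
    single = validate(vantages_from({"us": OTHER_IP}), DOMAIN, TOKEN, web, quorum=1)
    views = {"us": OTHER_IP, "eu": OWNER_IP, "asia": OWNER_IP}
    multi = validate(vantages_from(views), DOMAIN, TOKEN, web, quorum=3)
    return single, multi


def scenario_every_view_wrong():
    """The wrong answer is visible from everywhere (e.g. the zone was changed).

    Vantage diversity cannot help here, which is the residual risk the
    message calls "a bit dodgy".
    """
    web = {OWNER_IP: "ordinary home page", OTHER_IP: TOKEN}
    views = {"us": OTHER_IP, "eu": OTHER_IP, "asia": OTHER_IP}
    return validate(vantages_from(views), DOMAIN, TOKEN, web, quorum=3)


if __name__ == "__main__":
    print("owner:", scenario_owner())
    single, multi = scenario_one_poisoned_cache()
    print("one poisoned cache, single vantage:", single)
    print("one poisoned cache, three vantages:", multi)
    print("every view wrong:", scenario_every_view_wrong())
```
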


[liberationtech] Burkina Faso

2014-10-31 Thread Richard Brooks
Interesting article on events in Burkina Faso and
social media:

http://www.jeuneafrique.com/Article/ARTJAWEB20141031144747/


[liberationtech] Accountability

2014-09-18 Thread Richard Brooks
In a serious publication (Communications of the ACM), researchers
from ETH in Zurich explain that cybersecurity becomes
easier, if only we make everyone accountable by making
the infrastructure indelibly track every packet:

http://cacm.acm.org/magazines/2014/9/177943-accountability-in-future-internet-architectures/fulltext

What a brilliant idea. While we are at it, we could install
videocameras in every home that tell participants they are
being watched. Bentham's Panopticon personified.

-Richard



Re: [liberationtech] Accountability

2014-09-18 Thread Richard Brooks
On 09/18/2014 02:15 PM, Richard Brooks wrote:
> In a serious publication (Communications of the ACM), researchers
> from ETH in Zurich explain that cybersecurity becomes
> easier, if only we make everyone accountable by making
> the infrastructure indelibly track every packet:
>
> http://cacm.acm.org/magazines/2014/9/177943-accountability-in-future-internet-architectures/fulltext
>
> What a brilliant idea. While we are at it, we could install
> videocameras in every home that tell participants they are
> being watched. Bentham's Panopticon personified.
>
> -Richard

Excuse me. Full text follows.


LAW AND TECHNOLOGY
Accountability in Future Internet Architectures
By Stefan Bechtold, Adrian Perrig
Communications of the ACM, Vol. 57 No. 9, Pages 21-23
10.1145/2644146

When the Internet architecture was designed some 40 years ago, its
architects focused on the challenges of the time. These included the
creation of a distributed communication network that is robust against
packet loss and other network failures; support across multiple types of
networks and communication services; and the management of Internet
resources in a cost-effective and distributed way. As history has shown,
the Internet's architects succeeded on many dimensions. The phenomenal
success of the Internet has often been attributed to its basic
architectural principles.

As the uses of the Internet have expanded beyond the original creators'
wildest dreams, its protocols have been stretched to accommodate new
usage models, such as mobile, video, real-time, and security-sensitive
applications. A string of extensions has resulted in an infrastructure
that has increasingly become ossified due to the numerous constraints
each extension introduces, in turn complicating further extensions.
These challenges have prompted researchers to rethink architectural
principles, thereby engaging in visionary thinking about what a future
Internet architecture, which should last for many decades, should look like.

One important dimension of clean-slate Internet architecture proposals
is to rethink the role of accountability. The general idea is that
accountability for one's actions would enable identification of the
offender, making it possible to either defend oneself against
misbehavior or deter it altogether. It is therefore natural to consider
accountability as a way of addressing network attacks, ranging from
route hijacking, to various kinds of network denial-of-service attacks
and remote exploitation of host vulnerabilities. Increased
accountability could not only address some of the technical shortcomings
of the current Internet architecture. It could also enable various
partly legal solutions to problems which, to date, have not been solved
by purely technical means.

In recent years, security incidents have repeatedly stressed the need
for accountability mechanisms. We highlight the use of accountability to
address the hijacking of Internet traffic routing by altering or
deleting authorized Border Gateway Protocol (BGP) routes. In 2008,
YouTube became globally unreachable after a Pakistani Internet service
provider (ISP) altered a route in an attempt to block YouTube access in
Pakistan. In 2013, the network intelligence firm Renesys documented that
traffic routes from Mexico to Washington, D.C., and from Denver to
Denver had been rerouted via Belarus and Iceland. In March 2014,
Google's Public Domain Name System (DNS) server, which handles
approximately 150 billion queries a day, had its IP address hijacked for
22 minutes. During this time, millions of Internet users were redirected
to British Telecom's Latin America division in Venezuela and Brazil.
Such rerouting, whether deliberate or not, abuses the implicit trust
enshrined in the BGP routing protocol. Traffic rerouting is often
difficult to detect for both Internet users and network operators. It
can be used for a wide range of attacks. Despite the introduction of
BGPSEC (a security protocol that promises to stop hijacking attacks),
accountability—which makes it possible for an attacker to be identified,
sued, and prosecuted—may prove a better solution to the hijacking problem.

Another example where accountability matters is the network neutrality
debate. Insufficient accountability mechanisms in today's Internet
prevent consumers from finding out why their access to particular
services has been blocked or slowed down. Is today's access to Hulu slow
due to technical problems at Hulu's servers, due to delays somewhere in
the network, or due to bandwidth limitations between your ISP and your
home network? It is difficult to determine. More generally, if a
technical architecture does not provide means for users to monitor
whether service providers keep their promises with regard to service
quality and features, service providers may have insufficient incentives
to actually keep their promises.

An architecture that leaves loopholes in legal

[liberationtech] Interesting intercept article.

2014-09-03 Thread Richard Brooks
List of supporters caught my eye:

https://firstlook.org/theintercept/2014/09/02/obama-12333-surveillance-nsa-rights-groups-letter/




Re: [liberationtech] Time validation for 2-step verification codes

2014-08-27 Thread Richard Brooks
Botnet in the mobile (BITM) like Zeus in the mobile (ZITM)
usually gets around 2-step verification by tricking people
to install malware on their Android that intercepts SMS.

Can also be done by tricking the system to SMS another device
(done lately to attack German banks).

On 08/27/2014 11:29 AM, Amin Sabeti wrote:
> Hi,
>
> Recently, a bunch of Iranian journalists/activists have been targeted
> by Iranian hackers.
>
> Some of them said their 2-step verification was active during the attack
> but hacker could reuse the code that was sent by Google via SMS and passed
> 2-step verification!
>
> I was wondering if some folks here know the validation time for the
> 2-step verification code that users receive through SMS not the app.
>
> Cheers,
>
> Amin




[liberationtech] Does the White House’s cybersecurity czar need to be a coder? He says no.

2014-08-25 Thread Richard Brooks
Lack of technical expertise is apparently a plus in the world
of federal cybersecurity:

http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/22/does-the-white-houses-cybersecurity-czar-need-to-be-a-coder-he-says-no/



[liberationtech] Man convicted of using skype

2014-07-29 Thread Richard Brooks
Gambia -- finds man guilty of broadcasting without a
license, because he used skype:

http://standard.gm/site/news/4297-UDP-pays-Lasana-Jobartehs-court-fine-says-they-will-appeal.html



Re: [liberationtech] Foxacid payload

2014-07-17 Thread Richard Brooks
On 07/17/2014 05:57 PM, Griffin Boyce wrote:
> Andy Isaacson wrote:
>>> this is exactly why some who have received these payloads are
>>> sitting on them, rather than disclosing.
>>
>> Hmmm, that seems pretty antisocial and shortsighted.  While the
>> pool of bugs is large, it is finite.  Get bugs fixed and get
>> developers to write fewer bugs going forward, and we'll rapidly
>> deplete the pool of 0day and drive up the cost of FOXACID style
>> deployments.
>>
>> Forcing deployments to move to more interesting bugs will also
>> give insight into IAs' exploit sourcing methodologies.
>
>   Solidarity is really important here.  Increased security for those
> who actively set honeytraps doesn't really scale at all, and most
> people will never reap the rewards of this work. =/  Forcing the
> government and defense contractors to burn through 0day at a high rate
> is far, FAR better than coming across one or two on your own and
> hiding it.  These backdoors need to be revealed if we're to protect
> ourselves.
>
>   Let's sunburn these motherfuckers.

You are forgetting moral hazard.

Why are there so many bugs? The laws relieve software manufacturers
of liability for the flaws of their programs. It is cheaper to
let clients do the testing for you.

If a 3rd party like Google takes over the software testing for
free, there is even less incentive to make the slightest effort
to test pre-release software and make non-faulty products.

You will not exterminate all the bugs, you will give the bug
makers (software manufacturers) more incentive to flood the
world with faulty products.

Which I think is why the open source/free products are more reliable
than the commercial ones. The economic incentives are to build
crap quickly. If you are not doing the work for profit motives,
you can afford to make a decent product.





[liberationtech] vxheavens.com

2014-07-15 Thread Richard Brooks
The Vx Heaven security education website had been taken
down a year or so ago by the Ukrainian authorities for
allegedly encouraging cybercrime. Early this year it
came back up. I don't know where.

Interestingly, this week or last the vxheaven.org site
stopped working and now you get ads from DNS vendors.
But vxheavens.com works on Tor, Firefox and chromium.
Chrome seems to just ignore the name.

Any ideas as to what is going on? Is Google just dropping
security related information sources?





Re: [liberationtech] vxheavens.com

2014-07-15 Thread Richard Brooks
No. My question was why vxheavens.com works on Firefox, Chromium
and Tor Browser, but not in Chrome.

I realized that they let the .org address lapse.

Is chrome filtering it out?

On 7/15/2014 8:09 PM, Collin Anderson wrote:
> It's more simple, vxheaven.org <http://vxheaven.org> has not been
> renewed and is parked by its registry until the grace period lapses.
>
> Domain Name: VXHEAVEN.ORG
> Domain ID: D169115535-LROR
> Creation Date: 2013-07-03T09:40:49Z
> Updated Date: 2014-07-10T06:33:44Z
> Registry Expiry Date: 2015-07-03T09:40:49Z
> Sponsoring Registrar: Bizcn.com, Inc. (R1248-LROR)
>
> vxheavens.com <http://vxheavens.com> appears to be better maintained
> and registered for a while.
>
>
> On Tue, Jul 15, 2014 at 9:04 PM, Richard Brooks <r...@g.clemson.edu> wrote:
>
>> The Vx Heaven security education website had been taken
>> down a year or so ago by the Ukrainian authorities for
>> allegedly encouraging cybercrime. Early this year it
>> came back up. I don't know where.
>>
>> Interestingly, this week or last the vxheaven.org
>> <http://vxheaven.org> site
>> stopped working and now you get ads from DNS vendors.
>> But vxheavens.com <http://vxheavens.com> works on Tor, Firefox and
>> chromium.
>> Chrome seems to just ignore the name.
>>
>> Any ideas as to what is going on? Is Google just dropping
>> security related information sources?
>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.




[liberationtech] Allegedly secure email service

2014-07-11 Thread Richard Brooks
Just saw this:

https://protonmail.ch/

purports to be a secure email service. Did not look at it in
detail. Would be curious about critiques.



[liberationtech] Breaking Tor for $3K

2014-07-07 Thread Richard Brooks
See:

https://www.blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget

Sounds like hype to me. Anyone else have an opinion?



[liberationtech] Sanna Camara - Gambia

2014-07-03 Thread Richard Brooks
The problems of Sanna Camara in Gambia:

http://www.internetsansfrontieres.org/Gambie-arrestation-et-inculpation-d-un-correspondant-d-Internet-Sans-Frontieres-une-attaque-intolerable-contre-la_a542.html

We put together a hashtag #FreeSanna on Twitter. The Gambian
government seems to be prosecuting him for reporting on child
sex trafficking in Gambia.

The hope at the moment is that publicity and a social media
campaign could help him. Last year the twitter storm about
Makaila Nguebla when he was expelled from various countries
in West Africa Senegal helped him get political asylum in
France, rather than being repatriated to Chad.

Sanna is a journalist in Gambia. He is active on-line and has
provided information about Gambia blocking Viber and access
to Tor downloads.

-Richard



[liberationtech] Report on NSA targeting Tor users in Germany

2014-07-03 Thread Richard Brooks
See:

http://www.sueddeutsche.de/digital/internet-ueberwachung-nsa-soll-deutschen-tor-nutzer-ausspioniert-haben-1.2029100



[liberationtech] Gambian journalist in jail

2014-06-30 Thread Richard Brooks
The author of:

http://standard.gm/site/news/4063-Police-admit-problems-with-human-trafficking.html

Was arrested yesterday. Is currently out on bail. He risks jail time,
at least six months, and at least US$105 000 fine. This is
under Gambia's recent information laws making it criminal to
insult the government.

It appears that his quoting the police spokesman is one of the
things the government objects to.

Any help that could be provided would be welcome. The Gambian
government is particularly bad with respect to press freedom.






[liberationtech] More (in French) about arrest of Gambian journalist

2014-06-30 Thread Richard Brooks
See:

http://www.internetsansfrontieres.org/Gambie-arrestation-et-inculpation-d-un-correspondant-d-Internet-Sans-Frontieres-une-attaque-intolerable-contre-la_a542.html

He also helped provide more information about Gambia blocking Viber.

Gambia also blocks downloading Tor, but not using Tor. (This is from
people on the ground.)



[liberationtech] Whitehouse.gov request for inputs on big data and privacy.

2014-03-21 Thread Richard Brooks
The President's review of big data and privacy

In January, President Obama spoke about changes in the technology we use
for national security purposes, and what they mean for our privacy broadly.

He launched a 90-day review of big data and privacy: how they affect the
way we live, and the way we work -- and how data is being used by
universities, the private sector, and the government.

As part of that review, we've already heard from leading privacy
advocates and industry leaders, among others.

But this is a conversation that affects all Americans, and we want to
make sure you have a chance to be a part of it. We want your input.

Take a moment to tell us what you think about big data, privacy, and
what it means to you.

http://www.whitehouse.gov/issues/technology/big-data-review



[liberationtech] Survey - population in 22 out of 24 countries worried about government online surveillance

2014-03-19 Thread Richard Brooks


http://www.theguardian.com/technology/2014/mar/19/internet-censorship-emerging-countries-pew



[liberationtech] Italian student researching Iranian censorship.

2014-02-28 Thread Richard Brooks
This journalist is writing a thesis on Iranian
Censorship at the University of Bologna:

lisaviolaro...@gmail.com

She would appreciate information on the topic from
people actively working on this problem. If you want
to help her, please contact her directly.



Re: [liberationtech] 13 years in the making...

2014-01-02 Thread Richard Brooks
My understanding is that, in urban environments, it is very difficult to
identify the exact location of wireless signals. There is a pirate
low-power FM station in DC within blocks of the FCC. It has been
broadcasting for years, no one has been able to find it. This is due to
multi-path fading of the signals. You could localize it within a certain
region, but the exact position is hard to find.

This is from talking to people active in this space. It would be
important to hide the antennas.

Not sure how this is with 802.11 and such. They were using FM.

On 01/02/2014 09:16 AM, Petter Ericson wrote:
 Wireless communication is inherently about transmitting and receiving radio
 waves, and triangulating any omnidirectional radiation source is relatively
 easy. So the answer is yes, assuming they have agents in close enough
 proximity and using the correct tools.
 
 A big thanks to the Commotion team, your work has been very useful to me
 personally in making localised meshes in my neighbourhood.
 
 Happy new year
 
 /P
 
 On 02 January, 2014 - S.Aliakbar Mousavi wrote:
 
 Dear Sascha,

 Happy new year too.
 Thanks for informing us.

 Before sending to the Iranian users I want to make sure about its
 security. You mentioned Commotion V1.0 is safe. *Can Iranian government
 find the location of users by triangulating it or so?*

 Best,
 Aliakbar




 On 31 December 2013 15:02, Sascha Meinrath sas...@ucimc.org wrote:

 Hi all,

 Commotion v1.0 is out!  Helping spread safe, secure, ubiquitous wireless
 connectivity for all:  http://www.newamerica.org/node/99668

 We've come such a helluva long way from our humble Y2K beginnings of a
 group of
 hackers meeting up in my living room... But, as Samuel Johnson once said,
 Great
 works are performed not by strength but by perseverance (that and an
 incredibly
 talented and dedicated team ;).

 Now we just need to spread the word to all our Internet Freedom-loving
 peeps.

 Happy New Year!!!

 --Sascha






 -- 
 S.Aliakbar Mousavi
 
 
 



[liberationtech] Assange message to CCC sabotaged

2013-12-31 Thread Richard Brooks
The Sueddeutsche Zeitung seems to think his speech
was disrupted as a type of feminist protest

http://sz.de/1.1853271




Re: [liberationtech] Assange message to CCC sabotaged

2013-12-31 Thread Richard Brooks
Who knows.

On 12/31/2013 09:59 AM, andreas.ba...@nachtpult.de wrote:
 Felix von Leitner says that it's not like that, check his blog at 
 blog.fefe.de :)
 -Original Message-
 From: Richard Brooks r...@acm.org
 Sender: liberationtech-boun...@lists.stanford.edu
 Date: Tue, 31 Dec 2013 09:54:56 
 To: liberationtechliberationtech@lists.stanford.edu
 Reply-To: liberationtech liberationtech@lists.stanford.edu
 Subject: [liberationtech] Assange message to CCC sabotaged
 
 The Sueddeutsche Zeitung seems to think his speech
 was disrupted as a type of feminist protest
 
 http://sz.de/1.1853271
 
 


-- 
===
R. R. Brooks

Associate Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA

Tel.   864-656-0920
Fax.   864-656-5910
email: r...@acm.org
web:   http://www.clemson.edu/~rrb



Re: [liberationtech] Export Control of Intrusion Software

2013-12-13 Thread Richard Brooks
Some clarifications on the Wassenaar update:

http://www.lexology.com/library/detail.aspx?g=f642284a-03b0-4767-9c93-30a3407041cc

It seems that it is meant to be narrowly aimed at
snooping tools, and not at counter snooping tools.

On 12/10/2013 03:50 AM, Fabio Pietrosanti (naif) wrote:
 This email to note that the Wassenaar Agreement has been updated to
 include Intrusion Software in the export controlled goods.
 
 See page 209:
 http://www.wassenaar.org/controllists/2013/WA-LIST%20%2813%29%201/WA-LIST%20%2813%29%201.pdf
 
 Intrusion software
 Software specially designed or modified to avoid detection by
 'monitoring tools', or to defeat 'protective countermeasures', of a
 computer or network- capable device, and performing any of the following:
 a. The extraction of data or information, from a computer or network-
 capable device, or the modification of system or user data; or
 b. The modification of the standard execution path of a program or
 process in order to allow the execution of externally provided
 instructions.
 
 Notes
 1. Intrusion software does not include any of the following:
  a. Hypervisors, debuggers or Software Reverse Engineering (SRE) tools;
  b. Digital Rights Management (DRM) software; or
  c. Software designed to be installed by manufacturers, administrators
 or users, for the purposes of asset tracking or recovery.
 
 2. Network-capable devices include mobile devices and smart meters.
 
 Technical Notes
 
 1. 'Monitoring tools': software or hardware devices, that monitor
 system behaviours or processes running on a device. This includes
 antivirus (AV) products, end point security products, Personal Security
 Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention
 Systems (IPS) or firewalls.
 2. 'Protective countermeasures': techniques designed to ensure the safe
 execution of code, such as Data Execution Prevention (DEP), Address
 Space Layout Randomisation (ASLR) or sandboxing
 
 -- 
 Fabio Pietrosanti (naif)
 HERMES - Center for Transparency and Digital Human Rights
 http://logioshermes.org - http://globaleaks.org - http://tor2web.org
 
 
 





Re: [liberationtech] [guardian-dev] Changing MAC addresses on mobile devices

2013-11-12 Thread Richard Brooks
On 11/12/2013 10:14 AM, Timur Mehrvarz wrote:
 On 12.11.2013 15:28, Tamer Bilir wrote:
 You need a MAC and IMEI changer  not MAC only. In my opinion 

 
Seems to be an IMEI modifier:

http://forum.xda-developers.com/showthread.php?t=1103766

 I don't think so. Wifi MAC addresses are not being exchanged in 3G/4G
 networks. IMEI numbers are not being exchanged in Wifi communications
 (my tablet doesn't have an IMEI, for instance). IMEI numbers are
 officially being used as personal identifiers. MAC addresses are not.
 
 Changing a Wifi MAC usually has no billing implications. You would want
 to change your Wifi MAC address, not to prevent cost, but to gain
 (better) privacy.
 


-- 
===
R. R. Brooks

Associate Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA

Tel.   864-656-0920
Fax.   864-656-5910
email: r...@acm.org
web:   http://www.clemson.edu/~rrb



Re: [liberationtech] Riseup registration process a bit odd...

2013-10-29 Thread Richard Brooks
I would assume that they see the port, too.

It is also well known that URLs have identifiable
signatures based on the number of items retrieved
and the packet sizes. In most cases, it is easy to
infer the URLs visited. But the encryption should
protect data entered into forms.

So, the sequences of URLs seen is not available in
clear text, but it is not hard to guess correctly.
See:

http://research.microsoft.com/pubs/119060/webappsidechannel-final.pdf

On 10/29/2013 01:09 PM, Sean Alexandre wrote:
 This site name (or domain name) is exposed, but not the URL. So for example if
 I browse to this URL using Tor:
 https://user.riseup.net/ticket/123456/foo.bar
 
 The exit node can see the domain name:
 user.riseup.net
 
 but not the URL:
 https://user.riseup.net/ticket/123456/foo.bar
 
 Or, another way to say it is the domain name is part of the URL but is not 
 the URL.
 
 On Tue, Oct 29, 2013 at 11:50:54AM -0500, Douglas Lucas wrote:
 That no one can see an HTTPS URL seems contradicted by this EFF Tor and
 HTTPS diagram: https://www.eff.org/pages/tor-and-https

 For the diagram, if you click the HTTPS button to show what data is
 visible with only HTTPS enabled, you can see that some of the data is
 encrypted, but not the site name (site.com in the diagram).

 Can anyone clarify?

 Thanks,

 Douglas

 On 10/29/2013 07:29 AM, andrew cooke wrote:

 it's https.  no-one else can see the url.

 http://security.stackexchange.com/questions/7705/does-ssl-tls-https-hide-the-urls-being-accessed

 andrew


 On Tue, Oct 29, 2013 at 01:01:55PM +0100, Alex Comninos wrote:
 Hi All

 So I am looking to make a #PRISMBREAK and get a riseup.net account. It
 will be no secret, as I am aiming for alex.comni...@riseup.net, and I
 will advertise this publicly.

 The registration process seems a bit odd. I get an HTTPS link to check
 my ticket.

 The link looks something like
 https://user.riseup.net/ticket/**/***

 The first set of stars is the ticket number, the second is the email
 address used to register.

 I can, I believe, visit this link to monitor the progress of my ticket.
 However, any one on the network I used to register, and all the way
 along the internet to riseup.net can see this link, if I used TOR,
 presumably the exit node. The link reveals that I have a ticket with
 riseup and intending to register, the email I am using to register it.
 The link can then be followed by anyone who saw it along its way on
 the internet, and my ticket read with my possibly private motivation
 for doing so elaborated (does not require a login).

 My link was:

 https://user.riseup.net/ticket/813773/alex[dot]comninos[at]gmail[dot]com

 Replace the words in square brackets with punctuation, and I invite
 you to read my motivation to open a riseup account.

 I am no information security professional, so please let me know if
 anyone else thinks the registration process may be a bit insecure.

 Kind regards.
 ...
 Alex Comninos | doctoral candidate
 Department of Geography | Justus Liebig University, Gießen
 http:// comninos.org | Twitter: @alexcomninos



Re: [liberationtech] Riseup registration process a bit odd...

2013-10-29 Thread Richard Brooks
getnameinfo() should provide a list of DNS names associated
with the IP address. So that catlovers.com and terrorism.com
would both be included.

Of course, the machine can have multiple IP and DNS names.

On 10/29/2013 01:49 PM, andrew cooke wrote:
 
 people are saying that the site name is visible, but that's not strictly
 correct.
 
 a server can have many names.  with https, someone can see which server you
 connected to, but they don't see which name you used to do so.
 
 (although a very powerful attacker might be able to infer that from other
 data - dns queries)
 
 the eff tor/https diagram (which is excellent) assumes that the server has a
 single name (site.com), which is often the case (especially for large, popular
 sites).  then it is easy to infer the name from the server.
 
 i don't know of anywhere that this is used, but in principle a server could
 host https://catlovers.com and https://terrorism.com, with the first providing
 cover for the latter (why are you connecting to terrorism.com?  i am not;
 i am looking at cute pictures of cats!).  but as someone else said, some
 information will leak with the size of packets, etc, so it probably isn't that
 secure or useful anyway.
 
 to understand this further you need to understand the concept of layered
 protocols.  the ssl/tls layer is below the http layer and above the ip
 layer.  so the ip address is visible, but the site name (in the http data, in
 the url) is not.
 
 andrew
 
 
 On Tue, Oct 29, 2013 at 11:50:54AM -0500, Douglas Lucas wrote:
 That no one can see an HTTPS URL seems contradicted by this EFF Tor and
 HTTPS diagram: https://www.eff.org/pages/tor-and-https

 For the diagram, if you click the HTTPS button to show what data is
 visible with only HTTPS enabled, you can see that some of the data is
 encrypted, but not the site name (site.com in the diagram).

 Can anyone clarify?

 Thanks,

 Douglas

 On 10/29/2013 07:29 AM, andrew cooke wrote:

 it's https.  no-one else can see the url.

 http://security.stackexchange.com/questions/7705/does-ssl-tls-https-hide-the-urls-being-accessed

 andrew


 On Tue, Oct 29, 2013 at 01:01:55PM +0100, Alex Comninos wrote:
 Hi All

 So I am looking to make a #PRISMBREAK and get a riseup.net account. It
 will be no secret, as I am aiming for alex.comni...@riseup.net, and I
 will advertise this publicly.

 The registration process seems a bit odd. I get an HTTPS link to check
 my ticket.

 The link looks something like
 https://user.riseup.net/ticket/**/***

 The first set of stars is the ticket number, the second is the email
 address used to register.

 I can, I believe, visit this link to monitor the progress of my ticket.
 However, any one on the network I used to register, and all the way
 along the internet to riseup.net can see this link, if I used TOR,
 presumably the exit node. The link reveals that I have a ticket with
 riseup and intending to register, the email I am using to register it.
 The link can then be followed by anyone who saw it along its way on
 the internet, and my ticket read with my possibly private motivation
 for doing so elaborated (does not require a login).

 My link was:

 https://user.riseup.net/ticket/813773/alex[dot]comninos[at]gmail[dot]com

 Replace the words in square brackets with punctuation, and I invite
 you to read my motivation to open a riseup account.

 I am no information security professional, so please let me know if
 anyone else thinks the registration process may be a bit insecure.

 Kind regards.
 ...
 Alex Comninos | doctoral candidate
 Department of Geography | Justus Liebig University, Gießen
 http:// comninos.org | Twitter: @alexcomninos


-- 
Liberationtech is public  archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.


[liberationtech] NSA must be best informed entity regarding viagra market

2013-10-15 Thread Richard Brooks
Since most email is spam, how productive is the NSA dragnet?

http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/15/the-nsas-giant-utah-data-center-will-probably-hold-a-bunch-of-spam/?wpisrc=nl_tech




Re: [liberationtech] 10 reasons not to start using PGP

2013-10-10 Thread Richard Brooks
10 reasons to give up, stop trying, hide in a corner, and die.



[liberationtech] State beats NSA

2013-10-07 Thread Richard Brooks
Foreign Policy Magazine claims that US Dept of State
trumps the NSA:

http://thecable.foreignpolicy.com/posts/2013/10/04/not_even_the_nsa_can_crack_the_state_departments_online_anonymity_tool






[liberationtech] China broadcasts blogger confession

2013-09-16 Thread Richard Brooks
http://www.washingtonpost.com/world/china-broadcasts-confession-of-chinese-american-blogger/2013/09/15/3f2d82da-1e1a-11e3-8459-657e0c72fec8_story.html?wpisrc=nl_cuzheads



Re: [liberationtech] Naive Question

2013-09-12 Thread Richard Brooks


 For large companies, I wonder how resignations would count in this?
 Could an NSL require, say, the lead cryptographer of an org to /not/
 resign?
 
 
They could easily do the equivalent of an East German Berufsverbot and
make it impossible for them to ever get a job in their field.


Re: [liberationtech] Matthew D Green

2013-09-09 Thread Richard Brooks
Follow the money.


Re: [liberationtech] NYTimes and Guardian on NSA

2013-09-06 Thread Richard Brooks

 They have two jobs: to monitor foreign communication, and to secure
 domestic communication against foreign monitoring.
 
 http://www.nsa.gov/about/mission/
 
 The argument for trusting NSA/NIST crypto standards has historically
 been that weak crypto would make the first job easier but the second
 job harder. We now have to re-examine that argument and ask whether
 the NSA has been gambling with the security of US commercial,
 government and military data (up to top secret level - the highest
 level that relies on NSA/NIST-published standards) in order to further
 its surveillance mission.
 
That has always been an inherent conflict. It is, however,
difficult to decouple the cryptography and cryptanalysis
expertise.

Interestingly, with the DES standard there were some changes
introduced by NSA that were thought at the time to be backdoors,
since they were never justified.

Many years later, the community realized that these changes made
some obscure attacks less likely.





[liberationtech] Wikileaks surveillance

2013-09-05 Thread Richard Brooks
For the francophones:

http://www.rue89.com/2013/09/04/nouvelles-revelations-lunite-contre-espionnage-wikileaks-245374



[liberationtech] NYTimes and Guardian on NSA

2013-09-05 Thread Richard Brooks
Latest articles:

http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?emc=edit_na_20130905_r=0pagewanted=print

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security


I find most of this (if not all) silly. They seem shocked that the
NSA does cryptanalysis. It would be nice if the newspapers had
people with some knowledge of the domain writing articles.



[liberationtech] SMS questions

2013-08-27 Thread Richard Brooks
I have colleagues living in a small country, far, far
away with a history of rigged elections who want to
put in place a system for collecting information
using SMS. The local government keeps shutting
down the systems that they put in place.

I think I understand their needs and wants. SMS is
really not my strong point. If anyone with an understanding
of SMS, SMS web interfaces, and/or related security issues
would be willing to point me in the right direction
(or discuss potential issues) I (and by extension
they) would be grateful.

The alternative is for me to dedicate my excess cycles
to researching those issues from scratch, which sounds
time consuming. They kind of need help in the near future.

-Richard


[liberationtech] New Zealand

2013-08-22 Thread Richard Brooks
What do you do if the government is caught illegally spying on citizens?
Change the laws:
http://www.globalpost.com/dispatch/news/afp/130821/new-zealand-passes-law-allowing-domestic-spying?goback=.gde_1836487_member_267577237#!


Re: [liberationtech] Bradley Manning's sentence: 35 years for exposing us to the truth

2013-08-21 Thread Richard Brooks

I guess this is progress.

In ancient Greece and the Middle Ages, exposing people to
the truth would get you killed.


Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?

2013-08-12 Thread Richard Brooks
Some idle thoughts:

Edward Snowden
Bradley Manning
Julian Assange
Gen. Hayden
Jacob or Nadim

On 08/12/2013 04:32 PM, Francisco Ruiz wrote:
 Quick request.
 
 In comments to a recent post, people seemed to agree that publishing a
 video of someone reading a hash might be a fairly hard-to-hack way to
 deliver that hash to the public, and thus assure the authenticity of a
 piece of code, a public key, or whatnot. The problem is that the sample
 youtube video I linked had yours truly reading the hash, and people
 naturally objected that I wasn't Justin Bieber and, consequently,
 weren't too convinced that the video was authentic.
 
 Aside from the fact that an adversary might be able to convince Justin
 Bieber to make a video reading a fake hash (not that I believe Justin
 doesn't care; it's just a hypothesis), the idea of getting a celebrity
 for this kind of video has a lot of merit. I'd like to engage one for
 the next update of my app.
 
 So, here's my question. Does any one know of a celebrity who cares
 enough about computer security to be persuaded to take one minute of
 his/her time to read a hash before a camera?
 
 Thanks a million!
 
 -- 
 Francisco Ruiz
 Associate Professor
 MMAE department
 Illinois Institute of Technology
 
 PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
 
 get the PassLok privacy app at: http://passlok.com
 


Re: [liberationtech] Bill Gates on Project Loon vs malaria

2013-08-10 Thread Richard Brooks
Nadim,

I think it is good that Bill Gates is working to
solve health issues that have been ignored because
the people involved are mainly poor and dark
complected.

I think freedom of information, though, may be
more important than you think. Take, for example,
The Gambia, one of the poorest countries on Earth
with all of the problems you mentioned.

Oddly enough, the dictator running the country seems to be
making a lot of money off the country's mineral riches
while letting the majority of the people rot in poverty.
It is not a coincidence that many of the poorest countries
are the least well governed. Those governments also
tend to have very restrictive information controls.

In many ways, creating freer access to information may
do more to help some of these problems than anything
else. Once people can know what is going on and control
their destiny, they may be able to find a way out of
poverty. Once dark complected people have money, the
medical industry may be willing to invest in solving
their problems and invest less in botox and erectile
dysfunction medicines.

-Richard

On 8/10/2013 7:48 AM, Nadim Kobeissi wrote:
 I actually agree with Bill Gates here. If I had his money, I would make sure 
 people have clean water, toilets, condoms, before even starting to consider 
 working on Internet access.
 
 Sure, his comments are below the belt as Andrés says below, but this is 
 only because he is unfairly attacking a noble, unrelated project. But the 
 question he raises is: if you have unlimited money and want to tackle what 
 you perceive as a human rights necessity, what do you go for?
 
 From my perspective of the world, the Internet should be on the bottom of 
 this list. Sure, it should *be* on the list, but people who think that it's a 
 priority really need to examine the kind of awful problems that the world has 
 right now. No water, no food, no shelter, no hygiene, no toilets, no 
 education, no condoms, no medication… all of those things need to be solved 
 before we start worrying about the lack of Internet.
 
 Michael Glassman notes (also earlier in this thread):
 Famine is not caused by lack of food but by lack of knowledge about access 
 and location to food - something I believe is much more easily overcome 
 through Internet access perhaps.
 
 It doesn't just work like that, I don't think. You don't just open Internet 
 access and fund Internet centres and expect knowledge problems to work 
 themselves out. Basic necessities need to be fulfilled first, and in that 
 scenario, that deeply includes education. And in order to focus on education, 
 you're going to need less malaria and more shelter, toilets and hygiene… I 
 hope I'm making my point clearly here.
 
 This is a super interesting issue! I guess I'm going to stick to the 
 conservative side here, though. The Internet is the current human rights 
 issue for developed regions of the Middle East and North Africa (and 
 deservedly so!!), but in some other parts of the world, we're just not there 
 yet. There are more basic problems to solve, and this is only a testament to 
 how harsh the world can be.
 
 NK
 
 
 
 On 2013-08-09, at 7:25 PM, Kyle Maxwell ky...@xwell.org wrote:
 
 http://www.theguardian.com/technology/2013/aug/09/bill-gates-google-project-loon

 ===

 Bill Gates criticises Google's Project Loon initiative

 Former Microsoft chief says low-income countries need more than just
 internet access

 ===

 Google's Project Loon initiative wants to provide internet access for
 the developing world from a network of balloons floating in the
 stratosphere. Former Microsoft boss Bill Gates isn't keen on the idea.

 When you're dying of malaria, I suppose you'll look up and see that
 balloon, and I'm not sure how it'll help you. When a kid gets
 diarrhoea, no, there's no website that relieves that, Gates told
 Business Week, in an interview about the work of the Bill & Melinda
 Gates Foundation.

 Certainly I'm a huge believer in the digital revolution. And
 connecting up primary-healthcare centres, connecting up schools, those
 are good things. But no, those are not, for the really low-income
 countries, unless you directly say we're going to do something about
 malaria.

 Gates also questioned Google's commitment to projects in developing
 countries through its Google.org arm and related initiatives.

 Google started out saying they were going to do a broad set of
 things. They hired Larry Brilliant, and they got fantastic publicity,
 said Gates. And then they shut it all down. Now they're just doing
 their core thing. Fine. But the actors who just do their core thing
 are not going to uplift the poor.

 Project Loon was announced in June as Google launched a pilot scheme
 with 30 balloons above New Zealand, providing internet access through
 receivers on the ground.

 We believe that it might actually be possible to build a ring of
 balloons, flying around the globe on the stratospheric winds, that
 provides Internet 

Re: [liberationtech] Bill Gates on Project Loon vs malaria

2013-08-09 Thread Richard Brooks
On 08/09/2013 12:25 PM, Kyle Maxwell wrote:
http://www.theguardian.com/technology/2013/aug/09/bill-gates-google-project-loon

 ===

 Bill Gates criticises Google's Project Loon initiative

 Former Microsoft chief says low-income countries need more than just
 internet access

 ===

On the one hand, clean drinking water is important and
the fact that little work is done on malaria because it
affects mainly poor people is disgusting.

On the other hand, I've heard lots of people in the
countries that would benefit from a cure for
malaria this year asking about what they can do when
their government shuts down the Internet. The idea
that information can still go in or out against government
wishes is important to them.

I guess people may want to be healthy and free at the
same time.




--
Liberationtech list is public and archives are searchable on Google. Too many 
emails? Unsubscribe, change to digest, or change password by emailing moderator 
at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


[liberationtech] Publishing material smuggled from bad countries

2013-08-01 Thread Richard Brooks
Got a message from one of my contacts who wants to try
to publish information he finds important. He is from
a country ranked by Freedom House as not free.

I'm a techie and not a reporter. Any idea as to who
might be interested (I could contact)? The general
region is Sub-Saharan Africa.



[liberationtech] Internet misuse in Gambia

2013-07-29 Thread Richard Brooks
New law in Gambia makes using the Internet to incite
dissatisfaction with the government punishable by
up to 15 years in jail and $100,00 fine:

http://frontpageinternational.wordpress.com/2013/07/28/internet-is-being-used-as-platform-for-nefarious-and-satanic-activities/

Looks like other governments are following David Cameron's
lead. He could also add satanism to porn in his new firewall.



Re: [liberationtech] Internet misuse in Gambia

2013-07-29 Thread Richard Brooks
From what I hear, yes complaining about the government on
Facebook or Twitter would easily qualify. To give you an
idea, Guinea where the government soldiers rounded up
large segments of the population in 2009, put them in
a stadium for mass beatings, public rapes, and killings,
is ranked better in human rights than Gambia.

In other news, social media monitoring of the recent election
in Togo can be found at (helps if you know French):

http://nukpola.org/public2/


On 07/29/2013 12:30 PM, Bernard Tyers - ei8fdb wrote:
 On 29 Jul 2013, at 15:26, Richard Brooks wrote:
 
 New law in Gambia makes using the Internet to incite
 dissatisfaction with the government punishable by
 up to 15 years in jail and $100,00 fine:
 
 http://frontpageinternational.wordpress.com/2013/07/28/internet-is-being-used-as-platform-for-nefarious-and-satanic-activities/
 
 Looks like other governments are following David Cameron's
 lead. He could also add satanism to porn in his new firewall.
 
 
 Wow, incite dissatisfaction? I don't suppose they've been helpful by 
 defining what dissatisfaction is?
 
 Is complaining about government bureaucracy on Facebook incitement of 
 dissatisfaction?
 
 Bernard
 
 --
 Bernard / bluboxthief / ei8fdb
 
 IO91XM / www.ei8fdb.org
 
 



Re: [liberationtech] WC3 and DRM

2013-07-26 Thread Richard Brooks
Obviously, these issues have been very thoroughly discussed
by Cory Doctorow and Larry Lessig. DRM has not proved to be
effective at safeguarding intellectual property. It seems
to be most effective as a tool in maintaining limited
monopolies, since it stops other companies from investing
in creating products compatible with existing products.

If you insert a lame DRM module into a toner cartridge,
you can sue anyone that makes cheaper compatible components
for breaking your DRM.

The use of DRM sure has not been effective in stopping
music, video, or video game piracy.

It seems that the basic idea behind many of these arguments
is that all intellectual pursuits that are not driven
solely by the profit motive are of low quality.
For example, the novels of Franz Kafka and Jean Genet
are lowbrow.

While profit driven art, like 50 Shades of Grey, is what will
advance the world's aesthetics.


Re: [liberationtech] WC3 and DRM

2013-07-26 Thread Richard Brooks
Also interestingly explored in Vernor Vinge's Rainbow's End

On 07/26/2013 06:18 PM, Steve Weis wrote:
 DRM technologies have a flip side as privacy-preserving technology.
 It's all a matter of whose data is being protected and who owns the
 hardware.
 
 We generally think of DRM in cases where the data owner is large
 company and an individual owns the hardware. In this case, DRM stops
 you from copying data you paid for from your own device.
 
 Now flip the roles. You're the data owner and the large company is the
 hardware owner; say a cloud computing provider you lease machines
 from. Those same technologies can prevent that service provider from
 accessing your private data.
 
 Cory Doctorow has come around to this view, as he discusses in his talk
 The coming civil war over general purpose computing [1]. He's now
 advocating the use of Trusted Platform Modules (TPMs) as a nub of
 stable certainty which you can use to verify that whatever hardware
 you are using is faithfully booting your own software. This is a
 significant departure from viewing TPMs as an anti-consumer
 technology, which was espoused by groups like Chilling Effects [2].
 
 As Doctorow puts it a victory for the freedom side in the war on
 general purpose computing would result in computers that let their
 owners know what was running on them. Some of the very same
 technologies that enable DRM could help us verify that computers are
 running what they should be.
 
 [1] http://boingboing.net/2012/08/23/civilwar.html
 [2] http://chillingeffects.org/anticircumvention/weather.cgi?WeatherID=534
 
 On Fri, Jul 26, 2013 at 2:22 PM, Richard Brooks r...@acm.org wrote:
 Obviously, these issues have been very thoroughly discussed
 by Cory Doctorow and Larry Lessig. DRM has not proved to be
 effective at safeguarding intellectual property. It seems
 to be most effective as a tool in maintaining limited
 monopolies, since it stops other companies from investing
 in creating products compatible with existing products.

 


-- 
===
R. R. Brooks

Associate Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA

Tel.   864-656-0920
Fax.   864-656-5910
email: r...@acm.org
web:   http://www.clemson.edu/~rrb



[liberationtech] vxheaven

2013-07-10 Thread Richard Brooks
For those that know and care, vxheaven is back online.
It happened a week ago.


Re: [liberationtech] In his own words: Confessions of a cyber warrior

2013-07-10 Thread Richard Brooks
1. The NSA center of excellence program is not really that
important. If you look carefully, they are mainly 2 year
community colleges located near Army bases that give
basic sysadmin training. This is good and necessary, but
don't get fooled into thinking that they are training
the highly skilled cyber operations people. They are
training low level IT support mainly.

2. There is a growing outsourcing of intel and cyber work. You
could look at some of the Washington Post articles on the large
number of companies and facilities doing classified work. Northern
Virginia has more tech workers now than Silicon Valley. There
are lots of SCIFs available for cyber work.

3. 0-days are not bought to deny them to the enemy. They are
bought for integration into things like stuxnet.

There are a large number of contracting companies with a
highly skilled workforce in this domain. There are also
other branches of the government with expertise...

On 07/10/2013 06:46 PM, Maxim Kammerer wrote:
 On Wed, Jul 10, 2013 at 4:43 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
 I couldn't disagree more. This sounds consistent with the current arms
 race and also relates directly to the 0day markets that have been active
 for many many years. Remember though: buying 0day bugs or exploits for
 0day is just one part of a much larger picture.
 
 The interview is either a hoax or an exaggerated “hunting story”, for
 two primary reasons: number of employees, and number of exploits.
 Militaries have a huge problem recruiting cyber ops specialists at
 present, and most of the recruited are not even remotely good. At the
 moment, the whole of USA has just 4 colleges certified by NSA to teach
 offensive security (CAE-CO) [1]. USCYBERCOM has “close to 750
 employees” [2]. For the level of skill described, all of US military
 might have, I don't know, 50 senior specialists? Why would this guy
 work via a staffing company, in a team of 5000, in an unmarked
 building? What's there to protect by obscuring their work? They need
 to reside inside some TEMPEST-resistant installation at a military
 base, especially if they work with classified equipment, etc. The
 number of 0-days and rate of their production don't make sense either.
 Unless 0-days are purchased exclusively in order to deny them to the
 enemy (which doesn't seem to be the case), the exploits wouldn't cost
 hundreds of thousands of USD each.
 
 [1] http://www.nsa.gov/academia/nat_cae_cyber_ops/index.shtml
 [2] 
 http://abcnews.go.com/Technology/pentagon-cyber-command-unit-recommended-elevated-combatant-status/story?id=16262052
 
 --
 Maxim Kammerer
 Liberté Linux: http://dee.su/liberte
 



[liberationtech] Using Tor increases likelihood you will be spied on

2013-06-21 Thread Richard Brooks
http://arstechnica.com/tech-policy/2013/06/use-of-tor-and-e-mail-crypto-could-increase-chances-that-nsa-keeps-your-data/



Re: [liberationtech] Skype interception - Project Chess

2013-06-21 Thread Richard Brooks
Nathan,

You've probably explained this before, but what is the difference
between OSTN and RedPhone?

Thanks.

-Richard

On 06/21/2013 10:30 AM, Nathan of Guardian wrote:
 On 06/20/2013 10:08 AM, Jacob Appelbaum wrote:
 To the Skype promoters, apologists and deniers - I encourage you to
 start using, and improving Jitsi - it needs a lot of love but it at
 least has a chance of being secure, whereas Skype is beyond repair.
 
 I also want to add to this, that in order to use Jitsi, you need a
 trustworthy, privacy-oriented SIP service provider [0], to go with it.
 This means someone that doesn't keep logs, doesn't require real name
 registration, defaults to secure, and that also offers features to help
 defend against traffic analysis and mass metadata gathering [1].
 
 This is exactly what we have been working on at Guardian Project with
 our Open Secure Telephony Network [2] project and our public
 beta/testbed service at OStel.co. The base service platform we are using
 is Kamailio [3], which is a project that should be as equally supported
 as Jitsi.
 
 Ultimately, our goal is not to replace one single service with another
 single service, but rather to enable every user, organization, NGO,
 collective, cooperative, etc to run their own service, or at least have
 a variety of hosted service operators that run at a known quality and
 standard for privacy-oriented voice and video communications.
 
 +n
 
 [0] OSTel privacy policy https://ostel.co/privacy
 
 [1] more technical discussion here about our approach compared to a
 typical voice operator:
 https://guardianproject.info/2013/06/12/carrier-grade-verizon-and-the-nsa/
 
 [2] OSTN/OStel source https://github.com/guardianproject/OSTel
 
 [3] Kamailio - Open Source SIP Server - http://www.kamailio.org/
 




Re: [liberationtech] How to defend against attacks on chips?

2013-06-17 Thread Richard Brooks
You can't defend against this. There is a lot of research
going into detecting hardware trojans. In general, verifying
that either hardware or software is (or is not) malicious
is undecidable. We are even lacking in tools, short of exhaustive
tests, for verifying that either hardware or software matches
their specs.


The trusted computing group (TCG) standards are meant to address
some of these issues. Unfortunately, it seems that TCG is being
hijacked to enforce walled gardens and keep FOSS out of the
market.

On 06/15/2013 06:19 PM, Anthony Papillion wrote:
 So we know the NSA is spying on the world. We know pretty much how they
 do it and we know that at least part of that spying and data collection
 is likely done by exploiting holes in software. We can fix that. We can
 move people to better software, not rely on software from companies who
 routinely turn over data, push open software, etc.
 
 But how do we handle hardware attacks? For example, what happens when a
 chip maker, say Intel, collaborates with the government to allow access
 to users' systems from the chip level? How can we defend against this?
 
 Anthony
 



[liberationtech] Interesting Q&A

2013-06-17 Thread Richard Brooks
From Guardian Q&A with Snowden

http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-nsa-files-whistleblower

Is encrypting my email any good at defeating the NSA surveillance? Is
my data protected by standard encryption?

Answer:

Encryption works. Properly implemented strong crypto systems are one
of the few things that you can rely on. Unfortunately, endpoint security
is so terrifically weak that NSA can frequently find ways around it.


Re: [liberationtech] NSA Director Alexander @ Senate Appropriations Committee (Jun 12)

2013-06-13 Thread Richard Brooks
Reminds me of a recent comment from someone I was
training:

Government information should be public. Personal
information should be private.

Unfortunately, we have it backwards.


On 06/13/2013 12:10 PM, Kyle Maxwell wrote:
 Thanks for this. His comments on Guarding Privacy and Civil
 Liberties are as follows:
 
 Let me emphasize that our nation’s security in cyberspace is not a
 matter of resources alone. It is an enduring principle and an
 imperative. Everything depends on trust. We operate in a way that
 ensures we keep the trust of the American people because that trust is
 a sacred requirement. We do not see a tradeoff between security and
 liberty. It is not a choice, and we can and must do both
 simultaneously. The men and women of USCYBERCOM and NSA/CSS take this
 responsibility very seriously, as do I. Beyond my personal commitment
 to do this right, there are multiple oversight mechanisms in place.
 Given the nature of our work, of course, few outside of our Executive,
 Legislative and Judicial Branch oversight bodies can know the details
 of what we do or see that we operate every day under strict guidelines
 and accountability within one of the most rigorous oversight regimes
 in the U.S. Government. For those of you who do, and who have the
 opportunity to meet with the men and women of USCYBERCOM and NSA/CSS,
 you have seen for yourself how seriously we take this responsibility
 and our commitment to earning and maintaining your trust.
 
 Someday - not today, of course, but someday - they're going to get
 it about increased transparency. Some things will and should remain
 secret, but not anywhere near the extent of today.
 
 I hope that day comes sooner rather than later.
 
 On Wed, Jun 12, 2013 at 11:51 PM, Gregory Foster
 gfos...@entersection.org wrote:
 U.S. Senate Committee on Appropriations (Jun 12) - Hearing on
 Cybersecurity:
 http://www.appropriations.senate.gov/ht-full.cfm?method=hearings.viewid=33dda6f9-5d83-409d-a8c5-7ada84b0c598

 Complete video of the hearing and prepared testimony of each of the
 witnesses is linked here.  This previously scheduled hearing received some
 press today as it was General Keith B. Alexander's first public appearance
 since the inception of the Snowden event.

 The General's prepared testimony provides a useful primer on the NSA/CSS and
 its relationship with Cyber Command - the US military branch active in the
 networked domain (PDF download):
 http://www.appropriations.senate.gov/ht-full.cfm?method=hearings.downloadid=6ae112a2-f7e1-4c6e-92a9-bd7b16f2824e

 gf

 --
 Gregory Foster || gfos...@entersection.org
 @gregoryfoster  http://entersection.com/

 



[liberationtech] Internet blackout

2013-06-11 Thread Richard Brooks
Just finished interacting with people from a number
of countries worried about Internet blackouts being
used by their governments to help prevent reporting
of unpleasant truths, such as vote-rigging.

I discussed with them what Telecomix did for Egypt
and other Arab countries and what Commotion and
mesh-networking may provide. They were enthusiastic
about these possibilities, but disappointed when
I explained that this was not anything that could
be put in place proactively for the moment.

This led me to start thinking about the possibility
of deploying something like Fidonet as a tool for
getting around Internet blackouts. Has anyone tried
something like that?

Was wondering if anyone was aware of other approaches
for mitigating this type of DoS.

-Richard


Re: [liberationtech] NSA, FBI, Verizon caught red handed spying on US citizens in the US

2013-06-07 Thread Richard Brooks
On 06/07/2013 03:23 AM, Seth David Schoen wrote:

> The best widely-used tool to defend against traffic analysis is Tor,
> but Tor's developers readily concede that it has a lot of important
> limitations and that there's no obvious path around many of them.
> Two of these important limitations (not the only ones) are:
>
> ① Anonymization adds latency to communications.  Better anonymization
> usually adds more latency.  Everywhere else, communications engineers
> are struggling to take the latency out of people's communications.
> At least in some systems, anonymity engineers are struggling to put
> it in.
>
> ② Network adversaries can notice that things coming out of a system
> correspond to things going in.
>
> Here's one of many statements of these two issues as they relate to
> systems like Tor:
>
>   Furthermore, Onion Routing makes no attempt to stop timing attacks
>   using traffic analysis at the network endpoints. They assume that
>   the routing infrastructure is uniformly busy, thus making passive
>   intra-network timing difficult. However, the network might not
>   be statistically uniformly busy, and attackers can tell if two
>   parties are communicating via increased traffic at their respective
>   endpoints. This endpoint-linkable timing attack remains a difficulty
>   for all low-latency networks.
>
> http://www.freehaven.net/src/related-comm.thtml
>
> These issues are less severe if people are using e-mail or (maybe
> better yet) forum posting, over an encrypted channel to a popular
> service that many people use.  But they're quite serious for voice
> calls, video conferencing, and even instant messaging.

We were able to do our timing side-channel approach on Tor very
successfully on a private Tor instance in our lab. When we tried
it on the global net, we found the jitter inherent to Tor made
it practically impossible.

Have not tried it specifically on VOIP traffic, but the latency/jitter
seems to me to do a pretty good job of making timing attacks
unreliable for now.

-RRB
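
An added illustration of limitation ② and of the lab-versus-global-network observation in the message above (not code from the thread, from its authors, or from Tor): a simulation on constructed traffic in which packet counts are binned at both edges of a relay network and flows are matched by Pearson correlation, once with small jitter and once with large jitter. The burst model, bin size, base latency and both jitter values are assumptions chosen for the demonstration, not measurements of Tor.

```python
import math
import random

BIN = 0.25        # seconds per counting window (assumed observer resolution)
DURATION = 30.0   # seconds of traffic observed per flow
FLOWS = 20        # concurrent flows entering the relay network

LAB_JITTER = 0.005       # mean per-packet jitter in seconds, quiet private testbed (assumed)
WIDE_AREA_JITTER = 3.0   # mean per-packet jitter in seconds, busy shared network (assumed)


def bursty_flow(rng):
    """Constructed on/off traffic: ~40 pkt/s bursts, mean 0.5 s on and 0.5 s off."""
    t, times, sending = 0.0, [], True
    while t < DURATION:
        period_end = t + rng.expovariate(1 / 0.5)
        if sending:
            while True:
                t += rng.expovariate(40.0)
                if t >= min(period_end, DURATION):
                    break
                times.append(t)
        t = period_end
        sending = not sending
    return times


def through_network(times, rng, base, jitter_mean):
    """Each packet exits after a fixed base latency plus exponential jitter."""
    return sorted(t + base + rng.expovariate(1 / jitter_mean) for t in times)


def counts(times):
    """Packets per BIN-second window inside the observation period."""
    bins = [0] * int(DURATION / BIN)
    for t in times:
        if t < DURATION:
            bins[min(int(t / BIN), len(bins) - 1)] += 1
    return bins


def pearson(x, y):
    """Pearson correlation of two equal-length count vectors (0.0 if either is flat)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def experiment(jitter_mean, base=0.05, seed=2013):
    """Return (fraction of flows matched correctly, mean correlation of true pairs)."""
    rng = random.Random(seed)
    ingress = [bursty_flow(rng) for _ in range(FLOWS)]
    egress = [through_network(f, rng, base, jitter_mean) for f in ingress]
    cin = [counts(f) for f in ingress]
    cout = [counts(f) for f in egress]
    matched, true_corr = 0, 0.0
    for i in range(FLOWS):
        # Score this ingress flow against every egress flow; the best score wins.
        scores = [pearson(cin[i], cout[j]) for j in range(FLOWS)]
        true_corr += scores[i]
        if max(range(FLOWS), key=scores.__getitem__) == i:
            matched += 1
    return matched / FLOWS, true_corr / FLOWS


if __name__ == "__main__":
    for label, jitter in (("lab", LAB_JITTER), ("wide-area", WIDE_AREA_JITTER)):
        accuracy, corr = experiment(jitter)
        print(f"{label:9s} jitter={jitter:5.3f}s  matched={accuracy:.2f}  "
              f"mean true-pair correlation={corr:.2f}")
```

The jitter values can be swept to see how much timing noise, relative to the burst length of the traffic, is needed before the true pairing stops standing out from chance correlations.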

Re: [liberationtech] Airline Shutdown Because of Loss of Internet Service?

2013-06-06 Thread Richard Brooks

On 06/06/2013 03:45 AM, michael gurstein wrote:
 This is probably not a Liberation issue directly but I'm not sure where else
 to address it...
 

 Sunday I was flying (Porter Airlines--small short hop Canadian carrier) from
 NYC to Ottawa, ON with a plane change in Toronto. When we arrived in Toronto
 we were informed that because the Internet was down planes were not able
 to land or depart.  The company's service was completely shut down for
 roughly 4 hours until the Internet service was restored (presumably by
 their ISP).
 
 I understand that other airlines have had similar experiences recently.  
 
 My question... how exactly is Internet service so intertwined with flight
 operations that service can function only if the Internet is operational?
 (And I guess the Liberation angle... if this is now pervasive for all
 airlines what is the hackable element of all this and where are the points
 of vulnerability etc. etc.?)
 

This one is easy. Logistics. Airlines have enormous optimization
routines mapping planes, crews and passengers to flights. This
allows them to shave off overhead and make a profit. If the network
is down, they won't know who should fly where.

 M
 
 
 
 



Re: [liberationtech] Frei PiratenPartei

2013-05-17 Thread Richard Brooks
We are unipolar:

We have the best government that money can buy.

Mark Twain



On 05/16/2013 10:33 PM, Andrés Leopoldo Pacheco Sanfuentes wrote:
 This whole list, and many others, and we even have at least a martyr
 in Aaron Swartz, are for the tenets of the Swedish Pirate Party. So!
 What do we do? Sit on our BUTS, and not do something else in the
 political arena? Are we bipolar (either Republican or Democrat), or
 multipolar, as in diversity?
 
 That's the question :D
 
 
 Best Regards | Cordiales Saludos | Grato,
 
 Andrés L. Pacheco Sanfuentes
 a...@acm.org
 +1 (817) 271-9619
 
 
 On Thu, May 16, 2013 at 9:28 PM, Andrés Leopoldo Pacheco Sanfuentes
 alps6...@gmail.com wrote:
 Correction: 34 people now! :D XD LMFAO
 Best Regards | Cordiales Saludos | Grato,

 Andrés L. Pacheco Sanfuentes
 a...@acm.org
 +1 (817) 271-9619


 On Thu, May 16, 2013 at 9:25 PM, Andrés Leopoldo Pacheco Sanfuentes
 alps6...@gmail.com wrote:
 OK, that shows 33 people subscribed to the Pirate Party email list in
 Texas, where I live! :D (there are 38 people in the US congressional
 delegation of Texas..) Let's try a different angle!
 Best Regards | Cordiales Saludos | Grato,

 Andrés L. Pacheco Sanfuentes
 a...@acm.org
 +1 (817) 271-9619


 On Thu, May 16, 2013 at 8:50 PM, Scott Elcomb pse...@gmail.com wrote:
 On Thu, May 16, 2013 at 6:11 PM, Andrés Leopoldo Pacheco Sanfuentes
 alps6...@gmail.com wrote:
 Is there something like this in the US?

 http://www.piratenpartei.de/

 It's been awhile since last I looked in on the US Pirates - I
 should've before posting my earlier response.

 Anyway, I'm happy to see that it's growing; you can find them here:
 http://www.uspirates.org/

 Best
 --
   Scott Elcomb
   @psema4 on Twitter / Identi.ca / Github  more

   Atomic OS: Self Contained Microsystems
   http://code.google.com/p/atomos/

   Member of the Pirate Party of Canada
   http://www.pirateparty.ca/
 


-- 
===
R. R. Brooks

Associate Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA

Tel.   864-656-0920
Fax.   864-656-5910
email: r...@acm.org
web:   http://www.clemson.edu/~rrb



Re: [liberationtech] Android Full-Disk Encryption Cracked

2013-04-29 Thread Richard Brooks
We did some work on power analysis sidechannels. The NSA solution
is to physically isolate anything that does crypto from
anything else. Separate power supplies and Faraday cages are used.
This is effective, but not practical for mobile devices.

Another alternative is to use dual rail instructions in hardware:
for each computation in the code, it also computes the complement.
This produces a flat power consumption profile, but consumes 1.9 times
the power and produces 1.9 times the heat.

We added compiler support where secret variables (ex. crypto key)
had tags marking them as secret. Then instructions that used this
data, or anything derived from them, would use the dual rail
instructions. This consumes 15% more power than normal.

Other people try to just add random fluctuations to the power
consumption profile. That never works. You just have to increase the
amount of data that you collect. You would be amazed at how many
people try to pass this off as an effective solution.

The power analysis attack (especially differential power analysis)
is really easy to do. We gave the grad student a paper. He had
the attack running after about 1 day of work.

On 04/29/2013 03:29 PM, Steve Weis wrote:
 To add to the list of issues here, crypto implementations on mobile
 devices may be vulnerable to power analysis side-channel attacks.
 Attackers may be able to measure RF signal strength to infer power
 consumption during crypto operations, then derive key material. I think
 Cryptography Research Inc. has been researching these attacks and
 working on countermeasures.
 
 On Mon, Apr 29, 2013 at 12:09 PM, Seth David Schoen sch...@eff.org wrote:
 
 ... 
 
 There are a lot of problems about disk encryption on small
 mobile devices.  One that was highlighted by Belenko and
 Sklyarov at Black Hat EU 2012 is that mobile device CPUs are
 relatively slow, so it's difficult to do very large numbers of
 iterations of key derivation functions, which would make
 brute-force cracking slower.
 
 
 
 


-- 
===
R. R. Brooks

Associate Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA

Tel.   864-656-0920
Fax.   864-656-5910
email: r...@acm.org
web:   http://www.clemson.edu/~rrb
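
The selective scheme described in the message above (variables tagged as secret, dual-rail instructions only for code that touches them or anything derived from them) can be sketched as a taint pass over a straight-line three-address program. This is an added example, not code from the original post or from the authors' compiler; the IR, the variable names, the uniform per-instruction cost and the choice to also protect overwrites of secret registers are assumptions, and only the 1.9x figure comes from the message.

```python
# Added example: toy model of compiler-selected dual-rail instructions.
# The IR, variable names and cost model are constructed for illustration;
# only the 1.9x dual-rail figure comes from the message above.
from collections import namedtuple

Instr = namedtuple("Instr", "op dst srcs")
DUAL_RAIL_COST = 1.9  # power of a dual-rail instruction relative to a normal one

def select_dual_rail(program, secret_vars):
    """Return (flags, tainted); flags[i] is True if instruction i must be dual-rail."""
    tainted = set(secret_vars)
    flags = []
    for ins in program:
        reads_secret = any(s in tainted for s in ins.srcs)
        # Assumption of this example: overwriting a register that holds a secret
        # is protected as well, since the old value takes part in the transition.
        flags.append(reads_secret or ins.dst in tainted)
        if reads_secret:
            tainted.add(ins.dst)       # derived from a secret, so secret
        else:
            tainted.discard(ins.dst)   # now holds public data only
    return flags, tainted

def relative_power(flags):
    """Average power vs. an all-normal build, assuming equal-cost instructions."""
    n_dual = sum(flags)
    return (n_dual * DUAL_RAIL_COST + (len(flags) - n_dual)) / len(flags)

# Constructed sample: one key-mixing step surrounded by public bookkeeping.
PROGRAM = [
    Instr("load",  "pt",   ("input_buf",)),
    Instr("load",  "len",  ("input_len",)),
    Instr("xor",   "t0",   ("pt", "key")),   # uses the tagged secret
    Instr("sbox",  "t1",   ("t0",)),         # derived from t0
    Instr("add",   "i",    ("i", "one")),
    Instr("cmp",   "done", ("i", "len")),
    Instr("mov",   "t0",   ("zero",)),       # scrubs t0: still emitted dual-rail
    Instr("add",   "ctr",  ("ctr", "t0")),   # t0 is public again
    Instr("store", "out",  ("t1",)),         # t1 is still secret-derived
    Instr("load",  "next", ("input_buf",)),
]

if __name__ == "__main__":
    flags, _ = select_dual_rail(PROGRAM, {"key"})
    for ins, dual in zip(PROGRAM, flags):
        print("DUAL" if dual else "norm", ins.op, ins.dst, "<-", ", ".join(ins.srcs))
    print(f"relative power {relative_power(flags):.2f}x vs {DUAL_RAIL_COST}x all dual-rail")
```

In this constructed program 4 of 10 instructions are protected, which the model prices at 1.36x; the 15% figure in the message is the authors' own measurement and is not reproduced by this sketch.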



[liberationtech] Liberte Linux

2013-04-25 Thread Richard Brooks
I have a student trying to make a modified
build of the Liberte Linux distribution. If
anyone would have time and be willing to
give her some pointers, please send me an email
and I will forward to her.

Thank you,

-Richard Brooks


[liberationtech] OpenPGP in Javascript for use with webmail

2013-04-25 Thread Richard Brooks
Happened to come across this, which I wasn't
aware of:

http://openpgpjs.github.io/

Am curious as to the opinions people might have
about it.

-Richard Brooks


Re: [liberationtech] For everyone and their grad students: Fake, pay-to-publish journals conferences

2013-04-08 Thread Richard Brooks
-boun...@lists.stanford.edu
 
 [mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of Richard Brooks
 Sent: Monday, April 08, 2013 9:34 AM
 To: liberationtech@lists.stanford.edu
 Subject: Re: [liberationtech] For everyone and their grad students: Fake, pay-to-publish journals  conferences

 It's not curious. It is accurate. As the funding model moved from
 subscribers paying for access to authors paying for publication, the
 financial incentives changed as well. The loosening of standards is an
 obvious consequence of this decision.

 The question of how best to publish quality academic information is
 non-trivial. Like the question of where to get quality current affairs
 information. It will take a while for things to adjust to the ability
 of the Internet to make publishing dirt-cheap.

 On 04/08/2013 12:19 PM, James Losey wrote:
 I think it's curious how this article frames the journals as open
 access rather than a more appropriate pay to play

 On Mon, Apr 8, 2013 at 6:05 PM, Yosem Companys compa...@stanford.edu wrote:

  From: Nathaniel Poor natp...@gmail.com

 http://www.nytimes.com/2013/04/08/health/for-scientists-an-exploding-world-of-pseudo-academia.html

  The scientists who were recruited to appear at a conference called
  Entomology-2013 thought they had been selected to make a presentation
  to the leading professional association of scientists who study
  insects. But they found out the hard way that they were wrong

  This has been a problem for a while, but now it's big enough to be a
  newspaper story.

  ---
  Nathaniel Poor, Ph.D.
  http://natpoor.blogspot.com/
  https://sites.google.com/site/natpoor/

Re: [liberationtech] Is cryptography becoming less important?

2013-02-28 Thread Richard Brooks
 So organizations get compromised by well-meaning users who click on a
 link in an email or slip up and use an insecure connection, and while
 we can ameliorate that to a certain extent with code, we really need
 to think more about how to make it easier for users to make the
 right choices versus the wrong choices.


Too often this is phrased as users should know better. But,
to be honest, I think most anyone could be fooled by a well
planned spear-phishing attack. Last year it got RSA security,
ORNL, Lockheed-Martin, and the entire state of South Carolina.

The use of email in normal business practices far exceeds
what should be done, given the lack of authentication and
the ease of slipping malicious payloads into innocuous
looking URLs, PDFs, etc.
-- 
===
R. R. Brooks

Associate Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA

Tel.   864-656-0920
Fax.   864-656-5910
email: r...@acm.org
web:   http://www.clemson.edu/~rrb
