Re: [liberationtech] TEXTCOMBINE-REV, A software for combining text files to obtain high-quality pseudo-randomness in practice (replacing an earlier retracted software)

2017-09-07 Thread Steve Weis
I don't see anything that TEXTCOMBINE is useful for with respect to security, privacy, or liberation tech. It is not a robust entropy extractor and I would not use it for anything. Randomness extraction has been a research topic for 30 years. For background reading, here are a couple

Re: [liberationtech] Boston event: How nonprofits can use Facebook to broadcast their impact??? (Feb 27th)

2017-02-27 Thread Steve Weis
Hi José. Facebook's data policy states it only shares non-personally identifying demographic information in aggregate with advertisers. See the section under "Sharing With Third-Party Partners and Customers": https://www.facebook.com/policy.php# On Mon, Feb 27, 2017 at 7:25 AM, José María Mateos

Re: [liberationtech] Intro/Projects

2016-12-06 Thread Steve Weis
Hi Charles. Regarding #1, there are dozens of open source projects and companies that support end-to-end encryption for Dropbox-like storage services. In fact, Box KeySafe already supports customer-managed keys. Some examples that support end-to-end encryption: Boxcryptor, Mozy (now EMC),

Re: [liberationtech] AnnealMail: post-quantum fork of Enigmail

2016-10-05 Thread Steve Weis
Hi Nick. I think codecrypt is for learning purposes only and should not be used in practice. I do see you have the warning "DO NOT USE this for mission-critical things", which is good. You may want to have that as part of the actual encrypted email body. On Tue, Oct 4, 2016 at 8:25 AM Nick

Re: [liberationtech] A Toolset for Usable Security with ICT Service Networks

2016-09-26 Thread Steve Weis
Hello Sven. I don't understand what is going on in this poster. Have you implemented any part of this toolset which you can share? On Sun, Sep 25, 2016 at 7:30 AM Sven Wohlgemuth wrote: > Dear Community on Liberation Technology, > > Please let me kindly ask for your attention

Re: [liberationtech] Learning how to hack

2016-08-29 Thread Steve Weis
What is the background of the students? Do they know how to program? Do they have experience with web apps or operating systems? If they have some basic coding and web app background, here are some suggestions: - Google has a good "Web Application Exploits and Defenses" tutorial named

Re: [liberationtech] Need some advice re: online secure communications platform for a survivors group

2016-07-11 Thread Steve Weis
Hello Miles. I think your suggestions are not practical for an ad hoc group of sexual assault survivors. You're talking about them using PGP, downloading open source clients, or using untested blockchain systems. I think for a random group of people, all of these will fail in practice due to poor

Re: [liberationtech] Need some advice re: online secure communications platform for a survivors group

2016-07-10 Thread Steve Weis
I'd use Google Apps for Nonprofits: http://www.google.com/nonprofits/ It's simple, familiar, and the security is good enough for enterprise businesses. On Sun, Jul 10, 2016 at 4:56 PM Lina Srivastava wrote: > Hello all, > > A new support group for survivors of campus

Re: [liberationtech] Looking for Feedback | Ombuds

2015-08-25 Thread Steve Weis
Hi Nick. I'll throw out some questions: - The Bitcoin blockchain is 40GB and growing at about 4GB a month. Will end users have to download that much data to their clients? Or will people be able to download a partial chain? If the latter, will this have to rely on trusted intermediaries? - If an

Re: [liberationtech] Can anyone help me get my account unblocked on Facebook?!

2015-07-04 Thread Steve Weis
Hello Hassan. The PGP encryption feature is used only for outbound email from Facebook. For example, password reset emails sent to you may be encrypted. I think in this case, submitting documentation over TLS is preferable to attaching it in a PGP-encrypted email both for security and usability.

Re: [liberationtech] Can anyone help me get my account unblocked on Facebook?!

2015-07-03 Thread Steve Weis
Hello Inna. I work at Facebook and have contacted you from my work account. I'm not in a position to discuss the merits of the policy. Regardless, for future reference, under Option 2 there is a set of acceptable forms of ID that are not government issued:

[liberationtech] Securing Email Communications from Facebook offering PGP support

2015-06-01 Thread Steve Weis
Hi Libtech. Facebook added support to put a PGP public key to your profile and optionally use it to encrypt email notifications that are sent to you: https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302 Special thanks to the beta testers

Re: [liberationtech] Securing Email Communications from Facebook offering PGP support

2015-06-01 Thread Steve Weis
: http://www.google.com/transparencyreport/saferemail/data/ On Mon, Jun 1, 2015 at 12:35 PM, Thomas Delrue tho...@epistulae.net wrote: On 06/01/2015 01:46 PM, Steve Weis wrote: Hi Libtech. Facebook added support to put a PGP public key to your profile and optionally use it to encrypt email

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-15 Thread Steve Weis
Hello Carlo. This is about backward compatibility. WhatsApp is running on hundreds of millions of iOS, Android, Windows, Blackberry and Nokia phones. There are even people using it on 8 year old Java ME feature phones. It's not feasible to simultaneously upgrade their installed apps to support

[liberationtech] Facebook available as a Tor hidden service

2014-10-31 Thread Steve Weis
Facebook is now available as a Tor hidden service at this .onion address: https://facebookcorewwwi.onion/ Blog post is here: https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237

[liberationtech] Espionage.app's lack of plausible deniability (Was: TrueCrypt Alternatives?)

2014-10-06 Thread Steve Weis
Hello Greg. I tried out Espionage.app and it was easy to distinguish real encrypted images from fake images via filesystem metadata. I don't think Espionage offers any realistic notion of plausible deniability, especially against totalitarian regimes as the webpage claims. This took no special

Re: [liberationtech] TrueCrypt Alternatives?

2014-10-03 Thread Steve Weis
Hi Greg. The burden of proof is on Espionage to convince people that it is safe. I can't trust it based on marketing claims alone. There is not a sufficiently detailed design document on the website, much less a battle-tested, peer-reviewed design. I don't see any reference to independent

[liberationtech] Matasano Crypto Challenges

2014-08-11 Thread Steve Weis
Matasano Security posted 6 sets of their crypto challenges online, which may be of interest to anyone trying to learn more about implementing and breaking crypto: http://cryptopals.com/ The challenges start with basics and move through a variety of attacks. They've provided solutions implemented

Re: [liberationtech] Snakeoil and suspicious encryption services

2014-07-18 Thread Steve Weis
I wouldn't use any of these. InfoEncrypt is especially bad. If a product doesn't have a link to source code, doesn't have detailed documentation, or relies on code running on their servers, then do not expect privacy of your messages. Somewhat relevant, I recently gave a talk about Crypto

Re: [liberationtech] Wicker: Déjà vu all over again

2014-06-10 Thread Steve Weis
I'll echo Tom: It's relatively easy and a good learning exercise to pick apart mobile apps and see what they're doing. On that note, here's some source generated from the Wickr Android app class files using jd-gui: http://saweis.net/files/wickr.src.zip That doesn't include a native library that

Re: [liberationtech] Hardened servers, new hope for federation?

2014-05-23 Thread Steve Weis
Hello Carlo. PrivateCore is my company and ironically your libtech message was flagged as spam in my inbox. You are correct that today's technology reduces the trust to the CPU and, for now, the TPM. I view that as a significant improvement compared to having to trust all components, like network

Re: [liberationtech] A tool for encrypted laptops

2014-05-09 Thread Steve Weis
Hi Tom. Does hibernation on a Mac protect from physical memory extraction by default or is this something yontma configures? After a quick search, I ran across destroyfvkeyonstandby to destroy the FileVault key on standby. Is that sufficient? As for DMA attacks, my understanding is the latest OS

[liberationtech] Video of NSA Surveillance and What To Do About It by Bruce Schneier

2014-04-24 Thread Steve Weis
The Stanford law school posted a video of this recent Bruce Schneier NSA talk: https://cyberlaw.stanford.edu/multimedia/nsa-surveillance-and-what-do-about-it-bruce-schneier On Mar 21, 2014 10:38 AM, Steve Weis stevew...@gmail.com wrote: Bruce Schneier is speaking about NSA surveillance

Re: [liberationtech] About Telegram

2014-04-02 Thread Steve Weis
As an epilogue, the Telegram client misused a non-secure random number generator mrand48 for the keys used in their contest. A student, Thijs Alkemade, was able to recover their keys and decrypt the contest message transcripts:

Re: [liberationtech] About Telegram

2014-04-02 Thread Steve Weis
On Apr 2, 2014 2:58 PM, Maxim Kammerer m...@dee.su wrote: On Wed, Apr 2, 2014 at 10:33 PM, Steve Weis stevew...@gmail.com wrote: As an epilogue, the Telegram client misused a non-secure random number generator mrand48 for the keys used in their contest. A student, Thijs Alkemade, was able

Re: [liberationtech] keybase.io

2014-03-24 Thread Steve Weis
On Mon, Mar 24, 2014 at 2:03 PM, David Berry dmbe...@gmail.com wrote: Is anyone familiar with: https://keybase.io It looks like an interesting project and the idea of a database of public keys is definitely a good one... or is it? As a public key directory, the state of the art is

[liberationtech] NSA Surveillance and What To Do About It, Bruce Schneier @ Stanford, April 15

2014-03-21 Thread Steve Weis
Bruce Schneier is speaking about NSA surveillance at the Stanford Law School on April 14th: http://www.law.stanford.edu/event/2014/04/15/cis-evening-event-with-bruce-schneier Open to the public and free admission with RSVP.

Re: [liberationtech] Trsst Encryption (was: About Telegram)

2014-03-19 Thread Steve Weis
Hi Michael. Some comments inline... On Wed, Mar 19, 2014 at 9:01 AM, Michael Powers mich...@mpowers.net wrote: For a private message, we generate a random 256-bit key and encrypt with AES. Then for each recipient, we use a hash of the shared ECDH secret and the message-id to encrypt the key

Re: [liberationtech] Amazing New Privacy Product for Webcams

2014-03-03 Thread Steve Weis
I prefer a military-grade, 8192-bit, CCA-2 secure Post-It note. They are available in packs of 100 in a variety of unhackable pastel colors. On Sun, Mar 2, 2014 at 11:39 AM, Tony Arcieri basc...@gmail.com wrote: And the same thing could more or less be accomplished with less than $0.10 worth

Re: [liberationtech] About Telegram

2014-02-20 Thread Steve Weis
Hi Maxim. There was a man-in-the-middle attack against Telegram's algorithm published back in December: http://habrahabr.ru/post/206900/ (Russian) English Google translated: http://translate.google.com/translate?hl=en&sl=ru&u=http://habrahabr.ru/post/206900/ If I understand the translation of this

Re: [liberationtech] Website censorship in the US

2013-12-18 Thread Steve Weis
On Wed, Dec 18, 2013 at 9:39 AM, Maxim Kammerer m...@dee.su wrote: I doubt very much it's due to my site — it's a free hosting, and there is probably some malware on one of the virtual hosts on one of the IPs in the block. I think you answered your own question. You might have a bad neighbor

Re: [liberationtech] PrivateSky Takedown

2013-12-13 Thread Steve Weis
PrivateSky came up on libtech two and a half years ago: https://mailman.stanford.edu/pipermail/liberationtech/2011-June/001925.html At the time, it was already clear Certivox had a root key that issued customer keys: https://mailman.stanford.edu/pipermail/liberationtech/2011-June/001926.html

[liberationtech] Ibis: An Overlay Mix Network for Microblogging by Ian Goldberg

2013-09-18 Thread Steve Weis
Ian Goldberg is speaking about Ibis: An Overlay Mix Network for Microblogging today at the Stanford security seminar. The talk is 4:30pm in the Gates building, room 463A. http://crypto.stanford.edu/seclab/sem-12-13/goldberg.html Abstract: Microblogging services such as Twitter are extremely

Re: [liberationtech] Ibis: An Overlay Mix Network for Microblogging by Ian Goldberg

2013-09-18 Thread Steve Weis
It was an interesting talk. The gist is that they've shrunk the overhead of the Sphinx mix net ( http://research.microsoft.com/en-us/um/people/gdane/papers/sphinx-eprint.pdf) to 47 bytes. They've done this by removing the requirement for message replies and using curve25519 for ECC. They've also

Re: [liberationtech] Small size static HTML hosting with no ads and tor friendly

2013-09-07 Thread Steve Weis
Take a look at github.io. On Sep 7, 2013 5:15 AM, Moon Jones mjo...@pencil.allmail.net wrote: Maybe it's too much. I know, people have to gain something from what they are doing. And although hard drive space is getting cheaper by the year, bandwidth is not the same. I want to do some

Re: [liberationtech] Standalone JS apps vs. browser extensions, which is better?

2013-08-26 Thread Steve Weis
If delivered as a regular Javascript web app, then Francisco, anyone at Site 44, or anyone at Dropbox can steal PassLok keys and messages anytime they want. I do not think it's realistic to expect every single user to look at the code before [they] execute it for every single page load. As

Re: [liberationtech] Google confirms critical Android crypto flaw

2013-08-15 Thread Steve Weis
$ git log --pretty=format:%an drivers/char/random.c | sort | uniq | wc The number of committers to random.c is 41. You missed having a lame joke by just one committer. On Thu, Aug 15, 2013 at 10:23 AM, Maxim Kammerer m...@dee.su wrote: On Thu, Aug 15, 2013 at 7:33 PM, Doug Chamberlin

[liberationtech] Passlok's broken security model

2013-08-13 Thread Steve Weis
Hi Francisco. I split this off into a new thread, since it touches on some points on why the security model for Passlok is broken. Comments inline... On Tue, Aug 13, 2013 at 2:54 PM, Francisco Ruiz r...@iit.edu wrote: 1. Unicode: wget returned escaped Unicode characters. Chrome saved output

Re: [liberationtech] In defense of client-side encryption

2013-08-12 Thread Steve Weis
Francisco, you assume that all browsers will save a static version of the page identically. This is not the case. I ran a test using 'wget https://passlok.site44.com' and Chrome's Save As. The former will actually match the hash value you've posted, but the latter does not. I spotted at least 5

Re: [liberationtech] OneTime 2.0 (beta): one-time pad system.

2013-08-01 Thread Steve Weis
Comments inline... On Thu, Aug 1, 2013 at 7:58 AM, Andy Isaacson a...@hexapodia.org wrote: Then someone may force you to exhaust your pad bits by corrupting or dropping messages in transit. An attacker with control of your wire can deny you service. News at 11! What cryptosystem does not

Re: [liberationtech] WC3 and DRM

2013-07-31 Thread Steve Weis
I think what you're saying was true in the past, but the game is changing with modern hardware. There have been advances in CPU features that make it possible to reduce the trust perimeter to just the CPU and TPM. If I trust those two components, I can privately compute on remote hardware, even if

Re: [liberationtech] PGP is hard to use and needs stuff installed on your computer. Use PassLok instead.

2013-07-29 Thread Steve Weis
Hi. I think you're slowly reinventing PGP. Just to summarize what you have so far: 1. Alice and Bob each generate key pairs locally. 2. Both securely store their private keys. 3. Both generate hash values of their public keys. 4. Both mutually exchange public keys over an untrusted channel. 5.

Re: [liberationtech] WC3 and DRM

2013-07-26 Thread Steve Weis
DRM technologies have a flip side as privacy-preserving technology. It's all a matter of whose data is being protected and who owns the hardware. We generally think of DRM in cases where the data owner is a large company and an individual owns the hardware. In this case, DRM stops you from copying

Re: [liberationtech] PGP is hard to use and needs stuff installed on your computer. Use PassLok instead.

2013-07-26 Thread Steve Weis
If you assume communications are monitored and your machine is compromised, this has some fundamental flaws: - How do I communicate a password to Bob? Before I get a crucial bit of information to Bob, I need to first get a crucial bit of information to Bob? - You assumed a keylogger is installed.

Re: [liberationtech] Interesting new project for decentralized communication

2013-07-24 Thread Steve Weis
I skimmed a couple files of this project. It does not inspire confidence. In 7 lines of encryption code, they unsafely use ECB, don't authenticate their ciphertext, don't have any comments, don't have any testing, and have a couple WTF lines like XORing parts of the key with itself:

Re: [liberationtech] Heml.is - The Beautiful Secure Messenger

2013-07-11 Thread Steve Weis
It's not true that all widely used crypto implementations are open. Even open source projects themselves depend on closed implementations. For example, Linux, OpenSSL, GnuTLS, libgcrypt, and dm-crypt may all use AESNI on x86, usually by default [1]. Linux now also uses a closed RdRand [2] RNG if

Re: [liberationtech] Resources on electronic voting

2013-07-10 Thread Steve Weis
Ben Adida's thesis Advances in Cryptographic Voting Systems is thorough and well-written: http://electionmathematics.org/em-voting-systems/rivest-student-adida-phd.pdf Some of these ideas are implemented in Helios Voting: http://heliosvoting.org/ https://github.com/benadida/helios-server Note,

[liberationtech] Real World Crypto 2014

2013-07-03 Thread Steve Weis
Registration for the Real World Crypto 2014 workshop is open (and free). http://realworldcrypto.wordpress.com/ What: The Real World Cryptography Workshop aims to bring together cryptography researchers with developers implementing cryptography in real-world systems. The main goal of the workshop

Re: [liberationtech] Identity Based Encryption

2013-06-25 Thread Steve Weis
tl;dr: It depends whether you care about security or compliance. IBE has worked in practice for enterprises who want to enforce centralized control of encrypted messages and meet compliance regulations. These enterprises would typically operate the private key generator, although there are

Re: [liberationtech] Identity Based Encryption

2013-06-25 Thread Steve Weis
One correction: I looked at an old Voltage email and it does download an HTML file. However, this just has a link that posts back to a server where you enter your password and decrypt the message. It kind of defeats the purpose. On Tue, Jun 25, 2013 at 12:35 PM, Steve Weis stevew...@gmail.com

Re: [liberationtech] PrivateCore and secure hosting

2013-06-22 Thread Steve Weis
: Hi Steve, a technical (and perhaps stupid) question: On Sat, Jun 22, 2013 at 1:49 AM, Steve Weis stevew...@gmail.com wrote: The host H will have a trusted platform module (TPM). When H boots up, it will measure all software state into platform control registers (PCRs) in the TPM. See Intel

Re: [liberationtech] PrivateCore and secure hosting

2013-06-21 Thread Steve Weis
Hi Eleanor. tl;dr: Today we bootstrap from the TPM. To have a secure channel between two processes/compartments (in this case, the CPU of the hosted machine and the remote, non-service-provider-controlled system), they must share a secret. This is a good question since it's not necessarily

Re: [liberationtech] PrivateCore and secure hosting

2013-06-20 Thread Steve Weis
Hi Eleanor. I am a co-founder of PrivateCore and happy to answer questions. I'll keep it non-commercial and focus on the technical answers for this mailing list: [We] were talking about secure hosting PrivateCore's technology is currently packaged as a hypervisor, so is targeted at environments

Re: [liberationtech] Encipher.it

2013-06-19 Thread Steve Weis
PM, Steve Weis stevew...@gmail.com wrote: It's not safe. This is their bookmarklet: (function(){document.body.appendChild(document.createElement('script')).src='https://encipher.it/javascripts/inject.js';})(); That loads a JavaScript file from the encipher.it site, which can be changed

Re: [liberationtech] Encipher.it

2013-06-18 Thread Steve Weis
It's not safe. This is their bookmarklet: (function(){document.body.appendChild(document.createElement('script')).src='https://encipher.it/javascripts/inject.js';})(); That loads a JavaScript file from the encipher.it site, which can be changed at any time and compromise your messages without

Re: [liberationtech] How to defend against attacks on chips?

2013-06-15 Thread Steve Weis
My company is working on the problem of how to compute on untrusted platforms. We gave a technical talk earlier in the year about privilege escalation through physical attacks: http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf From a practical perspective on x86 platforms, we can

[liberationtech] Stanford Security Seminar 6/17: Digital Forensics Tools

2013-06-14 Thread Steve Weis
There's an upcoming Stanford security seminar on how bulk data from captured drives and network traffic are analyzed. Thought it might be of some interest to this list. Lessons Learned Writing High-Performance Multi-Threaded Digital Forensic Tools for Analyzing Hard Drives and

Re: [liberationtech] New Anonymity Network for Short Messages

2013-06-11 Thread Steve Weis
Hi. I took a quick look while procrastinating at work and found a few potential issues: - What's up with this hard-coded salt https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-16 ? - Any specific reason you picked

Re: [liberationtech] New Anonymity Network for Short Messages

2013-06-11 Thread Steve Weis
Comments inline... On Tue, Jun 11, 2013 at 10:47 AM, Sean Cassidy sean.a.cass...@gmail.com wrote: - Any specific reason you picked CTR? CTR is widely recommended. Cryptography Engineering specifically recommends it. The reason I ask is that this makes your IV-generation more critical than,

Re: [liberationtech] Question about otr.js

2013-06-07 Thread Steve Weis
kind of threats tend to be far more common than library bugs. NK On 2013-06-06, at 7:49 PM, Steve Weis stevew...@gmail.com wrote: The status is: [otr.js] hasn't been properly vetted by security researchers. Do not use in life and death situations! https://github.com/arlolra/otr#warning

Re: [liberationtech] Question about otr.js

2013-06-06 Thread Steve Weis
The status is: [otr.js] hasn't been properly vetted by security researchers. Do not use in life and death situations! https://github.com/arlolra/otr#warning On Thu, Jun 6, 2013 at 3:14 PM, Anthony Papillion anth...@cajuntechie.org wrote: I'm thinking about working on a web app that would use

Re: [liberationtech] Cell phone tracking

2013-05-24 Thread Steve Weis
Regarding wifi-only phones, Euclid Analytics (http://euclidanalytics.com/product/how/), has developed router add-on software that can track consumers' mobile devices by MAC addresses. The routers send that data back to Euclid for aggregation. There are other companies working on similar ideas. I

Re: [liberationtech] Android Full-Disk Encryption Cracked

2013-04-29 Thread Steve Weis
To add to the list of issues here, crypto implementations on mobile devices may be vulnerable to power analysis side-channel attacks. Attackers may be able to measure RF signal strength to infer power consumption during crypto operations, then derive key material. I think Cryptography Research

Re: [liberationtech] Android Full-Disk Encryption Cracked

2013-04-29 Thread Steve Weis
Hi Richard. Your grad student's experience corroborates what I've heard from other researchers. Simple power analysis attacks are easy to conduct against mobile devices in a lab environment. On Mon, Apr 29, 2013 at 12:56 PM, Richard Brooks r...@acm.org wrote: The power analysis

Re: [liberationtech] Fwd: SafeGDocs: encrypted documents in Google Drive

2013-04-13 Thread Steve Weis
Hi. SafeGDocs appears to use an unsafe implementation of AES-CTR mode from here: http://www.movable-type.co.uk/scripts/aes.html Two problems with this library: - It generates a predictable CTR mode IV using time of day. - There is apparently no authentication of the ciphertext, which in CTR mode

[liberationtech] New session starting for Stanford's online crypto course

2013-03-25 Thread Steve Weis
A new session of Dan Boneh's free online crypto course is starting today: https://www.coursera.org/course/crypto

Re: [liberationtech] Crypho

2013-03-25 Thread Steve Weis
Hi Yiorgis. The ways of asserting the authenticity of served [JavaScript] always reduce to trusted code executing on the client. You need to trust whatever is authenticating the served application. You can't get around it. This approach always ends up with either trusting the service or running

Re: [liberationtech] Crypho

2013-03-23 Thread Steve Weis
Hi Yiorgis. The Crypho web page says: No-one can access your data, either in transit or when stored — Not even Crypho staff or the government. Yet, you acknowledge that we are aware of the potential problems of serving JS [Javascript], meaning it's trivial for your staff or a government to

Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Steve Weis
This is a good illustration of how data in use is exposed to physical attacks on most computing devices. An interesting side-note is that Android phones are starting to ship with a hardware security module (HSM), which can be used for crypto operations and key storage. Duo Security is one company

Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Steve Weis
TRESOR uses debug registers and only protects key material. It doesn't protect the code that actually reads that key in or out of the register, nor any of the data that is actually decrypted with the key. So, it provides protection just for keys against passive, read-only attacks against memory.

Re: [liberationtech] The Privacy Book, by James Black, PhD?

2013-02-14 Thread Steve Weis
I see nothing online to indicate that this book is good and don't want to spend 0.5 grams of gold to find out. On Thu, Feb 14, 2013 at 2:11 PM, Lee Fisher blib...@gmail.com wrote: Does anyone have any opinions about the advice in this book? Thanks.

Re: [liberationtech] Mega

2013-01-21 Thread Steve Weis
Mega is using server-side Javascript for crypto, so you're trusting them just like you'd trust Dropbox. Other people have reported issues with their implementation, including using weak randomness. I skimmed through their implementation and found some portions that indicate they don't know what

[liberationtech] Browser-based Tor proxies

2013-01-03 Thread Steve Weis
I noticed a Stanford project for setting up browser-based, ephemeral Tor proxies. In their words, the purpose of this project is to create many, generally ephemeral bridge IP addresses, with the goal of outpacing a censor's ability to block them. The core idea is that volunteers outside a

Re: [liberationtech] Browser-based Tor proxies

2013-01-03 Thread Steve Weis
Yes, the system is vulnerable to client enumeration if there are few facilitators and proxies. If there are many facilitators and proxies, then the adversary needs to discover facilitators, constantly poll them, and compete with legitimate proxies to learn client IPs. They won't discover every

Re: [liberationtech] The Government is Profiling You talk by ex-NSA whistleblower @ MIT, 11/19/2012

2012-11-27 Thread Steve Weis
The video of the William Binney The Government is Profiling You talk at MIT is now online: http://techtv.mit.edu/collections/csail/videos/21783-the-government-is-profiling-you On Thu, Nov 15, 2012 at 10:41 AM, Steve Weis stevew...@gmail.com wrote: There's an upcoming talk at MIT CSAIL

[liberationtech] Workshop on Real-World Cryptography, Stanford, Jan. 9-11, 2013

2012-11-11 Thread Steve Weis
Dan Boneh from Stanford is organizing a Workshop on Real-World Cryptography on January 9-11, 2013: http://crypto.stanford.edu/RealWorldCrypto/program.php Looks like a good lineup of speakers.

Re: [liberationtech] NPC digital security event video

2012-10-26 Thread Steve Weis
I attended the beginning of this event and was taken aback by some bad advice given by Jonathan Hutcheson. Starting around 17:50, he talks about how password managers can supposedly protect you from keyloggers and malware: http://www.youtube.com/watch?v=cLp2pl3BVhg#t=17m50s Specifically around

Re: [liberationtech] best practices - roundup

2012-10-09 Thread Steve Weis
I hadn't seen Tails before and don't know how baked it is as a project. I just tried it out and found an exploitable vulnerability in their configuration that would allow someone to compromise the system. It's a corner case and not likely to impact many systems, but is a well known problem. I've

Re: [liberationtech] CryptoParty Handbook

2012-10-04 Thread Steve Weis
For what it's worth regarding multiple passes to sanitize data: http://www.infosecisland.com/blogview/16130-The-Urban-Legend-of-Multipass-Hard-Disk-Overwrite.html http://cs.harvard.edu/malan/publications/pet06.pdf On Thu, Oct 4, 2012 at 5:06 PM, Seth David Schoen sch...@eff.org wrote: I was

Re: [liberationtech] Images of Blocking in Different Countries?

2012-08-15 Thread Steve Weis
This paper Ignoring the Great Firewall of China is a few years old, but at the time China was inspecting TCP packets for verboten keywords: http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf The blocking was easy to circumvent. The researchers were able to just ignore TCP reset packets and the

Re: [liberationtech] Avaaz, is this for real?

2012-05-04 Thread Steve Weis
...globally-distributed botnet of thousands of computers... Someone could rent thousands of botnet agents for two days for a couple hundred dollars: http://www.zdnet.com/blog/security/study-finds-the-average-price-for-renting-a-botnet/6528 Avaaz does not have any further information about who is