There was a recent article that dug into it:
http://www.hackinsight.org/news,326.html
I would say there are several things that need improvement - but the
crypto is present... some of the time :)
-tom
On 18 May 2015 at 11:08, Brian Conley bri...@smallworldnews.tv wrote:
Anyone know with
On 27 November 2014 at 07:53, Robert Guerra rgue...@privaterra.org wrote:
Dear Libtech community,
I've developed a list of digital security list of services, tools and
resources of interest. It is pretty much in alpha, meaning that it is more
a list and brainstorming idea, that hasn't gone
On 19 November 2014 09:13, Richard Brooks r...@g.clemson.edu wrote:
Just looked at this:
https://letsencrypt.org/howitworks/technology/
The EFF's new CA to make things cheap and easy for
installing certs. I like the goal.
What I do not get from the description is how they
really verify
On 31 October 2014 08:05, AntiTree antit...@gmail.com wrote:
I find the interesting part the fact that they got a CA to sign a .onion
domain certificate. Is that normal?
No, this is the first time it's ever happened.
On 31 October 2014 09:20, AntiTree antit...@gmail.com wrote:
I'm still
On Sep 11, 2014 6:28 AM, Leonardo Maccari leonardo.macc...@unitn.it
wrote:
On 09/10/2014 04:54 AM, elijah wrote:
On 09/09/2014 11:01 AM, Leonardo Maccari wrote:
Before I apply to the new call (and get the money to really do it),
I'd like to receive feedback to validate the idea.
On 4 August 2014 14:39, Seth David Schoen sch...@eff.org wrote:
One thing I think is especially important if you're going to try to
propagate every message to every potential recipient is forward secrecy,
because with something like PGP, only someone who was proactively
eavesdropping on you or
On 29 June 2014 13:13, Alexey Zakhlestin indey...@gmail.com wrote:
Seems to be down. Was data released somewhere else?
It is up for me. The site itself is open source
(https://github.com/albancrommer/nsa-observer) and the data is
exportable (https://www.nsa-observer.net/export/json).
-tom
I just want to jump in and mention again that it's entirely possible to
pick apart applications written for Android, iPhone, Windows, Mac, etc and
understand how they operate. Going even deeper than just 'what they store
on disk' and 'what they send on the wire'. It requires a little bit of
On 9 June 2014 12:06, Seth David Schoen sch...@eff.org wrote:
Griffin Boyce writes:
I'd recommend reaching out formally (perhaps to privacy@ ?) and
proposing a whitelist or other special consideration for Tor users.
It seems obviously crazy to me for Twitter to prevent people from
I know GoAgent used to be a very popular proxy in China, and I believe
it tunneled through Google Apps... Is it still popular (prior to this
block I suppose) and does this mean it's now inaccessible?
-tom
On 1 June 2014 18:58, Matthew Finkel matthew.fin...@gmail.com wrote:
On Mon, Jun 02, 2014
On 14 May 2014 23:36, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
I think that it would be very important to organize a project to audit the
functionalities of auto-update of software commonly used by human rights
defenders.
Sounds interesting. What software did you have in mind?
-tom
a version for Mac. (Open Source of course.)
-tom
On 30 May 2013 13:24, Seth David Schoen sch...@eff.org wrote:
Tom Ritter writes:
On 25 March 2013 11:57, Tom Ritter t...@ritter.vg wrote:
At the moment it only supports Bitlocker, but support for Truecrypt is
coming[0].
Due to some internal
On 9 May 2014 16:08, Steve Weis stevew...@gmail.com wrote:
Hi Tom. Does hibernation on a Mac protect from physical memory
extraction by default or is this something yontma configures?
Not sure what you mean. Obviously we can't protect against someone
unscrewing the computer and stealing the
On 2 May 2014 17:22, Griffin Boyce grif...@cryptolab.net wrote:
Do chrome extensions have a private offline key you use to sign
extensions, to prevent malicious extension upgrades by google/an
attacker who can middle SSL?
No, though I have two-factor authentication using a secure device
On 2 May 2014 11:00, Griffin Boyce grif...@cryptolab.net wrote:
Also open to ideas about how I'm screwing this all up or am
failing to account for Threat Model X.
I'm wondering about the update mechanism. As I understand it, some
scenarios are:
1) You bake in SHA256 hashes of software, with
On 26 April 2014 17:18, Shava Nerad shav...@gmail.com wrote:
Anyone who is lauding the verifiability of open source security software had
best show that their code has been regularly and thoroughly audited.
Open source, closed source - at this point I am pretty much
universally disgusted by
On 22 April 2014 07:47, Caspar Bowden (lists) li...@casparbowden.net wrote:
TAHOE is also cool, but doesn't claim to provide confidentiality. A TAHOE
service provider would have no choice but to round-up/backdoor the necessary
keys under existing US (FISA/PATRIOT) or UK (RIPA Pt.3) legislation
IANAL, but I think it's perfectly legal.
But if a customer walks in, could they ask for his/her address, and
reject him/her if he/she doesn't have a local address? - I just got
back from Australia and not only is this legal, it's common. The bowls
clubs refuse entry to someone if they're within
In addition to what the others have said, I'll give a name to some of
these techniques.
The process of assigning an opaque random identifier to an easily
reversed string is 'Tokenization'. I don't work in payment processing
- but it's big there. Don't want to have a ton of PCI requirements?
Pay
A cleared friend lamented this recently. (But long enough ago my
memory is a tad hazy.) I believe they told me that they're allowed to
read reports _about_ the material (e.g. a summarizing article) but not
the content themselves. They wished there was some uncleared, but
'blessed' source from
I just had the guy next to me with an ATT phone try to access it and
indeed he was unable. It is unusual. If I was a betting man, I would
put my money on them mislabeling your server or server farm as a
spam/malware serving site. I don't know for sure, but I wouldn't be
surprised if they did block
I've been super impressed with the recent Citizen Lab work. I wanted
to pull out a couple choice quotes for folks who may have only skimmed
this.
Citizen Lab researchers verified that LINE chat traffic is sent
unencrypted over 3G networks on the latest version of the client. This
This looks interesting! Am I being dense, or is there a paper or
slides or anything somewhere non-Stanfordites can read?
-tom
This is cool. I hear pretty frequently that phishing and
phishing-like attacks are huge problems for activists, I think this is
a great example of how work can be done to combat this. If users are
running into this regularly, maybe it'd be cool to have a submission
form to queue up analysis of
I tried this once [0,1]. My suggestions.
0) There's an app (hdparm) that lets you interact with the drive's AT
security stuff. But obviously this only helps you if it's not your
boot drive.
1) Repost this on the cryptography mailing list, it's more technical
focused that libtech.
2) See if the
On 23 August 2013 16:29, Nicolai nicolai-liberationt...@chocolatine.org wrote:
On Fri, Aug 23, 2013 at 01:53:59AM -0700, DC wrote:
My plan is to make your email the hash of your public key.
For example, my address is *nqkgpx6bqscsl...@scramble.io*
(I borrowed this idea from Tor Hidden
https://whispersystems.org/blog/asynchronous-security/
Since these key exchange parts are ephemeral, recording ciphertext traffic
doesn’t help a would-be adversary, since there is no durable key for them to
compromise in the future.
I disagree. PFS traffic today protected with 1024-bit DH
I'm trying to think of how you could prosecute free speech (in the
US). It's not illegal to talk about how to use rusty nails to create
thermite - that's been in the Anarchist Cookbook for years. It's a
somewhat fine line between X should be killed and incitement to
murder but as all the Assange
On 9 August 2013 18:16, Seth David Schoen sch...@eff.org wrote:
If you think governments are likely to use their own CAs for spying by
issuing fraudulent certificates, you want to remove trust for those
CAs _in your web browser_. Having a valid, correct, and publicly issued
certificate from
On 14 August 2013 18:01, Richard r...@linux-m68k.org wrote:
On the other end of the paranoia scale I would like to remind folks of
the mixmaster remailer chaining technique which does much more than plain
encryption - as far as I can see it is theoretically completely untraceable.
That
On 14 August 2013 19:11, Bernard Tyers - ei8fdb ei8...@ei8fdb.org wrote:
Yes, you're right. My mistake. But is my second question not still valid? If
SSL was compromised would the user not then be compromised?
Is:
…we generate public and private keys for the user and then encrypt the
On 14 August 2013 19:30, Bernard Tyers - ei8fdb ei8...@ei8fdb.org wrote:
IF, (big IF) my understanding of Lavabit's architecture is correct,
then if you gained access to the user's SSL session, and then also
access to Lavabit's server where the user's data and (encrypted)
private key is stored
On 10 August 2013 11:43, Michael Rogers mich...@briarproject.org wrote:
If we assume that app stores aren't going away any time soon, we need
to address this problem: How can a user who downloads an app from an
app store be satisfied that it was built from published source code?
We might also
For those interested, I'll point to the tor-talk thread:
https://lists.torproject.org/pipermail/tor-talk/2013-August/thread.html#29331
This does seem very focused on bypassing censorship - not providing
anonymity. The tiny FAQ at the bottom:
While it uses Tor network, which is designed for
On 21 July 2013 20:00, micah mi...@riseup.net wrote:
Uh ok, that is weird? Eugen, care to explain what that is about?
I wouldn't give it too much thought. John Young often archives emails
from mailing lists to cryptome.org.
It's basically a curated archive service. Take it as a badge of
Mix Networks are designed to do this, with remailers being
implementations of them (although quite out of date, and best studied
academically and not relied on). An intro, in blog form, is here:
https://crypto.is/blog/
Shared Mailboxes like the usenet group alt.anonymous.messages also are
On 10 July 2013 09:43, Jacob Appelbaum ja...@appelbaum.net wrote:
Andreas Bader:
Tens of thousands zero-days; that sounds like totally shit. That guy
seems to be a script kiddie poser, nothing more.
Are there any real hackers that can issue a competent statement to that?
I couldn't disagree
On 7 July 2013 17:20, Maxim Kammerer m...@dee.su wrote:
This thread started off with discussion of peer review, so I have
shown that even expensive, well-qualified peer review (and I am sure
that Veracode people are qualified) didn't help in this case.
As one of the people on this list who
On 1 July 2013 05:20, Adam Back a...@cypherspace.org wrote:
The remaining claimed problems are then pidgin itself having bugs, nothing
on OTR. So if you want to argue for an interpreted language chat client,
go for it.
If libpurple/pidgin itself has bugs, that compromises OTR. If an
On 27 June 2013 05:07, Rich Kulawiec r...@gsp.org wrote:
[ Okay, so I have a long-winded response to this. It's possible that
eventually I'll wander somewhere near a point. ;-) ]
...
...
My suggestion (and this is based on many other kinds of operations
since I've never run a Tor exit node)
The claim of end to end encryption give me pause, although I'm also not
clear on the differences between the products and which claim applies to
which. Do they claim the other end is them the provider, or the other user?
It gives me pause because
1) They say they use SSL with CA certs. But if
On 18 June 2013 07:01, Bernard Tyers - ei8fdb ei8...@ei8fdb.org wrote:
I also thought William Binney's view that Edward Snowden was potentially
crossing a line from whistleblower to traitor with the release of information
about the USA's alleged hacking of foreign computer systems is
On 12 June 2013 14:21, Travis McCrea m...@travismccrea.com wrote:
I was wondering if you guys had any ideas on how to potentially leverage
that to perhaps sue the CIA in an effort to ensure they are not
collecting any data on Travis McCrea the Canadian who is Travis
McCrea the American. Is
On 11 June 2013 13:42, Sean Cassidy sean.a.cass...@gmail.com wrote:
On Tue, Jun 11, 2013 at 10:10 AM, Griffin Boyce griffinbo...@gmail.com
wrote:
It would be a fairly simple task to review all of the chat information and
correlate call and response for all of the conversations.
I disagree
On 8 June 2013 22:04, Nadim Kobeissi na...@nadim.cc wrote:
I want to encourage all the open source, communication and security software
developers on this list to start talking about metadata.
1. Start raising awareness on what metadata is given to your software and how
it's handled.
2.
On 9 June 2013 17:43, Matt Johnson railm...@gmail.com wrote:
I have to say going to Hong Kong for free speech and safety seems like
a very odd choice to me. What was he thinking?
I actually think Hong Kong seems pretty smart. Parroting the news
organizations, Hong Kong has some extradition
On 7 June 2013 18:51, Travis McCrea m...@travismccrea.com wrote:
http://googleblog.blogspot.com/2013/06/what.html
I do believe them, but I have no proof to back that up. You would assume
they wouldn't make a bold faced lie, they would just not
On Jun 6, 2013 7:28 PM, Eduardo Robles Elvira edu...@gmail.com wrote:
Hello
NSA just $20M of budget? The same NSA that is building a data center
(for processing what? =) for 869 million USD$ in Maryland?
Without opinion on the entirety, here are some random thoughts.
I think the password section is missing the most important piece of
advice: don't use the same password for different services. Every one
should have its own, and they shouldn't be algorithmic (e.g.
myp4ssw0rdisF4C3B00K and
Tested it, got the following:
HEAD /this_is_a_test2.html HTTP/1.1 from 65.52.100.214 with no User Agent.
-tom
On 14 May 2013 11:44, Pranesh Prakash pran...@cis-india.org wrote:
Heise Security is reporting that Microsoft accesses links sent over Skype
chat.[1]
Here is the /. lede:
A
Also, it came about two hours after I sent the link to a friend.
-tom
On 14 May 2013 14:39, Tom Ritter t...@ritter.vg wrote:
Tested it, got the following:
HEAD /this_is_a_test2.html HTTP/1.1 from 65.52.100.214 with no User Agent.
-tom
On 14 May 2013 11:44, Pranesh Prakash pran...@cis
While defending against side channel attacks like power analysis is
desirable, and key stretching can be used to slow down cracking...
there's a much simpler win that can be done right now, much more
easily than using a Yubikey.
Android *NEEDS* to allow a user to have a separate unlock screen
Hi all - at the risk of shilling, my company has released an Open
Source tool called You'll Never Take Me Alive. If your encrypted
laptop has its screen locked, and is plugged into power or ethernet,
the tool will hibernate your laptop if either of those plugs is
removed. So if you run out for
On 25 March 2013 14:41, Karl Fogel kfo...@red-bean.com wrote:
Your paragraph above doesn't mention it, but appears this is (right now)
only for MS Windows. Any chance of Linux support coming soon, and in
the long run of getting folded in as a kernel service so that I can just
configure it
I've never played with it, but I think you could use fakeroute to do
this: http://www.thoughtcrime.org/software/fakeroute/
I also suspect this may have something to do with it:
https://twitter.com/moxie/status/308694012842369025 Although I could
be wrong.
-tom
On 28 February 2013 07:39, anonymous2...@nym.hush.com wrote:
Hi,
We are a human rights NGO that is looking to invest in the best
possible level of network security (protection from high-level
cyber-security threats, changing circumvention/proxy to protect IP
address etc, encryption on
When law enforcement relies on vulnerabilities in the system (be it
protocols, operating systems, applications, or web sites), they are
incentivized to keep it insecure. If it were secure, how would they
get in?
Would the FBI patch their own systems against the bugs they know
about? How would
Nadim, I'm with you. I'm not sure it's the perfect solution for
everyone, but like Nathan said, if you already trust Google, I think
it's a good option.
On 6 February 2013 07:12, Andreas Bader noergelpi...@hotmail.de wrote:
Why don't you use an old thinkpad or something with Linux, you have the
Kulawiec r...@gsp.org wrote:
On Wed, Feb 06, 2013 at 10:24:28AM -0500, Tom Ritter wrote:
- ChromeOS's update mechanism is automatic, transparent, and basically
foolproof. Having bricked Ubuntu and Gentoo systems, the same is not
true of Linux.
Concur on this point, and wish to ask a related question
or on) and/or submit pull requests.
https://github.com/iSECPartners/LibTech-Auditing-Cheatsheet/
-tom
On 3 January 2013 18:41, Tom Ritter t...@ritter.vg wrote:
Hi all,
I'm working on a checklist/guidelines type document that aims to help
technical folks new to the LibTech arena audit
Hi all,
I'm working on a checklist/guidelines type document that aims to help
technical folks new to the LibTech arena audit applications to
identify weaknesses; and also help app developers look at the various
ways their application, stack and service providing may be weak. It is
not a every box
Something I'm not seeing discussed much is that the fundamental shift
of Who has this IP doesn't change. Right now my ISP gives me a
single IPv4 address and I NAT behind it. If someone asks them Who
has IP X at this time? they can answer. That doesn't change with
IPv6. They assign me a /64.