On Fri, Feb 15, 2013 at 01:35:53PM -0800, Adam Fisk wrote:
At the risk of getting swept up in this by consciously saying something
unpopular, I want to put my shoulder against the wheel of the open source
process produces more secure software machine. [snip]
I've been thinking about your
Rich,
That was the best email I have ever read on this mailing list.
Congratulations and thank you. Please post this as a blog post somewhere.
NK
On Tue, Mar 5, 2013 at 6:23 PM, Rich Kulawiec r...@gsp.org wrote:
On Fri, Feb 15, 2013 at 01:35:53PM -0800, Adam Fisk wrote:
At the risk of
Another aspect of this discussion I'm a bit surprised that no one has yet
raised is the simple truth that no amount of testing and source code review can
(or should) anoint a tool as secure.
Even with formally provably secure software, OS, hardware, etc. it is still a
very hard problem to make
On Fri, Feb 15, 2013 at 2:01 PM, Nadim Kobeissi na...@nadim.cc wrote:
On Fri, Feb 15, 2013 at 4:35 PM, Adam Fisk af...@bravenewsoftware.org
wrote:
I'm certainly more confident in the overall security of silent circle in
its first release than I was in the overall security of cryptocat.
Of
Adam,
There is a difference between telling someone you should *trust* this
software and telling them this software is probably going to work for you
because of X Y Z.
I feel like you are conflating two different issues. I firmly believe you
should *never* just *trust* encryption software that
On Tue, Feb 19, 2013 at 5:05 PM, Brian Conley bri...@smallworldnews.tv wrote:
PS even crypto-gods are fallible. And that's not a bad thing, it's just
human nature.
Yep. The day after Silent Phone code was published, someone found a privacy
issue:
..on Mon, Feb 18, 2013 at 08:00:24PM -0800, Adam Fisk wrote:
I think the principle of that is great, but in practice we just can't
all review all the code all the time. In practice we often end up
trusting open source code that is far worse reviewed than much of the
closed source code we
I don't think anyone would claim that every piece of free software is
automatically more secure than every piece of proprietary software,
because as you say there are many other factors involved.
Nor would I!
But in your definition of security, you seem to be discounting the
user's
Adam Fisk wrote:
but there are many other factors at play, including the resources and
expertise an organization is able to devote to the problem. Apple, for
example, has an overall great security track record, with most of that
code closed source.
Umm last time I looked, most of the
When I say million, I always mean billion...
On Fri, Feb 15, 2013 at 1:35 PM, Adam Fisk a...@bravenewsoftware.org wrote:
At the risk of getting swept up in this by consciously saying something
unpopular, I want to put my shoulder against the wheel of the open source
process produces more
On 2/14/13 8:36 AM, Jacob Appelbaum wrote:
The live code review with ascii art was really something to behold. It
was some kind of new art form that isn't very good but at the same time
is nearly impossible to not watch...
Something interesting happened yesterday, here a summary in case someone
On 14 February, 2013 - Fabio Pietrosanti (naif) wrote:
On 2/14/13 8:36 AM, Jacob Appelbaum wrote:
The live code review with ascii art was really something to behold. It
was some kind of new art form that isn't very good but at the same time
is nearly impossible to not watch...
Something
The collaborative platform which we've been using to inspect Silent
Circle's code (and where we were making good progress) has been
continuously vandalized for the past seven hours straight. Yes, that's
someone who's been on that pad for literally seven hours trying to prevent
collaboration.
Hi guys,
Let's set up another pad for collaboration, which hopefully will not get
vandalized.
Please try not to share this pad on Twitter or outside LibTech.
https://pad.riseup.net/p/silentcircle9504
NK
On Thu, Feb 14, 2013 at 9:43 AM, Nadim Kobeissi na...@nadim.cc wrote:
The collaborative
Nadim,
While I ~entirely~ agree this sucks and you've been mercilessly and
tastelessly trolled - if you're inferring there was any relation to the SC
code being swapped out - that's an irrelevant and unnecessary stretch.
Let's look at it from the other side w/ the same irrelevant
and unnecessary
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
All,
First of all, hi, I'm Lex van Roon from the Netherlands, and I've been
a lurker of this list up until now. Seeing the issues you guys have
had with keeping the silentcircle pad up running, I've setup a pad
on one of my colo boxen on which I
looks like the Silent Circle code is up on github?
https://github.com/SilentCircle
--
Unsubscribe, change to digest, or change password at:
https://mailman.stanford.edu/mailman/listinfo/liberationtech
This is good news! Still far from a complete source code release, but it's
good that they're progressing, even if very slowly.
Once all of the code is out I'll finally shut up about Silent Circle.
NK
On Wed, Feb 13, 2013 at 5:51 PM, Joseph Lorenzo Hall j...@cdt.org wrote:
looks like the
Here are some notes I collected with a quick review of the source code:
https://pad.riseup.net/p/silentcircle
-naif
On 2/14/13 1:36 AM, Nadim Kobeissi wrote:
This is good news! Still far from a complete source code release, but
it's good that they're progressing, even if very slowly.
Once all
Fabio Pietrosanti (naif):
Here are some notes I collected with a quick review of the source code:
I can see the headlines now...
Cryptography super-group more like a cover band
Cryptography Boy Band covers Latvian super-group
Cryptography super-group? More like Milli Vanilli!
or perhaps simply:
So to recap:
It hasn't been a few hours since Silent Circle released *some* of their
source code, and we already know that:
1. Silent Circle isn't built to be a secure communications platform,
but is simply a rebranding of TiviPhone, a Latvian-made VoIP software, with
added
Fabio just discovered that Silent Phone derives device IDs by hashing the
device IMEI with MD5...
WOW
NK
On Wed, Feb 13, 2013 at 11:51 PM, Nadim Kobeissi na...@nadim.cc wrote:
So to recap:
It hasn't been a few hours since Silent Circle released *some* of their
source code, and we already
Wait, wait, I just read some code around but without taking much care
about the logic of the code itself.
So there is stuff that should be checked in more detail by someone
else; notes by other people also ended up on that sort of
collaborative/chaotic pad https://pad.riseup.net/p/silentcircle .
The TiVi rebranding page is gone but the cache:
https://webcache.googleusercontent.com/search?q=cache:http://rebrand.tiviphone.com/
It would be utterly bizarre if Silent Circle started as a $199 euro
investment. I just can't swallow that. Not, by default, a negative
attribute - just - whacky.
I
Who is light green on the etherpad??
NK
On Thu, Feb 14, 2013 at 12:13 AM, Ali-Reza Anghaie a...@packetknife.com wrote:
The TiVi rebranding page is gone but the cache:
https://webcache.googleusercontent.com/search?q=cache:http://rebrand.tiviphone.com/
It would be utterly bizarre if Silent
The last useful version of the Silent Circle pad before troll-erasing is at
http://pastebit.com/pastie/12001 if you want to DL it..
Useful has varying definitions. Cheers, -Ali
On Thu, Feb 14, 2013 at 12:30 AM, Nadim Kobeissi na...@nadim.cc wrote:
Who is light green on the etherpad??
NK
Well so we've learned a few things:
1. The limits of completely open/anonymous spaces
2. Why anarchists operate in affinity groups and not everyone has equal right
hooray!
3. Someone is obviously threatened by Nadim (be proud not frustrated Nadim!)
4. People are still utter douchebags. I'm
Overall, I am dissatisfied with Chris totally ignoring my point regarding
hype in the media. Chris selectively criticizes projects he doesn't like
when the media hypes them up, but when it's Silent Circle, even calling it
unbreakable crypto doesn't get anything out of him but dozens of
quotations
At this point, I'd like to realize that I'm no longer contributing
productively to this conversation. I've stated my points, would like to
apologize should anyone have felt offended, and am going to bow out.
NK
On Fri, Feb 8, 2013 at 11:48 AM, Nadim Kobeissi na...@nadim.cc wrote:
Overall, I
An entire article's worth of lip service?
“I’m agnostic about this,” he says, “I don’t really care if Silent Circle
captures this market, just as long as somebody does.”
I spent the entire interview with the Verge writer complaining about the
crappy security delivered by the wireless carriers,
On 02/07/2013 04:42 AM, Nadim Kobeissi wrote:
Actual headline.
http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
NK
Notionally there is no unbreakable encryption.
Practically there is an unbreakable encryption (AES,
On Thu, Feb 7, 2013 at 11:41 AM, Andreas Bader noergelpi...@hotmail.de wrote:
Notionally there is no unbreakable encryption.
Practically there is an unbreakable encryption (AES, SHA-3); our
standards are more than adequate.
The risk with encryptions is more the possibility of a hardware hack.
On 02/07/2013 11:58 AM, Jens Christian Hillerup wrote:
On Thu, Feb 7, 2013 at 11:41 AM, Andreas Bader noergelpi...@hotmail.de
wrote:
Notionally there is no unbreakable encryption.
Practically there is an unbreakable encryption (AES, SHA-3); our
standards are more than adequate.
The risk with
Small follow-up:
Maybe it's true I look like my goal here is just to foam at the mouth at
Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
truly sorry. These are not my goals, even if my method seems forced.
I've tried writing multiple blog posts about Silent Circle,
Hello all,
I'm no sec expert but to me, it's so obvious that Nadim is right on this.
Perhaps the form is not perfect, but if he's the only one fighting for our
own sanity here, as he says, that's no surprise.
We should all be asking Silent Circle to commit to their statement and show
us the
On Thu, Feb 7, 2013 at 10:31 AM, Nadim Kobeissi na...@nadim.cc wrote:
I've tried writing multiple blog posts about Silent Circle, contacting
Silent Circle, asking journalists to *please* mention the importance of
free, open source in cryptography, and so on. All of this has failed. It
has
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Nadim Kobeissi:
Small follow-up: Maybe it's true I look like my goal here is just
to foam at the mouth at Silent Circle. Maybe it looks like I'm just
here to annoy Chris, and I'm truly sorry. These are not my goals,
even if my method seems
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Jens Christian Hillerup:
Hear-hear. They don't need to open-source their software to
convince me, as long as they are open about their protocol at
least.
And what if there's a second set of decryption master keys? You're
willing to trust them
Can Silent Circle promoters explain why Zimmermann is excused from
Kerckhoffs's principle?
Is it because something unverifiable is allegedly better than nothing?
Even if we had divine knowledge to tell us Silent Circle is secure,
isn't it an overriding problem to encourage lock-in of closed source
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Douglas Lucas:
Is it because something unverifiable is allegedly better than
nothing? Even if we had divine knowledge to tell us Silent Circle
is secure, isn't it an overriding problem to encourage lock-in of
closed source being acceptable for
On Thu, Feb 7, 2013 at 8:36 AM, Douglas Lucas d...@riseup.net wrote:
Can Silent Circle promoters explain why Zimmermann is excused from
Kerckhoffs's principle?
Is it because something unverifiable is allegedly better than nothing?
Even if we had divine knowledge to tell us Silent Circle is
Chris,
You have repeatedly stood up asking VoIP software to be more transparent
about their encryption. You have repeatedly stood up when the media
overblew coverage into hype.
I've never asked Skype to release the source code to their products, nor
have I berated Apple, Facebook or
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
scarp:
Douglas Lucas:
Is it because something unverifiable is allegedly better than
nothing? Even if we had divine knowledge to tell us Silent
Circle is secure, isn't it an overriding problem to encourage
lock-in of closed source being
On Thu, Feb 7, 2013 at 9:12 AM, Christopher Soghoian ch...@soghoian.net wrote:
My area of research is the intersection of law, policy and technology. As
such, I am most interested in companies' surveillance policies, their
commitment to transparency, and their stated willingness to tell the
On Thu, Feb 7, 2013 at 12:12 PM, Christopher Soghoian ch...@soghoian.net wrote:
What I resent though, is Nadim's repeated, malicious attempts to drag my
name through the mud, simply because I will not join his witch hunt against
Silent Circle. Since he cannot find a single example of me saying
Alchemy is to chemistry, astrology is to astronomy, as closed-source
is to open source.
Closed-source is intellectual fraud. It is the equivalent of an academic
paper which has a synopsis and conclusions -- but nothing else. No honest
reviewer would ever approve such tripe for publication in a
Inline below..
On Thu, Feb 7, 2013 at 11:34 AM, scarp sc...@tormail.org wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Jens Christian Hillerup:
Hear-hear. They don't need to open-source their software to
convince me, as long as they are open about their protocol at
least.
Douglas, I'm not sure many people are disagreeing with the end-goals and
even Zimmermann acknowledges the window for verifiable source proof is
closing fast (longer than many would have liked as-is).
My comments to Nadim are coming from a tact perspective - if the goal is to
gain wider adoption
Just as a reminder, please let's all try to refrain from engaging in any
personal attacks. We all build and use liberationtech to make a
difference in various ways, and we're bound to have disagreements. But
let's not forget that we're all working toward the same broad goal of
making people's
And even the proponents already have. Here, elsewhere, .. Nobody is happy
at technically ignorant gee-whiz journalism.
The discussion has been, a few times now, how we tend to speak out about
it. And what busses people on the same side seem willing to throw each
other under. Gods know why. -Ali
On Thu, Feb 7, 2013 at 5:34 PM, scarp sc...@tormail.org wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Jens Christian Hillerup:
Hear-hear. They don't need to open-source their software to
convince me, as long as they are open about their protocol at
least.
And what if there's a
The latest unbreakable even by a supercomputer article includes artistic,
black and white photographs of Phil Zimmermann and Jon Callas:
“I tell them go ahead and use Skype — I don’t even want to talk to you.
This is for serious people interested in serious cryptography,” Zimmermann
said. “We are not Facebook. We are the opposite of Facebook.”
I do have to wonder why they've twice mentioned embargoed countries they
couldn't sell to legally anyway.
Is there something I'm missing about ~selling~ dissidents solutions in Iran
and NK? US Government have an exception for that? -Ali
On Feb 7, 2013 4:38 PM, Nadim Kobeissi na...@nadim.cc wrote:
Is there something I'm missing about ~selling~ dissidents solutions in
Iran and NK? US Government have an exception for that? -Ali
There is a Favorable Licensing Policy for Iran on Internet Freedom that
specifically mentions Fee-Based Internet Communication Services, although
since published in
See Inline
On Thu, Feb 7, 2013 at 12:15 PM, Andy Isaacson a...@hexapodia.org wrote:
Silent Circle may be an excellent privacy app. It might not have any
significant security problems. It might even do a good job of
mitigating important platform-based attacks and supporting important new
Christopher Soghoian ch...@soghoian.net wrote:
Twitter's official client and server code are not open source
Much of Google's code, including all of the Gmail backend code is not open
source
That's a bit of a false equivalency, don't you think? Silent Circle's
whole premise is
Chris,
Nicely put. Agree with your comments 100%
Robert
--
On 2013-02-07, at 8:14 PM, Christopher Soghoian wrote:
See Inline
On Thu, Feb 7, 2013 at 12:15 PM, Andy Isaacson a...@hexapodia.org wrote:
Silent Circle may be an excellent privacy app. It might not have any
significant
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Ali-Reza Anghaie:
Inline below..
On Thu, Feb 7, 2013 at 11:34 AM, scarp sc...@tormail.org wrote:
The fact you can't buy into this service anonymously, so at least
payment credentials will be available. Even if Phil says he won't
be bad
+1.
I wish I could say otherwise, but now after a few years working as a
journalism trainer and in the journalism field I've been led to recognize
that, whether I like it or not, and whether it is ethical or not:
1. headlines are used to grab readers and generate buzz. I'd not read the
article
Actual headline.
http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
NK
C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree fundamentally
with anything he said there?
Brian
On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc wrote:
Chris Soghoian gives Silent Circle's unbreakable encryption an entire
article's worth of lip service here, it must
What I'm trying to point out is that Silent Circle can call itself a
super-group creating unbreakable encryption, market closed-source software
towards activists, and some experts will still speak out for
them favourably.
NK
On Wed, Feb 6, 2013 at 11:21 PM, Brian Conley
The enemy knows the system, but some enemies are more equal than others.
On 02/06/2013 10:21 PM, Brian Conley wrote:
C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree
fundamentally with anything he said there?
Brian
On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc