Re: [liberationtech] Wickr app aims to safeguard online privacy
I'm finding this discussion highly illuminating -- as I find many here. So before I make my comments, I want to say thanks to everyone for the education. You've given me *a lot* to think about while running.

My concerns re these sorts of self-destructing documents revolve (first) around the general notion that the application software which manages them has to have a timer -- so that it knows when it's time to delete them/expire their key/whatever. What if the timer never ticks? Or doesn't tick as expected? I'll freely admit that I'm not at all a phone software guy, but on the systems I'm most familiar with (Unix, Linux) it's not that hard to rewrite the system call time(2), relink the shared C library, and then cause dynamically linked applications to use this new one. It's somewhat harder to perform the equivalent manipulation with statically linked binaries (presuming one doesn't have the source code) but it can be done. And of course just changing the behavior in the OS would suffice. (Who's asking? Oh...then *this* is the answer.) I have to guess that these applications may rely on a similar underlying system service (which may in turn rely on NTP or some other off-system time source) to find out what time it is. Am I way wrong here?

My (second) set of concerns is that displaying a message to a user requires utilizing underlying system services as well. For example, when I read an email message with mutt, of course mutt itself is in play, as are some underlying screen manipulation libraries (curses and termlib, if memory serves) as is the OS tty driver. Any of those could be modified to capture, store, copy, etc. the stream of bytes as it goes by. (For that matter, script(1) will do a first-order job of doing that.) None of these are particularly elegant, and it would take some post-processing to reassemble the pieces into a complete and accurate message, but "Natasha! Tonight we get moose and squirrel!" could certainly be plucked out of that.

I suppose what I'm saying is that I don't think the set of {all recipients' phones} can be or should be trusted to actually delete messages when senders intend them to be because there's no way to know -- on the sender's side -- that this has actually happened AND that no copies of the plaintext were made anywhere along the way.

I think that what these projects are trying to do is impose DRM on content...and so far, every attempt to do DRM has failed. (That's a good thing.) Some of them have failed badly. (That's a very good thing.) As Schneier has said, trying to make bits not copyable is like trying to make water not wet. So I'm very skeptical that this can be made to work in the presence of attacks on the recipient side.

---rsk

-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Silent Circle is reading the list. ;-)
What about Transactional Records?

[1] http://privacysos.org/transactional_records

Fabio

On 2/6/13 12:47 AM, Ali-Reza Anghaie wrote:

They're agile about their coverage. ;-)

-Ali
Re: [liberationtech] Chromebooks for Risky Situations?
On 02/06/2013 07:28 AM, Nathan of Guardian wrote:
On 02/06/2013 01:22 PM, Ali-Reza Anghaie wrote:

How can projects like Privly play into it? Carrying a Tor Router along with you or building one on-site. None of the operational matters will ever be squarely addressed by one platform but it all can be decision-treed out nicely.

You could also use Orbot with wifi-tether on Android phone. It can transparent proxy all the wifi hotspot traffic over Tor.

+n

Why don't you use an old thinkpad or something with Linux, you have the same price like a Chromebook but more control over the system. And you don't depend on the 3G and Wifi net.
[liberationtech] Teachers’ pension plan invests in Internet surveillance firm.
http://www.thestar.com/opinion/editorialopinion/2013/02/06/teachers_pension_plan_invests_in_internet_surveillance_firm.print.html

Teachers’ pension plan invests in Internet surveillance firm.

Blue Coat Systems provides Internet censorship and surveillance technology to countries with poor human rights records.

By: Ron Deibert and Sarah McKune
Published on Wed Feb 06 2013

The Ontario Teachers Pension Plan (OTPP) administers pension benefits and invests assets on behalf of some 300,000 working and retired teachers. Its members have dedicated their careers to opening Canada’s young minds to new ideas, equipping them with the knowledge, skills and inspiration they will need to make their voices heard and contribute to society both in Canada and abroad.

Which makes it all the more remarkable that OTPP invests these teachers’ assets in Blue Coat Systems, a U.S.-based company that derives revenue from provision of technology that can be used for Internet censorship and surveillance to countries with poor and at times condemnable records on freedom of expression, access to information, and other human rights. These teachers’ retirement — as one member described it, “a reward for, you know, 30 dedicated years” — is supported in part by the continued demand for information control by authoritarian regimes in Bahrain, China and Saudi Arabia, to name just a few.

OTPP, as part of an investor group led by the private equity firm Thoma Bravo, agreed to acquire Blue Coat Systems in December 2011 for a total cost to the investor group of $1.3 billion (U.S.).

At that time, the potential of Blue Coat products to undermine human rights was already clear: investigations by a number of groups, including Citizen Lab at the Munk School of Global Affairs of the University of Toronto, confirmed in the fall of 2011 that Blue Coat devices were used in Syria, a country experiencing significant unrest and government crackdown, and subject to U.S. sanctions.

Citizen Lab wrote to OTPP then, urging it to engage in further analysis of Blue Coat’s corporate practices and policies concerning its Internet-filtering products and services, and direct dialogue with Blue Coat regarding uses of its products that may violate internationally recognized human rights. We received a response from OTPP in January 2012 noting that OTPP was aware of the issues Citizen Lab raised and was committed to principles for responsible investing. OTPP proceeded with its investment in Blue Coat Systems.

Now, a year later, Citizen Lab has released a new report, Planet Blue Coat: Mapping Global Censorship and Surveillance Tools. Using a combination of technical interrogation methods, our researchers scanned the Internet to look for signature evidence of Blue Coat products. While our investigation was not exhaustive and provided only a limited window of visibility into the deployment of such tools, what we were able to find raises serious concerns.

We uncovered 61 Blue Coat ProxySG and 316 Blue Coat PacketShaper devices, which are designed to filter online content and inspect and control network traffic. While legitimate for some purposes, these capabilities can also be used for mass censorship and surveillance of a country’s Internet users. It is noteworthy in this respect that 61 of these Blue Coat appliances are on public or government networks in countries with a history of concerns over human rights, surveillance and censorship (see the work of the OpenNet Initiative documenting such concerns).
Specifically, we found the ProxySG product, designed to filter access to information online, in Egypt, Kuwait, Qatar, Saudi Arabia and the United Arab Emirates. We found the PacketShaper appliance, capable of deep packet inspection and mass surveillance, in Afghanistan, Bahrain, China, India, Indonesia, Iraq, Kenya, Kuwait, Lebanon, Malaysia, Nigeria, Qatar, Russia, Saudi Arabia, South Korea, Singapore, Thailand, Turkey and Venezuela. If companies like Blue Coat Systems are ever to acknowledge the human rights implications of their products and embrace corporate social responsibility measures, more pressure is necessary. What should OTPP do? Blue Coat Systems pursues profit on behalf of its investors, including OTPP and its members, and it is these investors who are perhaps best placed to call for more transparency and accountability within the company. Indeed, a representative of the OTPP asset group Teachers’ Private Capital sits on the Blue Coat Systems board. OTPP and its members should task Blue Coat to develop and make public robust human rights policy commitments, practices and due diligence measures; investigate the purposes for which its products will be used, ensuring that products are not sold to users likely to direct them to illegitimate ends; and engage in transparent discussions within civil society, industry, and elsewhere about the
Re: [liberationtech] Chromebooks for Risky Situations?
Nadim, I'm with you. I'm not sure it's the perfect solution for everyone, but like Nathan said, if you already trust Google, I think it's a good option.

On 6 February 2013 07:12, Andreas Bader noergelpi...@hotmail.de wrote:

Why don't you use an old thinkpad or something with Linux, you have the same price like a Chromebook but more control over the system. And you don't depend on the 3G and Wifi net.

We started with the notion of Linux, and we were attracted to Chromebooks for a bunch of reasons. Going back to Linux loses all the things we were attracted to.

- ChromeOS's attack surface is infinitely smaller than with Linux
- The architecture of ChromeOS is different from Linux - process separation through SOP, as opposed to no process separation at all
- ChromeOS was *designed* to have you logout, and hand the device over to someone else to login, and get no access to your stuff. Extreme Hardware attacks aside, it works pretty well.
- ChromeOS's update mechanism is automatic, transparent, and basically foolproof. Having bricked Ubuntu and Gentoo systems, the same is not true of Linux.
- Verified Boot, automatic FDE, tamper-resistant hardware

Something I'm curious about is, if any less-popular device became popular among the activist community - would the government view it as an indicator of interest? Just like they block Tor, would they block Chromebooks? It'd have to get pretty darn popular first though.

-tom
Re: [liberationtech] Chromebooks for Risky Situations?
On 02/06/2013 04:24 PM, Tom Ritter wrote:

Nadim, I'm with you. I'm not sure it's the perfect solution for everyone, but like Nathan said, if you already trust Google, I think it's a good option.

On 6 February 2013 07:12, Andreas Bader noergelpi...@hotmail.de wrote:

Why don't you use an old thinkpad or something with Linux, you have the same price like a Chromebook but more control over the system. And you don't depend on the 3G and Wifi net.

We started with the notion of Linux, and we were attracted to Chromebooks for a bunch of reasons. Going back to Linux loses all the things we were attracted to.

- ChromeOS's attack surface is infinitely smaller than with Linux
- The architecture of ChromeOS is different from Linux - process separation through SOP, as opposed to no process separation at all
- ChromeOS was *designed* to have you logout, and hand the device over to someone else to login, and get no access to your stuff. Extreme Hardware attacks aside, it works pretty well.
- ChromeOS's update mechanism is automatic, transparent, and basically foolproof. Having bricked Ubuntu and Gentoo systems, the same is not true of Linux.
- Verified Boot, automatic FDE, tamper-resistant hardware

Something I'm curious about is, if any less-popular device became popular among the activist community - would the government view it as an indicator of interest? Just like they block Tor, would they block Chromebooks? It'd have to get pretty darn popular first though.

-tom

But you can't use it for political activists e.g. in Syria because of its dependence on the internet connection. This fact is authoritative. For Europe and USA and so on it might be a good solution.
Re: [liberationtech] Chromebooks for Risky Situations?
Tom Ritter t...@ritter.vg writes:
On 6 February 2013 07:12, Andreas Bader noergelpi...@hotmail.de wrote:

Why don't you use an old thinkpad or something with Linux, you have the same price like a Chromebook but more control over the system. And you don't depend on the 3G and Wifi net.

- The architecture of ChromeOS is different from Linux - process separation through SOP, as opposed to no process separation at all

Can you say what you mean here? What is SOP in this context?

- ChromeOS's update mechanism is automatic, transparent, and basically foolproof. Having bricked Ubuntu and Gentoo systems, the same is not true of Linux.

I would be surprised if you actually 'bricked' these systems, since neither operating system you mention involves a procedure that has the risk of bricking a device. I suspect this is hyperbole?

- Verified Boot, automatic FDE, tamper-resistant hardware

All of this reminds me of this post: http://mjg59.dreamwidth.org/22465.html which concludes:

Some people don't like Secure Boot because they don't trust Microsoft. If you trust Google more, then a Chromebook is a reasonable choice. But some people don't like Secure Boot because they see it as an attack on user freedom, and those people should be willing to criticise Google's stance. Unlike Microsoft, Chromebooks force the user to choose between security and freedom. Nobody should be forced to make that choice.
[liberationtech] Cyber war rhetoric
It seems to be escalating. The rhetoric, I mean. See e.g. http://m.csoonline.com/article/728341/preemptive-cyberattack-disclosure-a-warning-to-china ?
Re: [liberationtech] Pressure Increases On Silent Circle To Release Application Source Code
On 02/06/2013 10:06 PM, Nadim Kobeissi wrote:

http://www.forbes.com/sites/jonmatonis/2013/02/06/pressure-increases-on-silent-circle-to-release-application-source-code/

[Disclosure: Author is consultant for a Silent Circle reseller based in Japan.]

That is one of the strangest disclosures I have ever seen.

+n
Re: [liberationtech] Chromebooks for Risky Situations?
On 06/02/13 15:52, Rich Kulawiec wrote:

Many operating systems and applications and even application extensions (e.g., Firefox extensions) now attempt to discover the presence of updates for themselves either automatically or because a user instructs them to do. Is there any published research on the security consequences of doing so? (What I'm thinking of is an adversary who observes network traffic and thus can ascertain operating system type/version/patch level, installed application base/version/patch level, etc.)

I'd be interested to hear about rollback attacks on such mechanisms. For example, Debian's security updates are signed, but they're fetched over an unauthenticated channel. Can an attacker fool a Debian system into believing that no updates are available?

Cheers,
Michael
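The rollback and "no updates available" replay questions raised in this message, sketched as an added example that is not part of the original post or of any project's code. The index format, `sign_index` and `UpdateClient` are hypothetical, the clock values are constructed, and HMAC stands in for the repository's public-key signature so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in for the repository's
# public-key signature; a real client would hold only a public key.
REPO_KEY = b"constructed-demo-key"


def sign_index(version, expires, packages, key=REPO_KEY):
    """Repository side: publish a signed package index (hypothetical format)."""
    body = json.dumps(
        {"version": version, "expires": expires, "packages": packages},
        sort_keys=True,
    ).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class UpdateClient:
    """Client that remembers the newest index version it has accepted."""

    def __init__(self, key=REPO_KEY):
        self.key = key
        self.last_version = 0  # trusted local state, survives across fetches

    def check(self, signed, now):
        """Return (verdict, index) for an index fetched over an untrusted channel."""
        expected = hmac.new(self.key, signed["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["sig"]):
            return "bad-signature", None
        index = json.loads(signed["body"])
        # A valid signature only proves the repository published this index
        # at some point. It says nothing about whether it is the latest one.
        if index["version"] < self.last_version:
            return "rollback", None  # older than something already accepted
        if index["expires"] <= now:
            return "stale", None  # replayed past its validity window
        self.last_version = index["version"]
        return "ok", index


def demo():
    """Replay a genuine but outdated index against two clients."""
    # Constructed sample data: v1 is superseded by v2, which carries a fix.
    v1 = sign_index(1, expires=200, packages={"examplepkg": "1.0"})
    v2 = sign_index(2, expires=250, packages={"examplepkg": "1.1"})

    results = {}
    seen_v2 = UpdateClient()
    results["fresh_v2"] = seen_v2.check(v2, now=160)[0]
    # Network adversary serves the old, validly signed v1 index.
    results["replay_v1_after_v2"] = seen_v2.check(v1, now=170)[0]

    # A client that never saw v2 cannot detect the replay by version alone;
    # the expiry field bounds how long it can be told "nothing new".
    new_client = UpdateClient()
    results["replay_v1_in_window"] = new_client.check(v1, now=170)[0]
    results["replay_v1_expired"] = new_client.check(v1, now=210)[0]

    # Modifying the index in transit is what the signature does catch.
    tampered = {"body": v1["body"].replace(b"1.0", b"0.9"), "sig": v1["sig"]}
    results["tampered"] = UpdateClient().check(tampered, now=170)[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `replay_v1_in_window` case is the one the question is about: the signature verifies and nothing is flagged until the index expires, so the length of the validity window is the length of time a client can be held on old packages.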
Re: [liberationtech] Pressure Increases On Silent Circle To Release Application Source Code
LOL! At least it implies that one of Silent Circle's customers or their consultants may support open sourcing the code.

On Feb 6, 2013 8:09 AM, Nathan of Guardian nat...@guardianproject.info wrote:
On 02/06/2013 10:06 PM, Nadim Kobeissi wrote:

http://www.forbes.com/sites/jonmatonis/2013/02/06/pressure-increases-on-silent-circle-to-release-application-source-code/

[Disclosure: Author is consultant for a Silent Circle reseller based in Japan.]

That is one of the strangest disclosures I have ever seen.

+n
Re: [liberationtech] Chromebooks for Risky Situations?
We started with the notion of Linux, and we were attracted to Chromebooks for a bunch of reasons. Going back to Linux loses all the things we were attracted to.

- ChromeOS's attack surface is infinitely smaller than with Linux
- The architecture of ChromeOS is different from Linux - process separation through SOP, as opposed to no process separation at all
- ChromeOS was *designed* to have you logout, and hand the device over to someone else to login, and get no access to your stuff. Extreme Hardware attacks aside, it works pretty well.
- ChromeOS's update mechanism is automatic, transparent, and basically foolproof. Having bricked Ubuntu and Gentoo systems, the same is not true of Linux.
- Verified Boot, automatic FDE, tamper-resistant hardware

I think SL, Debian, Suse or CentOS are not less secure than ChromeOS. And if there is a secure problem then you have enough control to fix the system. I have never bricked my LUKS encrypted Debian System. Running on an old Lenovo X61s.
Re: [liberationtech] Chromebooks for Risky Situations?
On 6 February 2013 10:52, micah anderson mi...@riseup.net wrote:

Can you say what you mean here? What is SOP in this context?

ChromeOS's 'Apps' are all extensions or webpages. One can't interact with any other due to the standard Same Origin Policy browsers enforce. It's what stops evilco.com from reading your logged in gmail.com tab in FF/Chrome/IE/any browser today.

I would be surprised if you actually 'bricked' these systems, since neither operating system you mention involves a procedure that has the risk of bricking a device. I suspect this is hyperbole?

Well, I have a colleague rebuilding a FDE Ubuntu computer right now because we can't figure out how to repair its partition table and get it to boot without a LiveCD. It's probably possible, but we're pretty technical people and we made the call it would take less time to recreate the machine than 'fix' it. Similarly, I recently paid the gentoo tax while upgrading udev and not having a kernel switch turned on - wouldn't boot, requiring me to LiveCD it, enable the setting, recompile the kernel and replace it.

So bricked in the sense of it's now a brick and might as well be sold for parts - you're right, that's hyperbole. But for a non-technical person, with no access to someone to repair a machine for him/her - I don't know, I think it might as well be bricked. They can't fix it on their own, and it's not going to boot.

- Verified Boot, automatic FDE, tamper-resistant hardware

All of this reminds me of this post: http://mjg59.dreamwidth.org/22465.html which concludes:

Some people don't like Secure Boot because they don't trust Microsoft. If you trust Google more, then a Chromebook is a reasonable choice. But some people don't like Secure Boot because they see it as an attack on user freedom, and those people should be willing to criticise Google's stance. Unlike Microsoft, Chromebooks force the user to choose between security and freedom. Nobody should be forced to make that choice.

I don't disagree with the notion that Chromebooks, Windows 8, iOS, and other examples make you choose between Insecure and running your own stuff and Secure and running their stuff. I completely agree with it. I do disagree with a phrase of your except "Chromebooks force the user to choose between security and freedom" - I would rephrase it "Chromebooks force the user to choose between freedom and Google's stewardship."

My gender-inspecific-nontechnical-family-member is not interested in running after-market app stores or tethering apps on their phone, so if security was the only concern I would recommend iPhone because it is harder to root. Similarly, if an activist is not going to run third party apps or 'jailbreak' their device (and nobody is going to take the responsibility to do it for them and then be full time tech support) - choosing a more secure, albeit stewarded by Google/Apple, system makes sense.

I know some people don't believe this, and I know some people (like RMS) say we should always fight the good fight and never give way... But if you nailed me down and said "Make a computer recommendation, someone's life may depend on it." Depending on who their adversary is, I would probably not make the Free OS recommendation.

On 6 February 2013 10:52, Rich Kulawiec r...@gsp.org wrote:
On Wed, Feb 06, 2013 at 10:24:28AM -0500, Tom Ritter wrote:

- ChromeOS's update mechanism is automatic, transparent, and basically foolproof. Having bricked Ubuntu and Gentoo systems, the same is not true of Linux.

Concur on this point, and wish to ask a related question: Many operating systems and applications and even application extensions (e.g., Firefox extensions) now attempt to discover the presence of updates for themselves either automatically or because a user instructs them to do. Is there any published research on the security consequences of doing so? (What I'm thinking of is an adversary who observes network traffic and thus can ascertain operating system type/version/patch level, installed application base/version/patch level, etc.)

I don't know of any research to point you to. Obviously any automatic or manual upgrade process is fraught with peril, as it is essentially designed to be an endpoint for remote code execution. It would be nice if Google or Microsoft did a case study on how they architected their update systems. Obviously MSFT's went screwy with Flame, but I still think there's lessons we can learn.

To Michael's point, how these systems deal with rollbacks and network isolation is interesting. I've heard that Tor Project's Thandy is an implementation of a research paper that covers this and other topics, but I can't find a reference. Maybe someone can find it and provide one.

On 6 February 2013 11:23, Andreas Bader noergelpi...@hotmail.de wrote:

I think SL, Debian, Suse or CentOS are not less secure than ChromeOS. And if there is a secure problem then you have enough control to fix the system. I
Re: [liberationtech] Chromebooks for Risky Situations?
Just FYI: Chrome OS devices are not subject to roll back attacks because the verified boot does not allow that. Google has extensive documentation on this, and you can review the implementation by viewing the source code. Rollback attacks were an attack vector they specifically designed to prevent. In fact as a Chrome OS user this is as much a disadvantage as it is an advantage: updates are forced - you can not go back, and bug regressions which don't affect security but that are annoying can occur and there isn't anything you can do about that.

Also, it isn't just verified boot an attacker would have to overcome. The DM verity means any OS and onboard application code must checksum correctly or it will never run, this is true at all times. Realize as well that all of this code is always running off read only file systems.

Note that the builtin data partition (not executable code, in fact data filesystem is mounted no exec) encryption is defeatable in the minimal sense that Chrome OS does allow users to choose to not have to login when waking from sleep, so user stupidity allows a small opening here. Heh - happened to me. Lost my chromebook and could not remember if I had left it locked (long story!), but I knew it was asleep. Finder may have had access to my login session, albeit of little use since I changed my password and I believe this deactivated access to current email login, eg. Also enterprise administrators may have the option of overriding user choice here, saving users from their stupidity.

Another interesting point: the onboard ssh client is implemented partially in JavaScript (the terminal portion). Before you wince, know that Google argues this is more secure than normal ssh Unix clients because in addition to all the usual ssh protections, it is necessarily running in a Chrome sandbox! They are probably right about that? I think so.

Finally, I wrote up some stuff on their wiki: you can run in dev mode but still have fully verified boot and auto update. This gives the machine a larger local attack surface (not remote though), but opens access to some Unix user land such as the onboard openssl which you could use for additional encryption.

Note too that Chrome OS devices share well and do so while totally protecting users from each other.

Not a security expert myself. But I have been administering Unix systems fulltime for over 15 years. No question in my mind that these things are more secure BY FAR than any other off the shelf solution you can buy as a consumer. That a normal Unix distro could be made to be as secure is IMO not true as well.

Google has of course just made Chrome OS the target for their Pwnium challenge this year. Should be interesting!

Trever

On Feb 6, 2013 8:31 AM, Tom Ritter t...@ritter.vg wrote:
On 6 February 2013 10:52, micah anderson mi...@riseup.net wrote:

Can you say what you mean here? What is SOP in this context?

ChromeOS's 'Apps' are all extensions or webpages. One can't interact with any other due to the standard Same Origin Policy browsers enforce. It's what stops evilco.com from reading your logged in gmail.com tab in FF/Chrome/IE/any browser today.

I would be surprised if you actually 'bricked' these systems, since neither operating system you mention involves a procedure that has the risk of bricking a device. I suspect this is hyperbole?

Well, I have a colleague rebuilding a FDE Ubuntu computer right now because we can't figure out how to repair its partition table and get it to boot without a LiveCD. It's probably possible, but we're pretty technical people and we made the call it would take less time to recreate the machine than 'fix' it. Similarly, I recently paid the gentoo tax while upgrading udev and not having a kernel switch turned on - wouldn't boot, requiring me to LiveCD it, enable the setting, recompile the kernel and replace it.

So bricked in the sense of it's now a brick and might as well be sold for parts - you're right, that's hyperbole. But for a non-technical person, with no access to someone to repair a machine for him/her - I don't know, I think it might as well be bricked. They can't fix it on their own, and it's not going to boot.

- Verified Boot, automatic FDE, tamper-resistant hardware

All of this reminds me of this post: http://mjg59.dreamwidth.org/22465.html which concludes:

Some people don't like Secure Boot because they don't trust Microsoft. If you trust Google more, then a Chromebook is a reasonable choice. But some people don't like Secure Boot because they see it as an attack on user freedom, and those people should be willing to criticise Google's stance. Unlike Microsoft, Chromebooks force the user to choose between security and freedom. Nobody should be forced to make that choice.

I don't disagree with the notion that Chromebooks, Windows 8, iOS, and other examples make you choose between Insecure and running your own stuff and
Re: [liberationtech] Pressure Increases On Silent Circle To Release Application Source Code (Transactional data)
Please remind that for a service-based model the risks are not also related to the transactional data: http://privacysos.org/transactional_records

It would be really nice to know which is the data-retention policy for:

- connection logs
- phone call logs
- email logs (as they will provide also secure email)

Additionally it would be very useful to know, being a service based business model (and not a software based one):

- which is the policy related to the handling and to the publicity of NSL (National Security Letters) and other kind of inquiry (connection logs, phone call logs) from governmental's security agencies?

Fabio

On 2/6/13 5:20 PM, Brian Conley wrote:

LOL! At least it implies that one of Silent Circle's customers or their consultants may support open sourcing the code.

On Feb 6, 2013 8:09 AM, Nathan of Guardian nat...@guardianproject.info wrote:
On 02/06/2013 10:06 PM, Nadim Kobeissi wrote:

http://www.forbes.com/sites/jonmatonis/2013/02/06/pressure-increases-on-silent-circle-to-release-application-source-code/

[Disclosure: Author is consultant for a Silent Circle reseller based in Japan.]

That is one of the strangest disclosures I have ever seen.

+n
Re: [liberationtech] Chromebooks for Risky Situations?
Andreas,

Plenty of Syrians do have internet access, and use it on a regular basis. Also, lack of appropriateness for one use-case doesn't necessitate lack of appropriateness across the board. Linux is a great solution for many use cases, but as has been elaborated, quite a terrible one for many others.

Brian

On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader noergelpi...@hotmail.de wrote:
On 02/06/2013 04:24 PM, Tom Ritter wrote:

Nadim, I'm with you. I'm not sure it's the perfect solution for everyone, but like Nathan said, if you already trust Google, I think it's a good option.

On 6 February 2013 07:12, Andreas Bader noergelpi...@hotmail.de wrote:

Why don't you use an old thinkpad or something with Linux, you have the same price like a Chromebook but more control over the system. And you don't depend on the 3G and Wifi net.

We started with the notion of Linux, and we were attracted to Chromebooks for a bunch of reasons. Going back to Linux loses all the things we were attracted to.

- ChromeOS's attack surface is infinitely smaller than with Linux
- The architecture of ChromeOS is different from Linux - process separation through SOP, as opposed to no process separation at all
- ChromeOS was *designed* to have you logout, and hand the device over to someone else to login, and get no access to your stuff. Extreme Hardware attacks aside, it works pretty well.
- ChromeOS's update mechanism is automatic, transparent, and basically foolproof. Having bricked Ubuntu and Gentoo systems, the same is not true of Linux.
- Verified Boot, automatic FDE, tamper-resistant hardware

Something I'm curious about is, if any less-popular device became popular among the activist community - would the government view it as an indicator of interest? Just like they block Tor, would they block Chromebooks? It'd have to get pretty darn popular first though.

-tom

But you can't use it for political activists e.g. in Syria because of its dependence on the internet connection. This fact is authoritative. For Europe and USA and so on it might be a good solution.

-- Brian Conley
Director, Small World News
http://smallworldnews.tv
m: 646.285.2046
Skype: brianjoelconley
Re: [liberationtech] Pressure Increases On Silent Circle To Release Application Source Code (Transactional data)
Their existing policies indicate they don't store transactional data between SC users but they do store login and business data from an individual customer to SC. They have not yet released the email solution and haven't expanded their statements to include that data. They state they currently hold any logs for seven days and are working to reduce that to 24 hours. They have other statements on CALEA already but I'm not sure how anyone can address, at least ahead of time, NSLs specifically (by nature). They also offer anonymous purchasing options. All of this has gaps I'm sure we can all ponder on - but for now where they stand, which in relation to their peers sounds pretty good, is all at:
https://silentcircle.com/web/law-compliance/
https://silentcircle.com/web/what-we-do-dont-do/
https://silentcircle.com/web/privacy/
https://silentcircle.com/web/ronin/
Will be interesting to see how it evolves and their first reports to customers about Government requests.
-Ali
On Wed, Feb 6, 2013 at 1:43 PM, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
Please remind that for a service-based model the risks are not also related to the transactional data : http://privacysos.org/transactional_records
It would be really nice to know which is the data-retention policy for:
- connection logs
- phone call logs
- email logs (as they will provide also secure email)
Additionally it would be very useful to know, being a service based business model (and not a software based one):
- which is the policy related to the handling and to the publicity of NSL (National Security Letters) and other kind of inquiry (connection logs, phone call logs) from governmental's security agencies?
Fabio
On 2/6/13 5:20 PM, Brian Conley wrote:
LOL! At least it implies that one of Silent Circle's customers or their consultants may support open sourcing the code.
On Feb 6, 2013 8:09 AM, Nathan of Guardian nat...@guardianproject.info wrote:
On 02/06/2013 10:06 PM, Nadim Kobeissi wrote:
http://www.forbes.com/sites/jonmatonis/2013/02/06/pressure-increases-on-silent-circle-to-release-application-source-code/
[Disclosure: Author is consultant for a Silent Circle reseller based in Japan.]
That is one of the strangest disclosures I have ever seen.
+n
[liberationtech] Draft Chapter on Deep Packet Inspection
Hi all,
My doctoral research focuses on the politics of DPI, with attention spent to how the technology operates as a nexus for a host of competing political interests. I've just made available the first chapter, which outlines the 'lineage' of packet inspection devices as well as the use cases of DPI. It's written to explain to social scientists (a) what the technology is; (b) why it's significant. Analysis and argumentative facets of the dissertation come later, in chapters six and seven, and thus are significantly absent in this chapter. I thought that it might be of interest to members on the list. Comments and feedback are welcomed.
Summary: This chapter traces the lineage of contemporary packet inspection systems that monitor data traffic flowing across the Internet in real time. After discussing how shallow, medium, and deep packet inspection systems function, I outline the significance of this technology’s most recent iteration, deep packet inspection, and how it could be used to fulfill technical, economic, and political goals. Achieving these goals, however, requires that deep packet inspection be regarded as a surveillance practice. Indeed, deep packet inspection is, at its core, a surveillance-based technology that is used by private actors, such as Internet service providers, to monitor and mediate citizens’ communications. Given the importance of Internet-based communications to every facet of Western society, from personal communications, to economic, cultural and political exchanges, deep packet inspection must be evaluated not just in the abstract but with attention towards how society shapes its deployment and how it may shape society.
Link: http://www.christopher-parsons.com/blog/technology/draft-deep-packet-inspection-and-its-predecessors/
Cheers, Chris
--
Christopher Parsons Doctoral Candidate Political Science, University of Victoria http://www.christopher-parsons.com
Re: [liberationtech] Chromebooks for Risky Situations?
The biggest (and very important) difference between Linux and Chromebooks is the hugely smaller attack surface.
NK
On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley bri...@smallworldnews.tv wrote:
Andreas,
Plenty of Syrians do have internet access, and use it on a regular basis. Also, lack of appropriateness for one use-case doesn't necessitate lack of appropriateness across the board. Linux is a great solution for many use cases, but as has been elaborated, quite a terrible one for many others.
Brian
On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader noergelpi...@hotmail.de wrote:
On 02/06/2013 04:24 PM, Tom Ritter wrote:
Nadim, I'm with you. I'm not sure it's the perfect solution for everyone, but like Nathan said, if you already trust Google, I think it's a good option.
On 6 February 2013 07:12, Andreas Bader noergelpi...@hotmail.de wrote:
Why don't you use an old thinkpad or something with Linux, you have the same price like a Chromebook but more control over the system. And you don't depend on the 3G and Wifi net.
We started with the notion of Linux, and we were attracted to Chromebooks for a bunch of reasons. Going back to Linux loses all the things we were attracted to.
- ChromeOS's attack surface is infinitely smaller than with Linux
- The architecture of ChromeOS is different from Linux - process separation through SOP, as opposed to no process separation at all
- ChromeOS was *designed* to have you logout, and hand the device over to someone else to login, and get no access to your stuff. Extreme Hardware attacks aside, it works pretty well.
- ChromeOS's update mechanism is automatic, transparent, and basically foolproof. Having bricked Ubuntu and Gentoo systems, the same is not true of Linux.
- Verified Boot, automatic FDE, tamper-resistant hardware
Something I'm curious about is, if any less-popular device became popular among the activist community - would the government view it as an indicator of interest? Just like they block Tor, would they block Chromebooks? It'd have to get pretty darn popular first though.
-tom
But you can't use it for political activists e.g. in Syria because of its dependence on the internet connection. This fact is authoritative. For Europe and USA and so on it might be a good solution.
--
Brian Conley Director, Small World News http://smallworldnews.tv m: 646.285.2046 Skype: brianjoelconley
Re: [liberationtech] Chromebooks for Risky Situations?
On Wed, Feb 6, 2013 at 1:28 AM, Nathan of Guardian nat...@guardianproject.info wrote:
On 02/06/2013 01:22 PM, Ali-Reza Anghaie wrote:
How can projects like Privly play into it? Carrying a Tor Router along with you or building one on-site. None of the operational matters will ever be squarely addressed by one platform but it all can be decision-treed out nicely.
You could also use Orbot with wifi-tether on Android phone. It can transparent proxy all the wifi hotspot traffic over Tor.
Using an android phone as a tether seems much more normal and fits the profile of an international traveler. Carrying a router around might not be the best option for staying low-profile.
I like Chrome OS but am addicted to Pidgin with OTR. It's really the only thing keeping me from trying out a Chromebook. (Even Photoshop is available 'in the cloud'). If you need to install a few programs locally but like the overall idea and features, JoliOS looks to be a good option: http://www.jolicloud.com/jolios
Somewhat off-topic: I reject the idea that because something isn't right for Syrians, that it's not useful. There is an incredible spectrum of threat models to consider. And usability is a factor. It's worth considering that state-sponsored Windows spyware is a major problem. But people still use it because the realistic alternative is more difficult to use (even Ubuntu has a sharp learning curve).
Best, Griffin Boyce
Re: [liberationtech] Chromebooks for Risky Situations?
I'm glad people have had luck with tethering their Android phones internationally. I've had absolutely zero - I'll have to give it another run with a locally rented provider I suppose. Anyone try in the UAE recently? Provider, hardware? Egypt? Curious.
-Ali
On Feb 6, 2013 3:19 PM, Griffin Boyce griffinbo...@gmail.com wrote:
On Wed, Feb 6, 2013 at 1:28 AM, Nathan of Guardian nat...@guardianproject.info wrote:
On 02/06/2013 01:22 PM, Ali-Reza Anghaie wrote:
How can projects like Privly play into it? Carrying a Tor Router along with you or building one on-site. None of the operational matters will ever be squarely addressed by one platform but it all can be decision-treed out nicely.
You could also use Orbot with wifi-tether on Android phone. It can transparent proxy all the wifi hotspot traffic over Tor.
Using an android phone as a tether seems much more normal and fits the profile of an international traveler. Carrying a router around might not be the best option for staying low-profile.
I like Chrome OS but am addicted to Pidgin with OTR. It's really the only thing keeping me from trying out a Chromebook. (Even Photoshop is available 'in the cloud'). If you need to install a few programs locally but like the overall idea and features, JoliOS looks to be a good option: http://www.jolicloud.com/jolios
Somewhat off-topic: I reject the idea that because something isn't right for Syrians, that it's not useful. There is an incredible spectrum of threat models to consider. And usability is a factor. It's worth considering that state-sponsored Windows spyware is a major problem. But people still use it because the realistic alternative is more difficult to use (even Ubuntu has a sharp learning curve).
Best, Griffin Boyce
Re: [liberationtech] Chromebooks for Risky Situations?
What Android OS are you using, Ali? It's a snap with Google Nexus running 4.0. Perhaps it's an OS version or carrier-rolled OS that is the problem?
Brian
On Wed, Feb 6, 2013 at 12:26 PM, Ali-Reza Anghaie a...@packetknife.com wrote:
I'm glad people have had luck with tethering their Android phones internationally. I've had absolutely zero - I'll have to give it another run with a locally rented provider I suppose. Anyone try in the UAE recently? Provider, hardware? Egypt? Curious.
-Ali
On Feb 6, 2013 3:19 PM, Griffin Boyce griffinbo...@gmail.com wrote:
On Wed, Feb 6, 2013 at 1:28 AM, Nathan of Guardian nat...@guardianproject.info wrote:
On 02/06/2013 01:22 PM, Ali-Reza Anghaie wrote:
How can projects like Privly play into it? Carrying a Tor Router along with you or building one on-site. None of the operational matters will ever be squarely addressed by one platform but it all can be decision-treed out nicely.
You could also use Orbot with wifi-tether on Android phone. It can transparent proxy all the wifi hotspot traffic over Tor.
Using an android phone as a tether seems much more normal and fits the profile of an international traveler. Carrying a router around might not be the best option for staying low-profile.
I like Chrome OS but am addicted to Pidgin with OTR. It's really the only thing keeping me from trying out a Chromebook. (Even Photoshop is available 'in the cloud'). If you need to install a few programs locally but like the overall idea and features, JoliOS looks to be a good option: http://www.jolicloud.com/jolios
Somewhat off-topic: I reject the idea that because something isn't right for Syrians, that it's not useful. There is an incredible spectrum of threat models to consider. And usability is a factor. It's worth considering that state-sponsored Windows spyware is a major problem. But people still use it because the realistic alternative is more difficult to use (even Ubuntu has a sharp learning curve).
Best, Griffin Boyce
--
Brian Conley Director, Small World News http://smallworldnews.tv m: 646.285.2046 Skype: brianjoelconley
Re: [liberationtech] Chromebooks for Risky Situations?
The word Linux doesn't refer to anything, other than maybe the kernel. Chrome OS is linux. But it's a massively stripped down distribution that has a radical design, including the fact that it will ONLY run if all of the cryptographic checks are verified from the root of trust. That root of trust is Google's massively large PKI public key that is burned into the firmware.
For a journalist in the field, that's a great reassurance. Take your Chromebook to China. The Chinese government can not alter what you are running without either (a) modifying your hardware, which means they take possession of it for a period of time and manage to do something that is tricky to do (i.e. circumstances under which you'd no longer trust your computer anyways) or (b) you will know they tried to hack it and your Chromebook will refuse to boot, and will instead wipe away the hacks and update itself and won't boot unless the update is a legitimate one signed by Google.
Yes, you can't compare Chrome OS's attack surface to a typical linux distribution, or even a highly customized linux install which doesn't have the hardware root of trust.
On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi na...@nadim.cc wrote:
The biggest (and very important) difference between Linux and Chromebooks is the hugely smaller attack surface.
NK
On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley bri...@smallworldnews.tv wrote:
Andreas,
Plenty of Syrians do have internet access, and use it on a regular basis. Also, lack of appropriateness for one use-case doesn't necessitate lack of appropriateness across the board. Linux is a great solution for many use cases, but as has been elaborated, quite a terrible one for many others.
Brian
On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader noergelpi...@hotmail.de wrote:
On 02/06/2013 04:24 PM, Tom Ritter wrote:
Nadim, I'm with you. I'm not sure it's the perfect solution for everyone, but like Nathan said, if you already trust Google, I think it's a good option.
On 6 February 2013 07:12, Andreas Bader noergelpi...@hotmail.de wrote:
Why don't you use an old thinkpad or something with Linux, you have the same price like a Chromebook but more control over the system. And you don't depend on the 3G and Wifi net.
We started with the notion of Linux, and we were attracted to Chromebooks for a bunch of reasons. Going back to Linux loses all the things we were attracted to.
- ChromeOS's attack surface is infinitely smaller than with Linux
- The architecture of ChromeOS is different from Linux - process separation through SOP, as opposed to no process separation at all
- ChromeOS was *designed* to have you logout, and hand the device over to someone else to login, and get no access to your stuff. Extreme Hardware attacks aside, it works pretty well.
- ChromeOS's update mechanism is automatic, transparent, and basically foolproof. Having bricked Ubuntu and Gentoo systems, the same is not true of Linux.
- Verified Boot, automatic FDE, tamper-resistant hardware
Something I'm curious about is, if any less-popular device became popular among the activist community - would the government view it as an indicator of interest? Just like they block Tor, would they block Chromebooks? It'd have to get pretty darn popular first though.
-tom
But you can't use it for political activists e.g. in Syria because of its dependence on the internet connection. This fact is authoritative. For Europe and USA and so on it might be a good solution.
--
Brian Conley Director, Small World News http://smallworldnews.tv m: 646.285.2046 Skype: brianjoelconley
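The verified-boot behaviour described in the message above (each stage checked against a root-of-trust public key, refusal to boot on a mismatch, recovery only from a vendor-signed image), modelled as an added example that is not part of the thread and not Chrome OS code. The stage names, the whole-image recovery step and the toy unpadded RSA key built from two Mersenne primes are assumptions made so it runs on the standard library alone; the key is not secure.

```python
import hashlib

# Constructed toy RSA key, for illustration only: unpadded, built from two
# Mersenne primes, NOT secure and not any vendor's real key.
_P, _Q = 2**521 - 1, 2**607 - 1
ROOT_N = _P * _Q                      # public modulus, stands in for the key in firmware
ROOT_E = 65537                        # public exponent
_VENDOR_D = pow(ROOT_E, -1, (_P - 1) * (_Q - 1))  # private exponent, vendor side only

BOOT_ORDER = ("firmware", "kernel", "rootfs")     # hypothetical stage names


def _digest(stage, image):
    """Hash the stage name with the image so a signature is valid for one stage only."""
    h = hashlib.sha256(stage.encode() + b"\x00" + image).digest()
    return int.from_bytes(h, "big")


def vendor_sign(stage, image):
    """Vendor side: sign one stage image with the private exponent."""
    return pow(_digest(stage, image), _VENDOR_D, ROOT_N)


def verify(stage, image, signature):
    """Device side: needs only the public key (ROOT_N, ROOT_E)."""
    return pow(signature, ROOT_E, ROOT_N) == _digest(stage, image)


def make_signed_set(images):
    """Map stage name -> (image bytes, vendor signature)."""
    return {name: (img, vendor_sign(name, img)) for name, img in images.items()}


def first_bad_stage(disk):
    """Walk the chain in boot order; return the first stage that fails, or None."""
    for stage in BOOT_ORDER:
        image, signature = disk.get(stage, (b"", 0))
        if not verify(stage, image, signature):
            return stage
    return None


def boot(disk, recovery=None):
    """Return (status, disk_after). A failed chain never boots as-is: it is
    either replaced by a recovery set that itself verifies, or refused."""
    bad = first_bad_stage(disk)
    if bad is None:
        return "booted", disk
    if recovery is not None and first_bad_stage(recovery) is None:
        return "recovered-and-booted", dict(recovery)
    return "refused: %s failed verification" % bad, disk


def tampered(disk, stage, new_image):
    """Model a modified stage: the bytes change, the old signature is all that is left."""
    out = dict(disk)
    out[stage] = (new_image, disk[stage][1])
    return out


# Constructed sample images.
GOOD = make_signed_set({
    "firmware": b"rw-firmware build 1",
    "kernel": b"kernel build 1",
    "rootfs": b"rootfs build 1",
})

if __name__ == "__main__":
    modified = tampered(GOOD, "kernel", b"kernel build 1 plus extra code")
    print(boot(GOOD)[0])
    print(boot(modified)[0])
    print(boot(modified, recovery=GOOD)[0])
    print(boot(modified, recovery=tampered(GOOD, "rootfs", b"unsigned rootfs"))[0])
```

The check only covers what is signed and only holds while the verifying code and the public key themselves cannot be rewritten, which is why the message singles out hardware modification as the remaining route.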
[liberationtech] Fwd: Don't endorse #biometric govt.
I'm not up to date on these issues, but it seemed like throwing this out for discussion here might be a great way to get some quality pointers to current resources on the fine points of the issue. Any links to share? Ms. Dean became aware of me through a post here being republished in another context. She's an independent activist in the Seattle area, and has asked me to look into these issues and I'd love to give her an informed opinion - it hasn't been central to my radar...
Thanks! Shava Nerad shav...@gmail.com
-- Forwarded message --
From: BeatTheChip beatthec...@gmail.com
Date: Feb 6, 2013 2:33 PM
Subject: Don't endorse #biometric govt.
To: Shava Nerad shav...@gmail.com
Cc:
Shava, I need the help of people like you at social media projects. The twitter count functionality on my Thunderclap is not currently registering but there is support for the messaging, so you may not see your Tweet count added to the others. I went ahead and sponsored this action so there will be accountability adjustment in the structures at NIST. Please support this with a tweet and circulation to some of your friends who will understand. https://www.thunderclap.it/projects/1206
Best, Sheila Dean
--
BeatTheChip.org 511Campaign.org Twitter: BeatTheChip
**I am a United States citizen. My phone and electronic communications may be monitored by the NSA, the FBI, DHS and private contractors who will be held unaccountable for crimes against privacy according to illegal and unenforceable laws, FISA The Patriot Act. Due to the invasive and unconstitutional nature of these laws, I do not recognize the authority of the surveillants and will prosecute on stalking, habitual harassment if there is no legal grounds for reasonable suspicion of wrongdoing in my private conversations. Get a warrant.*
Re: [liberationtech] Chromebooks for Risky Situations?
Always Nexus Verizon stock. My alternate ROMs don't travel with me. Verizon contacted ahead of time per their suggestions. Tethering in US and Canada fine. UK or elsewhere is no-joy. I gave up after a while and just carry my wipe'a'router and but use local WiFi. My advantage being I'm in tent data centers and hotels. I'll give the activist shuffle a try again next trip.
-Ali
On Feb 6, 2013 3:31 PM, Brian Conley bri...@smallworldnews.tv wrote:
What Android OS are you using, Ali? It's a snap with Google Nexus running 4.0. Perhaps it's an OS version or carrier-rolled OS that is the problem?
Brian
On Wed, Feb 6, 2013 at 12:26 PM, Ali-Reza Anghaie a...@packetknife.com wrote:
I'm glad people have had luck with tethering their Android phones internationally. I've had absolutely zero - I'll have to give it another run with a locally rented provider I suppose. Anyone try in the UAE recently? Provider, hardware? Egypt? Curious.
-Ali
On Feb 6, 2013 3:19 PM, Griffin Boyce griffinbo...@gmail.com wrote:
On Wed, Feb 6, 2013 at 1:28 AM, Nathan of Guardian nat...@guardianproject.info wrote:
On 02/06/2013 01:22 PM, Ali-Reza Anghaie wrote:
How can projects like Privly play into it? Carrying a Tor Router along with you or building one on-site. None of the operational matters will ever be squarely addressed by one platform but it all can be decision-treed out nicely.
You could also use Orbot with wifi-tether on Android phone. It can transparent proxy all the wifi hotspot traffic over Tor.
Using an android phone as a tether seems much more normal and fits the profile of an international traveler. Carrying a router around might not be the best option for staying low-profile.
I like Chrome OS but am addicted to Pidgin with OTR. It's really the only thing keeping me from trying out a Chromebook. (Even Photoshop is available 'in the cloud'). If you need to install a few programs locally but like the overall idea and features, JoliOS looks to be a good option: http://www.jolicloud.com/jolios
Somewhat off-topic: I reject the idea that because something isn't right for Syrians, that it's not useful. There is an incredible spectrum of threat models to consider. And usability is a factor. It's worth considering that state-sponsored Windows spyware is a major problem. But people still use it because the realistic alternative is more difficult to use (even Ubuntu has a sharp learning curve).
Best, Griffin Boyce
--
Brian Conley Director, Small World News http://smallworldnews.tv m: 646.285.2046 Skype: brianjoelconley
Re: [liberationtech] Chromebooks for Risky Situations?
A VZW employee was nice enough to reach out off list - wanted to remain anonymous - says that the international SIMs they send for you to put in overseas Nexus devices won't tether. Ever. No matter what I'm told otherwise. Anyhow.. enough of that.
Cheers, -Ali
On Wed, Feb 6, 2013 at 3:52 PM, Ali-Reza Anghaie a...@packetknife.com wrote:
Always Nexus Verizon stock. My alternate ROMs don't travel with me. Verizon contacted ahead of time per their suggestions. Tethering in US and Canada fine. UK or elsewhere is no-joy. I gave up after a while and just carry my wipe'a'router and but use local WiFi. My advantage being I'm in tent data centers and hotels. I'll give the activist shuffle a try again next trip.
-Ali
On Feb 6, 2013 3:31 PM, Brian Conley bri...@smallworldnews.tv wrote:
What Android OS are you using, Ali? It's a snap with Google Nexus running 4.0. Perhaps it's an OS version or carrier-rolled OS that is the problem?
Brian
On Wed, Feb 6, 2013 at 12:26 PM, Ali-Reza Anghaie a...@packetknife.com wrote:
I'm glad people have had luck with tethering their Android phones internationally. I've had absolutely zero - I'll have to give it another run with a locally rented provider I suppose. Anyone try in the UAE recently? Provider, hardware? Egypt? Curious.
-Ali
On Feb 6, 2013 3:19 PM, Griffin Boyce griffinbo...@gmail.com wrote:
On Wed, Feb 6, 2013 at 1:28 AM, Nathan of Guardian nat...@guardianproject.info wrote:
On 02/06/2013 01:22 PM, Ali-Reza Anghaie wrote:
How can projects like Privly play into it? Carrying a Tor Router along with you or building one on-site. None of the operational matters will ever be squarely addressed by one platform but it all can be decision-treed out nicely.
You could also use Orbot with wifi-tether on Android phone. It can transparent proxy all the wifi hotspot traffic over Tor.
Using an android phone as a tether seems much more normal and fits the profile of an international traveler. Carrying a router around might not be the best option for staying low-profile.
I like Chrome OS but am addicted to Pidgin with OTR. It's really the only thing keeping me from trying out a Chromebook. (Even Photoshop is available 'in the cloud'). If you need to install a few programs locally but like the overall idea and features, JoliOS looks to be a good option: http://www.jolicloud.com/jolios
Somewhat off-topic: I reject the idea that because something isn't right for Syrians, that it's not useful. There is an incredible spectrum of threat models to consider. And usability is a factor. It's worth considering that state-sponsored Windows spyware is a major problem. But people still use it because the realistic alternative is more difficult to use (even Ubuntu has a sharp learning curve).
Best, Griffin Boyce
--
Brian Conley Director, Small World News http://smallworldnews.tv m: 646.285.2046 Skype: brianjoelconley
[liberationtech] EU NIS cybersecurity directive
Hi,
Tomorrow, Thursday, a proposal for an EU Cyber Directive is supposed to get released. To be known as a proposed NIS (network and information security) Directive. An earlier draft was circulated by illoyal EC staff:
https://netzpolitik.org/wp-upload/Cybersecurity-Directive-proposal.pdf
https://netzpolitik.org/wp-upload/Cybersecurity-Impact-Assessment.pdf
Whatever red herrings the public was alluded to in the recent past (INDECT and CLEAN-IT come to my mind): the proposed NIS-Directive is the actual fish.
EDRI comment (16 Jan): http://www.edri.org/edrigram/number11.1/cybersecurity-draft-directive-eu
Anyway, sarcasm is on: https://twitter.com/agonarch/status/299291711434289152
Best, André
Re: [liberationtech] Chromebooks for Risky Situations?
On Wed, Feb 06, 2013 at 10:52:23AM -0500, micah anderson wrote:
- ChromeOS's update mechanism is automatic, transparent, and basically foolproof. Having bricked Ubuntu and Gentoo systems, the same is not true of Linux.
I would be surprised if you actually 'bricked' these systems, since neither operating system you mention involves a procedure that has the risk of bricking a device. I suspect this is hyperbole?
I've had dist-upgrade (or the GUI equivalent) make an Ubuntu system unbootable and unrecoverable without recourse to a rescue-image and deep magic grub hacking, etc. That counts as bricked when the easiest course of action is to simply reinstall the OS from scratch. It's not bricked in the sense that an Android install gone awry can require specialized hardware (JTAG dongle etc) and crypto keys to fix, but it's equivalent from a user's point of view.
-andy
Re: [liberationtech] Chromebooks for Risky Situations?
T N trr...@gmail.com writes:
The word Linux doesn't refer to anything, other than maybe the kernel. Chrome OS is linux. But it's a massively stripped down distribution that has a radical design, including the fact that it will ONLY run if all of the cryptographic checks are verified from the root of trust. That root of trust is Google's massively large PKI public key that is burned into the firmware.
For a journalist in the field, that's a great reassurance. Take your Chromebook to China. The Chinese government can not alter what you are running without either (a) modifying your hardware, which means they take possession of it for a period of time and manage to do something that is tricky to do (i.e. circumstances under which you'd no longer trust your computer anyways) or (b) you will know they tried to hack it and your Chromebook will refuse to boot, and will instead wipe away the hacks and update itself and won't boot unless the update is a legitimate one signed by Google.
Yes, you can't compare Chrome OS's attack surface to a typical linux distribution, or even a highly customized linux install which doesn't have the hardware root of trust.
...but you can compare it to a Windows tablet, which doesn't let you modify the boot sector either, but I wouldn't want to be caught recommending Windows any more than I would want to recommend Google.
Re: [liberationtech] Chromebooks for Risky Situations?
Andy Isaacson a...@hexapodia.org writes:
On Wed, Feb 06, 2013 at 10:52:23AM -0500, micah anderson wrote:
- ChromeOS's update mechanism is automatic, transparent, and basically foolproof. Having bricked Ubuntu and Gentoo systems, the same is not true of Linux.
I would be surprised if you actually 'bricked' these systems, since neither operating system you mention involves a procedure that has the risk of bricking a device. I suspect this is hyperbole?
I've had dist-upgrade (or the GUI equivalent) make an Ubuntu system unbootable and unrecoverable without recourse to a rescue-image and deep magic grub hacking, etc. That counts as bricked when the easiest course of action is to simply reinstall the OS from scratch. It's not bricked in the sense that an Android install gone awry can require specialized hardware (JTAG dongle etc) and crypto keys to fix, but it's equivalent from a user's point of view.
I understand where you are going with this, but when it comes to terminology, I think it serves to confuse the issue to misuse the term 'brick'. You cannot, as you say, simply reinstall the OS from scratch on a device that has been bricked. I can't wait for the day when Google accidentally pushes an update out that actually bricks their devices, because when that happens, there is no way to simply reinstall the OS from scratch.
Re: [liberationtech] Unsubscribe please
May you kindly unsubscribe me from this listserv. Thanks.
Dr Hayes Mabweazara Lecturer in Journalism School of Media and Performance Falmouth University Tremough Campus, Penryn England, TR11 9EZ T 0044-1326-211077 F 0044-1326-370400 M 0044-7552 732 847 E hayes.mabweaz...@falmouth.ac.uk
To counter email overload, I (try to) subscribe to this policy: http://five.sentenc.es/
Re: [liberationtech] Chromebooks for Risky Situations?
Micah, Perhaps you can tell us the secret to convince all family members and colleagues to become Linux hackers able to be completely self-sufficient managing their own upgrades and modifications indefinitely? Otherwise what is your point? It seems like you are being needlessly confrontational or outright ignoring the quite reasonable counter arguments to various linux OSes, Ubuntu/gentoo/ etc etc being made here. On Feb 6, 2013 7:09 PM, micah anderson mi...@riseup.net wrote: Andy Isaacson a...@hexapodia.org writes: On Wed, Feb 06, 2013 at 10:52:23AM -0500, micah anderson wrote: - ChromeOS's update mechanism is automatic, transparent, and basically foolproof. Having bricked Ubuntu and Gentoo systems, the same is not true of Linux. I would be surprised if you actually 'bricked' these systems, since neither operating system you mention involves a procedure that has the risk of bricking a device. I suspect this is hyperbole? I've had dist-upgrade (or the GUI equivalent) make an Ubuntu system unbootable and unrecoverable without recourse to a rescue-image and deep magic grub hacking, etc. That counts as bricked when the easiest course of action is to simply reinstall the OS from scratch. It's not bricked in the sense that an Android install gone awry can require specialized hardware (JTAG dongle etc) and crypto keys to fix, but it's equivalent from a user's point of view. I understand where you are going with this, but when it comes to terminology, I think it serves to confuse the issue to misuse the term 'brick'. You cannot, as you say, simply reinstall the OS from scratch on a device that has been bricked. I can't wait for the day when Google accidentally pushes an update out that actually bricks their devices, because when that happens, there is no way to simply reinstall the OS from scratch.
[liberationtech] Cryptography super-group creates unbreakable encryption
Actual headline. http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market NK
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree fundamentally with anything he said there? Brian On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc wrote: Chris Soghoian gives Silent Circle's unbreakable encryption an entire article's worth of lip service here, it must be really unbreakable: http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone NK On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley bri...@smallworldnews.tv wrote: I heard they have a super secret crypto clubhouse in the belly of an extinct volcano. Other rumors suggest they built their lab in the liberated tunnels beneath bin Laden's secret lair in Pakistan... Sent from my iPad On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc wrote: Actual headline. http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market NK
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
What I'm trying to point out is that Silent Circle can call itself a super-group creating unbreakable encryption, market closed-source software towards activists, and some experts will still speak out for them favourably. NK On Wed, Feb 6, 2013 at 11:21 PM, Brian Conley bri...@smallworldnews.tv wrote: C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree fundamentally with anything he said there? Brian On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc wrote: Chris Soghoian gives Silent Circle's unbreakable encryption an entire article's worth of lip service here, it must be really unbreakable: http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone NK On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley bri...@smallworldnews.tv wrote: I heard they have a super secret crypto clubhouse in the belly of an extinct volcano. Other rumors suggest they built their lab in the liberated tunnels beneath bin Laden's secret lair in Pakistan... Sent from my iPad On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc wrote: Actual headline. http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market NK
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
The enemy knows the system, but some enemies are more equal than others. On 02/06/2013 10:21 PM, Brian Conley wrote: C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree fundamentally with anything he said there? Brian On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc wrote: Chris Soghoian gives Silent Circle's unbreakable encryption an entire article's worth of lip service here, it must be really unbreakable: http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone NK On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley bri...@smallworldnews.tv wrote: I heard they have a super secret crypto clubhouse in the belly of an extinct volcano. Other rumors suggest they built their lab in the liberated tunnels beneath bin Laden's secret lair in Pakistan... Sent from my iPad On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc wrote: Actual headline. http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market NK
Re: [liberationtech] Chromebooks for Risky Situations?
On 02/06/2013 08:36 PM, Brian Conley wrote: Andreas, Plenty of Syrians do have internet access, and use it on a regular basis. Also, lack of appropriateness for one use-case doesn't necessitate lack of appropriateness across the board. Linux is a great solution for many use cases, but as has been elaborated, quite a terrible one for many others. Brian There was already the case that the Syrians were isolated from the internet. If you base your communication and information on the internet then activism will break down in this scenario. Andreas