Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On Fri, Feb 15, 2013 at 01:35:53PM -0800, Adam Fisk wrote:
> At the risk of getting swept up in this by consciously saying something unpopular, I want to put my shoulder against the wheel of the "open source process produces more secure software" machine.
> [snip]

I've been thinking about your (excellent) comments for several weeks now. And I'm going to argue that open source doesn't necessarily produce more secure software, but it's a prerequisite for any credible attempt. And that in this particular case, there's just no substitute for it.

But before I get started, let me point out that I'm very much *not* arguing that the contrapositive is true, that open source == chewy goodness automatically. We've all seen open source code that was junk. Lots of it. We've all probably written some, too; I know I have.

So here goes:

Consider this hypothetical: you have the imaginary disease "Bieberitis", which progressively imposes the characteristics of Justin Bieber on you, then kills you. So not only do you die, you die badly. Clearly: it's an awful fate.

There are only two drugs available to treat this disease.

Drug A has a history that looks something like this: the basic biochemistry has been known for 18 years. It's been studied at multiple universities and research institutions. There are numerous published papers on it. Early animal trials were conducted 15 years ago, and those results were published as well, leading to another round of animal trials with a slightly different formulation and more publication. Following review by independent agencies 12 years ago, limited human trials were held, with still more publication. A lengthy review and debate ensued, the drug was discussed and debated at numerous conferences and meetings, other (new) researchers weighed in with their papers, and a second round of human trials took place 9 years ago. Following that, review by multiple government agencies commenced. Additional work continued in parallel on refinement of dosage and delivery. Eventually, following another blizzard of paperwork and publication, the drug was approved -- and is now available to you. Studies are still ongoing, of course, and it's expected that half a dozen more papers will be published in refereed journals this year.

So: drug A has a long history. Lots of clueful eyeballs have investigated it personally, and many more clueful eyeballs have read the published body of work, thought about it, argued about it, reviewed it, critiqued it, supported it, rebutted it, and otherwise been involved in the process. Moreover: nearly all those clueful eyeballs are INDEPENDENT clueful eyeballs, who have, in many cases, substantial motivation to disprove claims made -- since one of the best ways to make one's academic reputation is to perform ingenious, ground-breaking work which demonstrates that something everyone agrees on is completely wrong.

Now, about drug B: drug B has no publications associated with it. It's never been independently reviewed. It has none of the lengthy history of A. What's it got? It's got a shiny color brochure written by the marketing department that tells you how great it is, because it was developed by some of the top people ever. Really. Top people. As in:

    Major Eaton: We have top men working on it now.
    Indiana Jones: Who?
    Major Eaton: Top...men.

That's it. That's all you get. Promises. Assurances. Hand-waving. Top...men.

Now: which drug are you going to take? Of course the obvious answer is A, since B is more commonly known as "snake oil". It's garbage. No thinking, responsible person would ever choose B, because -- absent the history and the research and the publication and everything else -- it might be the instant cure for Bieberitis, or it might be sugar pills, or it might be poison. There's no way to know.

All serious fields of intellectual endeavor use the same model as I outlined in the development of drug A, which I'll lump under the rubric "peer review". Architecture and law, physics and economics, medicine and civil engineering, everybody uses this. And they use it because, despite its flaws, it works really, really well. It's an essential component of the scientific method. It's how we make forward progress, however slowly.

Fields of study that don't use this are crap. Astrology, creationism, alchemy, homeopathy, phrenology, and yes, closed-source software: all crap. There is no way we should accept what any closed-source vendor claims about their code. There is no reason to, no matter who they are, no matter how much we trust them, no matter how pure their motives are. Heck, we often can't even trust OUR OWN CODE to do what we think we want it to do, even when we're staring right at it -- so why in the world should we make the fantastic leap of faith to trust someone else's when we can't even see it?

Closed-source software is the equivalent of drug B. We're expected to take the authors' word that it
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Rich,

That was the best email I have ever read on this mailing list. Congratulations and thank you. Please post this as a blog post somewhere.

NK

On Tue, Mar 5, 2013 at 6:23 PM, Rich Kulawiec r...@gsp.org wrote:
> [snip]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Another aspect of this discussion I'm a bit surprised that no one has yet raised is the simple truth that no amount of testing and source code review can (or should) anoint a tool as "secure". Even with formally provably secure software, OS, hardware, etc. it is still a very hard problem to make sure the code you fuzzed, reviewed, tested, statically analyzed, etc. ends up being the code you run. We faced this in a few projects hacking US voting machines where we had to struggle with the question of "how much does one get from open source"... the answer was "not necessarily necessary or sufficient" (but that was not in a human rights context).

best, Joe

--
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
https://www.cdt.org/

On Feb 19, 2013, at 18:36, Q. Parker ghostdan...@gmail.com wrote:
> On Tue, Feb 19, 2013 at 11:21:11PM +0100, Julian Oliver wrote:
>> ..on Mon, Feb 18, 2013 at 08:00:24PM -0800, Adam Fisk wrote:
>>> I think the principle of that is great, but in practice we just can't all review all the code all the time. In practice we often end up trusting open source code that is far worse reviewed than much of the closed source code we trust. I'm not trying to attack open source -- I've been writing open source code full time for the past 13 years -- it's what I do. But I don't think we should be delusional about it.
>>
>> I find this an unproductive black-and-white argument. Proprietary software does not grant and encourage its own users even the /possibility/ to fully audit the service whereas open source software does. It's a no brainer, quite frankly. We need to simply stop considering proprietary solutions at all (as it's clearly ridiculous to have any case of trust built atop it) and make our starting point the wide variety of open source software, some of which is poorly engineered and some which is not. The "what sucks the least" scale must begin with open source, not proprietary offerings from for-profit companies with a centralised service. Again, it's a no-brainer.
>
> This is a pretty gross oversimplification that ignores a lot of realities about the nature of trust and how complicated things like large software systems are assembled.
>
> First, it seems that "trust" in the context of this thread means "do the readers of this list trust this software", which has come to mean, from my reading, "do the members of this list have unfettered access to the source code". That's a rather narrow view of trust. There are all sorts of reasons a human rights activist might choose to trust a vendor. After all, for a non-technical user, what's to recommend the opinion of a volunteer over the opinion of a number of professionals working at a relatively small firm? The first is wholly dependent on the expertise and access of the volunteer. The second is wholly dependent on the expertise and access of the professional. The latter, however, comes with the sense of trust that people tend to have for somebody whose livelihood depends upon maintaining a track record of fulfilling obligations to customers with competence and good faith. It's not so simple as "volunteer is better than vendor".
>
> Second, I think it's hard to defend the claim that end users always know more about the inner workings of large open source projects than they do closed ones at private firms. Does everybody who uses Debian observe key-signing parties among Debian developers? No, they don't. Do I use open firmware? Do I know with absolute certainty what every piece of hardware in my laptop is doing? No, not really. We make decisions about which systems we should trust and in what way based on a complicated series of risk assessments, each based on a lot of factors. I think the assertion that open source projects are always of higher quality by virtue of being open and that the issue is just that simple is hard to defend. For most users, the code being open doesn't make it any more possible for them to review it. They'd still have to trust another reviewer, right? It's not so simple as open versus closed source.
>
> Third, I think responses on the list tend to be excessively hostile toward for-profit firms that hope to make a living by selling/making software. A good many such firms have contributed substantially to the Linux kernel and the Debian distribution. There are a lot of competing interests at play, as made obvious by the parallel thread about Ubuntu's Dash product search. But I'm sure there are a lot of list members who've thoroughly enjoyed the conveniences afforded them by the Ubuntu distro, for example, only to break into hysterics over the in-built product search (which should be opt-in but is disabled pretty easily) without offering up any alternative suggestions for paying Canonical developers. Does it make sense to expect all security work to happen with grant money? Do we
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On Fri, Feb 15, 2013 at 2:01 PM, Nadim Kobeissi na...@nadim.cc wrote:
> On Fri, Feb 15, 2013 at 4:35 PM, Adam Fisk af...@bravenewsoftware.org wrote:
>> I'm certainly more confident in the overall security of silent circle in its first release than I was in the overall security of cryptocat.
>
> Of course this is true. The first release of Cryptocat was made in early 2011 by me back when I was in my second year of university and only barely beginning to understand proper programming and security practice. It was an experimental product full of holes and by no means secure. The first release of Silent Circle was by a team of superheroes with 25 years of experience in being totally badass. Big difference!

That's really my point exactly -- there are many things that determine the security of a piece of software.

> But when your model is closed-source, you're not participating in reviewable, verifiable security practice and you're negatively affecting the practical cryptography industry as a whole. Look at Cryptocat — it progressed from a toy into a real product that I'm proud of, and that fully passed a security audit with a 100/100 score just last week (https://blog.crypto.cat/2013/02/cryptocat-passes-security-audit-with-flying-colors/) after two years of hard work, restructuring and redesigning the whole thing, and getting alternatively beaten up and helped by experts in the field. This would have *never* happened had we not been open source from the beginning.

Sure. Again, I believe that open source is a beneficial license for security, but we have to keep in mind that it's a means to an end -- secure code -- and that it's not the only means. I think you were beaten up unfairly under the circumstances for cryptocat 1, and I similarly think we're beating up Silent Circle unfairly.

> Being open source is a painful but necessary process. It invites criticism, bone-breaking and having to admit bad design, apologize for your mistakes and work hard on fixing them. But only through that process you create something great that benefits the security community by offering opportunities to learn. Sure, Silent Circle started off as a good product, but by being closed-source they disregard the proper practice of what makes this industry progress in terms of engineering, and they cast a shadow of uncertainty and closed progress upon themselves, too.

There are just so many aspects that go into software licensing that I just don't draw that same line. If the goal is secure code, I again think the key is having an adequate number of capable people analyzing and dissecting that code on a constant basis. That can mean closed source code audits, and it can mean having a full time security team analyzing and improving the code at all times (Google, Facebook, many others) regardless of the software license. Open source is awesome, and I believe in it wholeheartedly, but I don't think if an organization doesn't open source their code they're automatically crazy and kicked out of the club.

-a

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Adam,

There is a difference between telling someone "you should *trust* this software" and telling them "this software is probably going to work for you because of X Y Z." I feel like you are conflating two different issues.

I firmly believe you should *never* just *trust* encryption software that is not open to independent auditing at *any time.* However, we don't live in an open source utopia yet, so yes, we make judgement calls based on what information *is* available to the public.

But I think you're making a bit of a tempest in a teapot here. (Yes I realize I am possibly the last person who should be making such comments, though I'm trying to be better about it.)

Whether or not code *IS* secure is not the issue. It is whether or not you should *TRUST* code that cannot be *VERIFIED SECURE* and verified *INDEPENDENTLY AT ANY TIME*.

You might believe Apple or Google are secure, in fact I would be willing to believe Facebook is doing its damnedest to keep their servers and users' data secure, **within their closed paradigms** which may or may not line up with my needs as an individual user at any given time. And I can't engage in informed consent in that process, except where I consent that I do not get to know Corporation X's paradigm.

regards

Brian

PS even crypto-gods are fallible. and that's not a bad thing, it's just human nature.

On Tue, Feb 19, 2013 at 10:00 AM, Adam Fisk a...@littleshoot.org wrote:
> [snip]

--
Brian Conley
Director, Small World News
http://smallworldnews.tv
m: 646.285.2046
Skype: brianjoelconley
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On Tue, Feb 19, 2013 at 5:05 PM, Brian Conley bri...@smallworldnews.tv wrote:
> PS even crypto-gods are fallible. and that's not a bad thing, it's just human nature.

Yep. The day after Silent Phone code was published, someone found a privacy issue:
https://github.com/SilentCircle/silent-phone-base/issues/3

It's definitely true that the people behind Silent Circle are badasses. But no one is excused from proper cryptography practice just because of who they are. Mistakes exist in all software and it's totally okay and normal for your software to have mistakes — just follow the proper procedure from the first step.

> On Tue, Feb 19, 2013 at 10:00 AM, Adam Fisk a...@littleshoot.org wrote:
> [snip]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
..on Mon, Feb 18, 2013 at 08:00:24PM -0800, Adam Fisk wrote:
> I think the principle of that is great, but in practice we just can't all review all the code all the time. In practice we often end up trusting open source code that is far worse reviewed than much of the closed source code we trust. I'm not trying to attack open source -- I've been writing open source code full time for the past 13 years -- it's what I do. But I don't think we should be delusional about it.

I find this an unproductive black-and-white argument. Proprietary software does not grant and encourage its own users even the /possibility/ to fully audit the service whereas open source software does. It's a no brainer, quite frankly. We need to simply stop considering proprietary solutions at all (as it's clearly ridiculous to have any case of trust built atop it) and make our starting point the wide variety of open source software, some of which is poorly engineered and some which is not. The "what sucks the least" scale must begin with open source, not proprietary offerings from for-profit companies with a centralised service. Again, it's a no-brainer.

Cheers,

--
Julian Oliver
http://julianoliver.com
http://criticalengineering.org
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
> I don't think anyone would claim that every piece of free software is automatically more secure than every piece of proprietary software, because as you say there are many other factors involved.

Nor would I!

> But in your definition of security, you seem to be discounting the user's ability to verify things for herself, or to commission a 3rd party to verify things for her. You seem to be treating security merely as a trust issue, or an available/obvious/likely exploits issue.

I really think it's just a matter of building something that works, that actually is secure, and I think there are many factors that go into that. Open source can be a great advantage, but not if none of those users actually do go and verify things for themselves. The reality is that none of us have the time to verify the security of all the tools we use, and that's even if everyone had the expertise. We all trust the vast majority of the tools we use as a result. That's not by any means to say that security should be based on that trust - it should be based on peer review, continuous research, and careful coding. All of that takes a great deal of time and often money, however, and poorly funded open source projects usually fall way short because they've got one part of the structure right but not the others. Proprietary software clearly falls way short all the time too. All that said, there's just an astounding degree of cooperation in this community of people devoting countless hours to improving the security of so many tools, and that's certainly to be applauded, but those people are largely fighting an uphill battle because they're underfunded.

> That's a limit on the definition that doesn't work for me. Software that I can't look at or ask someone to look at is by definition insecure in one important way.

I think the principle of that is great, but in practice we just can't all review all the code all the time. In practice we often end up trusting open source code that is far worse reviewed than much of the closed source code we trust. I'm not trying to attack open source -- I've been writing open source code full time for the past 13 years -- it's what I do. But I don't think we should be delusional about it.

> Your points also don't disprove the claim that, if you are designing a new project that you want to be secure, a free software approach should be chosen. You should do lots of other things right too, of course, that have nothing to do with licensing.

Totally agreed! It can just be overemphasized amongst the list of factors -- it's a super important one to be sure, but not the only one.

-Adam

> -john
>
> --
> John Sullivan | Executive Director, Free Software Foundation
> GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS
> Do you use free software? Donate to join the FSF and support freedom at http://www.fsf.org/register_form?referrer=8096.

--
Adam
pgp A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Adam Fisk wrote:
> but there are many other factors at play, including the resources and expertise an organization is able to devote to the problem. Apple, for example, has an overall great security track record, with most of that code closed source.

Umm... last time I looked, most of the guts, and the attack surface, of MacOS are NOT closed source, they're derived from BSD unix and the code is mostly open source. The proprietary stuff is a relatively thin layer on top of that.

Having said that, if you want to look at folks with LOTS of money and expertise to apply - and a pretty good track - look at NSA. Then again, it's pretty hard to tell about the security provided by closed source systems - are they really secure, or is it a matter of security by obscurity (think of those NSA chips that are designed to self-destruct if you try to dissect them), and the various crypto systems that have been compromised because human beings stole crypto boxes from embassies.

One of the real problems with closed-source systems is that you create a target of opportunity - compromise the organization behind the technology and you can either identify vulnerabilities, or insert them surreptitiously.

Miles Fidelman

--
In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
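Joe Hall's point earlier in the thread (the code you fuzzed and reviewed has to be the code you actually run) and Miles's point just above (compromise the organisation and you can insert a flaw after the fact) are the same verification problem seen from two sides. The block below is an added example, not code from the thread or from Silent Circle, Cryptocat or any other project discussed in it. It assumes a reviewer records a SHA-256 manifest of every file in the tree at sign-off (the `reviewed` dict built inside `demo()` is a constructed stand-in for that manifest) and that the deployer re-hashes the tree immediately before running it and refuses on any modified, missing or added file.

```python
"""Check that the tree you are about to run is the tree that was reviewed.

Added example. The manifest format (relative POSIX path -> sha256 hex) and the
demo tree are assumptions made for this illustration, not anyone's real
release process.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root.

    Paths are normalised to POSIX form so a manifest produced on one platform
    compares cleanly on another; directories and symlink targets outside the
    tree are deliberately not followed into.
    """
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_to_manifest(manifest, actual):
    """Return (modified, missing, added) as sorted lists of relative paths.

    All three empty means the bytes on disk are exactly the reviewed bytes.
    Anything in 'added' is code nobody reviewed; anything in 'modified' is the
    case Miles describes, a change slipped in after sign-off.
    """
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in actual)
    added = sorted(p for p in actual if p not in manifest)
    return modified, missing, added


def safe_to_run(manifest, root):
    """True only when the tree under root is byte-for-byte the reviewed set."""
    return compare_to_manifest(manifest, hash_tree(root)) == ([], [], [])


def demo():
    """Constructed scenario: review a tree, then tamper with it post-review.

    Returns the (modified, missing, added) triple the deployer would see.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "crypto").mkdir()
        # constructed sample tree, standing in for the audited source
        (root / "crypto" / "kdf.py").write_text("ITERATIONS = 100000\n")
        (root / "app.py").write_text("from crypto.kdf import ITERATIONS\n")

        reviewed = hash_tree(root)          # what the auditor signed off on
        assert safe_to_run(reviewed, root)  # untouched tree passes

        # post-review tampering: silently weaken a parameter ...
        (root / "crypto" / "kdf.py").write_text("ITERATIONS = 1\n")
        # ... and drop in a file that was never part of the review
        (root / "telemetry.py").write_text("# phones home\n")

        return compare_to_manifest(reviewed, hash_tree(root))


if __name__ == "__main__":
    print(demo())  # (['crypto/kdf.py'], [], ['telemetry.py'])
```

Two caveats a practitioner would add. First, the manifest must reach the deployer over a channel that the party able to alter the tree cannot also alter, for example signed by the reviewer and pinned out of band; a manifest that travels next to the code is rewritten by the same compromise that rewrites `kdf.py`. Second, this only binds bytes on disk to reviewed bytes; it says nothing about the interpreter, compiler, operating system or hardware that will execute them, which is the "hardware, etc." part of Joe's problem and is out of scope for a check like this.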
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
When I say million, I always mean billion...

On Fri, Feb 15, 2013 at 1:35 PM, Adam Fisk a...@bravenewsoftware.org wrote:
> At the risk of getting swept up in this by consciously saying something unpopular, I want to put my shoulder against the wheel of the "open source process produces more secure software" machine.
>
> The reasons for software licensing are complex, as we all know, but I'm certainly more confident in the overall security of silent circle in its first release than I was in the overall security of cryptocat 1. Why? Because there are much more experienced people involved (not meant as a jab Nadim - PZ had about a 25 year head start if not more) and also because they have judiciously sought the review of experts prior to release.
>
> If you have to choose between open and closed in terms of the potential for building a secure architecture, of course open is overall better, but there are many other factors at play, including the resources and expertise an organization is able to devote to the problem. Apple, for example, has an overall great security track record, with most of that code closed source. Having $100 million in the bank helps. A lot. It helps a lot more than the license. In fact the overall number of eyes on the code is likely the more relevant factor - the precise area where open source ostensibly scores such a resounding victory, but only if in fact more experienced eyes review the code than they do comparable closed source systems.
>
> It just seems healthier to recognize this is a complex issue, and I don't think reducing it to open versus closed source does that complexity justice.
>
> -Adam
>
> On Wednesday, February 6, 2013, Nadim Kobeissi wrote:
> > What I'm trying to point out is that Silent Circle can call itself a "super-group creating unbreakable encryption", market closed-source software towards activists, and some experts will still speak out for them favourably.
> >
> > NK
> >
> > On Wed, Feb 6, 2013 at 11:21 PM, Brian Conley bri...@smallworldnews.tv wrote:
> > > C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree fundamentally with anything he said there?
> > >
> > > Brian
> > >
> > > On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc wrote:
> > > > Chris Soghoian gives Silent Circle's "unbreakable encryption" an entire article's worth of lip service here, it must be really unbreakable: http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
> > > >
> > > > NK
> > > >
> > > > On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley bri...@smallworldnews.tv wrote:
> > > > > I heard they have a super secret crypto clubhouse in the belly of an extinct volcano. Other rumors suggest they built their lab in the liberated tunnels beneath bin ladens secret lair in Pakistan...
> > > > >
> > > > > On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc wrote:
> > > > > > Actual headline. http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
> > > > > >
> > > > > > NK

--
Adam
pgp A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On 2/14/13 8:36 AM, Jacob Appelbaum wrote:
> The live code review with ascii art was really something to behold. It was some kind of new art form that isn't very good but at the same time is nearly impossible to not watch...

Something interesting happened yesterday; here is a summary in case someone would like to get on it again:

* After a few hours the pad was vandalized, insulting Nadim: https://pad.riseup.net/p/silentcircle
* A backup of the pad content has been put read-only online (with some comments and further analysis to be done):
  * http://pastebit.com/pastie/12001
  * http://pastebin.com/dKRPrGMN
* SilentCircle source code has been temporarily removed from Github: https://github.com/SilentCircle/silent-phone-base
* Nadim opened a ticket to ask for the code back: https://github.com/SilentCircle/silent-phone-base/issues/1
* A new (different) version of the code has been uploaded online: https://github.com/SilentCircle/silent-phone-base
* Someone in the meantime put the original code back online (as a zip archive): http://jednorog.sneakyness.com/1U060B2S3I1P
* A diff between the original SC opensource release and the modified SC opensource release reveals some code differences
* Output of "git diff original/silent-phone-base new/silent-phone-base/ > sc.patch" is available at http://temp-share.com/show/f3Yg95cXn

-naif
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On 14 February, 2013 - Fabio Pietrosanti (naif) wrote:
> Something interesting happened yesterday; here is a summary in case someone would like to get on it again:
> [...]
> * Output of "git diff original/silent-phone-base new/silent-phone-base/ > sc.patch" is available at http://temp-share.com/show/f3Yg95cXn
>
> -naif

A quick scan through the patch seems to indicate it is _mostly_ formatting changes. A version bump 14322 to 14326 on the CFBundleVersion. And various license headers (BSD-style afaict - not a license expert).

Oh, and they removed a snprintf, and const-declared an argument. Also a new android make file and a tina_exp.h header.

All in all, nothing _too_ exciting I don't think... Non-formatting/licensing changes extracted below:
diff --git a/original/silent-phone-base/silentphone/apple/ios/Classes/CallManeger.mm b/new/silent-phone-base/silentphone/apple/ios/Classes/CallManeger.mm index ac8cf87..d185e90 100644 --- a/original/silent-phone-base/silentphone/apple/ios/Classes/CallManeger.mm +++ b/new/silent-phone-base/silentphone/apple/ios/Classes/CallManeger.mm @@ -70,7 +70,7 @@ NSString *toNSFromTB(CTStrBase *b); } -(void)redraw{ - + if(!calls-getCallCnt()){ [[self navigationController] popViewControllerAnimated:YES]; return; @@ -99,14 +99,14 @@ NSString *toNSFromTB(CTStrBase *b); - (id)initWithStyle:(UITableViewStyle)style { ... - (void) viewWillAppear:(BOOL)animated @@ -129,7 +129,7 @@ NSString *toNSFromTB(CTStrBase *b); - (void)viewDidDisappear:(BOOL)animated{ ... @@ -143,22 +143,22 @@ NSString *toNSFromTB(CTStrBase *b); ... } - (void)viewDidUnload { ... @@ -166,18 +166,18 @@ NSString *toNSFromTB(CTStrBase *b); - (BOOL)shouldAutorotateToInterfaceOrientation:(UIInterfaceOrientation)interfaceOrientation ... - (NSInteger)numberOfSectionsInTableView:(UITableView *)tableView ... - (NSInteger)tableView:(UITableView *)tableView numberOfRowsInSection:(NSInteger)section ... @@ -188,13 +188,13 @@ NSString *toNSFromTB(CTStrBase *b); ... -(void)tableView:(UITableView *)tableView willDisplayCell:(UITableViewCell *)cell forRowAtIndexPath:(NSIndexPath *)indexPath{ ... @@ -207,7 +207,7 @@ NSString *toNSFromTB(CTStrBase *b); ... - (UITableViewCell *)tableView:(UITableView *)tableView cellForRowAtIndexPath:(NSIndexPath *)indexPath ... @@ -486,14 +492,14 @@ NSString *toNSFromTB(CTStrBase *b); - (void)tableView:(UITableView *)tableView didSelectRowAtIndexPath:(NSIndexPath *)indexPath ... diff --git a/original/silent-phone-base/silentphone/apple/ios/VoipPhone/VoipPhone-Info.plist b/new/silent-phone-base/silentphone/apple/ios/VoipPhone/VoipPhone-Info.plist index 319dbde..0431a76 100755 --- a/original/silent-phone-base/silentphone/apple/ios/VoipPhone/VoipPhone-Info.plist 
+++ b/new/silent-phone-base/silentphone/apple/ios/VoipPhone/VoipPhone-Info.plist keyCFBundleVersion/key - string14322/string + string14326/string diff --git a/new/silent-phone-base/silentphone/codecs/vTiVi/android/jni/Android.mk b/new/silent-phone-base/silentphone/codecs/vTiVi/android/jni/Android.mk new file mode 100644 ... diff --git a/new/silent-phone-base/silentphone/codecs/vTiVi/android/jni/tina_exp.h b/new/silent-phone-base/silentphone/codecs/vTiVi/android/jni/tina_exp.h new file mode 100644 ... diff --git a/original/silent-phone-base/silentphone/encrypt/zrtp/libwerner_zrtp.a b/original/silent-phone-base/silentphone/encrypt/zrtp/libwerner_zrtp.a deleted file mode 100644 ... diff --git a/original/silent-phone-base/silentphone/utils/CTCoutryCode.cpp b/new/silent-phone-base/silentphone/utils/CTCoutryCode.cpp index dd67a09..a36db86 100755 --- a/original/silent-phone-base/silentphone/utils/CTCoutryCode.cpp +++
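Review bot: the "deleted file mode 100644" entry for original/silent-phone-base/silentphone/encrypt/zrtp/libwerner_zrtp.a is the one change in this patch with review consequences, and it deserves a line in the release notes: a prebuilt static library shipped inside a source release cannot be checked against any ZRTP source, so the new drop should say whether the ZRTP code now builds from source and from which revision, otherwise reviewers still cannot tie the published code to the binary the app actually links. The CFBundleVersion change from "14322" to "14326" in VoipPhone-Info.plist likewise arrives with no changelog, so readers are left to diff the two trees to learn what a four-build gap contains.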
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
The collaborative platform which we've been using to inspect Silent Circle's code (and where we were making good progress) has been continuously vandalized for the past seven hours straight. Yes, that's someone who's been on that pad for literally seven hours trying to prevent collaboration. They've specifically been flooding the pad with insults directed at me, and nothing else.

This happened shortly after Silent Circle code was taken offline for around 20 minutes.

This really makes me wonder who would have the tenacity to attempt to stop collaborative auditing of Silent Circle for seven straight hours, and would coincidentally happen to have some apparently very real hatred towards me.

NK

On Thu, Feb 14, 2013 at 8:54 AM, Joseph Lorenzo Hall j...@cdt.org wrote:
> On Feb 14, 2013, at 7:35, Petter Ericson pett...@acc.umu.se wrote:
> > And various license headers (BSD-style afaict - not a license expert)
>
> I'm no licensing expert but do think about them a lot... it looks like a non-commercial-uses version of a BSD-style license. That's much better than what I've seen before with code released for "review and testing only"-like licenses.
>
> best, Joe
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Hi guys,

Let's set up another pad for collaboration, which hopefully will not get vandalized. Please try not to share this pad on Twitter or outside LibTech.

https://pad.riseup.net/p/silentcircle9504

NK

On Thu, Feb 14, 2013 at 9:43 AM, Nadim Kobeissi na...@nadim.cc wrote:
> The collaborative platform which we've been using to inspect Silent Circle's code (and where we were making good progress) has been continuously vandalized for the past seven hours straight.
> [...]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Nadim,

While I ~entirely~ agree this sucks and you've been mercilessly and tastelessly trolled - if you're inferring there was any relation to the SC code being swapped out - that's an irrelevant and unnecessary stretch.

Let's look at it from the other side w/ the same irrelevant and unnecessary stretching.. Early in the pad you admitted to jumping the gun and people were already calling you out. You even, if you recall, said there may be a point to criticizing you for all the LOLing comments and such. You were - for all intents and purposes - an ass early on. You did admit that in a lengthy back-and-forth with one of the anonymous parties before the whole conversation and your LOLing were deleted. I think deleted by you with humility and the intention of drawing attention back to the task at hand - or one could speculate you just don't want any evidence you were a jerk (and that would be unfair I think you'd agree).

Whoever (or how many ever) are/were trolling you were bringing up Slashdot, the CSIS incident, Cryptocat, etc. etc. and seems to have it out for you. I'm not convinced that's at all related to SC itself - just mostly pissing on you for behavior.

I only write that narrative out because you repeatedly exclude yourself from ~any~ criticism when it comes to reporting back to the list. This too, like the mysterious trolling, can lead to conspiracy chains of thoughts. And I'm certain you don't appreciate that unfounded inference any more than any other party does. So don't further promote that cycle.

Regarding the SC code swap itself - as I pointed out (but has also been lost in the noise) there were two different github profiles to the same person and it appeared that all that really happened (besides a codebase update) was that the acct he was using for non-SC stuff was used to initially upload silent-phone-base and that whole account's worth of stuff was pulled and re-uploaded under the account that originally set up all the SC stuff. Occam's Razor applies here.

-Ali

On Thu, Feb 14, 2013 at 9:43 AM, Nadim Kobeissi na...@nadim.cc wrote:
> The collaborative platform which we've been using to inspect Silent Circle's code (and where we were making good progress) has been continuously vandalized for the past seven hours straight.
> [...]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
All,

First of all, hi, I'm Lex van Roon from the Netherlands, and I've been a lurker of this list up until now.

Seeing the issues you guys have had with keeping the silentcircle pad up and running, I've set up a pad on one of my colo boxen on which I have root access. This way, I can maintain a black- or whitelist for access towards this pad. Let me know if you need this service, and if you need it, what your requirements are for it.

Kind Regards,
Lex van Roon

--
LRO-RIPE | 398E38C3 | 748D 6359 389B 4E5A 4A44 82F5 BEC5 07FD 398E 38C3
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
looks like the Silent Circle code is up on github? https://github.com/SilentCircle
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
This is good news! Still far from a complete source code release, but it's good that they're progressing, even if very slowly. Once all of the code is out I'll finally shut up about Silent Circle.

NK

On Wed, Feb 13, 2013 at 5:51 PM, Joseph Lorenzo Hall j...@cdt.org wrote:
> looks like the Silent Circle code is up on github? https://github.com/SilentCircle
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Here are some notes I collected with a quick review of the source code: https://pad.riseup.net/p/silentcircle

-naif

On 2/14/13 1:36 AM, Nadim Kobeissi wrote:
> This is good news! Still far from a complete source code release, but it's good that they're progressing, even if very slowly. Once all of the code is out I'll finally shut up about Silent Circle.
>
> NK
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Fabio Pietrosanti (naif):
> Here are some notes I collected with a quick review of the source code:

I can see the headlines now...

"Cryptography super-group more like a cover band"
"Cryptography Boy Band covers Latvian super-group"
"Cryptography super-group? More like Milli Vanilli!"

or perhaps simply:

"SilentCircle's premiere product was outsourced, and based on out-of-date security libraries with known bugs"

Finally, just to be clear, I have nothing against re-using code, especially open-source projects that are complementary. This is exactly what we have done for our work on OSTN/OStel. I do have a problem with people representing software they license from someone else as their own brilliant, weaved-by-the-gods invention.

+n
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
So to recap: It hasn't been a few hours since Silent Circle released *some* of their source code, and we already know that:

1. Silent Circle isn't built to be a secure communications platform, but is simply a rebranding of TiviPhone, a Latvian-made VoIP software, with added encryption libraries,
2. The encryption libraries are themselves not developed by Silent Circle, but are third party libraries,
3. The third party libraries are in some cases outdated, even in the face of security advisories,
4. There's a good possibility of a buffer overflow being there somewhere, with over 40 uses of snprintf().

I know what I'm doing this weekend! :D

NK

On Wed, Feb 13, 2013 at 11:33 PM, Nathan of Guardian nat...@guardianproject.info wrote:
> Fabio Pietrosanti (naif):
> > Here are some notes I collected with a quick review of the source code:
>
> I can see the headlines now...
> [...]
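The thread goes back and forth on whether a count of snprintf() calls says anything about overflow risk. The following added example (not code from the thread, from Silent Circle or from TiviPhone) shows what a reviewer actually checks at each call site: the write itself is bounded, but the return value is the length the full output would have needed, and a cursor advanced by that value without a check is what turns a bounded call into an out-of-bounds one. The SIP URI format, buffer sizes and inputs are constructed for illustration.

```c
/* Added example for auditing snprintf() chains.  snprintf() never writes
 * past 'size' bytes, but it RETURNS the number of characters the complete
 * output would have had.  The idiom  off += snprintf(buf + off, cap - off, ...)
 * therefore leaves 'off' past the end after a truncated write, and the next
 * call is handed a wrapped size_t, i.e. effectively no bound at all. */
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH 64   /* size of the local scratch buffers used below */

/* Risky idiom, reproduced up to the point where it goes wrong.  Performs the
 * first (still bounded) write, advances the cursor by the unchecked return
 * value and reports the size a second chained call would be given.  When the
 * first piece did not fit, cap - off wraps to SIZE_MAX.  The unsafe second
 * write is deliberately not made, so this function is itself well-defined. */
size_t naive_remaining_after_first(size_t cap, const char *user) {
    char buf[SCRATCH];
    if (cap > sizeof buf) return 0;
    size_t off = 0;
    int n = snprintf(buf, cap, "sip:%s", user);
    if (n < 0) return 0;            /* encoding error */
    off += (size_t)n;               /* BUG: n may exceed cap */
    return cap - off;               /* wraps when off > cap */
}

/* Hardened appender: formats into buf[*off .. cap) and advances *off only
 * when the whole piece fit.  On truncation it returns false and leaves *off
 * unchanged; buf stays NUL-terminated because vsnprintf always terminates
 * when given a non-zero size. */
bool append_fmt(char *buf, size_t cap, size_t *off, const char *fmt, ...) {
    if (*off >= cap) return false;                 /* no room at all */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *off, cap - *off, fmt, ap);
    va_end(ap);
    if (n < 0) return false;                       /* encoding error */
    if ((size_t)n >= cap - *off) return false;     /* did not fit */
    *off += (size_t)n;
    return true;
}

/* Builds "sip:<user>@<host>" in two chained writes.  Returns true only if
 * the complete URI fit; on failure the buffer holds a truncated but
 * NUL-terminated string that the caller must not treat as a valid URI. */
bool build_sip_uri(char *buf, size_t cap, const char *user, const char *host) {
    if (cap == 0) return false;
    buf[0] = '\0';
    size_t off = 0;
    return append_fmt(buf, cap, &off, "sip:%s", user)
        && append_fmt(buf, cap, &off, "@%s", host);
}

/* Convenience wrapper: builds into a cap-byte scratch buffer and returns the
 * resulting length, or -1 if the URI did not fit (cap must be <= SCRATCH). */
int build_sip_uri_len(size_t cap, const char *user, const char *host) {
    char buf[SCRATCH];
    if (cap > sizeof buf) return -1;
    return build_sip_uri(buf, cap, user, host) ? (int)strlen(buf) : -1;
}

int main(void) {
    char buf[SCRATCH];
    bool ok = build_sip_uri(buf, 32, "alice", "ex.org");
    printf("32-byte buffer: ok=%d uri=\"%s\"\n", ok, buf);
    ok = build_sip_uri(buf, 12, "alice", "ex.org");
    printf("12-byte buffer: ok=%d uri=\"%s\" (truncated, rejected)\n", ok, buf);
    printf("naive remaining after a truncated first write: %zu\n",
           naive_remaining_after_first(8, "alice"));
    return 0;
}
```

The number worth looking for in a review is not how many snprintf() calls exist but how many of their return values are compared against the remaining space before being used as an offset.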
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Fabio just discovered that Silent Phone derives device IDs by hashing the device IMEI with MD5... WOW

NK

On Wed, Feb 13, 2013 at 11:51 PM, Nadim Kobeissi na...@nadim.cc wrote:
> So to recap: It hasn't been a few hours since Silent Circle released *some* of their source code, and we already know that:
> [...]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Wait, wait, I just read some code around but without taking much care about the logic of the code itself. So there is stuff that should be checked in more detail by someone else; notes also by other people ended up on that sort of collaborative/chaotic pad https://pad.riseup.net/p/silentcircle .

-naif

On 2/14/13 5:54 AM, Nadim Kobeissi wrote:
> Fabio just discovered that Silent Phone derives device IDs by hashing the device IMEI with MD5... WOW
>
> NK
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
The TiVi rebranding page is gone but the cache: https://webcache.googleusercontent.com/search?q=cache:http://rebrand.tiviphone.com/

It would be utterly bizarre if Silent Circle started as a $199 euro investment. I just can't swallow that. Not, by default, a negative attribute - just - whacky.

I really hope they start responding more specifically soon.

-Ali

On Thu, Feb 14, 2013 at 12:01 AM, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
> Wait, wait, I just read some code around but without taking much care about the logic of the code itself.
> [...]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Who is light green on the etherpad??

NK

On Thu, Feb 14, 2013 at 12:13 AM, Ali-Reza Anghaie a...@packetknife.com wrote:
> The TiVi rebranding page is gone but the cache: https://webcache.googleusercontent.com/search?q=cache:http://rebrand.tiviphone.com/
> [...]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
The last useful version of the Silent Circle pad before troll-erasing is at http://pastebit.com/pastie/12001 if you want to DL it.. "Useful" has varying definitions.

Cheers, -Ali

On Thu, Feb 14, 2013 at 12:30 AM, Nadim Kobeissi na...@nadim.cc wrote:
> Who is light green on the etherpad??
> [...]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Well so we've learned a few things:

1. The limits of completely open/anonymous spaces
2. Why anarchists operate in affinity groups and not everyone has equal right hooray!
3. Someone is obviously threatened by Nadim (be proud not frustrated Nadim!)
4. People are still utter douchebags. I'm looking at you unnamed.

Thanks Ali.

On Feb 13, 2013, at 22:26, Ali-Reza Anghaie a...@packetknife.com wrote:
> Before the pad was ruined we also found out that:
>
> - TiViPhone seems to be part of Silent Circle, (c) and all.. the lead developers are listed on SC's founding page.
> - Likewise the libraries notes, except PolarSSL, also seem to have development led by people now working for Silent Circle.
> - Nadim admittedly jumped the gun on the snprintf() issue
> - We can't verify the libraries used or any of the code against the binary builds
>
> Etc. So the skewering was premature.
>
> The pad, with other commentary, before it was ruined is DLable at http://pastebit.com/pastie/12001 .. the revision history slider still works but who knows how long as someone is mercilessly trolling Nadim through it now.
>
> -Ali
>
> On Wed, Feb 13, 2013 at 11:51 PM, Nadim Kobeissi na...@nadim.cc wrote:
> > So to recap: It hasn't been a few hours since Silent Circle released *some* of their source code, and we already know that:
> > [...]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Overall, I am dissatisfied with Chris totally ignoring my point regarding hype in the media. Chris selectively criticizes projects he doesn't like when the media hypes them up, but when it's Silent Circle, even calling it "unbreakable crypto" doesn't get anything out of him but dozens of quotations all over their media blitz. I remain convinced that he is being absolutely unfair and biased.

NK

On Thu, Feb 7, 2013 at 8:14 PM, Christopher Soghoian ch...@soghoian.net wrote:

> See inline
>
> On Thu, Feb 7, 2013 at 12:15 PM, Andy Isaacson a...@hexapodia.org wrote:
>
>> Silent Circle may be an excellent privacy app. It might not have any significant security problems. It might even do a good job of mitigating important platform-based attacks and supporting important new use cases (the "burn after reading" feature). When it's actually open source I'll take a look and if it is good, I'll recommend it to users.
>>
>> Until that open review happens, I think it's inappropriate for voices in our community to commend or recommend such a proprietary system. Each person makes their own choices, of course, and nobody should base their actions solely on what *I* think is right, but I hope you can hear my concerns and consider the outcomes of your actions.
>
> Twitter's official client and server code are not open source. That hasn't stopped the good folks at EFF, as well as many other privacy advocates, from praising the company's law enforcement transparency policies, as well as Twitter's willingness to go the extra mile when responding to various forms of legal process.
>
> Much of Google's code, including all of the Gmail backend code, is not open source, but that hasn't stopped privacy advocates from legitimately praising the company for voluntarily publishing some really useful data on government requests and DMCA takedown demands.
>
> Although I have not recommended Silent Circle to anyone, I believe that it is entirely legitimate to praise the company for its commitment to transparency regarding law enforcement requests and the company's overall law enforcement policy.
>
> Hell, looking at the list of companies ranked on EFF's "Who's got your back" website, closed source is by far the norm, not the exception. That hasn't stopped EFF from giving out gold stars where they feel they are deserved. See: https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back
>
> In fact, for many of the factors that I am most interested in, source code is completely irrelevant. Client source code does not reveal a company's data retention policy, and server data retention configurations are impossible to verify. Source code does not reveal whether a company will tell its users about subpoenas submitted for user data where not prevented from doing so by a gag order. Source code will not reveal a company's willingness to spend hundreds of thousands of dollars on legal bills to fight an improper request submitted by lawyers at the Department of Justice. For such things, you have to evaluate the company on its public policy (and, once the policy is put into action, you can judge the company via its track record).
>
> By all means, continue to harass Silent Circle about its source code. Likewise, please do hold journalists accountable for the bogus headlines they, or their editors, have selected. But do not dismiss my legitimate interest in the law enforcement legal policies adopted by companies. These policies are often just as important, yet impossible to verify, even when companies publish their source code.
>
> Cheers,
> Chris
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
At this point, I'd like to realize that I'm no longer contributing productively to this conversation. I've stated my points, would like to apologize should anyone have felt offended, and am going to bow out.

NK

On Fri, Feb 8, 2013 at 11:48 AM, Nadim Kobeissi na...@nadim.cc wrote:

> Overall, I am dissatisfied with Chris totally ignoring my point regarding hype in the media.
>
> [snip]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
An entire article's worth of lip service?

“I’m agnostic about this,” he says, “I don’t really care if Silent Circle captures this market, just as long as somebody does.”

I spent the entire interview with the Verge writer complaining about the crappy security delivered by the wireless carriers, which, I think, is entirely accurate, and consistent with my other efforts to shine light upon the carriers' awful security. See this in-depth piece in today's Washington Post, for example: http://www.washingtonpost.com/business/technology/android-phones-vulnerable-to-hackers/2013/02/01/f3248922-6723-11e2-9e1b-07db1d2ccd5b_print.html

It is clear that you seem to have developed a foaming-in-the-mouth, irrational hate of Silent Circle. As such, anyone who fails to denounce Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt shill.

I proudly stand by every single statement quoted in that Verge story.

Chris

On Wed, Feb 6, 2013 at 8:56 PM, Nadim Kobeissi na...@nadim.cc wrote:

> Chris Soghoian gives Silent Circle's "unbreakable encryption" an entire article's worth of lip service here, it must be really unbreakable: http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
>
> NK
>
> On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley bri...@smallworldnews.tv wrote:
>
>> I heard they have a super secret crypto clubhouse in the belly of an extinct volcano. Other rumors suggest they built their lab in the liberated tunnels beneath bin Laden's secret lair in Pakistan...
>>
>> Sent from my iPad
>>
>> On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc wrote:
>>
>>> Actual headline.
>>> http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
>>>
>>> NK
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On 02/07/2013 04:42 AM, Nadim Kobeissi wrote:
> Actual headline.
> http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
>
> NK

Notionally there is no unbreakable encryption. Practically there is an unbreakable encryption (AES, SHA-3); our standards are more than adequate. The risk with encryptions is more the possibility of a hardware hack. Or a bad guy beating the shit out of you with a 5 Dollar Wrench until you tell him the password. In real life no one will use a super computer to break our hardcore encrypted harddrives.

Andreas
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On Thu, Feb 7, 2013 at 11:41 AM, Andreas Bader noergelpi...@hotmail.de wrote:
> Notionally there is no unbreakable encryption. Practically there is an unbreakable encryption (AES, SHA-3); our standards are more than adequate. The risk with encryptions is more the possibility of a hardware hack. Or a bad guy beating the shit out of you with a 5 Dollar Wrench until you tell him the password. In real life no one will use a super computer to break our hardcore encrypted harddrives.

I think Nadim was being sarcastic. I'm also eager to see what comes from this. I too think it's rather odd that these supposedly respectable cryptographers are so blatantly ignoring Kerckhoffs's principle.

Quickly skimmed the article; it seems that you have to trust them to *actually* encrypt your stuff on your phone before storing it on their servers. As with so many others, it'd behoove them to put their code where their mouths are; I don't mind them making money off of this, but at least they should stop leveraging their big names in the industry to get a lot of media attention around them selling snake-oil.

JC
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On 02/07/2013 11:58 AM, Jens Christian Hillerup wrote:
> On Thu, Feb 7, 2013 at 11:41 AM, Andreas Bader noergelpi...@hotmail.de wrote:
>> [snip]
>
> I think Nadim was being sarcastic. I'm also eager to see what comes from this.
>
> [snip]
>
> JC

Didn't get it, sorry. I always forget that you can have humor in such a serious world. :-)

Andreas
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Small follow-up: Maybe it's true I look like my goal here is just to foam at the mouth at Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm truly sorry. These are not my goals, even if my method seems forced.

I've tried writing multiple blog posts about Silent Circle, contacting Silent Circle, asking journalists to *please* mention the importance of free, open source in cryptography, and so on. All of this has failed. It has simply become clear to me that Silent Circle enjoys a double standard because of the reputation of those behind it. Silent Circle may be developed by Gods, but this is just quite plainly unfair. If someone repeatedly claims, towards activists, to have developed unbreakable encryption, markets it closed-source for money, and receives nothing but nods of recognition and applause from the press and even from *security experts* (?!) then something is seriously wrong! No one should be allowed to commit these wrongs, not even Silent Circle.

I feel like I'm fighting for our own sanity here. Look at what you're allowing to happen!

NK

On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi na...@nadim.cc wrote:

> On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian ch...@soghoian.net wrote:
>
>> It is clear that you seem to have developed a foaming-in-the-mouth, irrational hate of Silent Circle. As such, anyone who fails to denounce Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt shill.
>
> Chris,
>
> You have repeatedly stood up asking VoIP software to be more transparent about their encryption. You have repeatedly stood up when the media overblew coverage into hype. However, Silent Circle remains *the only case* where you remain mentioned regularly in articles on the company, where you make a point to completely ignore that they are posting everywhere on their social media that they are developing unbreakable encryption, and marketing it, closed-source, towards activists.
>
> When I confront you about this, you publicly accuse me of soliciting a hit piece (!!) against Silent Circle. That is what I have a problem with: A huge, clear, obvious double standard strictly made available for Silent Circle.
>
>> I proudly stand by every single statement quoted in that Verge story.
>>
>> Chris
>>
>> [snip]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Hello all,

I'm no sec expert but to me, it's so obvious that Nadim is right on this. Perhaps the form is not perfect, but if he's the only one fighting for our own sanity here, as he says, that's no surprise.

We should all be asking Silent Circle to commit to their statement and show us the source code of their so-called unbreakable encryption tools. Again, I'm no sec expert and I won't be the guy who will do the hard task of auditing and reviewing this code. But as a user, as a citizen and perhaps an activist, I want the source code of such tools to be reviewed widely and publicly before using and promoting it.

My 2 euro cents,
Julien

On 07 Feb. 10:31, Nadim Kobeissi wrote:
> Small follow-up: Maybe it's true I look like my goal here is just to foam at the mouth at Silent Circle.
>
> [snip]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On Thu, Feb 7, 2013 at 10:31 AM, Nadim Kobeissi na...@nadim.cc wrote:
> I've tried writing multiple blog posts about Silent Circle, contacting Silent Circle, asking journalists to *please* mention the importance of free, open source in cryptography, and so on. All of this has failed. It has simply become clear to me that Silent Circle enjoys a double standard because of the reputation of those behind it. Silent Circle may be developed by Gods, but this is just quite plainly unfair. If someone repeatedly claims, towards activists, to have developed unbreakable encryption, markets it closed-source for money, and receives nothing but nods of recognition and applause from the press and even from *security experts* (?!) then something is seriously wrong! No one should be allowed to commit these wrongs, not even Silent Circle.

It's definitely not for nothing. *Any* project with that amount of hype around it should be taken skeptically by media covering it, but until very recently, that has not been the case with Silent Circle. You and other vocal proponents of open-source crypto have changed the dialogue. Nothing is perfect, but it's getting there. ("There" being more even-handed media coverage. I don't actually expect them to open source anything.)

There are many double standards in tech and especially tech-focused journalism. Phil Zimmermann is going to have less pushback on his product/service than an MIT grad student would, and the MIT grad student would have less skepticism directed their way than a graduate of the University of Edinburgh -- on down the line. And personal relationships affect these structures at every level. Anyone who thinks class stratification doesn't exist just because we're Internauts is mistaken.

~Griffin
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Nadim Kobeissi:
> Small follow-up: Maybe it's true I look like my goal here is just to foam at the mouth at Silent Circle.
>
> [snip]

I've been monitoring this discussion about Silent Circle and the one on cryptogra...@randombit.net

Software such as TrueCrypt would never have gained the popularity and widespread usage if it were closed source. Likewise things like SSL and TLS would not have gained widespread usage without standards bodies and technical specifications.

I don't see Silent Circle being anything revolutionary. Encryption software which encrypts the contents before uploading it to the cloud already exists, see Cyphertite. They have actually released their source.

I also don't see how any "burn" function of software on sensitive data has any useful purpose. I see that as a false sense of security. If someone were to take a photo of the phone with another phone, it would be circumvented.

I also don't see any problem in Silent Circle releasing source, and using a restrictive license if they so please; the point is while it is closed source we're really just expected to trust these big names. Rich and popular men can be bought and sold, so really their identities or names mean nothing to me. We need independent verifiable proof by people who understand the most inner workings of the implementations of the encryption to say yes this works, and also people attempting to break it.

Also by saying "unbreakable encryption" do they mean to say they've developed encryption technology using unbreakable ciphers? Or is it just the implementation of them? To me it seems like a massive marketing campaign; if they're using social media as much as people say they are, this would further support this.

Also "unbreakable encryption" is similar to saying you've made an unsinkable ship, and we all know what happened last time someone said that.

I also think journalists publishing about Secret Circle should find independent qualified sources to verify the claims of it being unbreakable before publishing it. To me that seems like good journalism vs bad.

--
scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Jens Christian Hillerup:
> Hear-hear. They don't need to open-source their software to convince me, as long as they are open about their protocol at least.

And what if there's a second set of decryption master keys? You're willing to trust them because they say "We're famous guys, we won't do anything bad, and plus we hate naughty governments."

In any case if they can match a person of interest with an account (through other means) they can apply rubber-hose cryptanalysis or key disclosure law to the user or recipient to really find out what they've been sending and receiving with it. The fact is you can't buy into this service anonymously, so at least payment credentials will be available. Even if Phil says he won't be bad, what is to stop Apple revealing your iTunes account purchased this application in the AppStore when the necessary legal screws are applied to them?

--
scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Can Silent Circle promoters explain why Zimmermann is excused from Kerckhoffs's principle? Is it because something unverifiable is allegedly better than nothing? Even if we had divine knowledge to tell us Silent Circle is secure, isn't it an overriding problem to encourage lock-in of closed source being acceptable for something as common as text-messaging?

It is good to have a scrappy talented young person such as Nadim being pesky to older, accepted people.

On 02/07/2013 09:45 AM, Julien Rabier wrote:

Hello all,

I'm no sec expert but to me, it's so obvious that Nadim is right on this. Perhaps the form is not perfect, but if he's the only one fighting for our own sanity here, as he says, that's no surprise. We should all be asking Silent Circle to commit to their statement and show us the source code of their so-called unbreakable encryption tools. Again, I'm no sec expert and I won't be the guy who will do the hard task of auditing and reviewing this code. But as a user, as a citizen and perhaps an activist, I want the source code of such tools to be reviewed widely and publicly before using and promoting it.

My 2 euro cents,
Julien

On 07 Feb. at 10:31, Nadim Kobeissi wrote:

Small follow-up: Maybe it's true I look like my goal here is just to foam at the mouth at Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm truly sorry. These are not my goals, even if my method seems forced. I've tried writing multiple blog posts about Silent Circle, contacting Silent Circle, asking journalists to *please* mention the importance of free, open source in cryptography, and so on. All of this has failed. It has simply become clear to me that Silent Circle enjoys a double standard because of the reputation of those behind it. Silent Circle may be developed by Gods, but this is just quite plainly unfair.

If someone repeatedly claims, towards activists, to have developed unbreakable encryption, markets it closed-source for money, and receives nothing but nods of recognition and applause from the press and even from *security experts* (?!) then something is seriously wrong! No one should be allowed to commit these wrongs, not even Silent Circle. I feel like I'm fighting for our own sanity here. Look at what you're allowing to happen!

NK

On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi na...@nadim.cc wrote:

On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian ch...@soghoian.net wrote:

It is clear that you seem to have developed a foaming-in-the-mouth, irrational hate of Silent Circle. As such, anyone who fails to denounce Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt shill.

Chris,

You have repeatedly stood up asking VoIP software to be more transparent about their encryption. You have repeatedly stood up when the media overblew coverage into hype. However, Silent Circle remains *the only case* where you remain mentioned regularly in articles on the company, where you make a point to completely ignore that they are posting everywhere on their social media that they are developing unbreakable encryption, and marketing it, closed-source, towards activists. When I confront you about this, you publicly accuse me of soliciting a hit piece (!!) against Silent Circle. That is what I have a problem with: A huge, clear, obvious double standard strictly made available for Silent Circle.

I proudly stand by every single statement quoted in that Verge story.

Chris

On Wed, Feb 6, 2013 at 8:56 PM, Nadim Kobeissi na...@nadim.cc wrote:

Chris Soghoian gives Silent Circle's unbreakable encryption an entire article's worth of lip service here, it must be really unbreakable: http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone

NK

On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley bri...@smallworldnews.tv wrote:

I heard they have a super secret crypto clubhouse in the belly of an extinct volcano. Other rumors suggest they built their lab in the liberated tunnels beneath bin Laden's secret lair in Pakistan...

Sent from my iPad

On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc wrote:

Actual headline. http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market

NK
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Douglas Lucas:
> Is it because something unverifiable is allegedly better than nothing? Even if we had divine knowledge to tell us Silent Circle is secure, isn't it an overriding problem to encourage lock-in of closed source being acceptable for something as common as text-messaging?
>
> It is good to have a scrappy talented young person such as Nadim being pesky to older, accepted people.

Agreed, and this is one of the larger problems for people in social censorship bubbles, where basically if you don't have the tech you can't talk to the person. This is one of the things that encryption technologies like Off the Record Messaging try to bridge. Nobody wants to be forced to use specific technology from a specific individual or entity. It's bad enough everyone uses Facebook. Decentralization is the only way to avoid this becoming a weak link.

-- 
scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On Thu, Feb 7, 2013 at 8:36 AM, Douglas Lucas d...@riseup.net wrote:
> Can Silent Circle promoters explain why Zimmermann is excused from Kerckhoffs's principle? Is it because something unverifiable is allegedly better than nothing? Even if we had divine knowledge to tell us Silent Circle is secure, isn't it an overriding problem to encourage lock-in of closed source being acceptable for something as common as text-messaging?

Even if it were acceptable because we trust the source this time, that won't be clear to the public— and the next unscrupulous snake oil salesman who comes around using identical marketing will look just as trustworthy to the public.

Accordingly, this work still demands a strong negative reaction if we're to continue to establish in people's minds that snazzy names, buzzword technobabble, and big claims do not show security products to be trustworthy: Only independent auditing and open code do.
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
> Chris,
>
> You have repeatedly stood up asking VoIP software to be more transparent about their encryption. You have repeatedly stood up when the media overblew coverage into hype.

I've never asked Skype to release the source code to their products, nor have I berated Apple, Facebook or Microsoft for not releasing the source code to their products. I have, however, asked Skype to be more transparent about the extent to which it can provide communications interception assistance to law enforcement and intelligence agencies. There is a big difference.

If you don't want to use Silent Circle without seeing the source code, that is an entirely legitimate point of view (and in fact, one that I share, and that I expressed to Ryan Gallagher last year):

http://www.slate.com/articles/technology/future_tense/2012/10/silent_circle_mike_janke_s_iphone_app_makes_encryption_easy_governments.single.html

"Christopher Soghoian, principal technologist at the ACLU's Speech, Privacy and Technology Project, said he was excited to see a company like Silent Circle visibly competing on privacy and security but that he was waiting for it to go open source and be audited by independent security experts before he would feel comfortable using it for sensitive communications."

Even though I am not using Silent Circle for sensitive conversations, I am still absolutely delighted to see them be as proactive as they have been about embracing and documenting progressive law enforcement policies.

https://silentcircle.com/web/law-compliance/

My area of research is the intersection of law, policy and technology. As such, I am most interested in companies' surveillance policies, their commitment to transparency, and their stated willingness to tell the government to GTFO if they come and ask for backdoors. On this front, Silent Circle is extremely interesting, probably more so than any other Internet company.

For many people on this list, source code is their #1 priority. That is fine. However, it is not my priority. I am more concerned with surveillance policy, because that is what I study and where I think I can be most effective in applying pressure.

What I resent though, is Nadim's repeated, malicious attempts to drag my name through the mud, simply because I will not join his witch hunt against Silent Circle. Since he cannot find a single example of me saying anything false in the handful of interviews I have given to journalists writing about this company, instead he criticizes me for not throwing rocks at Phil Zimmermann.
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
scarp:
> Douglas Lucas:
>> Is it because something unverifiable is allegedly better than nothing? [...]
>
> Agreed, and this is one of the larger problems for people in social censorship bubbles, where basically if you don't have the tech you can't talk to the person. This is one of the things that encryption technologies like Off the Record Messaging try to bridge. Nobody wants to be forced to use specific technology from a specific individual or entity. It's bad enough everyone uses Facebook. Decentralization is the only way to avoid this becoming a weak link.

Which brings me to another point: what if in 1991 Phil Zimmermann had said you must use his BBS/email server to use PGP, and wouldn't release the source for the encrypting client? I wonder if it would be as popular as it is today if that was the case.

I also find this amusing: https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_investigation

"Shortly after its release, PGP encryption found its way outside the United States, and in February 1993 Zimmermann became the formal target of a criminal investigation by the US Government for munitions export without a license. Cryptosystems using keys larger than 40 bits were then considered munitions within the definition of the US export regulations; PGP has never used keys smaller than 128 bits so it qualified at that time. Penalties for violation, if found guilty, were substantial. After several years, the investigation of Zimmermann was closed without filing criminal charges against him or anyone else. Zimmermann challenged these regulations in a curious way. He published the entire source code of PGP in a hardback book."

To me this seems like a big middle finger to a totalitarian government dictating how and by whom it must be used. Of course by this point the government couldn't stop people using it even if they wanted to; the source was everywhere. Given his interest in anti-nuclear activism, I wonder if in today's world that could have been construed as anti-government and made him a person of interest to the government.

The other question is what's to stop Apple being legally forced to push a modified copy of this software to a person's phone that has a backdoor? While people might say this isn't possible due to XXX law, what is to prevent one being created that changes that? Encryption technology's effectiveness should not be based on what the government is allowed and not allowed to do. I guess this is an inherent problem with storing data in the cloud.

For an annual price of $20/month (closer to $30/month on their 3-month plan), poorer people of poorer nations won't be able to afford this, and neither will the average citizen care enough to pay this. I don't imagine some factory worker in China, for example, who earns 50 cents a day being able to pay for this so he can talk about how shitty the conditions are. To me it seems like it will only get used by businesses and enterprise needing security abroad rather than activists residing in areas where they would need it in order to have some semblance of freedom.

-- 
scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On Thu, Feb 7, 2013 at 9:12 AM, Christopher Soghoian ch...@soghoian.net wrote:
> My area of research is the intersection of law, policy and technology. As such, I am most interested in companies' surveillance policies, their commitment to transparency, and their stated willingness to tell the government to GTFO if they come and ask for backdoors. On this front, Silent Circle is extremely interesting, probably more so than any other Internet company.

You may think these are your preferences, but what you're saying makes it clear that your preferences are actually subtly different.

If someone says "we won't put in 'lawful surveillance' backdoors" but doesn't back that up with independent auditing (which can come in the form of access to source code) and you find that acceptable, then what you have is a preference for _claiming_ that there are no back doors, and not a preference for being open about what the policy is (the real policy is in the software, which the public has not observed) or a preference for there being no back doors.

Considering the long history of mistakes and outright lies in security software— this is simply how it is. Doubly so when you consider that lying about a backdoor or being mistaken about severe security holes is unlikely to carry consequences more negative than being open to begin with.

If there were a surety bond commensurate with the loss of life that could result from mistakes and dishonesty here, and there were independent auditing... plus any of a number of other things, then perhaps you could say that you cared about transparency, policy, and backdoors.

> For many people on this list, source code is their #1 priority. That is fine. However, it is not my priority. I am more concerned with surveillance policy, because that is what I study and where I think I can be most effective in applying pressure.

You're erroneously concluding that people who disagree with you have source code as their #1 priority— rather, I think it would be more fair in the context of security software to characterize the position as facts as #1 priority instead of warm and fuzzy hyperbole. Source code access is simply the least expensive and most direct way to start getting any real confidence that claims match reality.

Following the argument that something is not necessarily better than nothing— we'd be better off if people who weren't interested in producing trustworthy software we're pressed into making fuzzy sounding fanciful claims. If all you can be effective at doing is improving the art of marketing (potential) snake oil, then perhaps you need to reevaluate what you're working on.
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On Thu, Feb 7, 2013 at 12:12 PM, Christopher Soghoian ch...@soghoian.net wrote:
> What I resent though, is Nadim's repeated, malicious attempts to drag my name through the mud, simply because I will not join his witch hunt against Silent Circle. Since he cannot find a single example of me saying anything false in the handful of interviews I have given to journalists writing about this company, instead he criticizes me for not throwing rocks at Phil Zimmermann.

This is not at all what I am asking for. When the press mentioned my own project, Cryptocat, as a tool for activists, you threw every rock at your disposal both at the media and at my work, even though I had made every effort to label the limitations of my software and to release all source code, and even to correct the false claims made by the media.

However, when the media calls Silent Circle unbreakable, and when Silent Circle posts those articles on their websites without releasing any source code, and then markets their products towards activists, you in fact continue to speak in articles about them and compliment them.

You cannot deny the double standard that you are instituting here, Chris. You have absolutely attacked projects that have been hyped in the media, even when they had good policies and even when they were open source. You are exercising a double standard. Stop denying it.
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Alchemy is to chemistry, astrology is to astronomy, as closed-source is to open source.

Closed-source is intellectual fraud. It is the equivalent of an academic paper which has a synopsis and conclusions -- but nothing else. No honest reviewer would ever approve such tripe for publication in a refereed journal of mechanical engineering or physics or medicine...yet we, in computer science, are expected to do the equivalent. We're actually expected to take someone's word that their code does what they say it does -- even though we have a mountain of evidence stretching back to the beginning of our field that says it's NEVER been true, even when the code's written by people who are smart/experienced/honest/diligent/etc.

Not even Stephen Hawking gets his papers published without showing his data/reasoning/work/etc. As it should be.

So yes, my response to this is "source or GTFO". Extraordinary claims require extraordinary proof and in this case, there is none.

---rsk
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Inline below..

On Thu, Feb 7, 2013 at 11:34 AM, scarp sc...@tormail.org wrote:
> Jens Christian Hillerup:
>> Hear-hear. They don't need to open-source their software to convince me, as long as they are open about their protocol at least.
>
> And what if there's a second set of decryption master keys? You're willing to trust them because they say "We're famous guys, we won't do anything bad, and plus we hate naughty governments."

We need to verify everything they say is true - keys aren't generated on servers (with the PGP Universal option for email they allow it but discourage it). Sure, yes, absolutely we all want to verify it from source to wire.. no argument.

> The fact is you can't buy into this service anonymously, so at least payment credentials will be available. Even if Phil says he won't be bad, what is to stop Apple revealing that your iTunes account purchased this application in the App Store when the necessary legal screws are applied to them?

They do offer the Ronin option for anonymous purchasing of the provisioning keys - the App is free itself.

-Ali
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Douglas,

I'm not sure many people are disagreeing with the end-goals and even Zimmermann acknowledges the window for verifiable source proof is closing fast (longer than many would have liked as-is).

My comments to Nadim are coming from a tact perspective - if the goal is to gain wider adoption and recognition for all the community work, good projects, verified projects, etc. etc. then it helps when you play in the sandboxes occupied by more than the hackers and programmers making it happen.

It's not uncommon to have people, who need solutions the most, to be afraid of projects because of the main name associated with them after some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD, etc. etc. It's easy to tell everyone else to pound sand or to roll all activist causes into one for the collective libtech us - it's not so easy when we take it elsewhere.

Just trying to see how we can promote things that look less like personal gripes and trolls - and more like building something useful.

-Ali

On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas d...@riseup.net wrote:
> Can Silent Circle promoters explain why Zimmermann is excused from Kerckhoffs's principle? Is it because something unverifiable is allegedly better than nothing? Even if we had divine knowledge to tell us Silent Circle is secure, isn't it an overriding problem to encourage lock-in of closed source being acceptable for something as common as text-messaging?
>
> It is good to have a scrappy talented young person such as Nadim being pesky to older, accepted people.
>
> [...]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Just as a reminder, please let's all try to refrain from engaging in any personal attacks. We all build and use liberationtech to make a difference in various ways, and we're bound to have disagreements. But let's not forget that we're all working toward the same broad goal of making people's lives better. Otherwise, we would likely not be on this list.

Best,
YC

On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie a...@packetknife.com wrote:
> Douglas,
>
> I'm not sure many people are disagreeing with the end-goals and even Zimmermann acknowledges the window for verifiable source proof is closing fast (longer than many would have liked as-is).
>
> My comments to Nadim are coming from a tact perspective - if the goal is to gain wider adoption and recognition for all the community work, good projects, verified projects, etc. etc. then it helps when you play in the sandboxes occupied by more than the hackers and programmers making it happen.
>
> [...]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
And even the proponents already have. Here, elsewhere, .. Nobody is happy at technically ignorant gee-whiz journalism. The discussion has been, a few times now, how we tend to speak out about it. And what buses people on the same side seem willing to throw each other under. Gods know why.

-Ali

On Feb 7, 2013 3:46 PM, Jillian C. York jilliancy...@gmail.com wrote:
> I'm not going to get into the politics or pettiness of this because frankly, I don't care. But this headline http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market and the accompanying claims of unbreakability are so incredibly egregious that I would expect *every single person on this list* to speak out against those (claims, that is), regardless of their feelings on the actual product.
>
> On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys compa...@stanford.edu wrote:
>> Just as a reminder, please let's all try to refrain from engaging in any personal attacks. We all build and use liberationtech to make a difference in various ways, and we're bound to have disagreements. But let's not forget that we're all working toward the same broad goal of making people's lives better. Otherwise, we would likely not be on this list.
>>
>> Best,
>> YC
>>
>> [...]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
On Thu, Feb 7, 2013 at 5:34 PM, scarp sc...@tormail.org wrote: Jens Christian Hillerup: Hear-hear. They don't need to open-source their software to convince me, as long as they are open about their protocol at least.

And what if there's a second set of decryption master keys? You're willing to trust them because they say "We're famous guys, we won't do anything bad, and plus we hate naughty governments."

No, I think we agree. I meant by "protocol" that it'd be possible for me to create a client for the service from scratch (maybe even the server part, too, but not strictly needed), i.e. I get to choose the encryption key(s), etc. Sorry for the misunderstanding. JC

-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
The latest "unbreakable even by a supercomputer" article includes artistic, black and white photographs of Phil Zimmermann and John Callas: http://www.dailymail.co.uk/sciencetech/article-2274597/How-foil-eavesdroppers-The-smartphone-encryption-app-promises-make-communications-private-again.html#axzz2KDR1XKE6 NK

On Thu, Feb 7, 2013 at 4:15 PM, Ali-Reza Anghaie a...@packetknife.com wrote: [snip]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
“I tell them go ahead and use Skype — I don’t even want to talk to you. This is for serious people interested in serious cryptography,” Zimmermann said. “We are not Facebook. We are the opposite of Facebook.” http://bits.blogs.nytimes.com/2013/02/05/security-pioneer-creates-service-to-encrypt-phone-calls-and-text-messages/ NK

On Thu, Feb 7, 2013 at 4:32 PM, Nadim Kobeissi na...@nadim.cc wrote: [snip]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
I do have to wonder why they've twice mentioned embargoed countries they couldn't sell to legally anyway. Is there something I'm missing about ~selling~ dissidents solutions in Iran and NK? US Government have an exception for that? -Ali

On Feb 7, 2013 4:38 PM, Nadim Kobeissi na...@nadim.cc wrote: [snip]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Is there something I'm missing about ~selling~ dissidents solutions in Iran and NK? US Government have an exception for that? -Ali

There is a "Favorable Licensing Policy for Iran on Internet Freedom" that specifically mentions "Fee-Based Internet Communication Services", although since it was published in March 2012 it is unclear whether any actual license has been approved. North Korea might have larger impediments, since I am fairly sure there is next to no access to international telephony or Internet connections.

On Thu, Feb 7, 2013 at 4:47 PM, Ali-Reza Anghaie a...@packetknife.com wrote: [snip]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
See inline.

On Thu, Feb 7, 2013 at 12:15 PM, Andy Isaacson a...@hexapodia.org wrote: Silent Circle may be an excellent privacy app. It might not have any significant security problems. It might even do a good job of mitigating important platform-based attacks and supporting important new use cases (the "burn after reading" feature). When it's actually open source I'll take a look and if it is good, I'll recommend it to users. Until that open review happens, I think it's inappropriate for voices in our community to commend or recommend such a proprietary system. Each person makes their own choices, of course, and nobody should base their actions solely on what *I* think is right, but I hope you can hear my concerns and consider the outcomes of your actions.

Twitter's official client and server code are not open source. That hasn't stopped the good folks at EFF, as well as many other privacy advocates from praising the company's law enforcement transparency policies, as well as Twitter's willingness to go the extra mile when responding to various forms of legal process.

Much of Google's code, including all of the Gmail backend code is not open source, but that hasn't stopped privacy advocates from legitimately praising the company for voluntarily publishing some really useful data on government requests and DMCA takedown demands.

Although I have not recommended Silent Circle to anyone, I believe that it is entirely legitimate to praise the company for its commitment to transparency regarding law enforcement requests and the company's overall law enforcement policy.

Hell, looking at the list of companies ranked on EFF's "Who's got your back" website, closed source is by far the norm, not the exception. That hasn't stopped EFF from giving out gold stars where they feel they are deserved. See: https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back

In fact, for many of the factors that I am most interested in, source code is completely irrelevant. Client source code does not reveal a company's data retention policy, and server data retention configurations are impossible to verify. Source code does not reveal whether a company will tell its users about subpoenas submitted for user data where not prevented from doing so by a gag order. Source code will not reveal a company's willingness to spend hundreds of thousands of dollars on legal bills to fight an improper request submitted by lawyers at the Department of Justice. For such things, you have to evaluate the company on its public policy (and, once the policy is put into action, you can judge the company via its track record).

By all means, continue to harass Silent Circle about its source code. Likewise, please do hold journalists accountable for the bogus headlines they, or their editors have selected. But do not dismiss my legitimate interest in the law enforcement legal policies adopted by companies. These policies are often just as important, yet impossible to verify, even when companies publish their source code. Cheers, Chris
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Christopher Soghoian ch...@soghoian.net wrote: Twitter's official client and server code are not open source ... Much of Google's code, including all of the Gmail backend code is not open source

That's a bit of a false equivalency, don't you think? Silent Circle's whole premise is that their code will encrypt data and protect it from outside parties (including the government). Twitter and Google make no such promise, and in fact their legal policies run counter to that... ~Griffin
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Chris, Nicely put. Agree with your comments 100% Robert

-- On 2013-02-07, at 8:14 PM, Christopher Soghoian wrote: [snip]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Ali-Reza Anghaie: Inline below..

On Thu, Feb 7, 2013 at 11:34 AM, scarp sc...@tormail.org wrote: The fact you can't buy into this service anonymously, so at least payment credentials will be available. Even if Phil says he won't be bad what is to stop Apple revealing your iTunes account purchased this application in AppStore when the necessary legal screws are applied to them.

They do offer the "Ronin" option for anonymous purchasing of the provisioning keys - the App is free itself. -Ali

Ah yes, although the application is free, what I meant is Apple will still have a record that you installed it on that iTunes account. They actually send you an invoice for $0.00. It also appears BitcoinEAST resell the activation codes, so I guess you could acquire some bitcoins via mail order and that would be a pretty safe way of purchasing.

- -- scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
+1. I wish I could say otherwise, but now after a few years working as a journalism trainer and in the journalism field I've been led to recognize that, whether I like it or not, and whether it is ethical or not:

1. Headlines are used to grab readers and generate buzz. I'd not read the article until it was posted here, and I'm sure many others had not. That generated buzz and eyeballs.

2. Journalists are again and again and again guilty of access bias. They are biased to report on the thing they have access to, whether that be because a PR firm sent them a release and made individuals available for interview, or a great many other reasons.

3. The best way to counter media spin is to make friends with journalists, put out counter press releases, and above all, not engage in personal attacks or petty bullshit.

I don't like it, and I tell all my students to avoid it, but there it is.

Brian

On Thu, Feb 7, 2013 at 12:46 PM, Jillian C. York jilliancy...@gmail.com wrote:
> I'm not going to get into the politics or pettiness of this because frankly, I don't care. But this headline http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market and the accompanying claims of unbreakability are so incredibly egregious that I would expect *every single person on this list* to speak out against those (claims, that is), regardless of their feelings on the actual product.
>
> On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys compa...@stanford.edu wrote:
>> Just as a reminder, please let's all try to refrain from engaging in any personal attacks. We all build and use liberationtech to make a difference in various ways, and we're bound to have disagreements. But let's not forget that we're all working toward the same broad goal of making people's lives better. Otherwise, we would likely not be on this list.
>>
>> Best,
>> YC
>>
>> On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie a...@packetknife.com wrote:
>>> Douglas, I'm not sure many people are disagreeing with the end-goals, and even Zimmermann acknowledges the window for verifiable source proof is closing fast (longer than many would have liked as-is).
>>>
>>> My comments to Nadim are coming from a tact perspective - if the goal is to gain wider adoption and recognition for all the community work, good projects, verified projects, etc. etc., then it helps when you play in the sandboxes occupied by more than the hackers and programmers making it happen. It's not uncommon to have people, who need solutions the most, be afraid of projects because of the main name associated with them after some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD, etc. etc. It's easy to tell everyone else to pound sand or to roll all activist causes into one for the collective libtech us - it's not so easy when we take it elsewhere.
>>>
>>> Just trying to see how we can promote things that look less like personal gripes and trolls - and more like building something useful. -Ali
>>>
>>> On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas d...@riseup.net wrote:
>>>> Can Silent Circle promoters explain why Zimmermann is excused from Kerckhoffs's principle? Is it because something unverifiable is allegedly better than nothing? Even if we had divine knowledge to tell us Silent Circle is secure, isn't it an overriding problem to encourage lock-in of closed source being acceptable for something as common as text-messaging? It is good to have a scrappy, talented young person such as Nadim being pesky to older, accepted people.
>>>>
>>>> On 02/07/2013 09:45 AM, Julien Rabier wrote:
>>>>> Hello all, I'm no sec expert but to me, it's so obvious that Nadim is right on this. Perhaps the form is not perfect, but if he's the only one fighting for our own sanity here, as he says, that's no surprise.
>>>>>
>>>>> We should all be asking Silent Circle to commit to their statement and show us the source code of their so-called unbreakable encryption tools. Again, I'm no sec expert and I won't be the guy who will do the hard task of auditing and reviewing this code. But as a user, as a citizen and perhaps an activist, I want the source code of such tools to be reviewed widely and publicly before using and promoting it.
>>>>>
>>>>> My 2 euro cents,
>>>>> Julien
>>>>>
>>>>> On 7 Feb, 10:31, Nadim Kobeissi wrote:
>>>>>> Small follow-up: Maybe it's true I look like my goal here is just to foam at the mouth at Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm truly sorry. These are not my goals, even if my method seems forced. I've tried writing multiple blog posts about Silent Circle, contacting Silent Circle, asking journalists to *please* mention the importance of free, open source in cryptography, and so on. All of this has failed. It has simply become clear to me that Silent Circle enjoys a double standard because of the reputation of those behind it. Silent Circle may be developed by
[liberationtech] Cryptography super-group creates unbreakable encryption
Actual headline. http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market

NK
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree fundamentally with anything he said there?

Brian

On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc wrote:
> Chris Soghoian gives Silent Circle's unbreakable encryption an entire article's worth of lip service here, it must be really unbreakable: http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
>
> NK
>
> On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley bri...@smallworldnews.tv wrote:
>> I heard they have a super secret crypto clubhouse in the belly of an extinct volcano. Other rumors suggest they built their lab in the liberated tunnels beneath bin Laden's secret lair in Pakistan...
>>
>> Sent from my iPad
>>
>> On Feb 6, 2013, at 19:42, Nadim Kobeissi na...@nadim.cc wrote:
>>> Actual headline. http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
>>>
>>> NK
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
What I'm trying to point out is that Silent Circle can call itself a super-group creating unbreakable encryption, market closed-source software towards activists, and some experts will still speak out for them favourably.

NK

On Wed, Feb 6, 2013 at 11:21 PM, Brian Conley bri...@smallworldnews.tv wrote:
> C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree fundamentally with anything he said there?
>
> Brian
>
> On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc wrote:
>> Chris Soghoian gives Silent Circle's unbreakable encryption an entire article's worth of lip service here, it must be really unbreakable: http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
>>
>> NK
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
The enemy knows the system, but some enemies are more equal than others.

On 02/06/2013 10:21 PM, Brian Conley wrote:
> C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree fundamentally with anything he said there?
>
> Brian
>
> On Feb 6, 2013, at 19:56, Nadim Kobeissi na...@nadim.cc wrote:
>> Chris Soghoian gives Silent Circle's unbreakable encryption an entire article's worth of lip service here, it must be really unbreakable: http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
>>
>> NK