Re: [cryptography] skype backdoor confirmation

2013-05-19 Thread Jacob Appelbaum
Krassimir Tzvetanov: > To the best of my knowledge in Russia (no, I'm not Russian nor have lived > there so I'm not 100% sure) you need to submit a copy of the private key if > you are operating a website providing encryption on their territory to > allow for legal intercept. > > They also have ot

Re: [cryptography] skype backdoor confirmation

2013-05-20 Thread Jacob Appelbaum
Mark Seiden: > i think we are having a misunderstanding here. > > any sort of opt-in or opt out doesn't work in the account takeover scenario, > which is > very common these days. > > the bad guy will always have a relationship through the buddy list, which is > exactly > why they are using ta

Re: [cryptography] skype backdoor confirmation

2013-05-20 Thread Jacob Appelbaum
James A. Donald: > On 2013-05-20 7:49 PM, Mark Seiden wrote: >> i think we are having a misunderstanding here. >> >> any sort of opt-in or opt out doesn't work in the account takeover >> scenario, which is >> very common these days. > > No one on my buddy list has been taken over, or if they have,

Re: [cryptography] skype backdoor confirmation

2013-05-20 Thread Jacob Appelbaum
Jeffrey Walton: > On Mon, May 20, 2013 at 8:55 PM, Jacob Appelbaum wrote: >> James A. Donald: >>> ... >>> >>> Zombie computers are seldom of high value. >> >> Some malware is designed to keep people communicating, under heavy >> watch; it is

Re: [cryptography] skype backdoor confirmation

2013-05-20 Thread Jacob Appelbaum
James A. Donald: > >> James A. Donald: >>> No one on my buddy list has been taken over, or if they have, they >>> took care of it before I noticed. > > On 2013-05-21 10:55 AM, Jacob Appelbaum wrote: > >> That is - how would they notice and if they we

Re: [cryptography] skype backdoor confirmation

2013-05-22 Thread Jacob Appelbaum
> > This presupposes custom malware written for the specific target. > Not always. It presumes that someone may pack a binary just for a single target - this is however an automated process for lots of malware packages. > Highly customized spearphish attacks are unlikely to be detected, but > r

Re: [cryptography] skype backdoor confirmation

2013-05-22 Thread Jacob Appelbaum
James A. Donald: >> > Cops just don't put that much work in. > > On 2013-05-22 5:41 PM, Jacob Appelbaum wrote: >> Yes, yes they do: >> >> > http://www.scmagazine.com/finfisher-command-and-control-hubs-turn-up-in-11-new-countries/article/291252/ > >

Re: [cryptography] skype backdoor confirmation

2013-05-23 Thread Jacob Appelbaum
( James - Please don't write me privately off-list about on-list topics. ) James A. Donald: > On 2013-05-22 7:59 PM, Jacob Appelbaum wrote: >> http://www.guardian.co.uk/commentisfree/2013/may/04/telephone-calls-recorded-fbi-boston >> > >> > Yes: Recorded at th

Re: [cryptography] skype backdoor confirmation

2013-05-25 Thread Jacob Appelbaum
Dear Eric, Eric S Johnson: > Sauer: We answer to this question: We provide a safe communication option > available. I will not tell you whether we can listen to it or not. > > In other words, no evidence there, either. > > There is also no useful definition of safe. Does that include secure?

Re: [cryptography] Snowden: Fabricating Digital Keys?

2013-06-29 Thread Jacob Appelbaum
Cool Hand Luke: > On 06/28, Nico Williams wrote: How would one fabricate a digital key? > >> They probably meant something that sounds close. E.g., minted a >> certificate, or a ticket, or token, or whatever the thing is, by >> subverting an issuing authority or its processes (possibly via s

Re: [cryptography] Potential funding for crypto-related projects

2013-06-29 Thread Jacob Appelbaum
Natanael: > I would like to point out that the developers of the anonymizing network > I2P are looking for more external review of the codebase (it's in Java, by > the way). Everybody who knows how to do security reviews of source code and > has time to spare should take a look at it. > I've prev

Re: [cryptography] Potential funding for crypto-related projects

2013-06-29 Thread Jacob Appelbaum
Natanael: > I'm not seeing that many options though. The Phantom project died pretty > fast; > https://code.google.com/p/phantom/ > https://groups.google.com/forum/#!forum/phantom-protocol > http://phantom-anon.blogspot.se/ > > So who's out there developing any useful protocols for anonymization t

Re: [cryptography] Potential funding for crypto-related projects

2013-06-30 Thread Jacob Appelbaum
Nadim Kobeissi: > > On 2013-06-29, at 11:48 PM, Jacob Appelbaum > wrote: > >> Natanael: >>> I'm not seeing that many options though. The Phantom project died >>> pretty fast; https://code.google.com/p/phantom/ >>> https://groups.google.com/

Re: [cryptography] Potential funding for crypto-related projects

2013-06-30 Thread Jacob Appelbaum
Nadim Kobeissi: >> >> Read my email more carefully next time. I specifically encouraged >> experimentation in a way that seems reasonably safe: > > There's no need to be so patronizing — I'm aware that you recommended TAILS > (which is also a Tor project). > I'm sorry to write with more bad new

Re: [cryptography] Potential funding for crypto-related projects

2013-06-30 Thread Jacob Appelbaum
Michael Rogers: >> So who's out there developing any useful protocols for >> anonymization today? *Anybody*? Could we try to start a new project >> (if needed) to create one? > > I'd love to see a revitalisation of remailer research, focussing on > unlinkability (which we know many people would be

Re: [cryptography] Potential funding for crypto-related projects

2013-06-30 Thread Jacob Appelbaum
aort...@alu.itba.edu.ar: > I believe Anonymity is a problem orders of magnitude bigger than privacy. I agree - though most people think the two terms mean the same thing. Lots of different terms are a similar set of things for different people. > Tor seems like the only serious project aiming at

Re: [cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]

2013-06-30 Thread Jacob Appelbaum
Yosem Companys: > Speaking of which... > > If you had an extra $2-3K to give to a liberationtech or crypto project, > who do you think would benefit the most? > Tails. They could use support: https://tails.boum.org All the best, Jacob

Re: [cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]

2013-06-30 Thread Jacob Appelbaum
Ryan Hurst: > Though it wouldn't necessarily advance anonymity or cryptography knowledge I > think funding of a public repository that had reviewed, stable packages or > for the most popular distributions nginx, apache and openssl that came with > the most secure stuff enabled; for example today

Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)

2013-06-30 Thread Jacob Appelbaum
Ethan Heilman: >> The way I read that (and combined with the overall disclosures that they > are basically collecting everything they can get their hands on) the NSA > has now been de-militarised, or civilianised if you prefer that term. In > the sense that, information regarding criminal activity

Re: [cryptography] Potential funding for crypto-related projects

2013-07-01 Thread Jacob Appelbaum
Ben Laurie: > On 1 July 2013 12:32, Tom Ritter wrote: >> On 1 July 2013 05:04, Ben Laurie wrote: >>> On 1 July 2013 01:55, Jacob Appelbaum wrote: >>>> So then - what do you suggest to someone who wants to leak a document to >>>> a press agency that h

Re: [cryptography] Potential funding for crypto-related projects

2013-07-02 Thread Jacob Appelbaum
Michael Rogers: > On 01/07/13 01:55, Jacob Appelbaum wrote: >> It is also why we have multiple implementations as well. There is a >> Java version of Tor that is nearly ready for release and it will >> solve a number of the C implementation concerns and exchange them >>

Re: [cryptography] Potential funding for crypto-related projects

2013-07-02 Thread Jacob Appelbaum
ianG: >> You can have privacy by using OTR and that's good in many situations, but >> won't protect you from somebody with enough money to hire techs and put >> some taps. > > > The threat is always on the node, never on the wire... > It is both. DPI does not merely mean inspection and it hasn'

Re: [cryptography] Potential funding for crypto-related projects

2013-07-02 Thread Jacob Appelbaum
aort...@alu.itba.edu.ar: >>> The more interesting point is high vs low latency. I really like the >>> idea of having a high-latency option in Tor. It would still need to >>> have a lot of users to actually be useful, though. But it seems there >>> are various protocols that would be more high-latenc

Re: [cryptography] DeCryptocat

2013-07-04 Thread Jacob Appelbaum
Nadim Kobeissi: > Hello everyone, > I urge you to read our response at the Cryptocat Development Blog, which > strongly clarifies the situation: > > https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/ > Has there been a rotation of the certificate and keying materia

Re: [cryptography] DeCryptocat

2013-07-04 Thread Jacob Appelbaum
Nadim Kobeissi: > > On 2013-07-05, at 3:15 AM, Jacob Appelbaum wrote: > >> Nadim Kobeissi: >>> Hello everyone, >>> I urge you to read our response at the Cryptocat Development Blog, which >>> strongly clarifies the situation: >>> >>>

Re: [cryptography] DeCryptocat

2013-07-04 Thread Jacob Appelbaum
Nadim Kobeissi: > > On 2013-07-05, at 6:15 AM, Matthew Green > wrote: > >> >> >> On Jul 5, 2013, at 12:01 AM, Jacob Appelbaum >> wrote: >> >>> Nadim Kobeissi: >>>> >>>> On 2013-07-05, at 3:15 AM, Jacob Appelbaum >

Re: [cryptography] DeCryptocat

2013-07-05 Thread Jacob Appelbaum
Nadim Kobeissi: > Sorry, I wasn't meaning to avoid any questions. I simply forgot to > answer them. It's best to assume good will from others on a > discussion list. Glad to hear it. > > I do not know how many users choose forward secret protocols, nor do > I imagine there is a standardized or e

Re: [cryptography] To Protect and Infect Slides

2013-12-31 Thread Jacob Appelbaum
Kevin W. Wall: > On Tue, Dec 31, 2013 at 3:10 PM, John Young wrote: > >> 30c3 slides from Jacob Appelbaum: >> >> http://cryptome.org/2013/12/appelbaum-30c3.pdf (3.8MB) >> > > And you can find his actual prez here: > <https://www.youtube.com/watch?v=b0w3

Re: [cryptography] Fwd: Re: Commercialized Attack Hardware on SmartPhones

2014-03-02 Thread Jacob Appelbaum
Hi Tom, Have you seen the cellebrite gear and their forensics tools? My understanding is that their UFED gear attempts to exploit various bugs in phones. https://wikileaks.org/spyfiles/list/company-name/cellebrite.html Here is one of their people talking about exploiting 0day bugs to gain acce

Re: [cryptography] Commercialized Attack Hardware on SmartPhones

2014-03-02 Thread Jacob Appelbaum
Hi Tom, On 3/2/14, Tom Ritter wrote: > On Mar 2, 2014 11:47 AM, "Kevin" wrote: >> Tom: >> Perhaps I am in the dark about this, but I'm sure attacking android is > quite simple as mobile security is fairly new. I have to wonder why you > are asking? > > If it's simple, surely there are product

Re: [cryptography] STARTTLS for HTTP

2014-08-19 Thread Jacob Appelbaum
On 8/19/14, Tom Ritter wrote: > On 18 August 2014 23:29, Tony Arcieri wrote: >> Anyone know why this hasn't gained adoption? >> >> http://tools.ietf.org/html/rfc2817 >> >> I've been watching various efforts at widespread opportunistic >> encryption, >> like TCPINC and STARTTLS in SMTP. It's made