Re: [liberationtech] Call for Open Letter on Skype

2012-12-27 Thread Nadim Kobeissi
On Thu, Dec 27, 2012 at 6:34 AM, Christopher Soghoian wrote:

> I can't believe that I am saying this, but can we tone down the paranoia a
> bit please?


I'm not sure I understand. How is it totally reasonable to critique Skype
endlessly regarding its unclear policies and circumstantial evidence of it
revealing private information to whoever asks, but paranoid to correlate
this with an interception patent filed by its parent company (which has had
its own interception and surveillance guides leaked) that even mentions
Skype?


> Large US technology companies are stockpiling patents, left, right and
> center, primarily because of the costly patent wars that are ravaging the
> industry. Back in 2011, Microsoft (and a consortium of other companies,
> including Apple) bought telecom giant Nortel's portfolio of patents for 4.5
> billion. I guarantee you there are a few surveillance related technologies
> in that portfolio of 6000 telco patents. That doesn't mean Microsoft wanted
> to implement Nortel's patented surveillance technologies - but rather, that
> it thought a partial share in that portfolio would give it leverage in its
> war against Google and others.
>
> If you want a good primer on this toxic aspect to the american legal
> system and the IT industry, I can't think of anything better than this
> episode of This American Life:
> http://www.thisamericanlife.org/radio-archives/episode/441/when-patents-attack
>
> Microsoft filed the Skype interception patent (which really isn't directed
> at Skype - the word Skype appears twice, in a patent filing that is over
> 9000 words) in 2009, two years before the company bought Skype.
>
> Companies file patents all the time for technologies they don't intend to
> ever use.
>
> Now, don't get me wrong, there are lots of things that Microsoft does that
> concern me. The total silence from the C-level suite about Stuxnet and
> Flame is shocking, while their continued refusal to include disk encryption
> functionality in the consumer version of Windows that comes with most new
> PCs is absolutely disgraceful.
>
> However, the mere filing of a patent for an interception technology,
> without any evidence to suggest that Microsoft has implemented it in Skype, is
> simply not a good reason to get out the pitchforks.
>
> Regards,
>
> Chris
>
> On Wed, Dec 26, 2012 at 2:53 PM, The Doctor  wrote:
>
>>
>>
>> There is no reason to expect that anything good for anyone other than
>> them will come from such a letter.  Not with this on deck:
>>
>>
>> http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PG01&s1=20110153809&OS=20110153809&RS=20110153809
>>
>> http://www.theregister.co.uk/2011/06/29/microsoft_skype/
>>
>>
>> https://www.computerworld.com/s/article/9218002/Microsoft_seeks_patent_for_spy_tech_for_Skype
>>
>> It would make no sense at all for them to do the work to file a patent
>> on CALEA intercept of Skype traffic and then not do anything with it.
>
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Why Skype (real-time) is losing out to WeChat (async)

2012-12-27 Thread David Gessel
A minor semantic quibble, but "push-to-talk(1)" is "walkie talkie" mode that 
typically implies "live," "instant," and "synchronous" communications with the 
caveat that it is historically half duplex which remains useful in high-noise 
situations.

"Push Voice" would imply push notifications indicating the availability of 
stored audio files probably containing voice data (voice store and forward 
(2)).  


(1) https://en.wikipedia.org/wiki/Push-to-talk
(2) http://www.answers.com/topic/voice-store-and-forward


 Original Message 
Subject: [liberationtech] Why Skype (real-time) is losing out to WeChat (async)
From: Nathan of Guardian 
To: liberationtech@lists.stanford.edu 
Date: Mon Dec 24 2012 07:10:28 GMT+0100

> 
> I know in the LibTech and broader global activist/NGO community, there
> is still quite a bit of focus on Skype. However, during my recent time
> in India with the Tibetan community there, I have seen Skype, on mobiles
> at least, almost thoroughly replaced by WeChat, a WhatsApp/Kakao clone
> made by TenCent, the same Chinese company who created QQ. To my personal
> horror, we have gone from a somewhat secure Skype with a questionable
> backdoor policy, to a non-https, China-hosted service who is a known
> collaborator with the Chinese government.
> 
> The only thing I felt productive to do (other than scream and pull out
> my hair) was to think about why this is happening from a user
> perspective. Why is a text messaging/push-to-talk model winning out over
> an instant messaging/VoIP model, in places like Africa and Asia,
> regardless of known increased risk and decreased privacy and safety?
> 
> Other than the typical "users are dumb" answer, I think there are some
> deeper useful factors to consider. Overall, I think we are seeing that
> when smartphones are plentiful, but bandwidth is still a challenge, we
> need to think about communications in a more asynchronous model than
> real-time. I don't think this community should get too caught up in
> building "Skype replacements". I think more we should think about what
> features otherwise great, secure apps like Cryptocat, RedPhone,
> TextSecure, Gibberbot, etc are missing to make it possible for them to
> replace the functionality and experience users are expecting today.
> 
> Why Skype/real-time is losing
> 
> 1) Noticeable impact on mobile battery life if left logged in all the
> time (holding open sockets to multiple servers? less efficient use of push?)
> 
> 2) Real-time, full duplex communications requires constant, decent
> bandwidth; degradation is very noticeable, especially with video
> 
> 3) App is very large (a good amount of native code), and a bit laggy
> during login and contacts lookup
> 
> 4) Old and tired (aka not shiny) perception of brand; too much push of
> "pay" services
> 
> 5) Requires "new" username and password (aka not based on existing phone
> number), and lookup/adding of new contacts
> 
> 6) US/EU based super-nodes may increase latency issues; vs China/Asia
> based servers
> 
> Why WeChat (and WhatsApp, Kakao, etc) async are winning
> 
> 1) Push-to-talk voice negates nearly all bandwidth, throughput and
> latency issues of mobile.
> 
> 2) Push-to-talk is better than instant messaging for low literacy,
> mixed-written language communities; The "bootstrap" process for Skype is
> very text heavy still
> 
> 3) Apps feel more lightweight both from size, and from network stack
> (mostly just using HTTPS with some push mechanism)
> 
> 5) Shiny, new hotness, with fun themes, personalization, and focus on "free"
> 
> 6) Picture, video, file sharing made very easy - aka a first order
> operation, not a secondary feature; chats are a seamless mix of media
> 
> 7) Persistent, group chat/messaging works very well (since it's just
> async/store and forward, it's very easy to send many-to-many)
> 
> 8) Identity often based on existing phone number, so signup is easy, and
> messaging to existing contacts is seamless
> 
> 9) More viral - you can message people not on the service, and they will
> be spammed to sign up for the service
> 
> Anyone want to call b.s. on this theory? Is my thinking headed in the
> right direction? Should we try to turn Gibberbot into a more-secure
> WhatsApp/WeChat clone?
> 
> All the best from the Himalayas,
> Nathan
> 


Re: [liberationtech] Why Skype (real-time) is losing out to WeChat (async)

2012-12-27 Thread Nathan of Guardian
On 12/27/2012 06:29 PM, David Gessel wrote:
> A minor semantic quibble, but "push-to-talk(1)" is "walkie talkie" mode that 
> typically implies "live," "instant," and "synchronous" communications with 
> the caveat that it is historically half duplex which remains useful in 
> high-noise situations.
>
> "Push Voice" would imply push notifications indicating the availability of 
> stored audio files probably containing voice data (voice store and forward 
> (2)).  
I am definitely talking about Push-to-Talk.

What is interesting about the shift from VoIP to Push-to-talk is that
half duplex over TCP (PTT) is insanely easier to implement than full
duplex over UDP (VoIP).

Best,
 Nathan



Re: [liberationtech] Why Skype (real-time) is losing out to WeChat (async)

2012-12-27 Thread Julian Oliver
..on Thu, Dec 27, 2012 at 08:05:00PM +0545, Nathan of Guardian wrote:
> On 12/27/2012 06:29 PM, David Gessel wrote:
> > A minor semantic quibble, but "push-to-talk(1)" is "walkie talkie" mode 
> > that typically implies "live," "instant," and "synchronous" communications 
> > with the caveat that it is historically half duplex which remains useful in 
> > high-noise situations.
> >
> > "Push Voice" would imply push notifications indicating the availability of 
> > stored audio files probably containing voice data (voice store and forward 
> > (2)).  
> I am definitely talking about Push-to-Talk.
> 
> What is interesting about the shift from VoIP to Push-to-talk is that
> half duplex over TCP (PTT) is insanely easier to implement than full
> duplex over UDP (VoIP).

Excellent point to foreground. Sends me daydreaming about WebRTC and a 
tag:


https://hacks.mozilla.org/2012/09/full-webrtc-support-is-soon-coming-to-a-web-browser-near-you/

Cheers,

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org


Re: [liberationtech] Why Skype (real-time) is losing out to WeChat (async)

2012-12-27 Thread Nadim Kobeissi
On Thu, Dec 27, 2012 at 4:20 PM, Nathan of Guardian <
nat...@guardianproject.info> wrote:

> On 12/27/2012 06:29 PM, David Gessel wrote:
> > A minor semantic quibble, but "push-to-talk(1)" is "walkie talkie" mode
> that typically implies "live," "instant," and "synchronous" communications
> with the caveat that it is historically half duplex which remains useful in
> high-noise situations.
> >
> > "Push Voice" would imply push notifications indicating the availability
> of stored audio files probably containing voice data (voice store and
> forward (2)).
> I am definitely talking about Push-to-Talk.
>
> What is interesting about the shift from VoIP to Push-to-talk is that
> half duplex over TCP (PTT) is insanely easier to implement than full
> duplex over UDP (VoIP).
>

From Cryptocat's perspective this is also true.


>
> Best,
>  Nathan
>

Re: [liberationtech] Call for Open Letter on Skype

2012-12-27 Thread Grégoire Pouget

The Skype open letter is a great idea. Skype is still widely used
amongst journalists and human rights activists and security (or the lack
of) is a major concern for us. Reporters Without Borders would endorse
an open letter asking Skype to clarify its security policy.

Best,

Le 22/12/2012 17:59, James S. Tyre a écrit :
>
> Just a quick note that some (many?) orgs that might be interested,
> including EFF, are closed until after the new year.  (I'm an EFF
> Fellow, but not a staffer, and this wouldn't be my decision to make). 
> Nothing wrong with seeing who's interested now, but probably better
> not to close off the letter and until after some orgs have re-opened.
>
>  
>
> --
>
> James S. Tyre
>
> Law Offices of James S. Tyre
>
> 10736 Jefferson Blvd., #512
>
> Culver City, CA 90230-4969
>
> 310-839-4114/310-839-4602(fax)
>
> jst...@jstyre.com
>
> Policy Fellow, Electronic Frontier Foundation
>
> https://www.eff.org
>

-- 
Grégoire Pouget,
Reporters sans frontières / Reporters Without Borders
skype : rsf_gregoire - Tél : +33 1 44 83 84 71
GPG : 8B57 7B88 383D 78B2 B727 C8A8 CA7A 32E8 2BBC 1ECE


Re: [liberationtech] Call for Open Letter on Skype

2012-12-27 Thread Ryan Gallagher
Chris, I think you're right to express a note of caution with regards
jumping to conclusions about the patent. However, the patent is still
relevant to the discussion at hand here. At the very least, the patent is
contributing to a sense of mistrust and that is why it needs to be
addressed.

The questions I want answers to are really quite simple. Can Skype
facilitate a lawful interception request of user calls when presented with
an applicable warrant/court order? If not, does Skype have any plans to
integrate lawful intercept capabilities in the future? What types of data
can Skype hand over to LEAs where presented with a valid warrant/court
order? Has the Microsoft VoIP intercept patent been integrated into the
Skype architecture? If not, are there any plans to integrate the Microsoft
VoIP intercept patent with Skype at any time in the future? (Other
pertinent questions have been asked by others; see here:
https://www.privacyinternational.org/blog/skype-please-act-like-the-responsible-global-citizen-you-claim-to-be
)

As I previously mentioned to you in a separate email, I also think it's
worth noting that although the patent was originally filed in 2009,
Microsoft was still actively pursuing the patent as of September 2011, four
months after it acquired Skype, filing various amendments and a request for
continued examination following the publication of the patent in June 2011.
I do not think this constitutes evidence that the patent is being or has
been integrated into Skype, but I do think it illustrates why the patent is
of continuing relevance to any discussion around Skype's security.

Ultimately, Skype has more than 600 million users. As I see it, those users
-- many of whom are citizens, activists or journalists operating in
sensitive environments -- should have a right to know exactly what Skype
can and cannot do with their communications. All I'd like to see is a bit
of transparency.

Best,

Ryan

On Thu, Dec 27, 2012 at 4:34 AM, Christopher Soghoian wrote:

> I can't believe that I am saying this, but can we tone down the paranoia a
> bit please?
>
> Large US technology companies are stockpiling patents, left, right and
> center, primarily because of the costly patent wars that are ravaging the
> industry. Back in 2011, Microsoft (and a consortium of other companies,
> including Apple) bought telecom giant Nortel's portfolio of patents for 4.5
> billion. I guarantee you there are a few surveillance related technologies
> in that portfolio of 6000 telco patents. That doesn't mean Microsoft wanted
> to implement Nortel's patented surveillance technologies - but rather, that
> it thought a partial share in that portfolio would give it leverage in its
> war against Google and others.
>
> If you want a good primer on this toxic aspect to the american legal
> system and the IT industry, I can't think of anything better than this
> episode of This American Life:
> http://www.thisamericanlife.org/radio-archives/episode/441/when-patents-attack
>
> Microsoft filed the Skype interception patent (which really isn't directed
> at Skype - the word Skype appears twice, in a patent filing that is over
> 9000 words) in 2009, two years before the company bought Skype.
>
> Companies file patents all the time for technologies they don't intend to
> ever use.
>
> Now, don't get me wrong, there are lots of things that Microsoft does that
> concern me. The total silence from the C-level suite about Stuxnet and
> Flame is shocking, while their continued refusal to include disk encryption
> functionality in the consumer version of Windows that comes with most new
> PCs is absolutely disgraceful.
>
> However, the mere filing of a patent for an interception technology,
> without any evidence to suggest that Microsoft has implemented it in Skype, is
> simply not a good reason to get out the pitchforks.
>
> Regards,
>
> Chris
>
> On Wed, Dec 26, 2012 at 2:53 PM, The Doctor  wrote:
>
>>
>>
>> There is no reason to expect that anything good for anyone other than
>> them will come from such a letter.  Not with this on deck:
>>
>>
>> http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PG01&s1=20110153809&OS=20110153809&RS=20110153809
>>
>> http://www.theregister.co.uk/2011/06/29/microsoft_skype/
>>
>>
>> https://www.computerworld.com/s/article/9218002/Microsoft_seeks_patent_for_spy_tech_for_Skype
>>
>> It would make no sense at all for them to do the work to file a patent
>> on CALEA intercept of Skype traffic and then not do anything with it.
>
>

[liberationtech] Modern FIDONET for net disable countries?

2012-12-27 Thread Jerzy Łogiewa
Hello!

I wonder, is some FIDONET type service existing for countries where all telecom 
is disabled? Kind of "sneakernet" for large packets of messages to be delivered.

1- I write message to [username, address or hash], encrypt with public/private 
pair.
2- Trusted "sneakernet" collector with some software physically arrives and 
grabs my message, updates my 'ball' (or blob?) of crypted messages, in case 
other sneakernet collector comes.
3- Maybe when delivery is 100% confirmed this gets added to ball so it can be 
pruned?

And so on. Bitcoin style blockchain confirmation seems useful?

Does any service like this existing now?

--
Jerzy Łogiewa -- jerz...@interia.eu
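
One way the 'ball' in steps 2 and 3 could be tracked by carriers, as an added Python sketch that is not part of the original post and does not describe any existing service. It assumes a hash-lock receipt rather than a blockchain: each envelope carries the SHA-256 of a random secret that sits inside the encrypted payload, so only the recipient can release the receipt that lets carriers prune the message. Encryption itself is outside the example and all names are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Envelope:
    recipient: str      # username, address or key hash (step 1)
    ciphertext: bytes   # opaque to carriers; encrypted to the recipient elsewhere
    receipt_lock: str   # SHA-256 of a secret only the recipient can recover

    @property
    def msg_id(self) -> str:
        # Content-addressed id, so the same message picked up twice is stored once.
        blob = b"\0".join(
            [self.recipient.encode(), self.receipt_lock.encode(), self.ciphertext]
        )
        return sha256_hex(blob)


def new_envelope(recipient: str, ciphertext: bytes):
    """Return (envelope, receipt_secret).

    Assumption: the sender places receipt_secret inside the plaintext before
    encrypting, so the secret is revealed only after successful decryption.
    """
    secret = secrets.token_bytes(32)
    return Envelope(recipient, ciphertext, sha256_hex(secret)), secret


@dataclass
class Ball:
    messages: dict = field(default_factory=dict)  # msg_id -> Envelope
    receipts: dict = field(default_factory=dict)  # receipt_lock -> revealed secret

    def add(self, env: Envelope) -> bool:
        """Store a message unless a valid receipt for it is already known."""
        if env.receipt_lock in self.receipts:
            return False
        self.messages[env.msg_id] = env
        return True

    def pending_for(self, recipient: str) -> list:
        return [e for e in self.messages.values() if e.recipient == recipient]

    def confirm(self, secret: bytes) -> int:
        """Record a receipt released by a recipient; return messages pruned.

        The lock is always recomputed from the secret, so a forged receipt
        cannot delete a message. It only costs the carrier storage.
        """
        self.receipts[sha256_hex(secret)] = secret
        return self._prune()

    def merge(self, other: "Ball") -> int:
        """Fold another carrier's ball into this one (step 2); return pruned count."""
        for secret in other.receipts.values():
            # Never trust the other side's keys: derive the lock ourselves.
            self.receipts[sha256_hex(secret)] = secret
        for env in other.messages.values():
            self.add(env)
        return self._prune()

    def _prune(self) -> int:
        # Step 3: drop every message whose delivery has been confirmed.
        done = [m for m, e in self.messages.items() if e.receipt_lock in self.receipts]
        for msg_id in done:
            del self.messages[msg_id]
        return len(done)
```

Receipts are kept after pruning so that a confirmed message is not accepted again from a carrier that has not yet seen the confirmation.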


[liberationtech] Infosec FBI - cell tech query y info MX

2012-12-27 Thread Lisa Brownlee
Holiday greetings from MX Libtech colleagues!

Could someone please inform me:

1. What cellphone the FBI currently deploys and whether any special
tracking SW is installed and if so, name and source of program? The secure
phone of choice here is the iPhone deployed with proprietary
geolocalization tracking software, not uniformly deployed throughout
security forces.

2. Prognosis for US/MX compatibility after Sprint/Nextel demerger. It would
be handy to not have to deploy three or more cellphones! What tech standard
does Clearwire deploy?
http://dealbook.nytimes.com/2012/12/17/sprint-reaches-deal-to-buy-out-clearwire/

Gracias,

Lisa

-- 

-- 
Lisa M. Brownlee, Esq.
Mexico
Skype:  lisa.m.brownlee
lmbscholar...@gmail.com
lmbconta...@yahoo.com
Author's website at West Thomson
Reuters
About my Law Journal Press
treatise
Facebook: Lisa M
Brownlee

Author of:

Intellectual Property Due Diligence in Corporate Transactions: Investment,
Risk Assessment and Management (West Thomson Reuters)

Assets & Finance: Audits and Valuation of Intellectual Property (West
Thomson Reuters)

Federal Acquisition Regulations: Intellectual Property and Related Rights
(Law Journal Press) - discontinued by me

Re: [liberationtech] Modern FIDONET for net disable countries?

2012-12-27 Thread Miles Fidelman

Jerzy Łogiewa wrote:

> Hello!
>
> I wonder, is some FIDONET type service existing for countries where all telecom is
> disabled? Kind of "sneakernet" for large packets of messages to be delivered.
>
> 1- I write message to [username, address or hash], encrypt with public/private
> pair.
> 2- Trusted "sneakernet" collector with some software physically arrives and
> grabs my message, updates my 'ball' (or blob?) of crypted messages, in case other
> sneakernet collector comes.
> 3- Maybe when delivery is 100% confirmed this gets added to ball so it can be
> pruned?
>
> And so on. Bitcoin style blockchain confirmation seems useful?
>
> Does any service like this existing now?


That's a rather intriguing concept, though I might look at starting from 
UUCP & NNTP, or perhaps BITNET, rather than the FIDO model - the 
software is a bit more mature, and UUCP at least is still supported.  
Mobile devices could associate themselves, via local WiFi, when in range 
of each other, and messages would just flow through normal news exchange 
protocols.


Can't speak to how useful it might be.

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra


[liberationtech] Travel with notebook habit

2012-12-27 Thread Jerzy Łogiewa
I am just reading this, 
http://www.schneier.com/blog/archives/2012/12/breaking_hard-d.html

Can we start some discussion about good notebook travel habit? I have read 
Jacob Appelbaum say he does not travel with _ANY_ drive in notebook, and this 
seem to be extreme.

Without removing drive, what is the best habit for FDE for prevent attacks as 
Schneier describe? Full power-down? No hibernate file? Any other things?

--
Jerzy Łogiewa -- jerz...@interia.eu


Re: [liberationtech] Travel with notebook habit

2012-12-27 Thread liberationtech
On Thu, 27 Dec 2012 21:51:02 +0100
Jerzy Łogiewa  wrote:

> Without removing drive, what is the best habit for FDE for prevent
> attacks as Schneier describe? Full power-down? No hibernate file? Any
> other things?

What comes to mind first is the EFF's guide:
https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices

Or https://ssd.eff.org for a full picture.

Jake is somewhat extreme, but not without reason. I wrote up my
practices after having the same conversation again and again
with people around the world. Slightly less extreme, but here's what I
do now, 
http://wiki.lewman.is/blog/2012-07-14-modern-day-weapons-dealers#how-i-travel-internationally

While it's fun to worry about the borders and foreign agents, the real
concern is the common criminal walking away with laptops and phones.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475

Re: [liberationtech] Call for Open Letter on Skype

2012-12-27 Thread Alfredo Lopez

On 12/22/2012 05:23 AM, Nadim Kobeissi wrote:
> Dear LibTech, As pointed out by many of you, including the EFF,
> Jake Appelbaum, Chris Soghoian, myself and others, Skype has
> ignored repeated requests to clarify its privacy/security policy,
> and it continues to be used by many who depend on strong notions on
> privacy, sometimes even for their lives.
> 
> Isn't it time for an open letter regarding Skype?
> 

May First/People Link would endorse such a letter and we *do* think
it's very important for many reasons. Just tell us where to go to
review the contents when they are ready.

Abrazos,

Alfredo

- -- 
Alfredo Lopez
Co-Chair, Leadership Committee
May First/People Link
https://mayfirst.org

My Blog
http://www.alfredolopez.org


Re: [liberationtech] Travel with notebook habit

2012-12-27 Thread Radek Pilar
Full HDD encryption (including swap space and hibernate file) and
powered down or hibernated (s2disk) machine is the only way to go.

It is possible (assuming Linux system with LUKS with minor modification
of the kernel) to chroot to ramfs, drop the encryption keys, suspend the
system to RAM and ask for the keys after resume, the rest of the RAM is
still possibly readable by an attacker.


On 12/27/2012 09:51 PM, Jerzy Łogiewa wrote:
> I am just reading this, 
> http://www.schneier.com/blog/archives/2012/12/breaking_hard-d.html
> 
> Can we start some discussion about good notebook travel habit? I have read 
> Jacob Appelbaum say he does not travel with _ANY_ drive in notebook, and this 
> seem to be extreme.
> 
> Without removing drive, what is the best habit for FDE for prevent attacks as 
> Schneier describe? Full power-down? No hibernate file? Any other things?
> 
> --
> Jerzy Łogiewa -- jerz...@interia.eu
> 

Re: [liberationtech] Travel with notebook habit

2012-12-27 Thread Julian Oliver
..on Thu, Dec 27, 2012 at 09:51:02PM +0100, Jerzy Łogiewa wrote:
> I am just reading this,
> http://www.schneier.com/blog/archives/2012/12/breaking_hard-d.html
> 
> Can we start some discussion about good notebook travel habit? I have read
> Jacob Appelbaum say he does not travel with _ANY_ drive in notebook, and this
> seem to be extreme.
> 
> Without removing drive, what is the best habit for FDE for prevent attacks as
> Schneier describe? Full power-down? No hibernate file? Any other things?

Well, it's not the disk but what's on it. 

I don't trust closed platforms like OS X or Windows systems. Take what I write
with a grain of salt but here's my general approach on a GNU/Linux system:

First tar up all the documents/files you need at the destination, note the
md5sum and then securely copy them to a server you trust. Then start an sshd
instance on port 443 (https) on the file server, so as to get around standard
filtering on port 22 on the other end. Even some hotels filter against ssh but
none do 443.

Then set up two bootable stock Linux distributions with *full disk encryption*
on fast USB sticks and set up user accounts. Ensure tsocks, macchanger and Tor
Browser Bundle, ssh, nmap and a few other basics are on the machine. Install Do
Not Track plugin (or similar) alongside a User Agent Switcher. Take the actual
hard disk out of the machine. Put one stick in your pocket and another in your
check-in luggage. Take a few external USB wireless internet adapters with you.

Take the plane/train/car over the border.

On arrival and when you know you have an Internet gateway, plug one of the
sticks in and boot up and get online using the external USB wireless adapter. If
you have a link using Ethernet cable (RJ45) with an onboard Ethernet adapter
then use it but only if you change your MAC address. Use macchanger to do this
like so:

sudo ifconfig eth0 down # now plug in Ethernet cable
sudo macchanger -A eth0 # A random hardware address will be assigned
sudo ifconfig eth0 up
sudo dhclient eth0

Now securely copy all the files back onto the local machine as a torified
instance (only with tsocks to avoid UDP and DNS leaks) something like so:

cd
torify scp -P 443 y...@remotehost.net:/path/to/files.tar.gz .
md5sum files.tar.gz # check it's the real deal against noted md5sum earlier
tar xvzf files.tar.gz

Avoid using any web services that track you across sites (at the least use Do
Not Track plugins and the like). Change your User Agent in the Torified browser
you use to something ubiquitous like the Android browser (most popular
smartphone by 3x in most countries). Always use SSL when connecting to mail
services and the like.

Before you fly again destroy that USB stick physically (smash with hammer and
then burn). Destroy the USB network adapter you purchased also. Buy another USB
stick, copy from the other stick you have (use 'dd' or 'cpio') and fly.

I'm sure there's a far more user friendly approach that's sane enough out in the
field. One can't expect journalists to learn the CLI (albeit I think anyone that
needs to trust their machine, isolate and mitigate network threats (among
others) ought to!).

Cheers,

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org
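
The "note the checksum, fetch, verify, unpack" steps from the message above, as an added Python example that is not part of the original post. It checks the fetched archive against the digest noted before travel and refuses to unpack on a mismatch or when a member would land outside the target directory. SHA-256 stands in for the md5sum used in the message, and the function names are illustrative.

```python
import hashlib
import tarfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large archives need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def unsafe_members(archive_path):
    """Return names of members that could write outside the extraction directory.

    Flags absolute paths, '..' components, symbolic and hard links, and
    device nodes. A plain 'tar xvzf' checks none of these by itself.
    """
    bad = []
    with tarfile.open(archive_path, "r:*") as tar:
        for member in tar.getmembers():
            parts = Path(member.name).parts
            if (
                member.name.startswith("/")
                or ".." in parts
                or member.issym()
                or member.islnk()
                or member.isdev()
            ):
                bad.append(member.name)
    return bad


def verify_and_extract(archive_path, expected_sha256, dest_dir):
    """Extract only if the digest matches the one noted before travel.

    Raises ValueError, and extracts nothing, on a digest mismatch or if the
    archive contains members that would escape dest_dir. Returns the sorted
    list of extracted file paths relative to dest_dir.
    """
    actual = sha256_file(archive_path)
    if actual != expected_sha256.strip().lower():
        raise ValueError("digest mismatch: archive differs from the one uploaded")

    bad = unsafe_members(archive_path)
    if bad:
        raise ValueError(f"refusing to extract unsafe members: {bad}")

    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    # Newer Python versions offer an extraction filter as a second line of defence.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:*") as tar:
        tar.extractall(dest, **kwargs)
    return sorted(str(p.relative_to(dest)) for p in dest.rglob("*") if p.is_file())
```

The digest has to be carried separately from the archive (memorised, on paper, or on the second stick); a checksum file stored next to the archive on the same server proves nothing if that server is tampered with.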

Re: [liberationtech] Travel with notebook habit

2012-12-27 Thread Steve Weis
I recommend using full disk encryption and fully powering down at minimum.
You should set a BIOS password, disable booting from network or removable
media, and enable IOMMU.

I would also use a verifiable boot sequence, but that's not easy to
generalize.

Keep in mind there are still many attack vectors if someone gets physical
access to your machine. Someone can always force you to log in as well.

It is safer to have nothing incriminating in your possession at all. If
connectivity allowed, I'd run a remote VM and use the laptop as a dumb,
stateless terminal.

(Disclaimer: I'm working on a commercial solution to the physical attack
problem.)
On Dec 27, 2012 1:59 PM, "Jerzy Łogiewa"  wrote:

> I am just reading this,
> http://www.schneier.com/blog/archives/2012/12/breaking_hard-d.html
>
> Can we start some discussion about good notebook travel habit? I have read
> Jacob Appelbaum say he does not travel with _ANY_ drive in notebook, and
> this seem to be extreme.
>
> Without removing drive, what is the best habit for FDE for prevent attacks
> as Schneier describe? Full power-down? No hibernate file? Any other things?
>
> --
> Jerzy Łogiewa -- jerz...@interia.eu
>

Re: [liberationtech] Travel with notebook habit

2012-12-27 Thread Matt Mackall
On Thu, 2012-12-27 at 23:56 +0100, Radek Pilar wrote:
> Full HDD encryption (including swap space and hibernate file) and
> powered down or hibernated (s2disk) machine is the only way to go.

Expect that if you're a target of state oppression that your laptop WILL
be taken away from you for hours at border crossings. This was a routine
occurrence for me between 2001 and 2006 or so. Fortunately for me, I
didn't warrant the big guns: the customs officers involved usually
reported their techs being completely thwarted/baffled by my Linux
screensaver.

However, it would be fairly straightforward to take apart a laptop,
install a hardware keylogger inside, and reassemble it in that sort of
timeframe, then recover your key and decrypt your laptop on your return
trip. So unless you have some sort of tamper-proof seals on your laptop,
you can't trust it once it leaves your physical possession.

Also note that encryption is NOT sufficient. Canadian customs officials
have demanded that I log in to my laptop so they could peruse my photo
collection (?!) as a condition of entering the country and/or being
released from customs. It's easy to imagine much more severe coercion if
the authorities are actually interested in your data. Not having a hard
disk is excellent defense against such coercive privacy invasions but
encryption is not. Since then, I've personally started keeping a dummy,
empty account on my laptop for basic deniability: nothing to see here
but my travel itinerary, can I go now?

But if the operational security or privacy of your laptop actually
matters and you must take a laptop, I have to agree with Jacob: don't
travel with your data. Same applies for cameras and phones.

-- 
Mathematics is the supreme nostalgia of our time.




[liberationtech] Jacob Appelbaum's 29C3 keynote

2012-12-27 Thread Gregory Foster

YouTube (Dec 27) - "Jacob Appelbaum 29C3 Keynote: Not My Department":
https://www.youtube.com/watch?v=QNsePZj_Yks

Livestream recordings from the 29th Chaos Communication Congress 
(Hamburg, Germany: Dec 27-30) are being published quickly.  There's 
something intriguing here for everyone:

https://www.youtube.com/user/cccen
https://events.ccc.de/congress/2012/wiki/Main_Page

HT the always well-informed @nigroeneveld
http://twitter.com/nigroeneveld/status/284507391628828672

gf

--
Gregory Foster || gfos...@entersection.org
@gregoryfoster <> http://entersection.com/
