Re: [liberationtech] Mega
It would be nice if it actually worked. I cannot successfully upload, nor can anybody I know. It appears almost no better than OwnCloud. Big disappointment as of now, but I'm going to wait and see what is later developed. Brad Beckett On Mon, Jan 21, 2013 at 4:06 AM, Sam de Silva s...@media.com.au wrote: Hi there, I wonder if there's any feedback from this list on Kim Dotcom's Mega project - www.mega.co.nz Can it be the secure alternative to Dropbox? Best, Sam -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
[liberationtech] [silk] Security theatre, once again...
- Forwarded message from Deepa Mohan mohande...@gmail.com - From: Deepa Mohan mohande...@gmail.com Date: Fri, 18 Jan 2013 05:18:25 +0530 To: Intelligent Conversation silkl...@lists.hserus.net Subject: [silk] Security theatre, once again... Reply-To: silkl...@lists.hserus.net http://www.theatlantic.com/magazine/archive/2008/11/the-things-he-carried/307057/ If I were a terrorist, and I’m not, but if I were a terrorist—a frosty, tough-like-Chuck-Norris terrorist, say a C-title jihadist with Hezbollah or, more likely, a donkey-work operative with the Judean People’s Front—I would not do what I did in the bathroom of the Minneapolis–St. Paul International Airport, which was to place myself in front of a sink in open view of the male American flying public and ostentatiously rip up a sheaf of counterfeit boarding passes that had been created for me by a frenetic and acerbic security expert named Bruce Schneier. He had made these boarding passes in his sophisticated underground forgery works, which consists of a Sony Vaio laptop and an HP LaserJet printer, in order to prove that the Transportation Security Administration, which is meant to protect American aviation from al-Qaeda, represents an egregious waste of tax dollars, dollars that could otherwise be used to catch terrorists before they arrive at the Minneapolis–St. Paul International Airport, by which time it is, generally speaking, too late. I could have ripped up these counterfeit boarding passes in the privacy of a toilet stall, but I chose not to, partly because this was the renowned Senator Larry Craig Memorial Wide-Stance Bathroom, and since the commencement of the Global War on Terror this particular bathroom has been patrolled by security officials trying to protect it from gay sex, and partly because I wanted to see whether my fellow passengers would report me to the TSA for acting suspiciously in a public bathroom. 
No one did, thus thwarting, yet again, my plans to get arrested, or at least be the recipient of a thorough sweating by the FBI, for dubious behavior in a large American airport. Suspicious that the measures put in place after the attacks of September 11 to prevent further such attacks are almost entirely for show—security theater is the term of art—I have for some time now been testing, in modest ways, their effectiveness. Because the TSA’s security regimen seems to be mainly thing-based—most of its 44,500 airport officers are assigned to truffle through carry-on bags for things like guns, bombs, three-ounce tubes of anthrax, Crest toothpaste, nail clippers, Snapple, and so on—I focused my efforts on bringing bad things through security in many different airports, primarily my home airport, Washington’s Reagan National, the one situated approximately 17 feet from the Pentagon, but also in Los Angeles, New York, Miami, Chicago, and at the Wilkes-Barre/Scranton International Airport (which is where I came closest to arousing at least a modest level of suspicion, receiving a symbolic pat-down—all frisks that avoid the sensitive regions are by definition symbolic—and one question about the presence of a Leatherman Multi-Tool in my pocket; said Leatherman was confiscated and is now, I hope, living with the loving family of a TSA employee). And because I have a fair amount of experience reporting on terrorists, and because terrorist groups produce large quantities of branded knickknacks, I’ve amassed an inspiring collection of al-Qaeda T-shirts, Islamic Jihad flags, Hezbollah videotapes, and inflatable Yasir Arafat dolls (really). All these things I’ve carried with me through airports across the country. 
I’ve also carried, at various times: pocketknives, matches from hotels in Beirut and Peshawar, dust masks, lengths of rope, cigarette lighters, nail clippers, eight-ounce tubes of toothpaste (in my front pocket), bottles of Fiji Water (which is foreign), and, of course, box cutters. I was selected for secondary screening four times—out of dozens of passages through security checkpoints—during this extended experiment. At one screening, I was relieved of a pair of nail clippers; during another, a can of shaving cream. During one secondary inspection, at O’Hare International Airport in Chicago, I was wearing under my shirt a spectacular, only-in-America device called a “Beerbelly,” a neoprene sling that holds a polyurethane bladder and drinking tube. The Beerbelly, designed originally to sneak alcohol—up to 80 ounces—into football games, can quite obviously be used to sneak up to 80 ounces of liquid through airport security. (The company that manufactures the Beerbelly also makes something called a “Winerack,” a bra that holds up to 25 ounces of booze and is recommended, according to the company’s Web site, for PTA meetings.) My Beerbelly, which fit comfortably over my beer belly, contained two cans’ worth of Bud Light at the time of the inspection. It went undetected. The eight-ounce bottle of water in my carry-on bag,
[liberationtech] Techno-Activism 3rd Mondays Berlin reminder
Hi all, just a reminder that the 1st Techno-Activism 3rd Mondays Berlin will be getting underway in a couple of hours at 19:00. Details of the event and those in NYC and San Francisco at http://wiki.openitp.org/events:techno-activism_3rd_mondays Hope to see some of you there ;-) Cheers, Chris
Re: [liberationtech] Opensource SDK for SIM hacking
Jacob, After digging in to these projects with the team, I've got a better answer for you. The low-level C work is great and portable, and it may be something that we can contribute to and leverage in any of the solutions that we produce. The fact that the higher tiers are in Python is both good and bad. Basically, it would be difficult to side with Python 100% as it would rule out all unmodified Windows systems from running the software - as in no Windows distribution comes with the Python runtime, and anyone who wanted to use OSK would need to download Python first. This is probably fine for developers but not so much for everyone else. Kennedy (a contributor to the project) came up with a lovely idea for incorporating support for several different host OS's: Basically you download OSK to a USB key; when it's inserted into a computer it checks the host for things like Python, Mono, etc. and then launches a version of OSK that can run on the host. For us it's really about being able to offer support for as many different platforms as possible and as many different device connection options as possible (AT in addition to APDU) to lower as many barriers to entry for the solution as possible. Almost all of these projects are 100% developer focused. Our goal is to make the environment more friendly for developers and the end users who aren't. - The Abayima Team On Mon, Jan 21, 2013 at 7:51 AM, Jon Gosier j...@abayima.com wrote: Thanks Jacob! We weren't aware of any of these, and if they offer the solutions we need we'll just build on them (of course contributing as well). So much appreciated! As for where we sit in the ecosystem, where we don't have to recreate the wheel in low-level programming, we won't. We ultimately care mostly about the GUI and ease-of-use, to enable projects related to humanitarian and journalist needs in developing countries. 
Jon, Abayima.com On Mon, Jan 21, 2013 at 6:46 AM, Jacob Appelbaum ja...@appelbaum.net wrote: Jon Gosier: Hey all, Thought I would share our Open SIM Kit (http://opensimkit.com) project with the list. The project aims to be an open source SDK of sorts for hacking SIM cards. In practice, this allows users to modify the contents of SIM cards. The goals of the project: Hi, How does this compare with the suite of tools that Harald Welte/Osmocom/Syscom and others have been working on for the last ~5+ years? These are the projects that come to mind: Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone: http://bb.osmocom.org/trac/wiki/SIMtrace Osmocom Card Operating System (COS): http://cgit.osmocom.org/cgit/osmo-cos/ A command line tool for (U)SIM authentication: http://cgit.osmocom.org/cgit/osmo-sim-auth/ A Python tool to program magic SIMs: http://cgit.osmocom.org/cgit/pysim/ Henryk Ploetz' smartcard shell: http://cgit.osmocom.org/cgit/cyberflex-shell/ Also, I believe that Shady.tel has been using these tools (and a vendor in China) to produce full SIM cards with fully programmable k{i}. Can you explain where your new project fits in the current ecosystem? All the best, Jacob -- Jon Gosier Founder, Abayima Mobile: (520) 301-7906 Abayima.com http://abayima.com/ | @abayima http://twitter.com/abayima | Bio http://jongosier.com/bio *TED Senior Fellow Alum*
Re: [liberationtech] Mega
From what I've seen, it uses insecure means of encryption -- using Math.random and mouse input to encrypt documents. ~Griffin On Mon, Jan 21, 2013 at 8:02 AM, SAM ANDERSON blackeduca...@mac.com wrote: From what I have read, Mega is still being built. It's supposed to be ready for the public a few days from now. Sam Anderson
Re: [liberationtech] Skype Open Letter: CALL FOR SIGNATORIES
Can you add Fran Parker as an individual please. Thanks. Nadim Kobeissi wrote: Added. Thank you! NK On Fri, Jan 18, 2013 at 10:18 PM, Martin Johnson greatf...@greatfire.org wrote: GreatFire.org would like to sign. Thanks very much for doing this. Martin Johnson Founder https://GreatFire.org - Monitoring Online Censorship In China. https://FreeWeibo.com - Uncensored, Anonymous Sina Weibo Search. https://Unblock.cn.com - We Can Unblock Your Website In China. On Sat, Jan 19, 2013 at 8:56 AM, Nadim Kobeissi na...@nadim.cc wrote: Amazing :) Thanks for your support, everyone! NK On Fri, Jan 18, 2013 at 3:31 PM, Petter Ericson pett...@acc.umu.se wrote: Hi! Good work :) First: some nitpicking: "third-parties" in the second paragraph should probably lose the hyphen. Second: I would be very happy to see a Telecomix signature on this letter :) Best regards /P On 18 January, 2013 - Nadim Kobeissi wrote: Okay everyone, the *final draft* has been posted online, with the gracious collaboration of the EFF. Please take a look at it, make sure you want to keep your signature there (or add it!) http://www.skypeopenletter.com/draft/ We'll be publishing next week. NK On Thu, Jan 17, 2013 at 4:29 AM, Grégoire Pouget grego...@rsf.org wrote: We'd like to see the final / rewritten version of the letter first, but Reporters Without Borders http://rsf.org would be happy to sign it. Best, On 17/01/2013 08:01, Nadim Kobeissi wrote: Thanks for your expert advice, Chris. We're currently in the process of reworking the letter with assistance from the EFF and we'll take what you said into consideration. NK On Thu, Jan 17, 2013 at 1:58 AM, Christopher Soghoian ch...@soghoian.net wrote: You may want to consider rewriting your law enforcement/government surveillance section: As a result of the service being acquired by Microsoft in 2011, it may now be required to comply with CALEA due to the company being headquartered in Redmond, Washington. 
Furthermore, as a US-based communication provider, Skype would therefore be required to comply with the secretive practice of National Security Letters. You don't articulate why being subject to CALEA is bad. Are the people signing the letter arguing that law enforcement should never have access to real-time intercepts of Skype voice/video communications? If so, say that, and why. If not, CALEA merely mandates access capabilities; it doesn't specify under what situations the government can perform an interception. Also, if you want to raise the issue of secretive surveillance practices, NSLs wouldn't be at the top of my list (yes, they don't require a judge, but they can at best be used to obtain communications metadata). I would instead focus your criticism on the fact that US surveillance law does not sufficiently protect communications between two non-US persons, and in particular, the government can intercept such communications without even having to demonstrate probable cause to a judge. Specifically, non-US persons have a real reason to fear FISA Amendments Act of 2008 section 702: Section 702 of the FISA Amendments Act of 2008 (FAA), codified as 50 U.S.C. 1181a, which allows the Attorney General and the Director of National Intelligence (DNI) to authorize jointly the targeting of non-United States persons for the purposes of gathering intelligence for a period of up to one year. 50 U.S.C. 1881a(1). Section 702 contains restrictions, including the requirement that the surveillance may not intentionally target any person known at the time of acquisition to be located in the United States. 50 U.S.C. § 1881a(b)(1). The Attorney General and DNI must submit to the FISC an application for an order (mass acquisition order) for the surveillance either before their joint authorization or within seven days thereof. 
The FAA sets out a procedure by which the Attorney General and DNI must obtain certification from FISC for their program, which includes an assurance that the surveillance is designed to limit surveillance to persons located outside of the United States. However, the FAA does not require the government to identify targets of surveillance, and the FISC does not consider individualized probable cause determinations or supervise the program. (from: http://epic.org/amicus/fisa/clapper/) While I am happy to provide feedback, I'm in no way authorized to sign on to this letter on behalf of the ACLU. On Wed, Jan 16, 2013 at 11:58 AM, Nadim Kobeissi na...@nadim.cc wrote: Dear Privacy Advocates and Internet Freedom Activists, I call on you to review the following draft for our Open Letter to Skype and present your name or the name of your organization as signatories: http://www.skypeopenletter.com/draft/ The letter will be released soon. Feedback is also welcome. Thank you, NK
Re: [liberationtech] Mega
Mega is using server-side JavaScript for crypto, so you're trusting them just like you'd trust Dropbox. Other people have reported issues with their implementation, including using weak randomness. I skimmed through their implementation and found some portions that indicate they don't know what they're doing, specifically how they're handling authenticated encryption. I wouldn't use Mega in its current form. On Mon, Jan 21, 2013 at 4:06 AM, Sam de Silva s...@media.com.au wrote: I wonder if there's any feedback from this list on Kim Dotcom's Mega project - www.mega.co.nz Can it be the secure alternative to Dropbox?
Re: [liberationtech] Mega
Hasn't Retroshare also been under criticism for a lack of audit? NK On Mon, Jan 21, 2013 at 2:42 PM, Randolph D. rdohm...@gmail.com wrote: the secure alternative is htp://retroshare.sf.net without payment, without Google Chrome sponsoring, without central servers. A full alternative. 2013/1/21 Sam de Silva s...@media.com.au Hi there, I wonder if there's any feedback from this list on Kim Dotcom's Mega project - www.mega.co.nz Can it be the secure alternative to Dropbox? Best, Sam
Re: [liberationtech] Mega
micah anderson: Nadim Kobeissi na...@nadim.cc writes: Hasn't Retroshare also been under criticism for a lack of audit? I've always wondered why something like Mega gets a lot of attention and people audit it pretty much immediately, but something like Retroshare, which has been around for a while, never has the eye of Sauron pass over it. I've wondered the same thing. I think it is because it is small, makes wild claims, calls a lot of attention to itself and is written in a context that many people seem to love to hate. So, to those of you who immediately tore Mega apart when it was launched, I ask you... why did you swarm over the latest new thing that nobody has even used, but haven't touched something like Retroshare (or even more core components that we depend on)? Why does something like Mega get all the attention of crypto researchers, but nobody has bothered to look at Retroshare? I'm not sure that it has no one looking. It uses GnuPG/OpenPGP, it uses email (or a manual paste) to connect up users, it doesn't seem to provide any anonymity for discovery of friend-to-friend connections, what little anonymity it provides is called TurtleHopping ( http://retroshare.sourceforge.net/wiki/index.php/Documentation:TurtleHopping ) and it is questionable at best, and so on. In any case, lack of audit means only one thing - it should be audited. I wonder why nobody has. Other than weird claims like "There's absolutely no way to know where turtle packets come from and where they go" ( http://retroshare.sourceforge.net/wiki/index.php/Documentation:TurtleHopping#Anonymity_issues apparently the older version of https://retroshareteam.wordpress.com/2012/11/03/retroshares-anonymous-routing-model/ ). Their anonymity model is... not impressive ( http://en.wikipedia.org/wiki/Retroshare#Anonymity ) from what I've seen. I'm not clear on most of the Retroshare design. Is there a threat model? Or the way they wish to model an adversary? 
What bugs would be out of scope (gnupg bugs, openssl bugs, libssh bugs, etc.) and what would be reasonable to report? The project seems like it is nice, but it is seriously odd. For example, consider this: "Friend to Friend (F2F) is the new paradigm after peer-to-peer (P2P). In a P2P network you connect to random peers all over the world. A F2F network only connects to your trusted friends. This makes the network significantly more private and secure." I'm fairly certain this isn't a new paradigm... There are lots of questions that come to mind when looking at their wiki and at their design documents. For example, with these long-term keys, they support a model of sharing with friends; what happens if the keys are compromised? Does it provide forward secrecy, non-repudiation or repudiation? I admit, I didn't look closely, but a strongly identifiable file sharing network sure has some important design considerations. A few other quick issues that come to mind include the use of Speex for VoIP (Variable bitrate operation? ruh roh!; the authors of Speex suggest using Opus as it has support for both CBR/VBR), they seem to have a lot of older versions of third-party software hard-coded into their build files ( see openpgpsdk.pro for more details ), they seem to play fast and loose with some traditionally unsafe C/C++ stuff rather than defensively, they seed some RNG use with time (srand(time(NULL)); in services/p3service.cc:240 - it might be better to use OpenSSL's random byte generating functions) and so on. If anyone wants to dive in - the source code is easy to grab: svn checkout svn://svn.code.sf.net/p/retroshare/code/trunk \ retroshare-code I'm not sure that this counts as anything more than a giggle test, and I did giggle a bit. Though I appreciate the ideas and the effort, I'm fairly certain I won't use it or suggest using it to others without deeper auditing. 
Hope that helps, Jake
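Jake's point about seeding an RNG with the wall-clock second (srand(time(NULL))) is worth seeing in code. The following is an added example, not Retroshare's code and not taken from the list post: it shows that a time-seeded libc rand() stream is fully determined by a seed anyone can observe (a timestamp in a log or a packet), and contrasts it with bytes from the kernel CSPRNG. Reading /dev/urandom stands in for OpenSSL's RAND_bytes, which the post suggests, so that the example builds without libcrypto; the seed value in the test is a constructed Unix timestamp.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Added example, not Retroshare code. /dev/urandom is used here as a
 * stand-in for OpenSSL's RAND_bytes so the file builds without libcrypto. */

#define STREAM_LEN 8

/* Produce the values time-seeded code would see: libc rand() after srand(seed). */
void weak_stream(unsigned seed, uint32_t out[STREAM_LEN]) {
    srand(seed);
    for (int i = 0; i < STREAM_LEN; i++) {
        out[i] = (uint32_t)rand();
    }
}

/* Whoever knows the seed second reproduces the identical stream, so a
 * time seed gives no secrecy. Returns 1 if both seeds yield the same stream. */
int weak_streams_match(unsigned seed_a, unsigned seed_b) {
    uint32_t a[STREAM_LEN], b[STREAM_LEN];
    weak_stream(seed_a, a);
    weak_stream(seed_b, b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Fill buf with CSPRNG bytes. Returns 0 on success, -1 on failure;
 * callers must check, since silently continuing would mean an empty buffer. */
int csprng_bytes(unsigned char *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) {
        return -1;
    }
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Two independent 128-bit CSPRNG draws differ with overwhelming probability;
 * returns 1 if they differ, 0 if the CSPRNG failed or (practically never) matched. */
int csprng_draws_differ(void) {
    unsigned char a[16], b[16];
    if (csprng_bytes(a, sizeof a) != 0 || csprng_bytes(b, sizeof b) != 0) {
        return 0;
    }
    return memcmp(a, b, sizeof a) != 0;
}

int main(void) {
    unsigned now = (unsigned)time(NULL);
    /* Same second, same stream: the seed is the whole secret. */
    printf("time-seeded streams identical for the same second: %d\n",
           weak_streams_match(now, now));
    printf("CSPRNG draws differ: %d\n", csprng_draws_differ());
    return 0;
}
```

The reviewer's takeaway from the second half is the failure mode: a CSPRNG read can fail (no device, short read), and code that ignores the return value keeps going with an uninitialised buffer, which is why csprng_bytes reports an error instead of pretending.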
Re: [liberationtech] Mega
On 01/21/2013 08:42 PM, Randolph D. wrote: the secure alternative is http://retroshare.sf.net without payment, without Google Chrome sponsoring, without central servers. A full alternative. 2013/1/21 Sam de Silva s...@media.com.au Hi there, I wonder if there's any feedback from this list on Kim Dotcom's Mega project - www.mega.co.nz Can it be the secure alternative to Dropbox? Best, Sam Retroshare is great, but not an alternative. Retroshare is torrent software with PGP encryption, and Mega is a one-click hoster. Of course you can never trust a company like Mega with your personal data, but if you encrypt it, then it should be no problem. I hope that there's soon software like Cloudfogger, but for Mega.
Re: [liberationtech] Finishing what Aaron Swartz started with PACER
I looked into Aaron Greenspan's proposed Operation Asymptote, and I wanted to recommend it as an effective and poetic tribute to Aaron Swartz's memory. Here's some background on how it works. PACER stands for Public Access to Court Electronic Records. It's a network of servers hosting case and docket information from federal district, bankruptcy, and appellate courts. http://www.pacer.gov/ As far as open government history is concerned, PACER was ahead of its time, initially providing terminal access in libraries and office buildings as early as 1988, then moving to the web in 2001. http://en.wikipedia.org/wiki/PACER_(law) Its network architecture and system design have not kept pace with the times. Neither has its fee structure, which was increased to $0.10 per page in September 2011. Charges are even applied to search results, where a page is defined as 4,320 bytes. I suppose one could argue it makes sense that the Administrative Office of the United States Courts should charge a nominal fee for documents which are in the public domain if you consider the cost of running and securing the service, maybe even upgrading it now and then. But that's not what the fees are exclusively used for. In fact, PACER makes a sizable profit and some of those funds are used in a slushy way by the U.S. Courts, enabling at least one court to purchase flat screen LCDs and audio speakers installed in court benches: http://managingmiracles.blogspot.com/2010/05/what-is-electronic-public-access-to.html What other options are out there for accessing federal case law? Open government pioneer Carl Malamud says commercial ventures such as Lexis-Nexis, West Law, and Bloomberg Law compete for a $6.5 billion market built around extracting rents from this public commons: Countless government lawyers, public interest lawyers, and solo practitioners are quick to point out that they are priced out of the market and cannot afford access to the tools they need for their job. 
For the rest of us, the law truly has been locked up behind a cash register, affordable only to those who can pay the enormous price. We are a nation of laws, but the laws are not publicly available. This is a fundamental issue for democracy, for if we are a nation of laws, we must be able to consult the cases and codes of our government. https://public.resource.org/uscourts.gov/index.html This brings to mind something important Jacob Appelbaum said the other day: The old phrase Ignorance of the law is no excuse really rings hollow in an era of secret law. https://twitter.com/ioerror/status/291357557577117698 The PACER system excludes a segment of the public as well as law practitioners who cannot afford access to the case law, which enforces its own form of ignorance. When Aaron Swartz met Steve Schultze in 2008 and learned about the PACER system, it seems he recognized an injustice and decided to do something about it. And as seems emblematic of what I have learned of Aaron Swartz's ways, he outsmarted an institution with the assistance of technology. Here's Steve Schultze's description of meeting Aaron Swartz, the idea for a Thumb Drive Corps to liberate PACER documents from 16 public libraries temporarily granted free access, and Aaron Swartz's automation of that process so he could download 2.7 million files in two days: http://blog.law.cornell.edu/voxpop/2011/02/03/pacer-recap-and-the-movement-to-free-american-case-law/ Steve's post also describes the provenance of the technology underlying Aaron Greenspan's proposed Operation Asymptote, the RECAP Firefox plugin. I called up one of the authors [of the paper Government Data and the Invisible Hand], Ed Felten, and he told me to come down to Princeton to give a talk about PACER. Afterwards, two graduate students, Harlan Yu and Tim Lee, came up to me and made an interesting suggestion. They proposed a Firefox extension that anyone using PACER could install. 
As users paid for documents, those documents would automatically be uploaded to a public archive. As users browsed dockets, if any documents were available for free, the system would notify them of that, so that the users could avoid charges. It was a beautiful quid-pro-quo, and a way to crowdsource the PACER liberation effort in a way that would build on the existing document set. As a result, we have the RECAP collection at The Internet Archive which as of this writing consists of 851,083 items: http://archive.org/details/usfederalcourts Here's the RECAP website where you can install the plugin, or browse the archive: https://www.recapthelaw.org/ http://archive.recapthelaw.org/ And here's the next piece of the puzzle: The Judicial Conference of the United States approved a measure in March 2010 stating that you will not owe a [PACER] fee unless your account accrues more than $10.00 of usage in a given quarter. In September 2011, this amount was increased to $15.00. If