Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Brian Conley



> > My point was for something off the shelf, I know of nothing better and as
> > far as it goes... I'd say it's a step up for a lot people who should be
> > using more secure IT technologies and methods than they are (such as some
> > journalists), and they can take that step with minimal investment in time
> > and energy and a chromebook will meet their needs.
> >
>
> I'd suggest users have no hard disk and boot off of a Tails USB disk.
> Now we've reduced the attack surface to the BIOS/EFI layer - something
> that I suspect is pretty crappy all across the board.

I would love to be a fly on the wall of the IDF customs agent you have to
explain this to. I see no OPSEC problem whatsoever in travelling with a
laptop that has no hard disk. I cannot imagine any customs agent or other
two-bit security bureaucrat having a problem with that.

//

See what I just did there? I attacked the specific *text* of your response,
rather than what I believe to be true about you. I assume you'd not ever
recommend that interpretation of your words to someone, so how does it help
dialogue/discussion/liberation for me to engage in that line of reasoning?

Brian
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Brian Conley
On Wed, Feb 6, 2013 at 2:16 PM, Jacob Appelbaum  wrote:

> Brian Conley:
> > Micah,
> >
> > Perhaps you can tell us the secret to convince all family members and
> > colleagues to become Linux hackers able to be completely self-sufficient
> > managing their own upgrades and modifications indefinitely?
>
> Stop supporting the use of non-free software? We're all part of the
> problem when we help people to be less free and to use proprietary
> software or proprietary services. This is both an education and a
> problem with enabling. We all suffer from it, I think.
>

What's funny about this, is that you appear to think I disagree with you on
this.

My point is, if *YOU* (any you out there of the many yous on this here
libtech list) want to advise someone who is at risk to use free software,
YOU should take responsibility for stewarding them through the process and
making sure they know enough not to get themselves into trouble.


>
> When we encourage people to say, buy a Macbook or a Chromebook because
> we're happy to support it over say, Windows, we're making things worse.
> Largely because the choice is actually between Free Software and
> proprietary software or free software on devices where we're not
> actually able to exercise all of our freedoms.
>

I don't know a great deal about Linux. I know enough to know that smart
people I know seem to think it is better for a variety of reasons from a
security standpoint. Unfortunately where it is *not* better is for people
engaged in multimedia. It would be great if someone would support the
development of better linux-based multimedia tools. I'm not that person.

Oh, except for the last year I've been working with the good folks at the
Guardian Project and others on a secure-by-design multimedia reporting app
based in Android, and a large portion of our relatively meager funding has
been directed at UI/UX design and graphics and content in the training
portion.


>
> Thus, when we aren't helping people to get off of the non-free platforms
> or to reduce our dependency on non-free software, we're basically not
> doing a great job at educating people that we care about and otherwise
> wish to support. When we pass the buck, we're enabling them with
> harmful, sometimes seriously so, solutions.
>

See above. I am certainly doing a lot more than I used to be doing in this
realm. I hope you're not trying to suggest that I am passing the buck.

My point is that if knowledgeable individuals are not willing to spend the
time to assist less knowledgeable people to get the first leg up in the
much-less-than-obvious world of FOSS/FLOSS/Whatever, then they are just as
responsible for security risks and endangerment as people who ignorantly
recommend windows, mac, etc because as you put it "When we encourage people
to say, buy a Macbook or a Chromebook because we're happy to support it
over say, Windows, we're making things worse."

Again, just as I still haven't heard a strong argument why google hangout
is "as bad" or "worse" than Skype, I don't yet see good arguments why
Chromebook is such a bad option for "many" use cases. In fact, I don't see
why a lot of mobile devices that are wifi only might be such bad options.
However, don't worry, I won't be advocating for you to use a windows mobile
or apple tablet anytime soon.


>
> >
> > Otherwise what is your point?
> >
>
> This essay seems like a longer version of what Micah has expressed:
>
>   http://www.gnu.org/philosophy/free-sw.html
>   http://www.gnu.org/philosophy/right-to-read.html
>
> I also suggest reading these two essays by RMS:
>
>   http://www.gnu.org/philosophy/shouldbefree.html
>   http://www.gnu.org/philosophy/when_free_software_isnt_practically_better.html


I will definitely read up, though by pointing me in this direction, you
open yourself up to replying to relevant and serious clarification
questions as follow up. (the Gunner clause ;) )

>
>
>
> He is also talking about how the threats to a user might include Google
> itself (eg: my legal cases!) or perhaps even the network you're using
> (hint: ChromeOS has no way to protect you against such an attacker, so
> no, it isn't safe to use everywhere or perhaps anywhere depending on
> your trust of the local network).
>

Again, depending on your threat model. Who said "everywhere" or "anywhere
for everyone?"


>
> > It seems like you are being needlessly confrontational or outright ignoring
> > the quite reasonable counter arguments to various linux OSes, Ubuntu/gentoo/
> > etc etc being made here.
>
> Most of arguments I've heard here boil down to privileged wealthy people
> complaining that learning and mutual aid or solidarity is simply too
> hard. The worst is when people who train people in risky situations make
> those kinds of statements.
>

LOL. I'm, frankly, quite offended if you are indeed suggesting that I am
making those statements.

Also, remember that I'm currently involved in developing what is probably
the first FOSS(FLOSS?) too

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Brian Conley
+1.

I wish I could say otherwise, but now after a few years working as a
journalism trainer and in the journalism field I've been led to recognize
that, whether I like it or not, and whether it is ethical or not:

1. headlines are used to grab readers and generate buzz. I'd not read the
article until it was posted here, and I'm sure many others had not. That
generated buzz and eyeballs.

2. journalists are again and again and again guilty of "access bias." They
are biased to report on the thing they have access to, whether that be
because a PR firm sent them a release and made individuals available for
interview, or a great many other reasons.

3. the best way to counter media spin is to make friends with journalists,
put out counter press releases, and above all, not engage in personal
attacks or petty bullshit.

I don't like it, and I tell all my students to avoid it, but there it is.

Brian

On Thu, Feb 7, 2013 at 12:46 PM, Jillian C. York wrote:

> I'm not going to get into the politics or pettiness of this because
> frankly, I don't care.
>
> But this headline and the accompanying claims of unbreakability are so
> incredibly egregious
> that I would expect *every single person on this list* to speak out
> against those (claims, that is), regardless of their feelings on the actual
> product.
>
>
>
> On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys wrote:
>
>> Just as a reminder, please let's all try to refrain from engaging in any
>> personal attacks.  We all build and use liberationtech to make a
>> difference in various ways, and we're bound to have disagreements.  But
>> let's not forget that we're all working toward the same broad goal of
>> making people's lives better.  Otherwise, we would likely not be on this
>> list.
>>
>> Best,
>>
>> YC
>>
>> On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie 
>> wrote:
>>
>>> Douglas, I'm not sure many people are disagreeing with the end-goals and
>>> even Zimmerman acknowledges the window for verifiable source proof is
>>> closing fast (longer than many would have liked as-is).
>>>
>>> My comments to Nadim are coming from a tact perspective - if the goal is
>>> to gain wider adoption and recognition for all the community work, good
>>> projects, verified projects, etc. etc. then it helps when you play in the
>>> sandboxes occupied by more than the hackers and programmers making it happen.
>>>
>>> It's not uncommon to have people, who need solutions the most, to be
>>> afraid of projects because of the "main name" associated with them after
>>> some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD,
>>> etc. etc.
>>>
>>> It's easy to tell everyone else to pound sand or to roll all activist
>>> causes into one for the collective libtech "us" - it's not so easy when we
>>> take it elsewhere. Just trying to see how we can promote things that look
>>> less like personal gripes and trolls - and more like building something
>>> useful. -Ali
>>>
>>>
>>>
>>> On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas  wrote:
>>>
 Can Silent Circle promoters explain why Zimmerman is excused from
 Kerckhoffs's principle?

 Is it because something unverifiable is allegedly better than nothing?
 Even if we had divine knowledge to tell us Silent Circle is secure,
 isn't it an overriding problem to encourage lock-in of closed source
 being acceptable for something as common as text-messaging?

 It is good to have a scrappy talented young person such as Nadim being
 pesky to older, accepted people.


 On 02/07/2013 09:45 AM, Julien Rabier wrote:
 > Hello all,
 >
 > I'm no sec expert but to me, it's so obvious that Nadim is right on this.
 > Perhaps the form is not perfect, but if he's the only one fighting for our
 > own sanity here, as he says, that's no surprise.
 >
 > We should all be asking Silent Circle to commit to their statement and show
 > us the source code of their so-called unbreakable encryption tools.
 >
 > Again, I'm no sec expert and I won't be the guy who will do the hard task of
 > auditing and reviewing this code. But as a user, as a citizen and perhaps an
 > activist, I want the source code of such tools to be reviewed widely and
 > publicly before using and promoting it.
 >
 > My 2 euro cents,
 > Julien
 >
 > On 07 Feb. - 10:31, Nadim Kobeissi wrote:
 >> Small follow-up:
 >> Maybe it's true I look like my goal here is just to foam at the mouth at
 >> Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
 >> truly sorry. These are not my goals, even if my method seems forced.
 >>
 >> I've tried writing multiple blog posts about Silent Circle, contacting
 >> Silent Circle, asking journalists to *please* menti

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread scarp

Ali-Reza Anghaie:
> Inline below..
> 
> 
> On Thu, Feb 7, 2013 at 11:34 AM, scarp  wrote:
> 
>> The fact you can't buy into this service anonymously, so at least
>> payment credentials will be available. Even if Phil says he won't
>> be bad what is to stop Apple revealing your iTunes account
>> purchased this application in AppStore when the necessary legal
>> screws are applied to them.
>>
> 
> They do offer the Ronin option for anonymous purchasing of the
> provisioning keys - the App is free itself.
> 
> -Ali

Ah yes, although the application is free, what I meant is Apple will
still have a record that you installed it on that iTunes account. They
actually send you an invoice for $0.00.

It also appears BitcoinEAST resell the activation codes, so I guess
you could acquire some bitcoins via mail order and that would be a
pretty safe way of purchasing.

- -- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Robert Guerra
Chris,

Nicely put. Agree with your comments 100%


Robert

--


On 2013-02-07, at 8:14 PM, Christopher Soghoian wrote:

> See Inline
> 
> On Thu, Feb 7, 2013 at 12:15 PM, Andy Isaacson  wrote:
> Silent Circle may be an excellent privacy app.  It might not have any
> significant security problems.  It might even do a good job of
> mitigating important platform-based attacks and supporting important new
> use cases (the "burn after reading" feature).  When it's actually open
> source I'll take a look and if it is good, I'll recommend it to users.
> 
> Until that open review happens, I think it's inappropriate for voices in
> our community to commend or recommend such a proprietary system.  Each
> person makes their own choices, of course, and nobody should base their
> actions solely on what *I* think is right, but I hope you can hear my
> concerns and consider the outcomes of your actions.
> 
> Twitter's official client and server code are not open source. That hasn't 
> stopped the good folks at EFF, as well as many other privacy advocates from 
> praising the company's law enforcement transparency policies, as well as 
> Twitter's willingness to go the extra mile when responding to various forms 
> of legal process.
> 
> Much of Google's code, including all of the Gmail backend code is not open 
> source, but that hasn't stopped privacy advocates from legitimately praising 
> the company for voluntarily publishing some really useful data on government 
> requests and DMCA takedown demands.
> 
> Although I have not recommended Silent Circle to anyone, I believe that it is 
> entirely legitimate to praise the company for its commitment to transparency 
> regarding law enforcement requests and the company's overall law enforcement 
> policy.
> 
> Hell, looking at the list of companies ranked on EFF's "Who's got your back" 
> website, closed source is by far the norm, not the exception. That hasn't 
> stopped EFF from giving out gold stars where they feel they are deserved. 
> See: 
> https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back
> 
> In fact, for many of the factors that I am most interested in, source code is 
> completely irrelevant. Client source code does not reveal a company's data 
> retention policy, and server data retention configurations are impossible to 
> verify. Source code does not reveal whether a company will tell its users 
> about subpoenas submitted for user data where not prevented from doing so by 
> a gag order. Source code will not reveal a company's willingness to spend 
> hundreds of thousands of dollars on legal bills to fight an improper request 
> submitted by lawyers at the Department of Justice. For such things, you have 
> to evaluate the company on its public policy (and, once the policy is put 
> into action, you can judge the company via its track record).
> 
> By all means, continue to harass Silent Circle about its source code. 
> Likewise, please do hold journalists accountable for the bogus headlines 
> they, or their editors have selected. But do not dismiss my legitimate 
> interest in the law enforcement legal policies adopted by companies. These 
> policies are often just as important, yet impossible to verify, even when 
> companies publish their source code.
> 
> Cheers,
> 
> Chris


Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread micah anderson
Brian Conley  writes:

> Perhaps you can tell us the secret to convince all family members and
> colleagues to become Linux hackers able to be completely self-sufficient
> managing their own upgrades and modifications indefinitely?

I never suggested that all family members and colleagues need to do any
such thing, so why should I come up with that secret? 

Is that what this thread is about? I thought this thread was a
Chromebook advertising clownfest, but I see I am wrong! It is actually
about how people are defensive about their compromises to freedom and
want to fight about that.

> Otherwise what is your point?

I have a hard time responding to that question when you don't bother
citing whatever it is you are disagreeing with and instead just top post
on top of what I wrote.

> It seems like you are being needlessly confrontational or outright ignoring
> the quite reasonable counter arguments to various linux OSes,Ubuntu/gentoo/
> etc etc being made here.

ok, you are probably right, it is just so wrong in so many ways, that I
can't do anything but snipe and run away. So I give up. I can't even
begin to start unpacking what is wrong in many of the things I've read
here, so I give up. 

I'm turning off the internet, everyone out.




Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread micah anderson
Nadim Kobeissi  writes:

> On Wed, Feb 6, 2013 at 5:16 PM, Jacob Appelbaum  wrote:
>
>>
>>
>> This is hilarious.
>>
>> I would *never* use a laptop that lacks a way to protect all your
>> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
>> surveillance as an at risk person. Not only because the remote systems
>> will have your exact geographic location and because a lack of anonymity
>> allows for targeted attacks, but also because the local network is well
>> known to be seriously hostile!
>>
>>
> Thankfully, while Chrome does not support better solutions (such as Tor),
> it does in fact support VPN connections:
> http://support.google.com/chromeos/bin/answer.py?hl=en&answer=1282338

I hope they can do their VPN better in Chromebooks than they've
completely failed to do properly in Android...


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Griffin Boyce
Christopher Soghoian  wrote:

> Twitter's official client and server code are not open source
>
> Much of Google's code, including all of the Gmail backend code is not open
> source
>

  That's a bit of a false equivalency, don't you think? Silent Circle's
whole premise is that their code will encrypt data and protect it from
outside parties (including the government). Twitter and Google make no such
promise, and in fact their legal policies run counter to that...

~Griffin

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread T N
On Thu, Feb 7, 2013 at 4:46 PM, Jacob Appelbaum  wrote:

> As I said in another thread, I hadn't seen that they supported any VPN
> endpoints; my original ChromeOS device had no VPN support at all. I'm
> glad to see that they support IPSEC and OpenVPN (gladly no PPTP!).
> Ideally, I would like to see them offer an SSH setup wizard where it
> also uses OpenSSH as a VPN transport.
>
> I plan to look into their VPN setup - I would love to see that they're
> not vulnerable to the issues in our recent vpnwed paper.
>

AFAICT, they are doing a bunch of work on expanding VPN support so
enterprises can adopt the product.

The ssh client is "interesting", check it out if you haven't.  It's openssh
in NaCl form, running inside of hterm (javascript terminal).  One claim I
saw them make was this is more secure than a typical ssh client (running
off a linux distro, say) because in addition to the careful stuff done to
avoid any possibility (cough) of a javascript exploit, the whole caboodle
is running inside of a sandbox (because inside Chrome).  I don't know what
to make of that.  Various key management, tunneling and other support has
AFAICT been coming along.



> Weaponizing an exploit and persisting something malicious aren't the
> same problem. Consider a Chrome extension that logs all the urls one
> visits in the browser, will the ChromeOS security model prevent it?
>

I see what you're saying.  Yes, the "ironic" thing about Chrome OS is that
the base OS is relatively secure, but all of that is to force you into a
browser ("web world").  What exactly does one say about that!?  A giant
step forward in a commercial OS/hardware hardening effort, and a giant
regression?  Eh, the web still scares me.  Therapy hasn't helped.  Anyways
for a journalist in certain situations, connecting to say Google Docs...
using two factor authentication... in the spirit of what started this
thread, it seems like compared to a lot of off the shelf alternatives, this
is still a giant leap forward in terms of security.  It is at the very
least an interesting debate/thing to think about (per the thread)?


> > I think you're seriously missing the point here.  My remarks were well
> > qualified.  Conditionals have to be met:
> >
> > - IF you want low cost (time is money, so efforts to set up a Linux secure
> > laptop that are time consuming are expensive, as is all the time you spent
> > to learn how to do these things in the first place)
>
>
> Download Tails and boot it up.
>

Really though?  "Mr. Rather, could you please download tails and boot it
up?"

"Mr. Koppel, if you have a problem with this thing I'm handing you, contact
me, I'll get a hold of the mailing list..."

I'm being facetious of course.  And I think this gets into an interesting
area about how to support secure liberation technology.  That I don't know,
so not entirely sure what to say to what you suggest.



> > - IF you want a somewhat naive user to use the device (eg. journalist)
> > - etc.
>
> Ditto.
>
> I train journalists all the time and the only people who have issues are
> journalists with Macbooks, as there is a specific problem with new apple
> hardware and booting from a USB disk. In those cases, a DVD is read only
> and does just fine.
>

Okay, that's your experience.



> I'd suggest users have no hard disk and boot off of a Tails USB disk.
>
> Now we've reduced the attack surface to the BIOS/EFI layer - something
> that I suspect is pretty crappy all across the board.
>
> While ChromeOS will complain if it is shut down, I remember that it
> won't complain about being in Developer mode if it wakes from sleep.
> Thus, it is totally possible to hand someone a compromised ChromeOS
> device that is awake, let them login and you've won without even having
> to reflash the core OS.


Are we really trying to defend against that threat model?

Re your next email, I'll address one point, though spending this time
defending Chrome OS seems a bit silly.  I'm not a shill for Google and have
nothing to gain here (and thus at some point better things to do! :-).
What I would say is to really go (again?) to chromium.org and look at all
the lengthy discussion of their security design.  Anywho, if the dev switch
is flipped, one has root without so much as a password (until one is set).
But so what?  Dev mode only takes effect after the switch is flipped and the
machine is booted (or rebooted).  In other words, gaining root on an acquired
device gets you no closer to any cached data or credentials on the Chrome
OS device, because that stuff is all encrypted and being root doesn't help
you there; the user has to be logged in and in an *active* session for root to
have any access to their data.  But if the user is active, the user is
right there physically and thus the threat model is again totally
different.  The Chrome OS documentation goes into quite a bit of detail
about what threat models they can and can't defend against.  The point I
would make here is gaining root on a Chrome OS devic
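
Jacob's question quoted above (will the ChromeOS security model stop an extension that logs every URL?) and the reply that the hardened base OS pushes everything into the browser point at the check a practitioner would actually run: the verified boot chain covers the OS image, not what gets installed into the user's profile, so the place to look is the manifests of the installed extensions. The following is an added example in Python, not Chromium code and not from anyone in this thread: it flags the manifest entries that give an extension sight of every URL. The permission and match-pattern names are Chrome's real ones; the sample manifests are constructed for the example, and the `host_permissions` / `optional_host_permissions` keys belong to Manifest V3, which post-dates this thread.

```python
"""Triage Chrome extension manifests for the ability to observe every URL.

Added example, not Chromium code. Permission and match-pattern names are
Chrome's; the sample manifests below are constructed, and the extension
directory to scan is passed in rather than assumed.
"""
from __future__ import annotations

import json
import os

# API permissions whose grant exposes tab, navigation or request URLs across
# sites: enough to build the URL logger Jacob describes, no exploit required.
URL_OBSERVING_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "history"}


def host_is_broad(pattern: str) -> bool:
    """True for match patterns that cover every site: '<all_urls>' or any
    '<scheme>://*/...' pattern such as '*://*/*' or 'https://*/*'."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False                      # an API permission name, not a host pattern
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"


def audit_manifest(manifest: dict) -> dict:
    """Return which parts of this manifest let the extension see every URL."""
    findings: list[str] = []
    perms = list(manifest.get("permissions", []))
    api = sorted(p for p in perms if p in URL_OBSERVING_PERMISSIONS)
    if api:
        findings.append(f"API permissions exposing URLs: {api}")
    # Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
    hosts = sorted({p for p in perms + list(manifest.get("host_permissions", []))
                    if host_is_broad(p)})
    if hosts:
        findings.append(f"broad host permissions: {hosts}")
    for script in manifest.get("content_scripts", []):
        broad = [m for m in script.get("matches", []) if host_is_broad(m)]
        if broad:
            findings.append(f"content script runs in every page: {broad}")
    flagged = bool(findings)              # optional grants are reported, not counted
    optional = sorted(p for p in list(manifest.get("optional_permissions", []))
                      + list(manifest.get("optional_host_permissions", []))
                      if p in URL_OBSERVING_PERMISSIONS or host_is_broad(p))
    if optional:
        findings.append(f"optional, grantable later at runtime: {optional}")
    return {
        "name": manifest.get("name", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "findings": findings,
        "flagged": flagged,
    }


def audit_directory(root: str) -> list[dict]:
    """Audit every manifest.json below `root` (e.g. a profile's Extensions dir)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" in files:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8-sig") as fh:
                results.append(audit_manifest(json.load(fh)))
    return results


SAMPLE_MANIFESTS = {  # constructed for this example
    "notes": {"name": "Notes", "manifest_version": 3,
              "permissions": ["storage"],
              "host_permissions": ["https://notes.example/*"]},
    "toolbar": {"name": "Helpful Toolbar", "manifest_version": 2,
                "permissions": ["tabs", "webNavigation", "<all_urls>"]},
    "reader": {"name": "Reader Mode", "manifest_version": 3,
               "permissions": ["storage"],
               "optional_permissions": ["history"],
               "content_scripts": [{"matches": ["*://*/*"], "js": ["reader.js"]}]},
}

if __name__ == "__main__":
    for m in SAMPLE_MANIFESTS.values():
        r = audit_manifest(m)
        print(f"{r['name']} (MV{r['manifest_version']}): "
              + ("FLAGGED" if r["flagged"] else "ok"))
        for f in r["findings"]:
            print("   -", f)
```

The point of the triage is the one Jacob makes: a verified, read-only OS image says nothing about code running inside the user's session, so an extension with `tabs` plus `<all_urls>`, or a content script matched on `*://*/*`, sees every page the user opens and persists across reboots without ever touching the base OS.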

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Christopher Soghoian
See Inline

On Thu, Feb 7, 2013 at 12:15 PM, Andy Isaacson  wrote:

> Silent Circle may be an excellent privacy app.  It might not have any
> significant security problems.  It might even do a good job of
> mitigating important platform-based attacks and supporting important new
> use cases (the "burn after reading" feature).  When it's actually open
> source I'll take a look and if it is good, I'll recommend it to users.
>
> Until that open review happens, I think it's inappropriate for voices in
> our community to commend or recommend such a proprietary system.  Each
> person makes their own choices, of course, and nobody should base their
> actions solely on what *I* think is right, but I hope you can hear my
> concerns and consider the outcomes of your actions.
>

Twitter's official client and server code are not open source. That hasn't
stopped the good folks at EFF, as well as many other privacy advocates from
praising the company's law enforcement transparency policies, as well as
Twitter's willingness to go the extra mile when responding to various forms
of legal process.

Much of Google's code, including all of the Gmail backend code is not open
source, but that hasn't stopped privacy advocates from legitimately
praising the company for voluntarily publishing some really useful data on
government requests and DMCA takedown demands.

Although I have not recommended Silent Circle to anyone, I believe that it
is entirely legitimate to praise the company for its commitment to
transparency regarding law enforcement requests and the company's overall
law enforcement policy.

Hell, looking at the list of companies ranked on EFF's "Who's got your
back" website, closed source is by far the norm, not the exception. That
hasn't stopped EFF from giving out gold stars where they feel they are
deserved. See:
https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back

In fact, for many of the factors that I am most interested in, source code
is completely irrelevant. Client source code does not reveal a company's
data retention policy, and server data retention configurations are
impossible to verify. Source code does not reveal whether a company will
tell its users about subpoenas submitted for user data where not prevented
from doing so by a gag order. Source code will not reveal a company's
willingness to spend hundreds of thousands of dollars on legal bills to
fight an improper request submitted by lawyers at the Department of
Justice. For such things, you have to evaluate the company on its public
policy (and, once the policy is put into action, you can judge the company
via its track record).

By all means, continue to harass Silent Circle about its source code.
Likewise, please do hold journalists accountable for the bogus headlines
they, or their editors have selected. But do not dismiss my legitimate
interest in the law enforcement legal policies adopted by companies. These
policies are often just as important, yet impossible to verify, even when
companies publish their source code.

Cheers,

Chris

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Jacob Appelbaum
T N:
> The other things I meant to add:
> 
> Most Linux distro's are not running with their executable code on a
> readonly filesystem, and it takes some effort to convert to a RO
> configuration.
> 

If someone has root on the machine or physical access, I guess that it
won't matter as much as we'd like unless the physical media is actually
Read Only, say with a DVD.

> Also you can not login to a stock Chrome OS device as root.  That account
> has logins disabled.  You have to flip to dev mode, in which case, the
> machine will complain at every boot that it's mode has been switched (so
> you know).

If the dev switch is flipped, one may simply gain root, no?

All the best,
Jacob


Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Jacob Appelbaum
T N:
> On Wed, Feb 6, 2013 at 2:16 PM, Jacob Appelbaum  wrote:
> 
>> It runs software that is in Debian, the GNU/Linux operating system. I
>> know, I've written some of it (eg: tlsdate). They do a good job of
>> locking things down but it is basically just another distribution of Linux.
>>
> 
> I don't agree it's "basically just another linux distribution" in that most
> distros (zero?) aren't using the dm-verity Google mostly wrote and
> contributed upstream for their purposes.  The distros could use it.
> Chrome OS is also totally stripped down compared to a typical linux
> distribution.  It runs X but the window manager is customized and their
> own (open source, but nonetheless).

ChromeOS is just a distribution of Linux with the Linux kernel and with
a user space that performs a bunch of the same functionality as any
distro. They take more care with security than most distros but until
they're running a BSD kernel or something and drop all the code in
common with other distros, I don't see major differences.

Their main difference comes from a focus on security in a holistic sense
and I respect their efforts.

This is mostly splitting hairs but not every Linux distro is a sysV unix
clone, ChromeOS is another variant and a reasonable one.

> 
> But yes- it's a Linux kernel with an admixture of userland things, some of
> which are GNU, some of which are not.

Most of the positive security model comes from isolation and the idea
that the ChromeOS team scoped out a specific specification for each
thing they wished to solve. I appreciate the effort and I hope that most
of their work is adopted by other distros.

> 
> 
> This is hilarious.
>>
>> I would *never* use a laptop that lacks a way to protect all your
>> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
>> surveillance as an at risk person.
> 
> 
> It has ssh and supports a number of VPN protocols.  What's so funny?
> 

As I said in another thread, I hadn't seen that they supported any VPN
endpoints; my original ChromeOS device had no VPN support at all. I'm
glad to see that they support IPSEC and OpenVPN (gladly no PPTP!).
Ideally, I would like to see them offer an SSH setup wizard where it
also uses OpenSSH as a VPN transport.

I plan to look into their VPN setup - I would love to see that they're
not vulnerable to the issues in our recent vpnwed paper.

> 
> 
>> Not only because the remote systems
>> will have your exact geographic location and because a lack of anonymity
>> allows for targeted attacks, but also because the local network is well
>> known to be seriously hostile!
>>
>> A persistent backdoor on your Chromebook is not actually impossible. I
>> have a few ideas for how to make it happen and I've discussed
>> security/development issues with the ChromeOS team on a nearly daily basis.
>>
> 
> Good luck with that.  Maybe you want to make some money this year at Pwnium?
> 

Weaponizing an exploit and persisting something malicious aren't the
same problem. Consider a Chrome extension that logs all the urls one
visits in the browser, will the ChromeOS security model prevent it?

> 
>>> Yes, you can't compare Chrome OS's attack surface to a typical linux
>>> distribution, or even a highly customized linux install which doesn't have
>>> the hardware root of trust.
>>>
>>
>> Actually, I think you can compare it - one major advantage is that you
>> can protect your network traffic and compartmentalize your risk with any
>> Secure Boot enabled Linux distro. You can also do it without secure boot
>> and it isn't terribly hard as long as you draw arbitrary lines like "the
>> EFI firmware blobs and hardware are out of scope" which is what happens
>> with Secure Boot systems anyway.
>>
> 
> I think you're seriously missing the point here.  My remarks were well
> qualified.  Conditionals have to be met:
> 
> - IF you want low cost (time is money, so efforts to set up a Linux secure
> laptop that are time consuming are expensive, as is all the time you spent
> to learn how to do these things in the first place)


Download Tails and boot it up.

> - IF you want a somewhat naive user to use the device (eg. journalist)
> - etc.

Ditto.

I train journalists all the time and the only people who have issues are
journalists with Macbooks, as there is a specific problem with new apple
hardware and booting from a USB disk. In those cases, a DVD is read only
and does just fine.

> 
> All you're saying is that "If I'm a total techie weenie with nothing but
> time on my hands I can do way better than a Chromebook".
> 
> Well of course.  I don't disagree with something along those lines.  But
> that's not the practical use cases I was trying to summon.
> 

I'm not making that statement at all.

> That said, to the extent that I sort of implied a Chromebook is some kind
> of safe thing to use in China for a person at risk... well no.  I would
> not want to stand on that!  And I actually agree with what you're saying as
> far as that goes.
> 

Ok.
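
To make the extension question concrete: the ChromeOS sandbox isolates
processes, but an extension holding the "tabs" permission, or a content
script matched against every site, is handed each page URL by design, so the
practical check is which installed extensions hold such grants. The script
below is an added example for this thread, not code from Chrome or ChromeOS;
it audits an extension's manifest.json for those grants, the mapping of
permissions to what they reveal is my reading of the Chrome extension
documentation, and the two manifests are constructed.

```python
"""Audit a Chrome extension manifest for grants that reveal every URL the
user visits.  Added example for this thread, not Chrome or ChromeOS code;
the permission notes follow the Chrome extension docs and both manifests
below are constructed."""
import json

# Permissions whose APIs hand page URLs to the extension.
URL_REVEALING = {
    "tabs": "chrome.tabs reports the url of every tab",
    "webNavigation": "chrome.webNavigation events carry every navigated url",
    "webRequest": "chrome.webRequest sees every request url on granted hosts",
    "history": "chrome.history exposes the whole browsing history",
}

# Host match patterns that cover every site.
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Host grants sit inside 'permissions' in manifest v2 and in a separate
    'host_permissions' list in manifest v3; collect both."""
    perms = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    hosts = [p for p in perms if "://" in p or p == "<all_urls>"]
    return hosts + list(manifest.get("host_permissions", []))


def audit_manifest(manifest_text):
    """Return a list of findings; empty means nothing in the manifest lets
    the extension observe which pages the user visits."""
    m = json.loads(manifest_text)
    findings = []
    for p in m.get("permissions", []) + m.get("optional_permissions", []):
        if p in URL_REVEALING:
            findings.append(f"permission {p}: {URL_REVEALING[p]}")
    if any(pat in ALL_HOSTS for pat in host_patterns(m)):
        findings.append("host access to every site: webRequest/scripting "
                        "calls can read any url")
    for cs in m.get("content_scripts", []):
        if any(pat in ALL_HOSTS for pat in cs.get("matches", [])):
            findings.append("content script runs in every page and can read "
                            "location.href (and post it anywhere)")
    return findings


# Constructed manifest of a harmless-looking extension that can log every
# visited url: the tabs permission plus a content script on all sites.
LOGGER_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Reading Time",
    "version": "1.0",
    "permissions": ["tabs", "storage"],
    "background": {"scripts": ["bg.js"]},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}],
})

# Constructed manifest that only needs local storage.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Notes",
    "version": "1.0",
    "permissions": ["storage"],
})

if __name__ == "__main__":
    for name, text in (("Reading Time", LOGGER_MANIFEST), ("Notes", BENIGN_MANIFEST)):
        print(name + ":", audit_manifest(text) or ["no url-revealing grants"])
```

The point of the audit is that none of these grants are blocked by process
isolation or verified boot: the extension is running inside the sandbox with
exactly the access it asked for at install time, so the review has to happen
at the permission prompt or on the manifest, not at the OS layer.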

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Katrin Verclas
UAE - Etisalat, nexus 4  - tethering was easy once the data plan was procured. 
That, however, ain't simple - took time and some significant documentation. 
Only thing they did not ask for was my first-born son. 

On Feb 6, 2013, at 15:31, Brian Conley  wrote:

> What Android OS are you using, Ali?
> 
> It's a snap with Google Nexus running 4.0. Perhaps it's an OS version or 
> carrier-rolled OS that is the problem?
> 
> Brian
> 
> On Wed, Feb 6, 2013 at 12:26 PM, Ali-Reza Anghaie  
> wrote:
>> I'm glad people have had luck with tethering their Android phones 
>> internationally. I've had absolutely zero - I'll have to give it another run 
>> with a locally renter provider I suppose.
>> 
>> Anyone try in the UAE recently? Provider, hardware? Egypt? Curious. -Ali
>> On Feb 6, 2013 3:19 PM, "Griffin Boyce"  wrote:
>>> 
>>> 
>>> On Wed, Feb 6, 2013 at 1:28 AM, Nathan of Guardian 
>>>  wrote:
 On 02/06/2013 01:22 PM, Ali-Reza Anghaie wrote:
 >
 > How can projects like Privly play into it? Carrying a Tor Router along
 > with you or building one on-site. None of the operational matters will
 > ever be squarely addressed by one platform but it all can be
 > decision-treed out nicely.
 
 You could also use Orbot with wifi-tether on Android phone. It can
 transparent proxy all the wifi hotspot traffic over Tor.
>>> 
>>> Using an android phone as a tether seems much more normal and fits the 
>>> profile of an international traveler. Carrying a router around might not be 
>>> the best option for staying low-profile.
>>> 
>>> I like Chrome OS but am addicted to Pidgin with OTR. It's really the only 
>>> thing keeping me from trying out a Chromebook. (Even Photoshop is available 
>>> 'in the cloud'). If you need to install a few programs locally but like the 
>>> overall idea and features, JoliOS looks to be a good option: 
>>> http://www.jolicloud.com/jolios  
>>> 
>>> Somewhat off-topic: I reject the idea that because something isn't right 
>>> for Syrians, that it's not useful. There is an incredible spectrum of 
>>> threat models to consider. And usability is a factor. It's worth 
>>> considering that state-sponsored Windows spyware is a major problem. But 
>>> people still use it because the realistic alternative is more difficult to 
>>> use (even Ubuntu has a sharp learning curve).
>>> 
>>> Best,
>>> Griffin Boyce
>>> 
>>> --
>>> Unsubscribe, change to digest, or change password at: 
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> 
>> --
>> Unsubscribe, change to digest, or change password at: 
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 
> 
> 
> -- 
>  
> 
> Brian Conley
> 
> Director, Small World News
> 
> http://smallworldnews.tv
> 
> m: 646.285.2046
> 
> Skype: brianjoelconley
> 
> 
> 
> --
> Unsubscribe, change to digest, or change password at: 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Collin Anderson
> Is there something I'm missing about ~selling~ dissidents solutions in
Iran and NK? US Government have an exception for that? -Ali

There is a Favorable Licensing Policy for Iran on Internet Freedom that
specifically mentions "Fee-Based Internet Communication Services," although
since published in March 2012 it is unclear whether any actual license has
been approved. North Korea might have larger impediments since, as I am
fairly sure, there is next to no access to international telephony or
Internet connections.


On Thu, Feb 7, 2013 at 4:47 PM, Ali-Reza Anghaie wrote:

> I do have to wonder why they've twice mentioned embargoes countries they
> couldn't sell to legally anyway.
>
> Is there something I'm missing about ~selling~ dissidents solutions in
> Iran and NK? US Government have an exception for that? -Ali
> On Feb 7, 2013 4:38 PM, "Nadim Kobeissi"  wrote:
>
>> “I tell them go ahead and use Skype — I don’t even want to talk to you.
>> This is for serious people interested in serious cryptography,” Zimmermann
>> said. “We are not Facebook. We are the opposite of Facebook.”
>>
>> http://bits.blogs.nytimes.com/2013/02/05/security-pioneer-creates-service-to-encrypt-phone-calls-and-text-messages/
>>
>>
>> NK
>>
>>
>> On Thu, Feb 7, 2013 at 4:32 PM, Nadim Kobeissi  wrote:
>>
>>> The latest "unbreakable even by a supercomputer" article includes
>>> artistic, black and white photographs of Phil Zimmermann and John Callas:
>>>
>>> http://www.dailymail.co.uk/sciencetech/article-2274597/How-foil-eavesdroppers-The-smartphone-encryption-app-promises-make-communications-private-again.html#axzz2KDR1XKE6
>>>
>>>
>>> NK
>>>
>>>
>>> On Thu, Feb 7, 2013 at 4:15 PM, Ali-Reza Anghaie 
>>> wrote:
>>>
 And even the "proponents" already have. Here, elsewhere, .. Nobody is
 happy at technically ignorant gee-whiz journalism.

 The discussion has been, a few times now, how we tend to speak out
 about it. And what buses people on the same side seem willing to throw
 each other under. Gods know why. -Ali
  On Feb 7, 2013 3:46 PM, "Jillian C. York" 
 wrote:

> I'm not going to get into the politics or pettiness of this because
> frankly, I don't care.
>
> But this 
> headlineand
>  the accompanying claims of unbreakability are so incredibly egregious
> that I would expect *every single person on this list* to speak out
> against those (claims, that is), regardless of their feelings on the 
> actual
> product.
>
>
>
> On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys  > wrote:
>
>> Just as a reminder, please let's all try to refrain from engaging in
>> any personal attacks.  We all build and use liberationtech to make a
>> difference in various ways, and we're bound to have disagreements.  But
>> let's not forget that we're all working toward the same broad goal of
>> making people's lives better.  Otherwise, we would likely not be on this
>> list.
>>
>> Best,
>>
>> YC
>>
>> On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie <
>> a...@packetknife.com> wrote:
>>
>>> Douglas, I'm not sure many people are disagreeing with the end-goals
>>> and even Zimmerman acknowledges the window for verifiable source proof 
>>> is
>>> closing fast (longer than many would have liked as-is).
>>>
>>> My comments to Nadim are coming from a tact perspective - if the
>>> goal is to gain wider adoption and recognition for all the community 
>>> work,
>>> good projects, verified projects, etc. etc. then it helps when you play 
>>> in
>>> the sandboxes occupied by more than the hackers and programmers making it
>>> happen.
>>>
>>> It's not uncommon to have people, who need solutions the most, to be
>>> afraid of projects because of the "main name" associated with them after
>>> some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = 
>>> OpenBSD,
>>> etc. etc.
>>>
>>> It's easy to tell everyone else to pound sand or to roll all
>>> activist causes into one for the collective libtech "us" - it's not so easy
>>> each
>>> when we take it elsewhere. Just trying to see how we can promote things
>>> that look less like personal gripes and trolls - and more like building
>>> something useful. -Ali
>>>
>>>
>>>
>>> On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas wrote:
>>>
 Can Silent Circle promoters explain why Zimmerman is excused from
 Kerckhoffs's principle?

 Is it because something unverifiable is allegedly better than
 nothing?
 Even if we had divine knowledge to tell us Silent Circle is secure,
 isn't it an overriding problem to encourage lock-in of closed source
 being acceptable for something as

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread T N
The other things I meant to add:

Most Linux distros are not running with their executable code on a
readonly filesystem, and it takes some effort to convert to a RO
configuration.

Also you cannot log in to a stock Chrome OS device as root.  That account
has logins disabled.  You have to flip to dev mode, in which case, the
machine will complain at every boot that its mode has been switched (so
you know).


Trever


On Thu, Feb 7, 2013 at 2:41 PM, T N  wrote:

> On Wed, Feb 6, 2013 at 2:16 PM, Jacob Appelbaum wrote:
>
>> It runs software that is in Debian, the GNU/Linux operating system. I
>> know, I've written some of it (eg: tlsdate). They do a good job of
>> locking things down but it is basically just another distribution of
>> Linux.
>>
>
> I don't agree it's "basically just another linux distribution" in that
> most distros (zero?) aren't using the dm-verity Google mostly wrote and
> contributed upstream for their purposes.  The distros could use it.
> Chrome OS is also totally stripped down compared to a typical linux
> distribution.  It runs X but the window manager is customized and their
> own (open source, but nonetheless).
>
> But yes- it's a Linux kernel with an admixture of userland things, some of
> which are GNU, some of which are not.
>
>
> This is hilarious.
>>
>> I would *never* use a laptop that lacks a way to protect all your
>> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
>> surveillance as an at risk person.
>
>
> It has ssh and supports a number of VPN protocols.  What's so funny?
>
>
>
>> Not only because the remote systems
>> will have your exact geographic location and because a lack of anonymity
>> allows for targeted attacks, but also because the local network is well
>> known to be seriously hostile!
>>
>> A persistent backdoor on your Chromebook is not actually impossible. I
>> have a few ideas for how to make it happen and I've discussed
>> security/development issues with the ChromeOS team on a nearly daily
>> basis.
>>
>
> Good luck with that.  Maybe you want to make some money this year at
> Pwnium?
>
>
> > Yes, you can't compare Chrome OS's attack surface to a typical linux
>> > distribution, or even a highly customized linux install which doesn't
>> have
>> > the hardware root of trust.
>> >
>>
>> Actually, I think you can compare it - one major advantage is that you
>> can protect your network traffic and compartmentalize your risk with any
>> Secure Boot enabled Linux distro. You can also do it without secure boot
>> and it isn't terribly hard as long as you draw arbitrary lines like "the
>> EFI firmware blobs and hardware are out of scope" which is what happens
>> with Secure Boot systems anyway.
>>
>
> I think you're seriously missing the point here.  My remarks were well
> qualified.  Conditionals have to be met:
>
> - IF you want low cost (time is money, so efforts to set up a Linux secure
> laptop that are time consuming are expensive, as is all the time you spent
> to learn how to do these things in the first place)
> - IF you want a somewhat naive user to use the device (eg. journalist)
> - etc.
>
> All you're saying is that "If I'm a total techie weenie with nothing but
> time on my hands I can do way better than a Chromebook".
>
> Well of course.  I don't disagree with something along those lines.  But
> that's not the practical use cases I was trying to summon.
>
> That said, to the extent that I sort of implied a Chromebook is some kind
> of safe thing to use in China for a person at risk... well no.  I would
> not want to stand on that!  And I actually agree with what you're saying as
> far as that goes.
>
> My point was for something off the shelf, I know of nothing better and as
> far as it goes... I'd say it's a step up for a lot people who should be
> using more secure IT technologies and methods than they are (such as some
> journalists), and they can take that step with minimal investment in time
> and energy and a chromebook will meet their needs.
>
> Trever
>
>
>
>
>
>
>>
>> All the best,
>> Jake
>>
>> >
>> >
>> >
>> > On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi  wrote:
>> >
>> >> The biggest (and very important) difference between Linux and
>> Chromebooks
>> >> is the hugely smaller attack surface.
>> >>
>> >>
>> >> NK
>> >>
>> >>
>> >> On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley > >wrote:
>> >>
>> >>> Andreas,
>> >>>
>> >>> Plenty of Syrians do have internet access, and use it on a regular
>> basis.
>> >>>
>> >>> Also, lack of appropriateness for one use-case doesn't necessitate
>> lack
>> >>> of appropriateness across the board.
>> >>>
>> >>> Linux is a great solution for many use cases, but as has been
>> elaborated,
>> >>> quite a terrible one for many others.
>> >>>
>> >>> Brian
>> >>>
>> >>>
>> >>> On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader <
>> noergelpi...@hotmail.de>wrote:
>> >>>
>>  On 02/06/2013 04:24 PM, Tom Ritter wrote:
>> > Nadim, I'm with you.  I'm not sure it's the perfect solution for
>> 
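
On what dm-verity buys a read-only root, since it comes up in this thread
and in Trever's point about executable code on a read-only filesystem: every
block of the filesystem is hashed into a tree, one root hash is handed to the
kernel by the verified-boot chain (on ChromeOS it rides on the signed
kernel's command line), and each block is checked against that tree when it
is read, so an offline modification of the root filesystem is refused rather
than executed. The model below is an added example for this thread, not
dm-verity's own code or on-disk format (the block size, salt, padding rule
and tree layout are assumptions), and the sample image is constructed.

```python
"""Toy model of dm-verity's verified read for a read-only root: a hash
tree over fixed-size blocks, one root hash vouched for by the boot chain,
and a per-block check on every read so that a modified block is refused
rather than used.  Added example for this thread; it follows the principle,
not dm-verity's on-disk format (block size, salt and tree layout here are
assumptions).  The sample image is constructed."""
import hashlib

BLOCK = 16                  # bytes per block; real systems use 4096
SALT = b"constructed-salt"  # dm-verity salts its hashes; value assumed
ZERO = bytes(32)            # padding node for a non-power-of-two tree


def h(*parts):
    d = hashlib.sha256(SALT)
    for p in parts:
        d.update(p)
    return d.digest()


def split_blocks(image):
    """Fixed-size blocks, the last one zero-padded like a device's tail."""
    return [image[i:i + BLOCK].ljust(BLOCK, b"\0")
            for i in range(0, len(image), BLOCK)]


def build_tree(image):
    """Levels from the leaves (one hash per block) up to the root.
    Leaves are padded to a power of two so every node has a sibling."""
    level = [h(b) for b in split_blocks(image)]
    while len(level) & (len(level) - 1):
        level.append(ZERO)
    levels = [level]
    while len(level) > 1:
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root_hash(levels):
    return levels[-1][0]


def proof(levels, index):
    """Sibling hashes from the leaf up to (not including) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path


def verify_block(index, block, path, root):
    """Recompute the path from this block to the root and compare with the
    trusted root hash; True only for an unmodified block."""
    node = h(block.ljust(BLOCK, b"\0"))
    for sibling in path:
        node = h(node, sibling) if index & 1 == 0 else h(sibling, node)
        index >>= 1
    return node == root


def read_verified(storage, index, levels, root):
    """Verified read: hand back the block or raise, which is what the kernel
    turns into an I/O error for the process that asked."""
    block = storage[index]
    if not verify_block(index, block, proof(levels, index), root):
        raise IOError(f"block {index} failed dm-verity style check")
    return block


# Constructed 5-block "root filesystem image" (padded to 8 leaves).
IMAGE = b"".join(f"/bin/tool-{i}".encode().ljust(BLOCK, b".") for i in range(5))

if __name__ == "__main__":
    levels = build_tree(IMAGE)
    root = root_hash(levels)        # the value the boot chain must vouch for
    storage = split_blocks(IMAGE)
    print("root:", root.hex())
    print("clean read ok:", read_verified(storage, 2, levels, root) == storage[2])
    storage[2] = b"X" + storage[2][1:]   # offline tamper with one byte
    try:
        read_verified(storage, 2, levels, root)
    except IOError as e:
        print("tampered read refused:", e)
```

The part that matters for the thread is where the root hash lives: the tree
only helps if the root is covered by something the attacker cannot rewrite
from userland, which is why it is tied to the signed kernel rather than
stored next to the data it protects. A distro that mounts its root
read-only without that anchor still lets a root-level attacker remount and
edit it.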

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread T N
On Wed, Feb 6, 2013 at 2:16 PM, Jacob Appelbaum  wrote:

> It runs software that is in Debian, the GNU/Linux operating system. I
> know, I've written some of it (eg: tlsdate). They do a good job of
> locking things down but it is basically just another distribution of Linux.
>

I don't agree it's "basically just another linux distribution" in that most
distros (zero?) aren't using the dm-verity Google mostly wrote and
contributed upstream for their purposes.  The distros could use it.
Chrome OS is also totally stripped down compared to a typical linux
distribution.  It runs X but the window manager is customized and their
own (open source, but nonetheless).

But yes- it's a Linux kernel with an admixture of userland things, some of
which are GNU, some of which are not.


This is hilarious.
>
> I would *never* use a laptop that lacks a way to protect all your
> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
> surveillance as an at risk person.


It has ssh and supports a number of VPN protocols.  What's so funny?



> Not only because the remote systems
> will have your exact geographic location and because a lack of anonymity
> allows for targeted attacks, but also because the local network is well
> known to be seriously hostile!
>
> A persistent backdoor on your Chromebook is not actually impossible. I
> have a few ideas for how to make it happen and I've discussed
> security/development issues with the ChromeOS team on a nearly daily basis.
>

Good luck with that.  Maybe you want to make some money this year at Pwnium?


> Yes, you can't compare Chrome OS's attack surface to a typical linux
> > distribution, or even a highly customized linux install which doesn't
> have
> > the hardware root of trust.
> >
>
> Actually, I think you can compare it - one major advantage is that you
> can protect your network traffic and compartmentalize your risk with any
> Secure Boot enabled Linux distro. You can also do it without secure boot
> and it isn't terribly hard as long as you draw arbitrary lines like "the
> EFI firmware blobs and hardware are out of scope" which is what happens
> with Secure Boot systems anyway.
>

I think you're seriously missing the point here.  My remarks were well
qualified.  Conditionals have to be met:

- IF you want low cost (time is money, so efforts to set up a Linux secure
laptop that are time consuming are expensive, as is all the time you spent
to learn how to do these things in the first place)
- IF you want a somewhat naive user to use the device (eg. journalist)
- etc.

All you're saying is that "If I'm a total techie weenie with nothing but
time on my hands I can do way better than a Chromebook".

Well of course.  I don't disagree with something along those lines.  But
that's not the practical use cases I was trying to summon.

That said, to the extent that I sort of implied a Chromebook is some kind
of safe thing to use in China for a person at risk... well no.  I would
not want to stand on that!  And I actually agree with what you're saying as
far as that goes.

My point was for something off the shelf, I know of nothing better and as
far as it goes... I'd say it's a step up for a lot people who should be
using more secure IT technologies and methods than they are (such as some
journalists), and they can take that step with minimal investment in time
and energy and a chromebook will meet their needs.

Trever






>
> All the best,
> Jake
>
> >
> >
> >
> > On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi  wrote:
> >
> >> The biggest (and very important) difference between Linux and
> Chromebooks
> >> is the hugely smaller attack surface.
> >>
> >>
> >> NK
> >>
> >>
> >> On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley  >wrote:
> >>
> >>> Andreas,
> >>>
> >>> Plenty of Syrians do have internet access, and use it on a regular
> basis.
> >>>
> >>> Also, lack of appropriateness for one use-case doesn't necessitate lack
> >>> of appropriateness across the board.
> >>>
> >>> Linux is a great solution for many use cases, but as has been
> elaborated,
> >>> quite a terrible one for many others.
> >>>
> >>> Brian
> >>>
> >>>
> >>> On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader  >wrote:
> >>>
>  On 02/06/2013 04:24 PM, Tom Ritter wrote:
> > Nadim, I'm with you.  I'm not sure it's the perfect solution for
> > everyone, but like Nathan said, if you already trust Google, I think
> > it's a good option.
> >
> > On 6 February 2013 07:12, Andreas Bader 
>  wrote:
> >> Why don't you use an old thinkpad or something with Linux, you have
>  the
> >> same price like a Chromebook but more control over the system. And
> you
> >> don't depend on the 3G and Wifi net.
> > We started with the notion of Linux, and we were attracted to
> > Chromebooks for a bunch of reasons.  Going back to Linux loses all
> the
> > things we were attracted to.
> >
> > - ChromeOS's attack surface is infinitely smaller than with Linux
> > - Th

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Nadim Kobeissi
On Thu, Feb 7, 2013 at 3:06 PM, Jacob Appelbaum  wrote:

>
> This is a new (to me) feature; thanks for pointing it out. I'm glad to
> see it finally landed and is in production. Would someone with a
> ChromeOS device test the VPN to see if it leaks the way that we
> described in our vpwned[0] paper?
>

Ah, no problem. It's actually been a feature since August 2011.
I do have a Chromebook and will test out the VPN and monitor traffic if I
have time this weekend.


>
> It should be rather straight forward to see if it leaks with trivial
> tests. Killing the VPN to see if it fails open should also be straight
> forward. I would be pleasantly surprised if they were not vulnerable to
> either of those issues. I asked a ChromeOS security person their
> thoughts on the matter and passed them our paper; we'll see what they say.
>
> All the best,
> Jake
>
> [0]
> https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf
>
> >>
> >>
> >
> >>>
> >>>
> >>>
> >>> On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi 
> wrote:
> >>>
>  The biggest (and very important) difference between Linux and
> >> Chromebooks
>  is the hugely smaller attack surface.
> 
> 
>  NK
> 
> 
>  On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley <
> bri...@smallworldnews.tv
> >>> wrote:
> 
> > Andreas,
> >
> > Plenty of Syrians do have internet access, and use it on a regular
> >> basis.
> >
> > Also, lack of appropriateness for one use-case doesn't necessitate
> lack
> > of appropriateness across the board.
> >
> > Linux is a great solution for many use cases, but as has been
> >> elaborated,
> > quite a terrible one for many others.
> >
> > Brian
> >
> >
> > On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader <
> noergelpi...@hotmail.de
> >>> wrote:
> >
> >> On 02/06/2013 04:24 PM, Tom Ritter wrote:
> >>> Nadim, I'm with you.  I'm not sure it's the perfect solution for
> >>> everyone, but like Nathan said, if you already trust Google, I
> think
> >>> it's a good option.
> >>>
> >>> On 6 February 2013 07:12, Andreas Bader 
> >> wrote:
>  Why don't you use an old thinkpad or something with Linux, you
> have
> >> the
>  same price like a Chromebook but more control over the system. And
> >> you
>  don't depend on the 3G and Wifi net.
> >>> We started with the notion of Linux, and we were attracted to
> >>> Chromebooks for a bunch of reasons.  Going back to Linux loses all
> >> the
> >>> things we were attracted to.
> >>>
> >>> - ChromeOS's attack surface is infinitely smaller than with Linux
> >>> - The architecture of ChromeOS is different from Linux - process
> >>> separation through SOP, as opposed to no process separation at all
> >>> - ChromeOS was *designed* to have you logout, and hand the device
> >> over
> >>> to someone else to login, and get no access to your stuff.  Extreme
> >>> Hardware attacks aside, it works pretty well.
> >>> - ChromeOS's update mechanism is automatic, transparent, and
> >> basically
> >>> foolproof.  Having bricked Ubuntu and Gentoo systems, the same is
> not
> >>> true of Linux.
> >>> - Verified Boot, automatic FDE, tamper-resistant hardware
> >>>
> >>> Something I'm curious about is, if any less-popular device became
> >>> popular among the activist community - would the government view it
> >>> as an indicator of interest?  Just like they block Tor, would they
> >>> block Chromebooks?  It'd have to get pretty darn popular first
> >> though.
> >>>
> >>> -tom
> >>> --
> >>>
> >> But you can't use it for political activists e.g. in Syria because
> of
> >> its dependence on the internet connection. This fact is
> authoritative.
> >> For Europe and USA and so on it might be a good solution.
> >> --
> >> Unsubscribe, change to digest, or change password at:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >>
> >
> >
> >
> > --
> >
> >
> >
> > Brian Conley
> >
> > Director, Small World News
> >
> > http://smallworldnews.tv
> >
> > m: 646.285.2046
> >
> > Skype: brianjoelconley
> >
> >
> >
> > --
> > Unsubscribe, change to digest, or change password at:
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >
> 
> 
>  --
>  Unsubscribe, change to digest, or change password at:
>  https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 
> >>>
> >>>
> >>>
> >>> --
> >>> Unsubscribe, change to digest, or change password at:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >>>
> >>
> >> --
> >> Unsubscribe, change to digest, or change password at:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >>
> >
> >
> >
> > --
> > Unsubscribe, change to digest, or change p
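
The two tests Jake describes above, whether anything bypasses the tunnel
while it is up and whether the machine fails open once the tunnel drops, can
be read off the routing table and resolver configuration before a single
packet is sent. The script below is an added example for this thread, not
code from the vpwned paper, from Nadim's test, or from ChromeOS; it parses
the text of `ip route`, `ip -6 route` and resolv.conf on a Linux client, and
the tables are constructed samples of an OpenVPN client that used
redirect-gateway def1 (the 0.0.0.0/1 and 128.0.0.0/1 routes) but left the
router-advertised IPv6 default and the DHCP resolver untouched.

```python
"""Offline check of the two VPN failure modes discussed in this thread:
traffic that bypasses the tunnel while the VPN is up (IPv4, IPv6, DNS) and
a VPN that fails open when the tunnel goes away.  Added example for the
thread, not code from the vpwned paper or from ChromeOS.  It parses the
text of `ip route`, `ip -6 route` and resolv.conf from a Linux client; the
tables below are constructed samples."""
import ipaddress
import re

_DEV = re.compile(r"\bdev (\S+)")
_METRIC = re.compile(r"\bmetric (\d+)")
_DROP_TYPES = ("blackhole", "unreachable", "prohibit")


def parse_routes(text, family=4):
    """Turn `ip route` output into (network, device, metric) tuples.
    blackhole/unreachable/prohibit routes get the pseudo-device 'DROP'."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        drop = fields[0] in _DROP_TYPES
        dest = fields[1] if drop else fields[0]
        net = ipaddress.ip_network(default if dest == "default" else dest, strict=False)
        dev = _DEV.search(line)
        metric = _METRIC.search(line)
        routes.append((net, "DROP" if drop else (dev.group(1) if dev else "?"),
                       int(metric.group(1)) if metric else 0))
    return routes


def lookup(routes, address):
    """Longest-prefix match, lowest metric on ties; None if unrouted."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, dev, metric in routes:
        if net.version != ip.version or ip not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, dev)
    return best[1] if best else None


def nameservers(resolv_conf):
    return [l.split()[1] for l in resolv_conf.splitlines()
            if l.strip().startswith("nameserver")]


def leak_findings(v4, v6, resolv_conf, tun="tun0"):
    """Everything that leaves via an interface other than the tunnel."""
    findings = []
    # One public address in each half of the v4 space: OpenVPN's
    # redirect-gateway def1 covers them with 0.0.0.0/1 and 128.0.0.0/1.
    for dst in ("1.1.1.1", "198.51.100.10"):
        dev = lookup(v4, dst)
        if dev != tun:
            findings.append(f"IPv4 to {dst} leaves via {dev}")
    # A global v6 destination that exits a physical interface is the classic
    # leak: the VPN redirected v4 only, and v6-capable sites see the real
    # address.  No v6 route at all (None) is not a leak.
    dev6 = lookup(v6, "2001:db8::1")
    if dev6 not in (None, "DROP", tun):
        findings.append(f"IPv6 leaves via {dev6}: no v6 default through {tun}")
    for ns in nameservers(resolv_conf):
        dev = lookup(v4 if "." in ns else v6, ns)
        if dev != tun:
            findings.append(f"DNS to {ns} leaves via {dev}")
    return findings


def fails_open(v4_after_drop, tun="tun0"):
    """With the tunnel gone, does a public destination still route out of a
    physical interface?  A fail-closed setup leaves a blackhole/unreachable
    default or a firewall rule instead (modelled here as 'DROP')."""
    dev = lookup(v4_after_drop, "1.1.1.1")
    return dev is not None and dev not in (tun, "DROP")


# Constructed: OpenVPN client on wlan0 with redirect-gateway def1 for v4,
# but the router-advertised v6 default and the DHCP resolver are untouched.
V4_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
203.0.113.7 via 192.168.1.1 dev wlan0
"""
V6_UP = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 600
"""
RESOLV_UP = "nameserver 192.168.1.1\n"
# Constructed: the same host after the VPN process is killed (tun0 gone)...
V4_DOWN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""
# ...and with a kill-switch route that outranks the DHCP default.
V4_DOWN_CLOSED = "blackhole default metric 1\n" + V4_DOWN

if __name__ == "__main__":
    for f in leak_findings(parse_routes(V4_UP), parse_routes(V6_UP, 6), RESOLV_UP):
        print("LEAK:", f)
    print("fails open:", fails_open(parse_routes(V4_DOWN)))
    print("fails open with kill switch:", fails_open(parse_routes(V4_DOWN_CLOSED)))
```

Live use on a Linux client is feeding it the output of `ip -4 route show`,
`ip -6 route show` and /etc/resolv.conf, then killing the VPN process and
feeding it the routing table again. The routing view is the cheap half of
the test; it cannot see a packet filter, and on a stock Chromebook there is
no shell to run it from, so there the same questions have to be answered
from outside with a capture on the local network while the VPN is up and
again right after it is torn down.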

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
I do have to wonder why they've twice mentioned embargoes countries they
couldn't sell to legally anyway.

Is there something I'm missing about ~selling~ dissidents solutions in Iran
and NK? US Government have an exception for that? -Ali
On Feb 7, 2013 4:38 PM, "Nadim Kobeissi"  wrote:

> “I tell them go ahead and use Skype — I don’t even want to talk to you.
> This is for serious people interested in serious cryptography,” Zimmermann
> said. “We are not Facebook. We are the opposite of Facebook.”
>
> http://bits.blogs.nytimes.com/2013/02/05/security-pioneer-creates-service-to-encrypt-phone-calls-and-text-messages/
>
>
> NK
>
>
> On Thu, Feb 7, 2013 at 4:32 PM, Nadim Kobeissi  wrote:
>
>> The latest "unbreakable even by a supercomputer" article includes
>> artistic, black and white photographs of Phil Zimmermann and John Callas:
>>
>> http://www.dailymail.co.uk/sciencetech/article-2274597/How-foil-eavesdroppers-The-smartphone-encryption-app-promises-make-communications-private-again.html#axzz2KDR1XKE6
>>
>>
>> NK
>>
>>
>> On Thu, Feb 7, 2013 at 4:15 PM, Ali-Reza Anghaie wrote:
>>
>>> And even the "proponents" already have. Here, elsewhere, .. Nobody is
>>> happy at technically ignorant gee-whiz journalism.
>>>
>>> The discussion has been, a few times now, how we tend to speak out about
>>> it. And what buses people on the same side seem willing to throw each
>>> other under. Gods know why. -Ali
>>>  On Feb 7, 2013 3:46 PM, "Jillian C. York" 
>>> wrote:
>>>
 I'm not going to get into the politics or pettiness of this because
 frankly, I don't care.

 But this 
 headlineand
  the accompanying claims of unbreakability are so incredibly egregious
 that I would expect *every single person on this list* to speak out
 against those (claims, that is), regardless of their feelings on the actual
 product.



 On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys 
 wrote:

> Just as a reminder, please let's all try to refrain from engaging in
> any personal attacks.  We all build and use liberationtech to make a
> difference in various ways, and we're bound to have disagreements.  But
> let's not forget that we're all working toward the same broad goal of
> making people's lives better.  Otherwise, we would likely not be on this
> list.
>
> Best,
>
> YC
>
> On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie  > wrote:
>
>> Douglas, I'm not sure many people are disagreeing with the end-goals
>> and even Zimmerman acknowledges the window for verifiable source proof is
>> closing fast (longer than many would have liked as-is).
>>
>> My comments to Nadim are coming from a tact perspective - if the goal
>> is to gain wider adoption and recognition for all the community work, 
>> good
>> projects, verified projects, etc. etc. then it helps when you play in the
>> sandboxes occupied by more than the hackers and programmers making it 
>> happen.
>>
>> It's not uncommon to have people, who need solutions the most, to be
>> afraid of projects because of the "main name" associated with them after
>> some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = 
>> OpenBSD,
>> etc. etc.
>>
>> It's easy to tell everyone else to pound sand or to roll all activist
>> causes into one for the collective libtech "us" - it's not so easy when 
>> we
>> take it elsewhere. Just trying to see how we can promote things that look
>> less like personal gripes and trolls - and more like building something
>> useful. -Ali
>>
>>
>>
>> On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas wrote:
>>
>>> Can Silent Circle promoters explain why Zimmerman is excused from
>>> Kerckhoffs's principle?
>>>
>>> Is it because something unverifiable is allegedly better than
>>> nothing?
>>> Even if we had divine knowledge to tell us Silent Circle is secure,
>>> isn't it an overriding problem to encourage lock-in of closed source
>>> being acceptable for something as common as text-messaging?
>>>
>>> It is good to have a scrappy talented young person such as Nadim
>>> being
>>> pesky to older, accepted people.
>>>
>>>
>>> On 02/07/2013 09:45 AM, Julien Rabier wrote:
>>> > Hello all,
>>> >
>>> > I'm no sec expert but to me, it's so obvious that Nadim is right
>>> on this.
>>> > Perhaps the form is not perfect, but if he's the only one fighting
>>> for our
>>> > own sanity here, as he says, that's no surprise.
>>> >
>>> > We should all be asking Silent Circle to commit to their statement
>>> and show
>>> > us the source code of their so-called unbreakable encryption tools.
>>> >
>>> > Again, I'm no sec expert and I

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Nadim Kobeissi
“I tell them go ahead and use Skype — I don’t even want to talk to you.
This is for serious people interested in serious cryptography,” Zimmermann
said. “We are not Facebook. We are the opposite of Facebook.”
http://bits.blogs.nytimes.com/2013/02/05/security-pioneer-creates-service-to-encrypt-phone-calls-and-text-messages/


NK


On Thu, Feb 7, 2013 at 4:32 PM, Nadim Kobeissi  wrote:

> The latest "unbreakable even by a supercomputer" article includes
> artistic, black and white photographs of Phil Zimmermann and John Callas:
>
> http://www.dailymail.co.uk/sciencetech/article-2274597/How-foil-eavesdroppers-The-smartphone-encryption-app-promises-make-communications-private-again.html#axzz2KDR1XKE6
>
>
> NK
>
>
> On Thu, Feb 7, 2013 at 4:15 PM, Ali-Reza Anghaie wrote:
>
>> And even the "proponents" already have. Here, elsewhere, .. Nobody is
>> happy at technically ignorant gee-whiz journalism.
>>
>> The discussion has been, a few times now, how we tend to speak out about
>> it. And what buses people on the same side seem willing to throw each
>> other under. Gods know why. -Ali
>>  On Feb 7, 2013 3:46 PM, "Jillian C. York" 
>> wrote:
>>
>>> I'm not going to get into the politics or pettiness of this because
>>> frankly, I don't care.
>>>
>>> But this 
>>> headlineand
>>>  the accompanying claims of unbreakability are so incredibly egregious
>>> that I would expect *every single person on this list* to speak out
>>> against those (claims, that is), regardless of their feelings on the actual
>>> product.
>>>
>>>
>>>
>>> On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys 
>>> wrote:
>>>
 Just as a reminder, please let's all try to refrain from engaging in
 any personal attacks.  We all build and use liberationtech to make a
 difference in various ways, and we're bound to have disagreements.  But
 let's not forget that we're all working toward the same broad goal of
 making people's lives better.  Otherwise, we would likely not be on this
 list.

 Best,

 YC

 On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie 
 wrote:

> Douglas, I'm not sure many people are disagreeing with the end-goals
> and even Zimmerman acknowledges the window for verifiable source proof is
> closing fast (longer than many would have liked as-is).
>
> My comments to Nadim are coming from a tact perspective - if the goal
> is to gain wider adoption and recognition for all the community work, good
> projects, verified projects, etc. etc. then it helps when you play in the
> sandboxes occupied by more than the hackers and programmers making it 
> happen.
>
> It's not uncommon to have people, who need solutions the most, to be
> afraid of projects because of the "main name" associated with them after
> some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD,
> etc. etc.
>
> It's easy to tell everyone else to pound sand or to roll all activist
> causes into one for the collective libtech "us" - it's not so easy when we
> take it elsewhere. Just trying to see how we can promote things that look
> less like personal gripes and trolls - and more like building something
> useful. -Ali
>
>
>
> On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas  wrote:
>
>> Can Silent Circle promoters explain why Zimmermann is excused from
>> Kerckhoffs's principle?
>>
>> Is it because something unverifiable is allegedly better than nothing?
>> Even if we had divine knowledge to tell us Silent Circle is secure,
>> isn't it an overriding problem to encourage lock-in of closed source
>> being acceptable for something as common as text-messaging?
>>
>> It is good to have a scrappy talented young person such as Nadim being
>> pesky to older, accepted people.
>>
>>
>> On 02/07/2013 09:45 AM, Julien Rabier wrote:
>> > Hello all,
>> >
>> > I'm no sec expert but to me, it's so obvious that Nadim is right on this.
>> > Perhaps the form is not perfect, but if he's the only one fighting for our
>> > own sanity here, as he says, that's no surprise.
>> >
>> > We should all be asking Silent Circle to commit to their statement and show
>> > us the source code of their so-called unbreakable encryption tools.
>> >
>> > Again, I'm no sec expert and I won't be the guy who will do the hard task of
>> > auditing and reviewing this code. But as a user, as a citizen and perhaps an
>> > activist, I want the source code of such tools to be reviewed widely and
>> > publicly before using and promoting it.
>> >
>> > My 2 euro cents,
>> > Julien
>> >
>> > On 07 Feb - 10:31, Nadim Kobeissi wrote:
>> >> Small follow-up:
>> >> Maybe it'

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Nadim Kobeissi
The latest "unbreakable even by a supercomputer" article includes artistic,
black and white photographs of Phil Zimmermann and John Callas:
http://www.dailymail.co.uk/sciencetech/article-2274597/How-foil-eavesdroppers-The-smartphone-encryption-app-promises-make-communications-private-again.html#axzz2KDR1XKE6


NK


On Thu, Feb 7, 2013 at 4:15 PM, Ali-Reza Anghaie wrote:

> And even the "proponents" already have. Here, elsewhere, .. Nobody is
> happy at technically ignorant gee-whiz journalism.
>
> The discussion has been, a few times now, how we tend to speak out about
> it. And what buses people on the same side seem willing to throw each
> other under. Gods know why. -Ali
>  On Feb 7, 2013 3:46 PM, "Jillian C. York"  wrote:
>
>> I'm not going to get into the politics or pettiness of this because
>> frankly, I don't care.
>>
>> But this headline and the accompanying claims of unbreakability are so incredibly egregious
>> that I would expect *every single person on this list* to speak out
>> against those (claims, that is), regardless of their feelings on the actual
>> product.
>>
>>
>>
>> On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys wrote:
>>
>>> Just as a reminder, please let's all try to refrain from engaging in any
>>> personal attacks.  We all build and use liberationtech to make a
>>> difference in various ways, and we're bound to have disagreements.  But
>>> let's not forget that we're all working toward the same broad goal of
>>> making people's lives better.  Otherwise, we would likely not be on this
>>> list.
>>>
>>> Best,
>>>
>>> YC
>>>
>>> On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie 
>>> wrote:
>>>
 Douglas, I'm not sure many people are disagreeing with the end-goals
 and even Zimmermann acknowledges the window for verifiable source proof is
 closing fast (longer than many would have liked as-is).

 My comments to Nadim are coming from a tact perspective - if the goal
 is to gain wider adoption and recognition for all the community work, good
 projects, verified projects, etc. etc. then it helps when you play in the
 sandboxes occupied by more than the hackers and programmers making it
 happen.

 It's not uncommon to have people, who need solutions the most, to be
 afraid of projects because of the "main name" associated with them after
 some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD,
 etc. etc.

 It's easy to tell everyone else to pound sand or to roll all activist
 causes into one for the collective libtech "us" - it's not so easy when we
 take it elsewhere. Just trying to see how we can promote things that look
 less like personal gripes and trolls - and more like building something
 useful. -Ali



 On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas  wrote:

> Can Silent Circle promoters explain why Zimmermann is excused from
> Kerckhoffs's principle?
>
> Is it because something unverifiable is allegedly better than nothing?
> Even if we had divine knowledge to tell us Silent Circle is secure,
> isn't it an overriding problem to encourage lock-in of closed source
> being acceptable for something as common as text-messaging?
>
> It is good to have a scrappy talented young person such as Nadim being
> pesky to older, accepted people.
>
>
> On 02/07/2013 09:45 AM, Julien Rabier wrote:
> > Hello all,
> >
> > I'm no sec expert but to me, it's so obvious that Nadim is right on this.
> > Perhaps the form is not perfect, but if he's the only one fighting for our
> > own sanity here, as he says, that's no surprise.
> >
> > We should all be asking Silent Circle to commit to their statement and show
> > us the source code of their so-called unbreakable encryption tools.
> >
> > Again, I'm no sec expert and I won't be the guy who will do the hard task of
> > auditing and reviewing this code. But as a user, as a citizen and perhaps an
> > activist, I want the source code of such tools to be reviewed widely and
> > publicly before using and promoting it.
> >
> > My 2 euro cents,
> > Julien
> >
> > On 07 Feb - 10:31, Nadim Kobeissi wrote:
> >> Small follow-up:
> >> Maybe it's true I look like my goal here is just to foam at the mouth at
> >> Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
> >> truly sorry. These are not my goals, even if my method seems forced.
> >>
> >> I've tried writing multiple blog posts about Silent Circle, contacting
> >> Silent Circle, asking journalists to *please* mention the importance of
> >> free, open source in cryptography, and so on. All of this has failed. It
> >

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Jens Christian Hillerup
On Thu, Feb 7, 2013 at 5:34 PM, scarp  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Jens Christian Hillerup:
>> Hear-hear. They don't need to open-source their software to
>> convince me, as long as they are open about their protocol at
>> least.
>
> And what if there's a second set of decryption master keys? You're
> willing to trust them because they say "We're famous guys, we won't do
> anything bad, and plus we hate naughty governments."

No, I think we agree. I meant by protocol that it'd be possible for me
to create a client for the service from scratch (maybe even the server
part, too, but not strictly needed), i.e. I get to choose the
encryption key(s), etc. Sorry for the misunderstanding.

JC


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
And even the "proponents" already have. Here, elsewhere, .. Nobody is happy
at technically ignorant gee-whiz journalism.

The discussion has been, a few times now, how we tend to speak out about
it. And what buses people on the same side seem willing to throw each
other under. Gods know why. -Ali
 On Feb 7, 2013 3:46 PM, "Jillian C. York"  wrote:

> I'm not going to get into the politics or pettiness of this because
> frankly, I don't care.
>
> But this headline and the accompanying claims of unbreakability are so incredibly egregious
> that I would expect *every single person on this list* to speak out
> against those (claims, that is), regardless of their feelings on the actual
> product.
>
>
>
> On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys wrote:
>
>> Just as a reminder, please let's all try to refrain from engaging in any
>> personal attacks.  We all build and use liberationtech to make a
>> difference in various ways, and we're bound to have disagreements.  But
>> let's not forget that we're all working toward the same broad goal of
>> making people's lives better.  Otherwise, we would likely not be on this
>> list.
>>
>> Best,
>>
>> YC
>>
>> On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie 
>> wrote:
>>
>>> Douglas, I'm not sure many people are disagreeing with the end-goals and
>>> even Zimmermann acknowledges the window for verifiable source proof is
>>> closing fast (longer than many would have liked as-is).
>>>
>>> My comments to Nadim are coming from a tact perspective - if the goal is
>>> to gain wider adoption and recognition for all the community work, good
>>> projects, verified projects, etc. etc. then it helps when you play in the
>>> sandboxes occupied by more than the hackers and programmers making it happen.
>>>
>>> It's not uncommon to have people, who need solutions the most, to be
>>> afraid of projects because of the "main name" associated with them after
>>> some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD,
>>> etc. etc.
>>>
>>> It's easy to tell everyone else to pound sand or to roll all activist
>>> causes into one for the collective libtech "us" - it's not so easy when we
>>> take it elsewhere. Just trying to see how we can promote things that look
>>> less like personal gripes and trolls - and more like building something
>>> useful. -Ali
>>>
>>>
>>>
>>> On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas  wrote:
>>>
 Can Silent Circle promoters explain why Zimmermann is excused from
 Kerckhoffs's principle?

 Is it because something unverifiable is allegedly better than nothing?
 Even if we had divine knowledge to tell us Silent Circle is secure,
 isn't it an overriding problem to encourage lock-in of closed source
 being acceptable for something as common as text-messaging?

 It is good to have a scrappy talented young person such as Nadim being
 pesky to older, accepted people.


 On 02/07/2013 09:45 AM, Julien Rabier wrote:
 > Hello all,
 >
 > I'm no sec expert but to me, it's so obvious that Nadim is right on this.
 > Perhaps the form is not perfect, but if he's the only one fighting for our
 > own sanity here, as he says, that's no surprise.
 >
 > We should all be asking Silent Circle to commit to their statement and show
 > us the source code of their so-called unbreakable encryption tools.
 >
 > Again, I'm no sec expert and I won't be the guy who will do the hard task of
 > auditing and reviewing this code. But as a user, as a citizen and perhaps an
 > activist, I want the source code of such tools to be reviewed widely and
 > publicly before using and promoting it.
 >
 > My 2 euro cents,
 > Julien
 >
 > On 07 Feb - 10:31, Nadim Kobeissi wrote:
 >> Small follow-up:
 >> Maybe it's true I look like my goal here is just to foam at the mouth at
 >> Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
 >> truly sorry. These are not my goals, even if my method seems forced.
 >>
 >> I've tried writing multiple blog posts about Silent Circle, contacting
 >> Silent Circle, asking journalists to *please* mention the importance of
 >> free, open source in cryptography, and so on. All of this has failed. It
 >> has simply become clear to me that Silent Circle enjoys a double standard
 >> because of the reputation of those behind it.
 >>
 >> Silent Circle may be developed by Gods, but this is just quite plainly
 >> unfair. If someone repeatedly claims, towards activists, to have developed
 >> "unbreakable encryption", markets it closed-source for money, and receives
 >> nothing but nods of recognition and applause from the press and even
 >> from *sec

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Jillian C. York
I'm not going to get into the politics or pettiness of this because
frankly, I don't care.

But this headline and the accompanying claims of unbreakability are so incredibly egregious
that I would expect *every single person on this list* to speak out against
those (claims, that is), regardless of their feelings on the actual product.



On Thu, Feb 7, 2013 at 12:20 PM, Yosem Companys wrote:

> Just as a reminder, please let's all try to refrain from engaging in any
> personal attacks.  We all build and use liberationtech to make a
> difference in various ways, and we're bound to have disagreements.  But
> let's not forget that we're all working toward the same broad goal of
> making people's lives better.  Otherwise, we would likely not be on this
> list.
>
> Best,
>
> YC
>
> On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie wrote:
>
>> Douglas, I'm not sure many people are disagreeing with the end-goals and
>> even Zimmermann acknowledges the window for verifiable source proof is
>> closing fast (longer than many would have liked as-is).
>>
>> My comments to Nadim are coming from a tact perspective - if the goal is
>> to gain wider adoption and recognition for all the community work, good
>> projects, verified projects, etc. etc. then it helps when you play in the
>> sandboxes occupied by more than the hackers and programmers making it happen.
>>
>> It's not uncommon to have people, who need solutions the most, to be
>> afraid of projects because of the "main name" associated with them after
>> some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD,
>> etc. etc.
>>
>> It's easy to tell everyone else to pound sand or to roll all activist
>> causes into one for the collective libtech "us" - it's not so easy when we
>> take it elsewhere. Just trying to see how we can promote things that look
>> less like personal gripes and trolls - and more like building something
>> useful. -Ali
>>
>>
>>
>> On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas  wrote:
>>
>>> Can Silent Circle promoters explain why Zimmermann is excused from
>>> Kerckhoffs's principle?
>>>
>>> Is it because something unverifiable is allegedly better than nothing?
>>> Even if we had divine knowledge to tell us Silent Circle is secure,
>>> isn't it an overriding problem to encourage lock-in of closed source
>>> being acceptable for something as common as text-messaging?
>>>
>>> It is good to have a scrappy talented young person such as Nadim being
>>> pesky to older, accepted people.
>>>
>>>
>>> On 02/07/2013 09:45 AM, Julien Rabier wrote:
>>> > Hello all,
>>> >
>>> > I'm no sec expert but to me, it's so obvious that Nadim is right on this.
>>> > Perhaps the form is not perfect, but if he's the only one fighting for our
>>> > own sanity here, as he says, that's no surprise.
>>> >
>>> > We should all be asking Silent Circle to commit to their statement and show
>>> > us the source code of their so-called unbreakable encryption tools.
>>> >
>>> > Again, I'm no sec expert and I won't be the guy who will do the hard task of
>>> > auditing and reviewing this code. But as a user, as a citizen and perhaps an
>>> > activist, I want the source code of such tools to be reviewed widely and
>>> > publicly before using and promoting it.
>>> >
>>> > My 2 euro cents,
>>> > Julien
>>> >
>>> > On 07 Feb - 10:31, Nadim Kobeissi wrote:
>>> >> Small follow-up:
>>> >> Maybe it's true I look like my goal here is just to foam at the mouth at
>>> >> Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
>>> >> truly sorry. These are not my goals, even if my method seems forced.
>>> >>
>>> >> I've tried writing multiple blog posts about Silent Circle, contacting
>>> >> Silent Circle, asking journalists to *please* mention the importance of
>>> >> free, open source in cryptography, and so on. All of this has failed. It
>>> >> has simply become clear to me that Silent Circle enjoys a double standard
>>> >> because of the reputation of those behind it.
>>> >>
>>> >> Silent Circle may be developed by Gods, but this is just quite plainly
>>> >> unfair. If someone repeatedly claims, towards activists, to have developed
>>> >> "unbreakable encryption", markets it closed-source for money, and receives
>>> >> nothing but nods of recognition and applause from the press and even
>>> >> from *security experts* (?!) then something is seriously wrong! No one
>>> >> should be allowed to commit these wrongs, not even Silent Circle.
>>> >>
>>> >> I feel like I'm fighting for our own sanity here. Look at what you're
>>> >> allowing to happen!
>>> >>
>>> >>
>>> >> NK
>>> >>
>>> >>
>>> >> On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi 
>>> wrote:
>>> >>
>>> >>> On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian <ch...@soghoian.net> wrote:
>>> >>>
>>> 
>>> >>>

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Yosem Companys
Just as a reminder, please let's all try to refrain from engaging in any
personal attacks.  We all build and use liberationtech to make a
difference in various ways, and we're bound to have disagreements.  But
let's not forget that we're all working toward the same broad goal of
making people's lives better.  Otherwise, we would likely not be on this
list.

Best,

YC

On Thu, Feb 7, 2013 at 11:21 AM, Ali-Reza Anghaie wrote:

> Douglas, I'm not sure many people are disagreeing with the end-goals and
> even Zimmermann acknowledges the window for verifiable source proof is
> closing fast (longer than many would have liked as-is).
>
> My comments to Nadim are coming from a tact perspective - if the goal is
> to gain wider adoption and recognition for all the community work, good
> projects, verified projects, etc. etc. then it helps when you play in the
> sandboxes occupied by more than the hackers and programmers making it happen.
>
> It's not uncommon to have people, who need solutions the most, to be
> afraid of projects because of the "main name" associated with them after
> some cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD,
> etc. etc.
>
> It's easy to tell everyone else to pound sand or to roll all activist
> causes into one for the collective libtech "us" - it's not so easy when we
> take it elsewhere. Just trying to see how we can promote things that look
> less like personal gripes and trolls - and more like building something
> useful. -Ali
>
>
>
> On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas  wrote:
>
>> Can Silent Circle promoters explain why Zimmermann is excused from
>> Kerckhoffs's principle?
>>
>> Is it because something unverifiable is allegedly better than nothing?
>> Even if we had divine knowledge to tell us Silent Circle is secure,
>> isn't it an overriding problem to encourage lock-in of closed source
>> being acceptable for something as common as text-messaging?
>>
>> It is good to have a scrappy talented young person such as Nadim being
>> pesky to older, accepted people.
>>
>>
>> On 02/07/2013 09:45 AM, Julien Rabier wrote:
>> > Hello all,
>> >
>> > I'm no sec expert but to me, it's so obvious that Nadim is right on this.
>> > Perhaps the form is not perfect, but if he's the only one fighting for our
>> > own sanity here, as he says, that's no surprise.
>> >
>> > We should all be asking Silent Circle to commit to their statement and show
>> > us the source code of their so-called unbreakable encryption tools.
>> >
>> > Again, I'm no sec expert and I won't be the guy who will do the hard task of
>> > auditing and reviewing this code. But as a user, as a citizen and perhaps an
>> > activist, I want the source code of such tools to be reviewed widely and
>> > publicly before using and promoting it.
>> >
>> > My 2 euro cents,
>> > Julien
>> >
>> > On 07 Feb - 10:31, Nadim Kobeissi wrote:
>> >> Small follow-up:
>> >> Maybe it's true I look like my goal here is just to foam at the mouth at
>> >> Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
>> >> truly sorry. These are not my goals, even if my method seems forced.
>> >>
>> >> I've tried writing multiple blog posts about Silent Circle, contacting
>> >> Silent Circle, asking journalists to *please* mention the importance of
>> >> free, open source in cryptography, and so on. All of this has failed. It
>> >> has simply become clear to me that Silent Circle enjoys a double standard
>> >> because of the reputation of those behind it.
>> >>
>> >> Silent Circle may be developed by Gods, but this is just quite plainly
>> >> unfair. If someone repeatedly claims, towards activists, to have developed
>> >> "unbreakable encryption", markets it closed-source for money, and receives
>> >> nothing but nods of recognition and applause from the press and even
>> >> from *security experts* (?!) then something is seriously wrong! No one
>> >> should be allowed to commit these wrongs, not even Silent Circle.
>> >>
>> >> I feel like I'm fighting for our own sanity here. Look at what you're
>> >> allowing to happen!
>> >>
>> >>
>> >> NK
>> >>
>> >>
>> >> On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi 
>> wrote:
>> >>
>> >>> On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian <ch...@soghoian.net> wrote:
>> >>>
>> 
>>  It is clear that you seem to have developed a foaming-in-the-mouth,
>>  irrational hate of Silent Circle. As such, anyone who fails to denounce
>>  Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
>>  shill.
>> 
>> >>>
>> >>> Chris,
>> >>> You have repeatedly stood up asking VoIP software to be more transparent
>> >>> about their encryption. You have repeatedly stood up when the media
>> >>> overblew coverage into hype.
>> >>>
>> >>> However, Silent Circle remains *the only case* where you remain mentioned
>> >>> regularly in articles on the company, where you make a point to
>> completel

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Jacob Appelbaum
Griffin Boyce:
> On Wed, Feb 6, 2013 at 5:16 PM, Jacob Appelbaum wrote:
> 
>> A persistent backdoor on your Chromebook is not actually impossible.
>>
> 
>   As Nate (?) pointed out, hardware backdoors wouldn't be all that
> difficult to implement, especially for someone who travels a lot. A ten
> minute delay in releasing checked luggage, and the secure boot could be a lot
> less secure.
> 

I'm not talking about a hardware backdoor. What happens when you install
a Chrome extension that does bad stuff? Their hardware security model
doesn't really come into play with such a vector.

Yeah, a hardware backdoor is also a problem but I was speaking
specifically about how ChromeOS doesn't actually reduce things to a
hardware tampering attack.

> 
>> Most of the arguments I've heard here boil down to privileged wealthy people
>> complaining that learning and mutual aid or solidarity is simply too
>> hard. The worst is when people who train people in risky situations make
>> those kinds of statements.
>>
> 
>   As someone who is neither privileged nor wealthy, and who enjoys teaching
> people tech, I'm gonna chime in.
> 
>   It's untrue and assumes a LOT about motivation for both users and people
> training them. Chrome is not right for everyone. I don't use a chromebook
> and don't recommend it for most people. It's a vast improvement over
> Windows, particularly for people who wind up with backdoored bootleg
> XP-like operating systems.
> 

Free Software was my point, I couldn't really care less about Chrome.

>   Jake, you absolutely cannot equivocate your situation with most at-risk
> people for several reasons. You're at a high risk, more so than most at-risk
> users. You're also highly intelligent and self-educated (and have the
> resources to educate yourself). You exist in a milieu where there are many
> who can give guidance on technology and security. You also have the
> economic advantage of being able to jettison software if you suspect it's
> been tampered with.  There are many different types of privilege at play,
> and not everyone is in the same situation.  It's important (IMO) to
> customize recommendations rather than make broad statements.
> 

Actually, I can and I just did so for a very good set of reasons. The
2703(d) order for my gmail account is exactly the same legal tool that
will and was likely used against others on this mailing list. The
exception is the attention and not the technique!

>   Would it be great if we could move everyone using malware-riddled Windows
> setups to Ubuntu, Debian, or BSD? Absolutely. If I could convince everyone
> I know to switch to Ubuntu, that would be fucking amazing.  But I've tried
> to convince numerous people to make the switch, and only a few were willing
> to try the USB stick. I think two have committed to dual-booting. And
> that's just the reality.

The reason that they won't is because people either lack the support (in
terms of software, human time, hardware drivers, etc) or they simply
don't understand *or* care about the reasons we've discussed endlessly
on this list.

All the best,
Jake

> 
> ~Griffin
> 
> 
> 
> 



Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Jacob Appelbaum
Nadim Kobeissi:
> On Wed, Feb 6, 2013 at 5:16 PM, Jacob Appelbaum  wrote:
> 
>>
>>
>> This is hilarious.
>>
>> I would *never* use a laptop that lacks a way to protect all your
>> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
>> surveillance as an at risk person. Not only because the remote systems
>> will have your exact geographic location and because a lack of anonymity
>> allows for targeted attacks, but also because the local network is well
>> known to be seriously hostile!
>>
>>
> Thankfully, while Chrome does not support better solutions (such as Tor),
> it does in fact support VPN connections:
> http://support.google.com/chromeos/bin/answer.py?hl=en&answer=1282338
> 
> 

This is a new (to me) feature; thanks for pointing it out. I'm glad to
see it finally landed and is in production. Would someone with a
ChromeOS device test the VPN to see if it leaks the way that we
described in our vpwned[0] paper?

It should be rather straightforward to see if it leaks with trivial
tests. Killing the VPN to see if it fails open should also be
straightforward. I would be pleasantly surprised if they were not vulnerable to
either of those issues. I asked a ChromeOS security person their
thoughts on the matter and passed them our paper; we'll see what they say.

All the best,
Jake

[0] https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf

>>
>>
> 
>>>
>>>
>>>
>>> On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi  wrote:
>>>
 The biggest (and very important) difference between Linux and
>> Chromebooks
 is the hugely smaller attack surface.


 NK


 On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley wrote:

> Andreas,
>
> Plenty of Syrians do have internet access, and use it on a regular
>> basis.
>
> Also, lack of appropriateness for one use-case doesn't necessitate lack
> of appropriateness across the board.
>
> Linux is a great solution for many use cases, but as has been
>> elaborated,
> quite a terrible one for many others.
>
> Brian
>
>
> On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader wrote:
>
>> On 02/06/2013 04:24 PM, Tom Ritter wrote:
>>> Nadim, I'm with you.  I'm not sure it's the perfect solution for
>>> everyone, but like Nathan said, if you already trust Google, I think
>>> it's a good option.
>>>
>>> On 6 February 2013 07:12, Andreas Bader 
>> wrote:
 Why don't you use an old thinkpad or something with Linux, you have the
 same price as a Chromebook but more control over the system. And you
 don't depend on the 3G and Wifi net.
>>> We started with the notion of Linux, and we were attracted to
>>> Chromebooks for a bunch of reasons.  Going back to Linux loses all the
>>> things we were attracted to.
>>>
>>> - ChromeOS's attack surface is infinitely smaller than with Linux
>>> - The architecture of ChromeOS is different from Linux - process
>>> separation through SOP, as opposed to no process separation at all
>>> - ChromeOS was *designed* to have you logout, and hand the device over
>>> to someone else to login, and get no access to your stuff.  Extreme
>>> Hardware attacks aside, it works pretty well.
>>> - ChromeOS's update mechanism is automatic, transparent, and basically
>>> foolproof.  Having bricked Ubuntu and Gentoo systems, the same is not
>>> true of Linux.
>>> - Verified Boot, automatic FDE, tamper-resistant hardware
>>>
>>> Something I'm curious about is, if any less-popular device became
>>> popular among the activist community - would the government view it
>>> as an indicator of interest?  Just like they block Tor, would they
>>> block Chromebooks?  It'd have to get pretty darn popular first though.
>>>
>>> -tom
>>> --
>>>
>> But you can't use it for political activists e.g. in Syria because of
>> its dependence on the internet connection. This fact is authoritative.
>> For Europe and USA and so on it might be a good solution.
>>
>
>
>
> --
>
>
>
> Brian Conley
>
> Director, Small World News
>
> http://smallworldnews.tv
>
> m: 646.285.2046
>
> Skype: brianjoelconley
>
>
>
>



>>>
>>>
>>>
>>>
>>
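The two checks Jake asks for above (does the tunnel leak, and does it fail open when killed) can be run offline against routing-table and resolver snapshots instead of live traffic. The script below is an added example, not code from this thread or from the vpwned paper: it reads the text of `ip -4 route`, `ip -6 route` and `/etc/resolv.conf` as captured on a Linux host while the tunnel is up and again right after it is killed, and flags an IPv4 default route that bypasses the tunnel (the fail-open case), an IPv6 default route over the physical interface, and resolvers outside the tunnel. The interface names, addresses and tunnel range (`tun0`, `wlan0`, `10.8.0.0/24`) are constructed.

```python
"""Offline VPN leak check over constructed routing/resolver snapshots.

Input is the text of `ip -4 route`, `ip -6 route` and /etc/resolv.conf
captured (a) while the tunnel is up and (b) right after the tunnel is
killed. Three leak classes are flagged:
  * IPv4 default route not on the tunnel interface -> traffic bypasses
    the VPN (the "fails open" case once the tunnel has died);
  * IPv6 default route on a non-tunnel interface -> IPv6 traffic leaks
    around an IPv4-only tunnel;
  * resolver outside the tunnel's address range -> DNS queries go to the
    (possibly hostile) local network.
All interface names, addresses and ranges below are constructed examples.
"""
import ipaddress
import re
from dataclasses import dataclass

# "default via 10.8.0.1 dev tun0 ..." -> capture the interface after "dev".
DEFAULT_RE = re.compile(r"^default\b.*?\bdev\s+(\S+)")


@dataclass(frozen=True)
class Snapshot:
    v4_routes: str    # output of `ip -4 route`
    v6_routes: str    # output of `ip -6 route`
    resolv_conf: str  # contents of /etc/resolv.conf


def default_route_dev(route_text: str):
    """Interface carrying the default route, or None if there is none."""
    for line in route_text.splitlines():
        m = DEFAULT_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def nameservers(resolv_conf: str):
    """Resolver addresses listed in resolv.conf, in file order."""
    out = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def find_leaks(snap: Snapshot, tunnel_dev="tun0", tunnel_nets=("10.8.0.0/24",)):
    """Return human-readable leak findings; an empty list means none seen."""
    findings = []
    v4 = default_route_dev(snap.v4_routes)
    if v4 is not None and v4 != tunnel_dev:
        findings.append(f"IPv4 default route via {v4}, not {tunnel_dev}: "
                        "traffic bypasses the tunnel (fails open)")
    # No IPv4 default route at all means the host fails closed: not a leak.
    v6 = default_route_dev(snap.v6_routes)
    if v6 is not None and v6 != tunnel_dev:
        findings.append(f"IPv6 default route via {v6}: IPv6 traffic leaks "
                        "around the tunnel")
    nets = [ipaddress.ip_network(n) for n in tunnel_nets]
    for ns in nameservers(snap.resolv_conf):
        # `in` is False across address families, so a v6 resolver is flagged too.
        if not any(ipaddress.ip_address(ns) in n for n in nets):
            findings.append(f"resolver {ns} is outside the tunnel: DNS leaks")
    return findings


# Constructed snapshot: tunnel up, but the Wi-Fi network also hands out IPv6.
TUNNEL_UP = Snapshot(
    v4_routes=("default via 10.8.0.1 dev tun0\n"
               "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2\n"
               "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23\n"
               "203.0.113.5 via 192.168.1.1 dev wlan0\n"),  # host route to VPN server
    v6_routes=("2001:db8:1::/64 dev wlan0 proto ra metric 600\n"
               "default via fe80::1 dev wlan0 proto ra metric 600\n"),
    resolv_conf="nameserver 10.8.0.1\n",
)

# Constructed snapshot: the same host right after the tunnel process was killed.
TUNNEL_KILLED = Snapshot(
    v4_routes=("default via 192.168.1.1 dev wlan0 proto dhcp metric 600\n"
               "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23\n"),
    v6_routes=TUNNEL_UP.v6_routes,
    resolv_conf="nameserver 192.168.1.1\n",
)

# Constructed snapshot: a client that fails closed (no default route without
# the tunnel, resolver still the tunnel's, IPv6 disabled).
FAIL_CLOSED = Snapshot(
    v4_routes="192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23\n",
    v6_routes="",
    resolv_conf="nameserver 10.8.0.1\n",
)

if __name__ == "__main__":
    for name, snap in (("tunnel up", TUNNEL_UP), ("tunnel killed", TUNNEL_KILLED),
                       ("fail-closed client", FAIL_CLOSED)):
        print(f"[{name}]")
        for finding in find_leaks(snap) or ["no leak detected"]:
            print("  -", finding)
```

On a real device, replace the constructed strings with the three commands' output taken before and after the tunnel is stopped; a client that passes all three checks in the "killed" snapshot fails closed.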

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
Douglas, I'm not sure many people are disagreeing with the end-goals and
even Zimmermann acknowledges the window for verifiable source proof is
closing fast (longer than many would have liked as-is).

My comments to Nadim are coming from a tact perspective - if the goal is to
gain wider adoption and recognition for all the community work, good
projects, verified projects, etc. etc. then it helps when you play in the
sandboxes occupied by more than the hackers and programmers making it happen.

It's not uncommon to have people, who need solutions the most, to be afraid
of projects because of the "main name" associated with them after some
cursory rant reading. Nadim = Cryptocat, Jacob = TOR, Theo = OpenBSD, etc.
etc.

It's easy to tell everyone else to pound sand or to roll all activist
causes into one for the collective libtech "us" - it's not so easy when we
take it elsewhere. Just trying to see how we can promote things that look
less like personal gripes and trolls - and more like building something
useful. -Ali



On Thu, Feb 7, 2013 at 11:36 AM, Douglas Lucas  wrote:

> Can Silent Circle promoters explain why Zimmermann is excused from
> Kerckhoffs's principle?
>
> Is it because something unverifiable is allegedly better than nothing?
> Even if we had divine knowledge to tell us Silent Circle is secure,
> isn't it an overriding problem to encourage lock-in of closed source
> being acceptable for something as common as text-messaging?
>
> It is good to have a scrappy talented young person such as Nadim being
> pesky to older, accepted people.
>
>
> On 02/07/2013 09:45 AM, Julien Rabier wrote:
> > Hello all,
> >
> > I'm no sec expert but to me, it's so obvious that Nadim is right on this.
> > Perhaps the form is not perfect, but if he's the only one fighting for
> our
> > own sanity here, as he says, that's no surprise.
> >
> > We should all be asking Silent Circle to commit to their statement and
> show
> > us the source code of their so-called unbreakable encryption tools.
> >
> > Again, I'm no sec expert and I won't be the guy who will do the hard
> task of
> > auditing and reviewing this code. But as a user, as a citizen and
> perhaps an
> > activist, I want the source code of such tools to be reviewed widely and
> > publicly before using and promoting it.
> >
> > My 2 euro cents,
> > Julien
> >
> > Le 07 févr. - 10:31, Nadim Kobeissi a écrit :
> >> Small follow-up:
> >> Maybe it's true I look like my goal here is just to foam at the mouth at
> >> Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
> >> truly sorry. These are not my goals, even if my method seems forced.
> >>
> >> I've tried writing multiple blog posts about Silent Circle, contacting
> >> Silent Circle, asking journalists to *please* mention the importance of
> >> free, open source in cryptography, and so on. All of this has failed. It
> >> has simply become clear to me that Silent Circle enjoys a double
> standard
> >> because of the reputation of those behind it.
> >>
> >> Silent Circle may be developed by Gods, but this is just quite plainly
> >> unfair. If someone repeatedly claims, towards activists, to have
> developed
> >> "unbreakable encryption", markets it closed-source for money, and
> receives
> >> nothing but nods of recognition and applause from the press and even
> >> from *security
> >> experts* (?!) then something is seriously wrong! No one should be
> allowed
> >> to commit these wrongs, not even Silent Circle.
> >>
> >> I feel like I'm fighting for our own sanity here. Look at what you're
> >> allowing to happen!
> >>
> >>
> >> NK
> >>
> >>
> >> On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi  wrote:
> >>
> >>> On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian <
> ch...@soghoian.net>wrote:
> >>>
> 
>  It is clear that you seem to have developed a foaming-in-the-mouth,
>  irrational hate of Silent Circle. As such, anyone who fails to
> denounce
>  Phil Zimmermann as the great Satan is, in your eyes, some kind of
> corrupt
>  shill.
> 
> >>>
> >>> Chris,
> >>> You have repeatedly stood up asking VoIP software to be more
> transparent
> >>> about their encryption. You have repeatedly stood up when the media
> >>> overblew coverage into hype.
> >>>
> >>> However, Silent Circle remains *the only case* where you remain
> mentioned
> >>> regularly in articles on the company, where you make a point to
> completely
> >>> ignore that they are posting everywhere on their social media that
> they are
> >>> developing "unbreakable encryption", and marketing it, closed-source,
> >>> towardsactivists. When I confront you about this, you publicly accuse
> me of
> >>> "soliciting a hit piece" (!!) against Silent Circle.
> >>>
> >>> That is what I have a problem with: A huge, clear, obvious double
> standard
> >>> strictly made available for Silent Circle.
> >>>
> >>>
> 
>  I proudly stand by every single statement quoted in that Verge story.
> 
>  Chris
> 
> 
> >>

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
Inline below..


On Thu, Feb 7, 2013 at 11:34 AM, scarp  wrote:

> Jens Christian Hillerup:
> > Hear-hear. They don't need to open-source their software to
> > convince me, as long as they are open about their protocol at
> > least.
>
> And what if there's a second set of decryption master keys? You're
> willing to trust them because they say "We're famous guys, we won't do
> anything bad, and plus we hate naughty governments."
>

We need to verify everything they say is true - keys aren't generated on
servers (with the PGP Universal option for email they allow it but
discourage it). Sure, yes, absolutely we all want to verify it from source
to wire.. no argument.

> The fact you can't buy into this service anonymously, so at least
> payment credentials will be available. Even if Phil says he won't be
> bad what is to stop Apple revealing your iTunes account purchased this
> application in AppStore when the necessary legal screws are applied to
> them.
>

They do offer the Ronin option for anonymous purchasing of the provisioning
keys - the App is free itself.

-Ali
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Andy Isaacson
On Thu, Feb 07, 2013 at 02:11:22AM -0700, Christopher Soghoian wrote:
> It is clear that you seem to have developed a foaming-in-the-mouth,
> irrational hate of Silent Circle. As such, anyone who fails to denounce
> Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
> shill.

Silent Circle has some significant credibility gaps.  They repeatedly
claimed, and AFAIK continue to claim, to be "open source", but the
source isn't even available for inspection under restrictive license,
much less actually open source per OSI or DFSG or common sense
guidelines.  They haven't justified or explained this gap in any of
their statements I've seen.

They're trading very heavily on the excellent pedigrees of their
principals, while making outlandish and unsupported claims to credulous
mainstream journalists.

Your participation in their marketing interviews makes you complicit in
this problematic enterprise, Chris.

I think it's incredibly unfair of you to attack Nadim for pointing out
the flaws in this system without addressing your role in those flaws.

We all want privacy and security for users.  Silent Circle's
misappropriation of the "open source" label and hagiographic mainstream
press treatment in advance of actual public review, abetted by a wide
variety of experts and public voices, is deeply problematic for the
liberation technology community's role in civil society.

Silent Circle may be an excellent privacy app.  It might not have any
significant security problems.  It might even do a good job of
mitigating important platform-based attacks and supporting important new
use cases (the "burn after reading" feature).  When it's actually open
source I'll take a look and if it is good, I'll recommend it to users.

Until that open review happens, I think it's inappropriate for voices in
our community to commend or recommend such a proprietary system.  Each
person makes their own choices, of course, and nobody should base their
actions solely on what *I* think is right, but I hope you can hear my
concerns and consider the outcomes of your actions.

-andy


Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Rich Kulawiec
On Tue, Feb 05, 2013 at 10:29:49PM -0500, Nadim Kobeissi wrote:
> Now, for the obvious (and unfortunate!) downsides: Chromebooks natively
> encourage users to store all of their data on Google, leaving the company
> with an unbalanced amount of control over these machines, and attracting
> itself as a compromise target relevant to Chromebook users. 

Strongly agreed.

As the size of the organization grows, the probability that zero employees
are (a) taking payoffs/bribes (b) succumbing to extortion/blackmail
and/or (c) otherwise politically/socially/economically/personally motivated
to do Bad Things decreases.

We could debate the shape of the curve, but I think it's darn near certain
that there is -- somewhere -- a Google employee doing (a) and a Google
employee doing (b) and a Google employee doing (c).  Of course there are.
There are simply too many of them for this not to be true.  The same
can be said of every large company and organization.

The question is thus not "do they exist?" because I think we already
know that they do.  The question, or questions rather, become things
like "What is their goal?", "What do they have access to?", "What
measures exist to prevent them from accessing things they shouldn't?",
"What measures exist to detect them trying to access things they
shouldn't?", "Will I find out if it happens to be my data?", and so on.

My own experience suggests that the answers to those last questions
are nearly always "nothing", "not much" and "no" even in places where we
would all hope otherwise.

So if you (rhetorical and plural you) are becoming an annoyance to whatever
government you're antagonizing because you're smart and effective,
then why wouldn't they consider dropping $100K in cash on a cloud engineer
in return for a USB drive full of everything you've all stored there?
Seems like a good investment.  Much less tedious than infiltrating
your group.  Probably cheaper and less risky.

Or why wouldn't they plan ahead and start getting their own people in the
pipeline for jobs there?  They could play the long game and gamble that
spending years training some of their own, putting them through school
at RIT or Michigan or GaTech and getting them into Rackspace and Google
and Twitter will one day pay off, when someone very very loyal to their
ideology and politics feeds them timely information.

Yes, you can encrypt everything -- if you're all diligent about that.
But the logs will still show when and where you were, and possibly who
is talking to who, how much information they're exchanging, and when.
(And there's the possibility that, in extremis, your communications can
be "accidentally" cut off just when you need them most.)

My point is that I don't think trusting *any* large organization is a
good move.  If you're going to store this kind of data anywhere but on
systems that you personally control, then pick the smallest, most obscure
ones you can find.  Better yet: don't build an architecture that relies
on centralized communications and thus is vulnerable to centralized
compromises; we've discussed Usenet here before and I think that sort
of decentralized architecture is a much better model for this application.

---rsk


[liberationtech] CfP: Special issue on ICT and Development in Africa

2013-02-07 Thread Yosem Companys
*Call for papers: Special issue on ICT and Development in Africa*

(Information Technology for Development)
*Deadline:* March 1, 2013
*More:* Submission information, Guidelines

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Rich Kulawiec
Alchemy is to chemistry, astrology is to astronomy, as closed-source
is to open source.

Closed-source is intellectual fraud.  It is the equivalent of an academic
paper which has a synopsis and conclusions -- but nothing else.  No honest
reviewer would ever approve such tripe for publication in a refereed
journal of mechanical engineering or physics or medicine...yet we, in
computer science, are expected to do the equivalent.  We're actually
expected to take someone's word that their code does what they say it
does -- even though we have a mountain of evidence stretching back to the
beginning of our field that says it's NEVER been true, even when the
code's written by people who are smart/experienced/honest/diligent/etc.

Not even Stephen Hawking gets his papers published without showing
his data/reasoning/work/etc.  As it should be.

So yes, my response to this is "source or GTFO".  Extraordinary claims
require extraordinary proof and in this case, there is none.

---rsk


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Nadim Kobeissi
On Thu, Feb 7, 2013 at 12:12 PM, Christopher Soghoian wrote:

>
> What I resent though, is Nadim's repeated, malicious attempts to drag my
> name through the mud, simply because I will not join his witch hunt against
> Silent Circle. Since he cannot find a single example of me saying anything
> false in the handful of interviews I have given to journalists writing
> about this company, instead he criticizes me for not throwing rocks at Phil
> Zimmermann.
>
>
This is not at all what I am asking for. When the press mentioned my own
project, Cryptocat, as a tool for activists, you threw every rock at your
disposal both at the media and at my work, even though I had made every
effort to label the limitations of my software and to release all source
code, and even to correct the false claims made by the media.

However, when the media calls Silent Circle "unbreakable," and when Silent
Circle posts those articles on their websites without releasing any source
code, and then market their products towards activists, you in fact
continue to speak in articles about them and compliment them. You cannot
deny the double standard that you are instituting here, Chris. You have
absolutely attacked projects that have been hyped in the media, even when
they had good policies and even when they were open source. You are
exercising a double standard. Stop denying it.



Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Gregory Maxwell
On Thu, Feb 7, 2013 at 9:12 AM, Christopher Soghoian  wrote:
> My area of research is the intersection of law, policy and technology. As
> such, I am most interested in companies' surveillance policies, their
> commitment to transparency, and their stated willingness to tell the
> government to GTFO if they come and ask for backdoors. On this front, Silent
> Circle is extremely interesting, probably more so than any other Internet
> company.

You may think these are your preferences, but what you're saying makes
it clear that your preferences are actually subtly different.

If someone says "we won't put in 'lawful surveillance' backdoors" but
doesn't back that up with independent auditing (which can come in the
form of access to source code) and you find that acceptable then what
you have is a preference for _claiming_ that there are no back doors,
and not a preference for being open about what the policy is (the real
policy is in the software, which the public has not observed) or a
preference for there being no back doors. Considering the long history
of mistakes and outright lies in security software— this is simply how
it is.

Doubly so when you consider that lying about a backdoor or being
mistaken about severe security holes is unlikely to carry consequence
more negative than being open to begin with.  If there were a surety
bond commensurate with the loss of life that could result from
mistakes and dishonesty here and there were independent auditing...
plus many of a number of other things then perhaps you could say that
you cared about transparency, policy, and backdoors.

> For many people on this list, source code is their #1 priority. That is
> fine. However, it is not my priority. I am more concerned with surveillance
> policy, because that is what I study and where I think I can be most
> effective in applying pressure.

You're erroneously concluding that people who disagree with you have
"source code [as] their #1 priority"— rather, I think it would be more
fair in the context of security software to characterize the position
as facts as #1 priority instead of warm and fuzzy hyperbole. Source
code access is simply the least expensive and most direct way to start
getting any real confidence that claims match reality.

Following the argument that something is not necessarily better than
nothing— we'd be better off if people who weren't interested in
producing trustworthy software were pressed into making fuzzy
sounding fanciful claims.  If all you can be effective at doing is
improving the art of marketing (potential) snake oil, then perhaps you
need to reevaluate what you're working on.

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread scarp

scarp:
> Douglas Lucas:
>> Is it because something unverifiable is allegedly better than 
>> nothing? Even if we had divine knowledge to tell us Silent
>> Circle is secure, isn't it an overriding problem to encourage
>> lock-in of closed source being acceptable for something as common
>> as text-messaging?
> 
>> It is good to have a scrappy talented young person such as Nadim 
>> being pesky to older, accepted people.
> 
> Agreed, and this is one of the larger problems people in social 
> censorship bubbles, where basically if you don't have the tech you 
> can't talk to the person. One of the things that encryption 
> technologies like Off the Record Messaging try to bridge.
> 
> Nobody wants to be forced to use specific technology from a
> specific individual or entity. It's bad enough everyone uses
> Facebook.
> 
> Decentralization is the only way to avoid this becoming a weak
> link.
> 

Which brings me to another point, what if in 1991 Phil Zimmermann said
you must use his bbs/email server to use PGP, and wouldn't release the
source for the encrypting client? I wonder if it would be as popular
as it is today if that was the case.

I find it also amusing:

https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_investigation
> Shortly after its release, PGP encryption found its way outside the
> United States, and in February 1993 Zimmermann became the formal
> target of a criminal investigation by the US Government for
> "munitions export without a license". Cryptosystems using keys
> larger than 40 bits were then considered munitions within the
> definition of the US export regulations; PGP has never used keys
> smaller than 128 bits so it qualified at that time. Penalties for
> violation, if found guilty, were substantial. After several years,
> the investigation of Zimmermann was closed without filing criminal
> charges against him or anyone else. Zimmermann challenged these
> regulations in a curious way. He published the entire source code
> of PGP in a hardback book,[13]

To me this seems like a big middle finger to totalitarian government
dictating how and who it must be used by. Of course by this point the
government couldn't stop people using it even if they wanted to, the
source was everywhere.

Given his interest in anti-nuclear activism, I wonder if in today's
world that could have been construed as anti-government and possibly a
person of interest by the government.

The other question is what's to stop Apple being legally forced to
push a modified copy of this software to a person's phone that has a
backdoor?

While people might say this isn't possible due to XXX law, what is to
prevent one being created that changes that. Encryption technology's
effectiveness should not be based on what the government is allowed
and not allowed to do. I guess this is an inherent problem with
storing data in the cloud.

> For an annual price of $20/month (closer to $30/month on their
> 3-month plan)

Poorer people of poorer nations won't be able to afford this, and
neither will the average citizen care enough to pay this.

I don't imagine some factory worker in China for example who earns 50
cents a day being able to pay for this so he can talk about how shitty
the conditions are.

To me it seems like it will only get used by businesses and enterprise
needing security abroad rather than activists residing in areas where
they would need it in order to have some semblance of freedom.

--
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Christopher Soghoian
> Chris,
> You have repeatedly stood up asking VoIP software to be more transparent
> about their encryption. You have repeatedly stood up when the media
> overblew coverage into hype.
>
>
I've never asked Skype to release the source code to their products, nor
have I berated Apple, Facebook or Microsoft for not releasing the source
code to their products. I have, however, asked Skype to be more transparent
about the extent to which it can provide communications interception
assistance to law enforcement and intelligence agencies. There is a big
difference.

If you don't want to use Silent Circle without seeing the source code, that
is an entirely legitimate point of view (and in fact, one that I share, and
that I expressed to Ryan Gallagher last year):
http://www.slate.com/articles/technology/future_tense/2012/10/silent_circle_mike_janke_s_iphone_app_makes_encryption_easy_governments.single.html

Christopher Soghoian, principal technologist at the ACLU's Speech Privacy
and Technology Project, said he was excited to see a company like Silent
Circle visibly competing on privacy and security but that he was waiting
for it to go open source and be audited by independent security experts
before he would feel comfortable using it for sensitive communications.


Even though I am not using Silent Circle for sensitive conversations, I am
still absolutely delighted to see them be as proactive as they have been
about embracing and documenting progressive law enforcement policies.
https://silentcircle.com/web/law-compliance/

My area of research is the intersection of law, policy and technology. As
such, I am most interested in companies' surveillance policies, their
commitment to transparency, and their stated willingness to tell the
government to GTFO if they come and ask for backdoors. On this front,
Silent Circle is extremely interesting, probably more so than any other
Internet company.

For many people on this list, source code is their #1 priority. That is
fine. However, it is not my priority. I am more concerned with surveillance
policy, because that is what I study and where I think I can be most
effective in applying pressure.

What I resent though, is Nadim's repeated, malicious attempts to drag my
name through the mud, simply because I will not join his witch hunt against
Silent Circle. Since he cannot find a single example of me saying anything
false in the handful of interviews I have given to journalists writing
about this company, instead he criticizes me for not throwing rocks at Phil
Zimmermann.

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Griffin Boyce
>
>   Jake, you absolutely cannot equivocate your situation with most at-risk
> people for several reasons.
>

Er, correction, I meant that you cannot treat the situations equally.  And
by jettison software, I meant jettison Hardware.

Sorry, I can't brain today, I have the dumb.

best,
Griffin

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Gregory Maxwell
On Thu, Feb 7, 2013 at 8:36 AM, Douglas Lucas  wrote:
> Can Silent Circle promoters explain why Zimmerman is excused from
> Kerckhoffs's principle?
>
> Is it because something unverifiable is allegedly better than nothing?
> Even if we had divine knowledge to tell us Silent Circle is secure,
> isn't it an overriding problem to encourage lock-in of closed source
> being acceptable for something as common as text-messaging?

Even if it were acceptable because "we" trust the source this time
that won't be clear to the public— and the next unscrupulous snake oil
salesman who comes around using identical marketing will look just as
trustworthy to the public.  Accordingly, this work still demands a
strong negative reaction if we're to continue to establish in
people's minds that snazzy names, buzzword technobabble, and big claims
do not show security products to be trustworthy: Only independent
auditing and open code do.

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Griffin Boyce
On Wed, Feb 6, 2013 at 5:16 PM, Jacob Appelbaum wrote:

> A persistent backdoor on your Chromebook is not actually impossible.
>

  As Nate (?) pointed out, hardware backdoors wouldn't be all that
difficult to implement, especially for someone who travels a lot. A ten
minute delay in releasing checked luggage, and the secure boot could be a lot
less secure.


> Most of arguments I've heard here boil down to privileged wealthy people
> complaining that learning and mutual aid or solidarity is simply too
> hard. The worst is when people who train people in risky situations make
> those kinds of statements.
>

  As someone who is neither privileged nor wealthy, and who enjoys teaching
people tech, I'm gonna chime in.

  It's untrue and assumes a LOT about motivation for both users and people
training them. Chrome is not right for everyone. I don't use a chromebook
and don't recommend it for most people. It's a vast improvement over
Windows, particularly for people who wind up with backdoored bootleg
XP-like operating systems.

  Jake, you absolutely cannot equivocate your situation with most at-risk
people for several reasons. You're at a high risk, moreso than most at-risk
users. You're also highly intelligent and self-educated (and have the
resources to educate yourself). You exist in a milieu where there are many
who can give guidance on technology and security. You also have the
economic advantage of being able to jettison software if you suspect it's
been tampered with.  There are many different types of privilege at play,
and not everyone is in the same situation.  It's important (IMO) to
customize recommendations rather than make broad statements.

  Would it be great if we could move everyone using malware-riddled Windows
setups to Ubuntu, Debian, or BSD? Absolutely. If I could convince everyone
I know to switch to Ubuntu, that would be fucking amazing.  But I've tried
to convince numerous people to make the switch, and only a few were willing
to try the USB stick. I think two have committed to dual-booting. And
that's just the reality.

~Griffin

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread scarp

Douglas Lucas:
> Is it because something unverifiable is allegedly better than
> nothing? Even if we had divine knowledge to tell us Silent Circle
> is secure, isn't it an overriding problem to encourage lock-in of
> closed source being acceptable for something as common as
> text-messaging?
> 
> It is good to have a scrappy talented young person such as Nadim
> being pesky to older, accepted people.

Agreed, and this is one of the larger problems people in social
censorship bubbles, where basically if you don't have the tech you
can't talk to the person. One of the things that encryption
technologies like Off the Record Messaging try to bridge.

Nobody wants to be forced to use specific technology from a specific
individual or entity. It's bad enough everyone uses Facebook.

Decentralization is the only way to avoid this becoming a weak link.

--
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313


Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Nadim Kobeissi
NK


On Wed, Feb 6, 2013 at 5:16 PM, Jacob Appelbaum  wrote:

>
>
> Most of arguments I've heard here boil down to privileged wealthy people
> complaining that learning and mutual aid or solidarity is simply too
> hard. The worst is when people who train people in risky situations make
> those kinds of statements.
>
> It's frankly, really and seriously embarrassing.
>

Aside from how seriously tasteless that statement is, I'd like to point out
that Chromebooks are in fact based on free software:
http://www.chromium.org/chromium-os/licenses


>
> All the best,
> Jake
>
> > On Feb 6, 2013 7:09 PM, "micah anderson"  wrote:
> >
> >> Andy Isaacson  writes:
> >>
> >>> On Wed, Feb 06, 2013 at 10:52:23AM -0500, micah anderson wrote:
> > - ChromeOS's update mechanism is automatic, transparent, and
> basically
> > foolproof.  Having bricked Ubuntu and Gentoo systems, the same is not
> > true of Linux.
> 
>  I would be surprised if you actually 'bricked' these systems, since
>  neither operating system you mention involves a procedure that has the
>  risk of bricking a device. I suspect this is hyperbole?
> >>>
> >>> I've had dist-upgrade (or the GUI equivalent) make an Ubuntu system
> >>> unbootable and unrecoverable without recourse to a rescue-image and
> deep
> >>> magic grub hacking, etc.  That counts as "bricked" when the easiest
> >>> course of action is to simply reinstall the OS from scratch.  It's not
> >>> "bricked" in the sense that an Android install gone awry can require
> >>> specialized hardware (JTAG dongle etc) and crypto keys to fix, but it's
> >>> equivalent from a user's point of view.
> >>
> >> I understand where you are going with this, but when it comes to
> >> terminology, I think it serves to confuse the issue to misuse the term
> >> 'brick'. You cannot, as you say, "simply reinstall the OS from scratch"
> >> on a device that has been bricked.
> >>
> >> I can't wait for the day when Google accidentally pushes an update out
> >> that actually bricks their devices, because when that happens, there is
> >> no way to "simply reinstall the OS from scratch".

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Douglas Lucas
Can Silent Circle promoters explain why Zimmerman is excused from
Kerckhoffs's principle?

Is it because something unverifiable is allegedly better than nothing?
Even if we had divine knowledge to tell us Silent Circle is secure,
isn't it an overriding problem to encourage lock-in of closed source
being acceptable for something as common as text-messaging?

It is good to have a scrappy talented young person such as Nadim being
pesky to older, accepted people.


On 02/07/2013 09:45 AM, Julien Rabier wrote:
> Hello all,
> 
> I'm no sec expert but to me, it's so obvious that Nadim is right on this.
> Perhaps the form is not perfect, but if he's the only one fighting for our
> own sanity here, as he says, that's no surprise.
> 
> We should all be asking Silent Circle to commit to their statement and show
> us the source code of their so-called unbreakable encryption tools.
> 
> Again, I'm no sec expert and I won't be the guy who will do the hard task of
> auditing and reviewing this code. But as a user, as a citizen and perhaps an
> activist, I want the source code of such tools to be reviewed widely and
> publicly before using and promoting it. 
> 
> My 2 euro cents,
> Julien
> 
> On 07 Feb. - 10:31, Nadim Kobeissi wrote:
>> Small follow-up:
>> Maybe it's true I look like my goal here is just to foam at the mouth at
>> Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
>> truly sorry. These are not my goals, even if my method seems forced.
>>
>> I've tried writing multiple blog posts about Silent Circle, contacting
>> Silent Circle, asking journalists to *please* mention the importance of
>> free, open source in cryptography, and so on. All of this has failed. It
>> has simply become clear to me that Silent Circle enjoys a double standard
>> because of the reputation of those behind it.
>>
>> Silent Circle may be developed by Gods, but this is just quite plainly
>> unfair. If someone repeatedly claims, towards activists, to have developed
>> "unbreakable encryption", markets it closed-source for money, and receives
>> nothing but nods of recognition and applause from the press and even from
>> *security experts* (?!) then something is seriously wrong! No one should be allowed
>> to commit these wrongs, not even Silent Circle.
>>
>> I feel like I'm fighting for our own sanity here. Look at what you're
>> allowing to happen!
>>
>>
>> NK
>>
>>
>> On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi  wrote:
>>
>>> On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian wrote:
>>>
>>>> It is clear that you seem to have developed a foaming-in-the-mouth,
>>>> irrational hate of Silent Circle. As such, anyone who fails to denounce
>>>> Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
>>>> shill.
>>>>
>>>
>>> Chris,
>>> You have repeatedly stood up asking VoIP software to be more transparent
>>> about their encryption. You have repeatedly stood up when the media
>>> overblew coverage into hype.
>>>
>>> However, Silent Circle remains *the only case* where you remain mentioned
>>> regularly in articles on the company, where you make a point to completely
>>> ignore that they are posting everywhere on their social media that they are
>>> developing "unbreakable encryption", and marketing it, closed-source,
>>> towards activists. When I confront you about this, you publicly accuse me of
>>> "soliciting a hit piece" (!!) against Silent Circle.
>>>
>>> That is what I have a problem with: A huge, clear, obvious double standard
>>> strictly made available for Silent Circle.
>>>
>>>

>>>> I proudly stand by every single statement quoted in that Verge story.
>>>>
>>>> Chris
>>>>
>>>>
>>>> On Wed, Feb 6, 2013 at 8:56 PM, Nadim Kobeissi wrote:

>>>>> Chris Soghoian gives Silent Circle's unbreakable encryption an entire
>>>>> article's worth of lip service here, it must be really unbreakable:
>>>>>
>>>>> http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
>>>>>
>>>>>
>>>>> NK
>>>>>
>>>>>
>>>>> On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley wrote:
>>>>>
>>>>>> I heard they have a super secret crypto clubhouse in the belly of an
>>>>>> extinct volcano.
>>>>>>
>>>>>> Other rumors suggest they built their lab in the liberated tunnels
>>>>>> beneath bin Laden's secret lair in Pakistan...
>>>>>>
>>>>>> Sent from my iPad
>>>>>>
>>>>>> On Feb 6, 2013, at 19:42, Nadim Kobeissi wrote:
>>>>>>
>>>>>> Actual headline.
>>>>>>
>>>>>>
>>>>>> http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
>>>>>>
>>>>>>
>>>>>> NK
>>>>>>

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Nadim Kobeissi
On Wed, Feb 6, 2013 at 5:16 PM, Jacob Appelbaum  wrote:

>
>
> This is hilarious.
>
> I would *never* use a laptop that lacks a way to protect all your
> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
> surveillance as an at risk person. Not only because the remote systems
> will have your exact geographic location and because a lack of anonymity
> allows for targeted attacks, but also because the local network is well
> known to be seriously hostile!
>
>
Thankfully, while Chrome does not support better solutions (such as Tor),
it does in fact support VPN connections:
http://support.google.com/chromeos/bin/answer.py?hl=en&answer=1282338


>
>

> >
> >
> >
> > On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi  wrote:
> >
> >> The biggest (and very important) difference between Linux and
> >> Chromebooks is the hugely smaller attack surface.
> >>
> >>
> >> NK
> >>
> >>
> >> On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley wrote:
> >>
> >>> Andreas,
> >>>
> >>> Plenty of Syrians do have internet access, and use it on a regular
> >>> basis.
> >>>
> >>> Also, lack of appropriateness for one use-case doesn't necessitate lack
> >>> of appropriateness across the board.
> >>>
> >>> Linux is a great solution for many use cases, but as has been
> >>> elaborated, quite a terrible one for many others.
> >>>
> >>> Brian
> >>>
> >>>
> >>> On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader wrote:
> >>>
> >>>> On 02/06/2013 04:24 PM, Tom Ritter wrote:
> >>>>> Nadim, I'm with you.  I'm not sure it's the perfect solution for
> >>>>> everyone, but like Nathan said, if you already trust Google, I think
> >>>>> it's a good option.
> >>>>>
> >>>>> On 6 February 2013 07:12, Andreas Bader wrote:
> >>>>>> Why don't you use an old thinkpad or something with Linux, you have
> >>>>>> the same price like a Chromebook but more control over the system. And
> >>>>>> you don't depend on the 3G and Wifi net.
> >>>>> We started with the notion of Linux, and we were attracted to
> >>>>> Chromebooks for a bunch of reasons.  Going back to Linux loses all
> >>>>> the things we were attracted to.
> >>>>>
> >>>>> - ChromeOS's attack surface is infinitely smaller than with Linux
> >>>>> - The architecture of ChromeOS is different from Linux - process
> >>>>> separation through SOP, as opposed to no process separation at all
> >>>>> - ChromeOS was *designed* to have you logout, and hand the device
> >>>>> over to someone else to login, and get no access to your stuff.  Extreme
> >>>>> Hardware attacks aside, it works pretty well.
> >>>>> - ChromeOS's update mechanism is automatic, transparent, and
> >>>>> basically foolproof.  Having bricked Ubuntu and Gentoo systems, the same is not
> >>>>> true of Linux.
> >>>>> - Verified Boot, automatic FDE, tamper-resistant hardware
> >>>>>
> >>>>> Something I'm curious about is, if any less-popular device became
> >>>>> popular among the activist community - would the government view it
> >>>>> as an indicator of interest?  Just like they block Tor, would they
> >>>>> block Chromebooks?  It'd have to get pretty darn popular first
> >>>>> though.
> >>>>>
> >>>>> -tom
> >>>>> --
> >>>>>
> >>>> But you can't use it for political activists e.g. in Syria because of
> >>>> its dependence on the internet connection. This fact is authoritative.
> >>>> For Europe and USA and so on it might be a good solution.
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>>
> >>>
> >>>
> >>> Brian Conley
> >>>
> >>> Director, Small World News
> >>>
> >>> http://smallworldnews.tv
> >>>
> >>> m: 646.285.2046
> >>>
> >>> Skype: brianjoelconley
> >>>
> >>>
> >>>

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread scarp

Jens Christian Hillerup:
> Hear-hear. They don't need to open-source their software to
> convince me, as long as they are open about their protocol at
> least.

And what if there's a second set of decryption master keys? You're
willing to trust them because they say "We're famous guys, we won't do
anything bad, and plus we hate naughty governments."

In any case if they can match a person of interest with an account
(through other means) they can apply rubber-hose cryptanalysis or key
disclosure law to the user or recipient to really find out what they've
been sending and receiving with it.

The fact is you can't buy into this service anonymously, so at least
payment credentials will be available. Even if Phil says he won't be
bad, what is to stop Apple revealing your iTunes account purchased this
application in the AppStore when the necessary legal screws are applied to
them?

-- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313


Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Nadim Kobeissi
On Wed, Feb 6, 2013 at 5:16 PM, Jacob Appelbaum  wrote:

> Most of the arguments I've heard here boil down to privileged wealthy people
> complaining that learning and mutual aid or solidarity is simply too
> hard. The worst is when people who train people in risky situations make
> those kinds of statements.
>
> It's frankly, really and seriously embarrassing.
>

What?


>
> All the best,
> Jake
>
> > On Feb 6, 2013 7:09 PM, "micah anderson"  wrote:
> >
> >> Andy Isaacson  writes:
> >>
> >>> On Wed, Feb 06, 2013 at 10:52:23AM -0500, micah anderson wrote:
> >>>>> - ChromeOS's update mechanism is automatic, transparent, and basically
> >>>>> foolproof.  Having bricked Ubuntu and Gentoo systems, the same is not
> >>>>> true of Linux.
> >>>>
> >>>> I would be surprised if you actually 'bricked' these systems, since
> >>>> neither operating system you mention involves a procedure that has the
> >>>> risk of bricking a device. I suspect this is hyperbole?
> >>>
> >>> I've had dist-upgrade (or the GUI equivalent) make an Ubuntu system
> >>> unbootable and unrecoverable without recourse to a rescue-image and deep
> >>> magic grub hacking, etc.  That counts as "bricked" when the easiest
> >>> course of action is to simply reinstall the OS from scratch.  It's not
> >>> "bricked" in the sense that an Android install gone awry can require
> >>> specialized hardware (JTAG dongle etc) and crypto keys to fix, but it's
> >>> equivalent from a user's point of view.
> >>
> >> I understand where you are going with this, but when it comes to
> >> terminology, I think it serves to confuse the issue to misuse the term
> >> 'brick'. You cannot, as you say, "simply reinstall the OS from scratch"
> >> on a device that has been bricked.
> >>
> >> I can't wait for the day when Google accidentally pushes an update out
> >> that actually bricks their devices, because when that happens, there is
> >> no way to "simply reinstall the OS from scratch".

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Jacob Appelbaum
T N:
> The word "Linux" doesn't refer to anything, other than maybe the kernel.
> 
> Chrome OS is linux.  But it's a massively stripped down "distribution" that
> has a radical design, including the fact that it will ONLY run if all of
> the cryptographic checks are verified from the root of trust.  That root of
> trust is Google's massively large PKI public key that is burned into the
> firmware.
> 

It runs software that is in Debian, the GNU/Linux operating system. I
know, I've written some of it (eg: tlsdate). They do a good job of
locking things down but it is basically just another distribution of Linux.

> For a journalist in the field, that's a great reassurance.  Take your
> Chromebook to China.  The Chinese government can not alter what you are
> running without either (a) modifying your hardware, which means they take
> possession of it for a period of time and manage to do something that is
> tricky to do (i.e. circumstances under which you'd no longer trust your
> computer anyways) or (b) you will know they tried to hack it and your
> Chromebook will refuse to boot, and will instead wipe away the hacks and
> update itself and won't boot unless the update is a legitimate one signed
> by Google.

This is hilarious.

I would *never* use a laptop that lacks a way to protect all your
traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
surveillance as an at risk person. Not only because the remote systems
will have your exact geographic location and because a lack of anonymity
allows for targeted attacks, but also because the local network is well
known to be seriously hostile!

A persistent backdoor on your Chromebook is not actually impossible. I
have a few ideas for how to make it happen and I've discussed
security/development issues with the ChromeOS team on a nearly daily basis.

> Yes, you can't compare Chrome OS's attack surface to a typical linux
> distribution, or even a highly customized linux install which doesn't have
> the hardware root of trust.
> 

Actually, I think you can compare it - one major advantage is that you
can protect your network traffic and compartmentalize your risk with any
Secure Boot enabled Linux distro. You can also do it without secure boot
and it isn't terribly hard as long as you draw arbitrary lines like "the
EFI firmware blobs and hardware are out of scope" which is what happens
with Secure Boot systems anyway.

All the best,
Jake

> 
> 
> 
> On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi  wrote:
> 
>> The biggest (and very important) difference between Linux and Chromebooks
>> is the hugely smaller attack surface.
>>
>>
>> NK
>>
>>
>> On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley wrote:
>>
>>> Andreas,
>>>
>>> Plenty of Syrians do have internet access, and use it on a regular basis.
>>>
>>> Also, lack of appropriateness for one use-case doesn't necessitate lack
>>> of appropriateness across the board.
>>>
>>> Linux is a great solution for many use cases, but as has been elaborated,
>>> quite a terrible one for many others.
>>>
>>> Brian
>>>
>>>
>>> On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader wrote:
>>>
>>>> On 02/06/2013 04:24 PM, Tom Ritter wrote:
>>>>> Nadim, I'm with you.  I'm not sure it's the perfect solution for
>>>>> everyone, but like Nathan said, if you already trust Google, I think
>>>>> it's a good option.
>>>>>
>>>>> On 6 February 2013 07:12, Andreas Bader wrote:
>>>>>> Why don't you use an old thinkpad or something with Linux, you have
>>>>>> the same price like a Chromebook but more control over the system. And you
>>>>>> don't depend on the 3G and Wifi net.
>>>>> We started with the notion of Linux, and we were attracted to
>>>>> Chromebooks for a bunch of reasons.  Going back to Linux loses all the
>>>>> things we were attracted to.
>>>>>
>>>>> - ChromeOS's attack surface is infinitely smaller than with Linux
>>>>> - The architecture of ChromeOS is different from Linux - process
>>>>> separation through SOP, as opposed to no process separation at all
>>>>> - ChromeOS was *designed* to have you logout, and hand the device over
>>>>> to someone else to login, and get no access to your stuff.  Extreme
>>>>> Hardware attacks aside, it works pretty well.
>>>>> - ChromeOS's update mechanism is automatic, transparent, and basically
>>>>> foolproof.  Having bricked Ubuntu and Gentoo systems, the same is not
>>>>> true of Linux.
>>>>> - Verified Boot, automatic FDE, tamper-resistant hardware
>>>>>
>>>>> Something I'm curious about is, if any less-popular device became
>>>>> popular among the activist community - would the government view it
>>>>> as an indicator of interest?  Just like they block Tor, would they
>>>>> block Chromebooks?  It'd have to get pretty darn popular first though.
>>>>>
>>>>> -tom
>>>>> --
>>>>>
>>>> But you can't use it for political activists e.g. in Syria because of
>>>> its dependence on the internet connection. This fact is authoritative.
>>>> For Europe and USA and so on it might be a good solutio
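The boot check T N describes in the quoted text above (firmware trusts only images that verify under the public key burned into it, refuses a modified image, and falls back to a legitimately signed update) as a small Go model. This is an added example written for this thread, not ChromeOS code and not anything posted by a list member; the Ed25519 vendor key, the image contents and the recovery fallback are constructed for the demo, and, as Jacob points out, a check like this says nothing about the network traffic once the device is running.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Firmware is the part of the device an OS update cannot change. It holds only
// the vendor's public key (the root of trust). Constructed toy, not ChromeOS code.
type Firmware struct {
	RootOfTrust ed25519.PublicKey
}

// SignedImage is what an OS release ships as: the image bytes plus the
// vendor's signature over their SHA-256 digest.
type SignedImage struct {
	Image     []byte
	Signature []byte
}

// ErrRefused is reported instead of booting an image that fails the check.
var ErrRefused = errors.New("verified boot: signature does not verify under root of trust")

// SignImage is the vendor side: only a holder of the signing key can produce
// an image the firmware will accept.
func SignImage(priv ed25519.PrivateKey, image []byte) SignedImage {
	digest := sha256.Sum256(image)
	return SignedImage{
		Image:     append([]byte(nil), image...),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Boot is the firmware side: control passes to the image only if its signature
// verifies under the burned-in key. Any change to the bytes, or a signature
// made with any other key, is refused.
func (f Firmware) Boot(img SignedImage) ([]byte, error) {
	digest := sha256.Sum256(img.Image)
	if !ed25519.Verify(f.RootOfTrust, digest[:], img.Signature) {
		return nil, ErrRefused
	}
	return img.Image, nil
}

// BootOrRecover models the fallback described in the thread: when the installed
// image fails the check, the firmware discards it and tries a recovery image,
// which must pass the same check. The bool reports whether recovery was needed.
func (f Firmware) BootOrRecover(installed, recovery SignedImage) ([]byte, bool, error) {
	if img, err := f.Boot(installed); err == nil {
		return img, false, nil
	}
	img, err := f.Boot(recovery)
	return img, true, err
}

type Result struct {
	GenuineBoots     bool // untouched vendor image runs
	TamperedRefused  bool // image modified after signing is refused
	TamperedRecovers bool // ...and the device falls back to the signed recovery image
	ForeignRefused   bool // image signed with a key other than the vendor's is refused
}

// RunScenarios generates a vendor key pair, burns the public half into the
// firmware, and exercises the scenarios the thread argues about. Keys and
// image contents are constructed for the demo.
func RunScenarios() (Result, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	fw := Firmware{RootOfTrust: vendorPub}
	release := SignImage(vendorPriv, []byte("constructed OS image v1"))
	recovery := SignImage(vendorPriv, []byte("constructed recovery image"))

	var r Result
	_, err = fw.Boot(release)
	r.GenuineBoots = err == nil

	// Flip one byte of the installed image, standing in for a modification
	// made while the device was out of its owner's hands.
	tampered := SignedImage{Image: append([]byte(nil), release.Image...), Signature: release.Signature}
	tampered.Image[0] ^= 0x01
	_, err = fw.Boot(tampered)
	r.TamperedRefused = errors.Is(err, ErrRefused)

	img, recovered, err := fw.BootOrRecover(tampered, recovery)
	r.TamperedRecovers = err == nil && recovered && string(img) == string(recovery.Image)

	// A signature valid under some other key pair is still invalid under the
	// root of trust, so re-signing does not get a modified image past the check.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	_, err = fw.Boot(SignImage(otherPriv, tampered.Image))
	r.ForeignRefused = errors.Is(err, ErrRefused)
	return r, nil
}
```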

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Jacob Appelbaum
Brian Conley:
> Micah,
> 
> Perhaps you can tell us the secret to convince all family members and
> colleagues to become Linux hackers able to be completely self-sufficient
> managing their own upgrades and modifications indefinitely?

Stop supporting the use of non-free software? We're all part of the
problem when we help people to be less free and to use proprietary
software or proprietary services. This is both an education and a
problem with enabling. We all suffer from it, I think.

When we encourage people to say, buy a Macbook or a Chromebook because
we're happy to support it over say, Windows, we're making things worse.
Largely because the choice is actually between Free Software and
proprietary software or free software on devices where we're not
actually able to exercise all of our freedoms.

Thus, when we aren't helping people to get off of the non-free platforms
or to reduce our dependency on non-free software, we're basically not
doing a great job at educating people that we care about and otherwise
wish to support. When we pass the buck, we're enabling them with
harmful, sometimes seriously so, solutions.

> 
> Otherwise what is your point?
> 

This essay seems like a longer version of what Micah has expressed:

  http://www.gnu.org/philosophy/free-sw.html
  http://www.gnu.org/philosophy/right-to-read.html

I also suggest reading these two essays by RMS:

  http://www.gnu.org/philosophy/shouldbefree.html
  http://www.gnu.org/philosophy/when_free_software_isnt_practically_better.html

He is also talking about how the threats to a user might include Google
itself (eg: my legal cases!) or perhaps even the network you're using
(hint: ChromeOS has no way to protect you against such an attacker, so
no, it isn't safe to use everywhere or perhaps anywhere depending on
your trust of the local network).

> It seems like you are being needlessly confrontational or outright ignoring
> the quite reasonable counter arguments to various Linux OSes, Ubuntu/Gentoo/
> etc., etc. being made here.

Most of the arguments I've heard here boil down to privileged wealthy people
complaining that learning and mutual aid or solidarity is simply too
hard. The worst is when people who train people in risky situations make
those kinds of statements.

It's frankly, really and seriously embarrassing.

All the best,
Jake

> On Feb 6, 2013 7:09 PM, "micah anderson"  wrote:
> 
>> Andy Isaacson  writes:
>>
>>> On Wed, Feb 06, 2013 at 10:52:23AM -0500, micah anderson wrote:
>>>>> - ChromeOS's update mechanism is automatic, transparent, and basically
>>>>> foolproof.  Having bricked Ubuntu and Gentoo systems, the same is not
>>>>> true of Linux.
>>>>
>>>> I would be surprised if you actually 'bricked' these systems, since
>>>> neither operating system you mention involves a procedure that has the
>>>> risk of bricking a device. I suspect this is hyperbole?
>>>
>>> I've had dist-upgrade (or the GUI equivalent) make an Ubuntu system
>>> unbootable and unrecoverable without recourse to a rescue-image and deep
>>> magic grub hacking, etc.  That counts as "bricked" when the easiest
>>> course of action is to simply reinstall the OS from scratch.  It's not
>>> "bricked" in the sense that an Android install gone awry can require
>>> specialized hardware (JTAG dongle etc) and crypto keys to fix, but it's
>>> equivalent from a user's point of view.
>>
>> I understand where you are going with this, but when it comes to
>> terminology, I think it serves to confuse the issue to misuse the term
>> 'brick'. You cannot, as you say, "simply reinstall the OS from scratch"
>> on a device that has been bricked.
>>
>> I can't wait for the day when Google accidentally pushes an update out
>> that actually bricks their devices, because when that happens, there is
>> no way to "simply reinstall the OS from scratch".


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread scarp

Nadim Kobeissi:
> Small follow-up: Maybe it's true I look like my goal here is just
> to foam at the mouth at Silent Circle. Maybe it looks like I'm just
> here to annoy Chris, and I'm truly sorry. These are not my goals,
> even if my method seems forced.
> 
> I've tried writing multiple blog posts about Silent Circle,
> contacting Silent Circle, asking journalists to *please* mention
> the importance of free, open source in cryptography, and so on. All
> of this has failed. It has simply become clear to me that Silent
> Circle enjoys a double standard because of the reputation of those
> behind it.
> 
> Silent Circle may be developed by Gods, but this is just quite
> plainly unfair. If someone repeatedly claims, towards activists, to
> have developed "unbreakable encryption", markets it closed-source
> for money, and receives nothing but nods of recognition and
> applause from the press and even from *security experts* (?!) then
> something is seriously wrong! No one should be allowed to commit
> these wrongs, not even Silent Circle.
> 
> I feel like I'm fighting for our own sanity here. Look at what
> you're allowing to happen!

I've been monitoring this discussion about Silent Circle and the one
on cryptogra...@randombit.net

Software such as TrueCrypt would never have gained the popularity and
widespread usage if it were closed source. Likewise things like SSL
and TLS would not have gained widespread usage without standards
bodies and technical specifications.

I don't see Silent Circle being anything revolutionary. Encryption
software which encrypts the contents before uploading it to the cloud
already exists, see Cyphertite. They have actually released their source.

I also don't see how any "burn" function of software on sensitive data
has any useful purpose. I see that as a false sense of security. If
someone were to take a photo of the phone with another phone, it would
be circumvented.

I also don't see any problem in Silent Circle releasing source, and
using a restrictive license if they so please, the point is while it
is closed source we're really just expected to "trust" these big names.

Rich and popular men can be bought and sold, so really their
identities or names mean nothing to me. We need independent verifiable
proof by people who understand the most inner workings of the
implementations of the encryption to say "yes this works", and also
people attempting to break it.

Also by saying "unbreakable encryption" do they mean to say they've
developed encryption technology using unbreakable ciphers, or is it
just the implementation of them? To me it seems like a massive
marketing campaign; if they're using social media as much as people say
they are, this would further support this.

Also "unbreakable encryption" is similar to saying you've made an
unsinkable ship, and we all know what happened last time someone said
that.

I also think journalists publishing about "Secret Circle" should find
independent qualified sources to verify the claims of it being
"unbreakable" before publishing it. To me that seems like good
journalism vs bad.

-- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Griffin Boyce
On Thu, Feb 7, 2013 at 10:31 AM, Nadim Kobeissi  wrote:

> I've tried writing multiple blog posts about Silent Circle, contacting
> Silent Circle, asking journalists to *please* mention the importance of
> free, open source in cryptography, and so on. All of this has failed. It
> has simply become clear to me that Silent Circle enjoys a double standard
> because of the reputation of those behind it.
>
> Silent Circle may be developed by Gods, but this is just quite plainly
> unfair. If someone repeatedly claims, towards activists, to have developed
> "unbreakable encryption", markets it closed-source for money, and receives
> nothing but nods of recognition and applause from the press and even from
> *security experts* (?!) then something is seriously wrong! No one should
> be allowed to commit these wrongs, not even Silent Circle.
>

  It's definitely not for nothing. *Any* project with that amount of hype
around it should be taken skeptically by media covering it, but until very
recently, that has not been the case with Silent Circle. You and other
vocal proponents of open-source crypto have changed the dialogue. Nothing
is perfect, but it's getting there. ("There" being more even-handed media
coverage. I don't actually expect them to open source anything.)

  There are many double standards in tech and especially tech-focused
journalism. Phil Zimmermann is going to have less pushback on his
product/service than an MIT grad student would, and the MIT grad student
would have less skepticism directed their way than a graduate of the
University of Edinburgh -- on down the line.  And personal relationships
affect these structures at every level.

  Anyone who thinks class stratification doesn't exist just because we're
Internauts is mistaken.

~Griffin

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Julien Rabier
Hello all,

I'm no sec expert but to me, it's so obvious that Nadim is right on this.
Perhaps the form is not perfect, but if he's the only one fighting for our
own sanity here, as he says, that's no surprise.

We should all be asking Silent Circle to commit to their statement and show
us the source code of their so-called unbreakable encryption tools.

Again, I'm no sec expert and I won't be the guy who will do the hard task of
auditing and reviewing this code. But as a user, as a citizen and perhaps an
activist, I want the source code of such tools to be reviewed widely and
publicly before using and promoting it. 

My 2 euro cents,
Julien

On 07 Feb. - 10:31, Nadim Kobeissi wrote:
> Small follow-up:
> Maybe it's true I look like my goal here is just to foam at the mouth at
> Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
> truly sorry. These are not my goals, even if my method seems forced.
> 
> I've tried writing multiple blog posts about Silent Circle, contacting
> Silent Circle, asking journalists to *please* mention the importance of
> free, open source in cryptography, and so on. All of this has failed. It
> has simply become clear to me that Silent Circle enjoys a double standard
> because of the reputation of those behind it.
> 
> Silent Circle may be developed by Gods, but this is just quite plainly
> unfair. If someone repeatedly claims, towards activists, to have developed
> "unbreakable encryption", markets it closed-source for money, and receives
> nothing but nods of recognition and applause from the press and even from
> *security experts* (?!) then something is seriously wrong! No one should be allowed
> to commit these wrongs, not even Silent Circle.
> to commit these wrongs, not even Silent Circle.
> 
> I feel like I'm fighting for our own sanity here. Look at what you're
> allowing to happen!
> 
> 
> NK
> 
> 
> On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi  wrote:
> 
> > On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian wrote:
> >
> >>
> >> It is clear that you seem to have developed a foaming-in-the-mouth,
> >> irrational hate of Silent Circle. As such, anyone who fails to denounce
> >> Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
> >> shill.
> >>
> >
> > Chris,
> > You have repeatedly stood up asking VoIP software to be more transparent
> > about their encryption. You have repeatedly stood up when the media
> > overblew coverage into hype.
> >
> > However, Silent Circle remains *the only case* where you remain mentioned
> > regularly in articles on the company, where you make a point to completely
> > ignore that they are posting everywhere on their social media that they are
> > developing "unbreakable encryption", and marketing it, closed-source,
> > towards activists. When I confront you about this, you publicly accuse me of
> > "soliciting a hit piece" (!!) against Silent Circle.
> >
> > That is what I have a problem with: A huge, clear, obvious double standard
> > strictly made available for Silent Circle.
> >
> >
> >>
> >> I proudly stand by every single statement quoted in that Verge story.
> >>
> >> Chris
> >>
> >>
> >> On Wed, Feb 6, 2013 at 8:56 PM, Nadim Kobeissi  wrote:
> >>
> >>> Chris Soghoian gives Silent Circle's unbreakable encryption an entire
> >>> article's worth of lip service here, it must be really unbreakable:
> >>>
> >>> http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
> >>>
> >>>
> >>> NK
> >>>
> >>>
> >>> On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley wrote:
> >>>
> >>>> I heard they have a super secret crypto clubhouse in the belly of an
> >>>> extinct volcano.
> >>>>
> >>>> Other rumors suggest they built their lab in the liberated tunnels
> >>>> beneath bin Laden's secret lair in Pakistan...
> >>>>
> >>>> Sent from my iPad
> >>>>
> >>>> On Feb 6, 2013, at 19:42, Nadim Kobeissi wrote:
> >>>>
> >>>> Actual headline.
> >>>>
> >>>>
> >>>> http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
> >>>>
> >>>>
> >>>> NK
> >>>>


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Ali-Reza Anghaie
I'm not sure it's been all for naught, even the article Christian is quoted
in refers to RedPhone and TextSecure... is it a link-list of FOSS tools
and teams? No but, really, that doesn't actually get people to go ~use~
something.

I'm also not sure unbreakable is core to SC's marketing at all - I think
that's the type of thing some tech. journalists go with. SC's own site
talks about all sorts of things they ~can't~ do - they're not telling
people they are the best line of defense even (they talk about lifestyle
OPSEC too for example).

Here is the way I look at it - the easiest to use introduces more and more
people to the whole roll of things. It DRIVES people to search and write
about what else is out there once they "know" they don't want to be without
the tools anymore. SC is a win for everyone in this case.

I know, for a fact, SC has introduced a lot more people to FOSS solutions
that otherwise wouldn't have ever considered it after dalliances in GnuPG
years ago. Once bad privacy user experience - always bad privacy user
experience sort of thing.

Cheers, -Ali



On Thu, Feb 7, 2013 at 10:31 AM, Nadim Kobeissi  wrote:

> Small follow-up:
> Maybe it's true I look like my goal here is just to foam at the mouth at
> Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
> truly sorry. These are not my goals, even if my method seems forced.
>
> I've tried writing multiple blog posts about Silent Circle, contacting
> Silent Circle, asking journalists to *please* mention the importance of
> free, open source in cryptography, and so on. All of this has failed. It
> has simply become clear to me that Silent Circle enjoys a double standard
> because of the reputation of those behind it.
>
> Silent Circle may be developed by Gods, but this is just quite plainly
> unfair. If someone repeatedly claims, towards activists, to have developed
> "unbreakable encryption", markets it closed-source for money, and receives
> nothing but nods of recognition and applause from the press and even from
> *security experts* (?!) then something is seriously wrong! No one should
> be allowed to commit these wrongs, not even Silent Circle.
>
> I feel like I'm fighting for our own sanity here. Look at what you're
> allowing to happen!
>
>
> NK
>
>
> On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi  wrote:
>
>> On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian 
>> wrote:
>>
>>>
>>> It is clear that you seem to have developed a foaming-in-the-mouth,
>>> irrational hate of Silent Circle. As such, anyone who fails to denounce
>>> Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
>>> shill.
>>>
>>
>> Chris,
>> You have repeatedly stood up asking VoIP software to be more transparent
>> about their encryption. You have repeatedly stood up when the media
>> overblew coverage into hype.
>>
>> However, Silent Circle remains *the only case* where you remain
>> mentioned regularly in articles on the company, where you make a point to
>> completely ignore that they are posting everywhere on their social media
>> that they are developing "unbreakable encryption", and marketing it,
>> closed-source, towards activists. When I confront you about this, you
>> publicly accuse me of "soliciting a hit piece" (!!) against Silent Circle.
>>
>> That is what I have a problem with: A huge, clear, obvious double
>> standard strictly made available for Silent Circle.
>>
>>
>>>
>>> I proudly stand by every single statement quoted in that Verge story.
>>>
>>> Chris
>>>
>>>
>>> On Wed, Feb 6, 2013 at 8:56 PM, Nadim Kobeissi  wrote:
>>>
 Chris Soghoian gives Silent Circle's unbreakable encryption an entire
 article's worth of lip service here, it must be really unbreakable:

 http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone


 NK


 On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley >>> > wrote:

> I heard they have a super secret crypto clubhouse in the belly of an
> extinct volcano.
>
> Other rumors suggest they built their lab in the liberated tunnels
> beneath bin Laden's secret lair in Pakistan...
>
> Sent from my iPad
>
> On Feb 6, 2013, at 19:42, Nadim Kobeissi  wrote:
>
> Actual headline.
>
>
> http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
>
>
> NK
>

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Nadim Kobeissi
Small follow-up:
Maybe it's true I look like my goal here is just to foam at the mouth at
Silent Circle. Maybe it looks like I'm just here to annoy Chris, and I'm
truly sorry. These are not my goals, even if my method seems forced.

I've tried writing multiple blog posts about Silent Circle, contacting
Silent Circle, asking journalists to *please* mention the importance of
free, open source in cryptography, and so on. All of this has failed. It
has simply become clear to me that Silent Circle enjoys a double standard
because of the reputation of those behind it.

Silent Circle may be developed by Gods, but this is just quite plainly
unfair. If someone repeatedly claims, towards activists, to have developed
"unbreakable encryption", markets it closed-source for money, and receives
nothing but nods of recognition and applause from the press and even from
*security experts* (?!) then something is seriously wrong! No one should be
allowed to commit these wrongs, not even Silent Circle.

I feel like I'm fighting for our own sanity here. Look at what you're
allowing to happen!


NK


On Thu, Feb 7, 2013 at 10:15 AM, Nadim Kobeissi  wrote:

> On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian 
> wrote:
>
>>
>> It is clear that you seem to have developed a foaming-in-the-mouth,
>> irrational hate of Silent Circle. As such, anyone who fails to denounce
>> Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
>> shill.
>>
>
> Chris,
> You have repeatedly stood up asking VoIP software to be more transparent
> about their encryption. You have repeatedly stood up when the media
> overblew coverage into hype.
>
> However, Silent Circle remains *the only case* where you remain mentioned
> regularly in articles on the company, where you make a point to completely
> ignore that they are posting everywhere on their social media that they are
> developing "unbreakable encryption", and marketing it, closed-source,
> towards activists. When I confront you about this, you publicly accuse me of
> "soliciting a hit piece" (!!) against Silent Circle.
>
> That is what I have a problem with: A huge, clear, obvious double standard
> strictly made available for Silent Circle.
>
>
>>
>> I proudly stand by every single statement quoted in that Verge story.
>>
>> Chris
>>
>>
>> On Wed, Feb 6, 2013 at 8:56 PM, Nadim Kobeissi  wrote:
>>
>>> Chris Soghoian gives Silent Circle's unbreakable encryption an entire
>>> article's worth of lip service here, it must be really unbreakable:
>>>
>>> http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
>>>
>>>
>>> NK
>>>
>>>
>>> On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley 
>>> wrote:
>>>
 I heard they have a super secret crypto clubhouse in the belly of an
 extinct volcano.

 Other rumors suggest they built their lab in the liberated tunnels
 beneath bin Laden's secret lair in Pakistan...

 Sent from my iPad

 On Feb 6, 2013, at 19:42, Nadim Kobeissi  wrote:

 Actual headline.


 http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market


 NK

--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Nadim Kobeissi
On Thu, Feb 7, 2013 at 4:11 AM, Christopher Soghoian wrote:

>
> It is clear that you seem to have developed a foaming-in-the-mouth,
> irrational hate of Silent Circle. As such, anyone who fails to denounce
> Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
> shill.
>

Chris,
You have repeatedly stood up asking VoIP software to be more transparent
about their encryption. You have repeatedly stood up when the media
overblew coverage into hype.

However, Silent Circle remains *the only case* where you remain mentioned
regularly in articles on the company, where you make a point to completely
ignore that they are posting everywhere on their social media that they are
developing "unbreakable encryption", and marketing it, closed-source,
towards activists. When I confront you about this, you publicly accuse me of
"soliciting a hit piece" (!!) against Silent Circle.

That is what I have a problem with: A huge, clear, obvious double standard
strictly made available for Silent Circle.


>
> I proudly stand by every single statement quoted in that Verge story.
>
> Chris
>
>
> On Wed, Feb 6, 2013 at 8:56 PM, Nadim Kobeissi  wrote:
>
>> Chris Soghoian gives Silent Circle's unbreakable encryption an entire
>> article's worth of lip service here, it must be really unbreakable:
>>
>> http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
>>
>>
>> NK
>>
>>
>> On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley 
>> wrote:
>>
>>> I heard they have a super secret crypto clubhouse in the belly of an
>>> extinct volcano.
>>>
>>> Other rumors suggest they built their lab in the liberated tunnels
>>> beneath bin Laden's secret lair in Pakistan...
>>>
>>> Sent from my iPad
>>>
>>> On Feb 6, 2013, at 19:42, Nadim Kobeissi  wrote:
>>>
>>> Actual headline.
>>>
>>>
>>> http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
>>>
>>>
>>> NK
>>>
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Jens Christian Hillerup
On Thu, Feb 7, 2013 at 2:53 PM, Griffin Boyce  wrote:
>   It makes business sense for them to stay closed-source. But until the day
> comes that they open the app code, I will remain skeptical.
-snip-
>   Closed-source code makes me suspicious precisely for the reason that any
> major bugs that they find stay secret.  So if there is a flaw that could
> expose user data, affected users might never find out.  See also: Skype.

Hear-hear. They don't need to open-source their software to convince
me, as long as they are open about their protocol at least. But they
might as well open-source it since their product is not the software.
It is the service of storing encrypted stuff for their clients. It
would make a lot of sense business-wise to expose an API and allow
third-parties to make software for this platform. Not only would it be
nice to hack around with, it would also become evident whether or not
they are implementing stuff right.

JC
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread Griffin Boyce
Ali-Reza Anghaie  wrote:

> A VZW employee was nice enough to reach out off list - wanted to remain
> anonymous - says that the international SIMs they send for you to put in
> overseas Nexus devices won't tether. Ever. No matter what I'm told
> otherwise.
>
> Anyhow.. enough of that. Cheers, -Ali
>

Nate was talking about using the phone to tether onto a local wifi network,
not onto the phone's 3G+ network. Though it still wouldn't work with stock
OS, since the phone must be rooted and support iptables.[1]

~Griffin

[1] http://code.google.com/p/android-wifi-tether/

On Wed, Feb 6, 2013 at 1:28 AM, Nathan of Guardian <nat...@guardianproject.info> wrote:
>
>
> You could also use Orbot with wifi-tether on Android phone. It can
> transparent proxy all the wifi hotspot traffic over Tor.
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Andreas Bader
On 02/07/2013 11:58 AM, Jens Christian Hillerup wrote:
> On Thu, Feb 7, 2013 at 11:41 AM, Andreas Bader  
> wrote:
>> Notionally there is no unbreakable encryption.
>> Practically there is an unbreakable encryption (AES, SHA-3); our
>> standards are more than adequate.
>> The risk with encryptions is more the possibility of a hardware hack.
>> Or a bad guy beating the shit out of you with a 5 Dollar Wrench until
>> you tell him the password.
>> In real life no one will use a super computer to break our hardcore
>> encrypted hard drives.
> I think Nadim was being sarcastic. I'm also eager to see what comes
> from this. I too think it's rather odd that these supposedly
> respectable cryptographers are so blatantly ignoring Kerckhoffs's
> principle.
>
> Quickly skimmed the article; it seems that you have to trust them to
> *actually* encrypt your stuff on your phone before storing it on their
> servers. As with so many others, it'd behoove them to put their code
> where their mouths are; I don't mind them making money off of this,
> but at least they should stop leveraging their big names in the
> industry to get a lot of media attention around them selling
> snake-oil.
>
> JC
>
Didn't get it, sorry.
I always forget that you can have humor in such a serious world. :-)

Andreas
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] EU NIS cybersecurity directive

2013-02-07 Thread André Rebentisch
Am 07.02.2013 00:30, schrieb André Rebentisch:
> Hi,
>
> Tomorrow, Thursday, a proposal for an EU Cyber Directive is supposed to
> get released. To be known as a proposed NIS ("network and information
> security") Directive.
Here is the fish:
http://ec.europa.eu/information_society/newsroom/cf//document.cfm?doc_id=1666

Plus communication Cybersecurity Strategy of the European Union: An
Open, Safe and Secure Cyberspace
http://ec.europa.eu/information_society/newsroom/cf//document.cfm?doc_id=1667

Best,
André
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Jens Christian Hillerup
On Thu, Feb 7, 2013 at 11:41 AM, Andreas Bader  wrote:
> Notionally there is no unbreakable encryption.
> Practically there is an unbreakable encryption (AES, SHA-3); our
> standards are more than adequate.
> The risk with encryptions is more the possibility of a hardware hack.
> Or a bad guy beating the shit out of you with a 5 Dollar Wrench until
> you tell him the password.
> In real life no one will use a super computer to break our hardcore
> encrypted hard drives.

I think Nadim was being sarcastic. I'm also eager to see what comes
from this. I too think it's rather odd that these supposedly
respectable cryptographers are so blatantly ignoring Kerckhoffs's
principle.

Quickly skimmed the article; it seems that you have to trust them to
*actually* encrypt your stuff on your phone before storing it on their
servers. As with so many others, it'd behoove them to put their code
where their mouths are; I don't mind them making money off of this,
but at least they should stop leveraging their big names in the
industry to get a lot of media attention around them selling
snake-oil.

JC
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Andreas Bader
On 02/07/2013 04:42 AM, Nadim Kobeissi wrote:
> Actual headline.
>
> http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
>
>
> NK
>
Notionally there is no unbreakable encryption.
Practically there is an unbreakable encryption (AES, SHA-3); our
standards are more than adequate.
The risk with encryptions is more the possibility of a hardware hack.
Or a bad guy beating the shit out of you with a 5 Dollar Wrench until
you tell him the password.
In real life no one will use a super computer to break our hardcore
encrypted hard drives.

Andreas
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread scarp

micah anderson:
> 
> I can't wait for the day when Google accidentally pushes an update
> out that actually bricks their devices, because when that happens,
> there is no way to "simply reinstall the OS from scratch".
> 

Funny you should mention that. I have a Galaxy Nexus and I accepted an
OTA update 4.2 or 4.2.1 I forget. Anyway that particular device had
file system encryption enabled. After the update it was in a permanent
reboot loop and I had to re-flash the entire device with the stock ROM.

Fortunately I'd backed up my data with Titanium Backup so restoration
was easy.

Another handset I have, also a Galaxy Nexus but without encryption, upgraded
properly without any issues. Likewise with a Nexus 7 I also own. Maybe
this was an example of a Google update going awry.

I do agree though Ubuntu wouldn't be the best solution (although I do
use Kubuntu on my workstation). I know my way around Linux, and it's
not mission critical. If it screwed up I'd have time to fix it, others
in hot areas trying to do a news report might not. :)

The other thing is Unity is distribution specific; Ubuntu's packages
are based off Debian testing/unstable. This is actually one of the
reasons I like KDE very much, because they haven't aligned themselves
with a Linux provider. In my opinion it also contains the right amount
of ease of use and reconfigurability to remain useful, unlike some
other environments aimed at being "easy to use".

For stable desktop usage something like CentOS or Debian stable would
probably be better. That said hardening those systems does take some
knowledge of Linux. I guess if you really wanted to use Ubuntu, you'd
have to stick to LTS releases; those tend to be a fair bit more
conservative.

--
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Christopher Soghoian
An entire article's worth of lip service?

“I’m agnostic about this,” he says, “I don’t really care if Silent Circle
captures this market, just as long as somebody does.”


I spent the entire interview with the Verge writer complaining about the
crappy security delivered by the wireless carriers, which, I think, is
entirely accurate, and consistent with my other efforts to shine light upon
the carriers' awful security.
See this in-depth story in today's Washington Post, for example:
http://www.washingtonpost.com/business/technology/android-phones-vulnerable-to-hackers/2013/02/01/f3248922-6723-11e2-9e1b-07db1d2ccd5b_print.html

It is clear that you seem to have developed a foaming-in-the-mouth,
irrational hate of Silent Circle. As such, anyone who fails to denounce
Phil Zimmermann as the great Satan is, in your eyes, some kind of corrupt
shill.

I proudly stand by every single statement quoted in that Verge story.

Chris


On Wed, Feb 6, 2013 at 8:56 PM, Nadim Kobeissi  wrote:

> Chris Soghoian gives Silent Circle's unbreakable encryption an entire
> article's worth of lip service here, it must be really unbreakable:
>
> http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
>
>
> NK
>
>
> On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley wrote:
>
>> I heard they have a super secret crypto clubhouse in the belly of an
>> extinct volcano.
>>
>> Other rumors suggest they built their lab in the liberated tunnels
>> beneath bin Laden's secret lair in Pakistan...
>>
>> Sent from my iPad
>>
>> On Feb 6, 2013, at 19:42, Nadim Kobeissi  wrote:
>>
>> Actual headline.
>>
>>
>> http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
>>
>>
>> NK
>>
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech