[liberationtech] The Myopia of excluding censors: The tale of a self-defeating petition - Opinion - Al Jazeera English
http://www.aljazeera.com/indepth/opinion/2013/02/20132314561857436.html

The Myopia of excluding censors: The tale of a self-defeating petition

Closing US borders in the name of openness does not create more freedom, but creates more divisions, writes author.

Last Modified: 06 Feb 2013 06:58

In the last week, thousands of people have signed a petition on Whitehouse.gov titled, "People who help internet censorship, builders of Great Firewall in China for example, should be denied entry to the US." The petition proposes that the United States deny entry for "people who use their skills and technology for blocking people to use internet". It goes on to say that "as a responsible government [that] has always valued freedom, it [sic] reasonable to deny it". This petition is a horrible idea and I hope it does not gain anywhere close to the 100,000 signatures needed by February 24 for the petition to trigger a White House response.

I came across the petition on Libtech, a great listserv out of the Program on Liberation Technology at Stanford University. The person who circulated this petition works on Internet Freedom at the Bureau of Democracy, Human Rights and Labor (DRL) of the US State Department. I am shocked that someone from the US State Department is circulating this petition, listing their affiliation, and making it appear as if the US State Department approved the petition. This person forwarded it to the listserv without a disclaimer that circulation does not suggest US government's endorsement. This person also pointed out that the petition needs 92,204 more signatures to reach its goal. While this person did not explicitly endorse the petition, these actions suggest endorsement. But even more troubling than a semi-official circulation is the idea that we should be denying people the opportunity to enter the US because they are associated with censorship.

Public face of censorship

How do we even define someone as a person who "help(s) internet censorship" and is a "builder of the Great Firewall"? Fang Binxing is the architect of China's extensive censorship network, widely known as the "Father of China's Great Firewall". This petition would deny him entry into the US. But Fang Binxing is only one person who has become the public face of censorship. The Ministry of Industry and Information Technology (MIIT) oversees and implements filtering software. Would anyone associated with the MIIT be banned from coming into the US? The MIIT oversees the China Internet Network Information Center (CNNIC). Often referred to as the equivalent of the US' FCC, CNNIC manages administrative affairs such as domain registry and anti-phishing. CNNIC also has a research arm that is similar to the Pew Internet Research Center, producing statistical reports about the Chinese internet that researchers and journalists often cite.

I spent a summer as a National Science Foundation Fellow doing ethnographic fieldwork at CNNIC in Beijing. The people who oversaw CNNIC relished the chances they had to go to conferences outside of China. Conferences provided CNNIC officials an important source of firsthand information and experience of the world beyond China. One of the most important things I learned from my time at CNNIC is that these people whom we call censors are much more aware of the world than we in the West often portray them to be. This should inform policy decisions to maintain open exchanges with officials who oversee the Chinese internet. This petition would deny all CNNIC researchers and officials the opportunity to come to the US for conferences and events.

Such a petition is backwards. We should be encouraging Fang Binxing to come to the US. He should witness what a society with limited censorship looks like and be a part of the discussions about internet freedom at internet governance conferences.

Internet tech conferences are a lot like track two diplomacy. They bring together people who have opposing views to offer up insights or knowledge. Just as much as it is important for officials from authoritarian regimes to attend conferences in the US, it is also important for Americans to go to conferences that are held in authoritarian regimes.

Internet freedom conferences

In 2005, the World Summit on the Information Society (WSIS) was held in Tunisia, an authoritarian society at the time. In 2012, the Internet Governance Forum (IGF) was held in Azerbaijan, still an authoritarian society. Would we want these very same countries to turn around and deny US citizens the opportunity to enter just because we engage in anti-censorship practices?

Sarah Kendzior argues that there is a very good reason why internet policy conferences are held in authoritarian states. In her article, she points to editorials that asked why a conference on internet freedom was taking place in a dictatorship. Kendzior argues that internet freedom conferences should always take place in authoritarian regimes because to do so holds all
[liberationtech] Comments on the EU Commission’s Flawed Cybersecurity Strategy
Hi all,

Frustrated by the lack of critical reporting on the matter, I put together a post on the EU Cybersecurity Strategy that was announced yesterday. Apart from prof. Ross Anderson's, I've read very few worthwhile analyses of it coming from civil society or academia. So I thought it would be useful to have your take:

http://www.wethenet.eu/2013/02/comments-on-the-eu-commissions-flawed-cybersecurity-strategy/

Corrections welcome, especially if you think I'm being overly pessimistic/negative.

Best,
Félix

PS: Since this is my first post to the list, a few introductory words: I was a policy analyst (now volunteer) at Paris-based La Quadrature du Net for three years, and I'm currently writing my PhD thesis on the Internet's consequences for free speech law and citizen empowerment in EU democracies.

Comments on the EU Commission's Flawed Cybersecurity Strategy

On Thursday February 7th 2013, during a press conference, the European Commission announced a milestone initiative in the field of "cybersecurity", publishing two documents:

- A *proposal for a directive* http://www.wethenet.eu/wp-content/uploads/CYBERSECURITY-DRAFT-PROPOSAL.pdf "concerning measures to ensure a high common level of network and information security across the Union" (apparently nicknamed the "NIS directive").
- A *communication* http://www.wethenet.eu/wp-content/uploads/CYBERSECURITY-JOINT-COMMUNICATION.pdf on a "CyberSecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace".

[Reminder: Cybersecurity in the sense used by the Commission is a buzzword covering issues ranging from the management of computer security systems in defense and private sector, to cyberwar, payment-fraud, zero-day exploits and malicious code, trafficking (among other things), but also the protection of Internet freedom internationally (just a few unconvincing words on the matter, but they're there, in bold http://europa.eu/rapid/press-release_IP-13-94_en.htm! And there is "open internet and online freedoms" in the title of the Commission's press release http://europa.eu/rapid/press-release_IP-13-94_en.htm!! If that's not a proof...).]

Both the press conference https://www.youtube.com/watch?v=qYOIlT9hqPA of commissioners Kroes, Malmström and Ashton as well as the documents released show two things: *the Commission is not taking freedom seriously in Internet policy*, *and it might be paving the way for the militarization of cyberspace.*

EC should start by getting the math right

The commissioners started off by presenting very *vague and inflated statistics about the cost of cybercrime* (several studies http://www.commercialriskeurope.com/cre/1588/239/Report-rails-against-in... have already made that point clear). From copyright to cybersecurity policy debates, bogus numbers remain, in this case to the benefit of the security and surveillance industry [1]. This is classic, lobby-induced, pure *threat inflation* (on that note, see Brito & Watkins's 2011 article http://mercatus.org/sites/default/files/publication/loving-cyber-bomb-dangers-threat-inflation-cybersecurity-policy_0.pdf: /Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy/).

Then, the commissioners moved to the substance of the proposal. Things were not particularly clear, as the questions of the journalists sitting in the press room would later reveal. The few reporters in attendance had interesting questions, but sadly these were largely unrelated to the actual texts [2]. They had apparently not been able to read the recent leaks of both texts by anonymous Brussels sources, released on the Internet last month (as I write, the documents officially released yesterday still cannot be found on the EU Commission website).

Going over the 60-plus pages of the proposed directive http://www.wethenet.eu/wp-content/uploads/CYBERSECURITY-DRAFT-PROPOSAL.pdf and the accompanying communication http://www.wethenet.eu/wp-content/uploads/CYBERSECURITY-JOINT-COMMUNICATION.pdf, it becomes clear that the EU cybersecurity strategy suffers from several flaws...

Towards a centralized network of cybersecurity authorities

The proposed "Network and Information Security" directive aims to set up a "*NIS network*" of "cybersecurity firemen", headed by the EU agency ENISA https://en.wikipedia.org/wiki/European_Network_and_Information_Security_Agency (created in 2004 and based in Athens). ENISA will lead a group of national counterparts (each Member State shall have its own NIS authority). For the most part, these already exist and are usually primarily in charge of *defense and military networks* (see this analysis http://www.edri.org/edrigram/number11.1/cybersecurity-draft-directive-eu by computer security researcher at Cambridge University, Prof. Ross
Re: [liberationtech] The Myopia of excluding censors: The tale of a self-defeating petition - Opinion - Al Jazeera English
Libtech,

I appreciated the short articulation of this counterargument at the time of the petition being posted and this article summarizes it well.

Firstly, unfortunately while Libtech has fostered an impression of being a private network, it has grown beyond that over the past three years, into a very public community -- at times it still often feels like a closed, personal community. I think we all agree that State Department employees are entitled to a right of an independent opinion, and the only misstep was perhaps sending from a work email address with an automatic signature. A brief history of the drama of Internet Freedom programs and China makes it clear that this is something that the US Government would never have the political will to adopt, much less endorse. We may do well to give such people the benefit of the doubt that they had intended to provoke conversation and reach out to the community, rather than encourage participation. Otherwise, a perspective may be lost.

That being said, the post and petition should have, but did not, provoke a legitimate discussion about incongruences in American foreign policy toward states that practice repression of media and Internet communications. Case in point, on the exact day that Tricia Wang, of whom I am a longtime fan, published her argument, the Department of Treasury announced the designation of Islamic Republic of Iran Broadcasting (IRIB), Iranian Cyber Police, Communications Regulatory Authority (CRA), Iran Electronics Industries (IEI) and Ezzatollah Zarghami, head of IRIB, for their participation in activities that restrict or deny the free flow of information to or from the Iranian people. These listings follow previous designations of companies and persons responsible for the surveillance and disruption of information networks under American laws, such as the TRA, CISADA and GHRAVITY EO.

I was a vocal advocate for these actions and wrote extensively on their justification; however, I was also left questioning whether it is morally justifiable that I have not spoken out with similar passion against the Bahraini MOI. I would ask whether Ms. Wang feels that Treasury's actions on Wednesday are similarly unjustifiable within her philosophical argument?

Of minor importance, I do believe that the article over-interprets the extent of the applicability of institutional sanctions on employees, particularly low-level individuals. However, the tragedy of Treasury sanctions is that they are specifically designed to be unclear, and so let's allow that it may chill interactions with said researchers.

However, more broadly. At the time of its original attention, the notion of travel restrictions was referred to as coercive force -- a label which I fundamentally disagree with. States and publics have a fundamental right to determine what activities they directly or indirectly facilitate, such as through the provision of financial transactions, technical services, et al. The notion that Mr. Fang would come to Washington and be awestruck by the wonders of a free press seems *optimistic*, considering 1.) my recollection of him admitting to using VPNs and 2.) his substantial investment in the status quo. Therefore, how does Ms. Wang react to the notion of sanctions as signaling of expectations -- that designating Fang Binxing would not be about making his life less comfortable per se, but calling attention to the fact that the level of censorship practiced by China is in contravention to basic obligations under international human rights conventions?

Cordially,
Collin

*I hope my former International Relations professor reads this list.*

[1] http://www.treasury.gov/press-center/press-releases/Pages/tg1847.aspx

On Fri, Feb 8, 2013 at 4:29 AM, Yosem Companys compa...@stanford.edu wrote:
[...]
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
Overall, I am dissatisfied with Chris totally ignoring my point regarding hype in the media. Chris selectively criticizes projects he doesn't like when the media hypes them up, but when it's Silent Circle, even calling it "unbreakable crypto" doesn't get anything out of him but dozens of quotations all over their media blitz. I remain convinced that he is being absolutely unfair and biased.

NK

On Thu, Feb 7, 2013 at 8:14 PM, Christopher Soghoian ch...@soghoian.net wrote:
> See Inline
>
> On Thu, Feb 7, 2013 at 12:15 PM, Andy Isaacson a...@hexapodia.org wrote:
>> Silent Circle may be an excellent privacy app. It might not have any significant security problems. It might even do a good job of mitigating important platform-based attacks and supporting important new use cases (the "burn after reading" feature). When it's actually open source I'll take a look and if it is good, I'll recommend it to users.
>>
>> Until that open review happens, I think it's inappropriate for voices in our community to commend or recommend such a proprietary system. Each person makes their own choices, of course, and nobody should base their actions solely on what *I* think is right, but I hope you can hear my concerns and consider the outcomes of your actions.
>
> Twitter's official client and server code are not open source. That hasn't stopped the good folks at EFF, as well as many other privacy advocates from praising the company's law enforcement transparency policies, as well as Twitter's willingness to go the extra mile when responding to various forms of legal process.
>
> Much of Google's code, including all of the Gmail backend code is not open source, but that hasn't stopped privacy advocates from legitimately praising the company for voluntarily publishing some really useful data on government requests and DMCA takedown demands.
>
> Although I have not recommended Silent Circle to anyone, I believe that it is entirely legitimate to praise the company for its commitment to transparency regarding law enforcement requests and the company's overall law enforcement policy. Hell, looking at the list of companies ranked on EFF's "Who's got your back" website, closed source is by far the norm, not the exception. That hasn't stopped EFF from giving out gold stars where they feel they are deserved. See: https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back
>
> In fact, for many of the factors that I am most interested in, source code is completely irrelevant. Client source code does not reveal a company's data retention policy, and server data retention configurations are impossible to verify. Source code does not reveal whether a company will tell its users about subpoenas submitted for user data where not prevented from doing so by a gag order. Source code will not reveal a company's willingness to spend hundreds of thousands of dollars on legal bills to fight an improper request submitted by lawyers at the Department of Justice. For such things, you have to evaluate the company on its public policy (and, once the policy is put into action, you can judge the company via its track record).
>
> By all means, continue to harass Silent Circle about its source code. Likewise, please do hold journalists accountable for the bogus headlines they, or their editors have selected. But do not dismiss my legitimate interest in the law enforcement legal policies adopted by companies. These policies are often just as important, yet impossible to verify, even when companies publish their source code.
>
> Cheers,
> Chris

-- 
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
[liberationtech] Contest by the MacArthur Foundation
A new competition offers $100,000 in prizes for creative and provocative digital media pieces that offer new ideas and fresh perspectives to help improve American democracy. The competition - Looking@Democracy http://www.lookingatdemocracy.org/ - aims to spark a national conversation about why government is important to our lives and how individuals and communities can come together to strengthen American democracy.

"Given our perception that the political system has failed to adequately address major issues confronting the nation, MacArthur seeks to stimulate discussion about the future of the Republic and invests in promising ideas to help enhance democratic ideals, institutions, and practices," said MacArthur President Robert Gallucci. "This new public competition is all about engaging citizens and encouraging them to apply their creative talents and offer their ideas to strengthen American democracy."

By welcoming submissions in any digital format (e.g., videos, apps, data visualizations, podcasts, graphic art), the competition hopes to engage independent media makers, investigative reporters, students, graphic designers, and artists - anyone with creative ideas to help engage Americans and shift the political discussion in a fresh and engaging way. Examples of successful approaches could include addressing a critical topic that is absent from the national debate, looking at data and exploring the stories behind them, or highlighting an aspect about democracy taking place on a local level.

Looking@Democracy is a project of the Illinois Humanities Council and funded by MacArthur. Submissions are due by April 30 and will be reviewed by a panel of expert judges from media and the nonprofit community.

Read the press release http://www.macfound.org/press/press-releases/challenge-offers-prizes-fresh-ideas-democracy/
Re: [liberationtech] Cryptography super-group creates unbreakable encryption
At this point, I'd like to realize that I'm no longer contributing productively to this conversation. I've stated my points, would like to apologize should anyone have felt offended, and am going to bow out.

NK

On Fri, Feb 8, 2013 at 11:48 AM, Nadim Kobeissi na...@nadim.cc wrote:
[...]
[liberationtech] Bellovin, Blaze, Clark, Landau
This appears to be in front of the IEEE paywall for a bit, so grab it now unless you want to #icanhazpdf it later...

http://www.computer.org/portal/web/computingnow/security/content?g=53319&type=article&urlTitle=going-bright%3A-wiretapping-without-weakening-communications-infrastructure

Going Bright: Wiretapping without Weakening Communications Infrastructure

Steven M. Bellovin, Columbia University
Matt Blaze, University of Pennsylvania
Sandy Clark, University of Pennsylvania
Susan Landau, Privacyink.org

Abstract: Mobile IP-based communications and changes in technologies have been a subject of concern for law enforcement, which seeks to extend current wiretap design requirements for digital voice networks. Such an extension would create considerable security risks as well as seriously harm innovation. Exploitation of naturally occurring bugs in the platforms being used by targets may be a better alternative.

Mobile IP-based communications and changes in technologies, including wider use of peer-to-peer communication methods and increased deployment of encryption, have made wiretapping more difficult for law enforcement, which has been seeking to extend wiretap design requirements for digital voice networks to IP network infrastructure and applications. Such an extension to emerging Internet-based services would create considerable security risks as well as cause serious harm to innovation. In this article, the authors show that the exploitation of naturally occurring weaknesses in the software platforms being used by law enforcement's targets is a solution to the law enforcement problem. The authors analyze the efficacy of this approach, concluding that such law enforcement use of passive interception and targeted vulnerability exploitation tools creates fewer security risks for non-targets and critical infrastructure than do design mandates for wiretap interfaces.

-- 
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
j...@cdt.org
PGP: https://josephhall.org/gpg-key
Re: [liberationtech] [cryptography] Meet the groundbreaking new encryption app set to revolutionize privacy...
- Forwarded message from Jon Callas j...@callas.org -

From: Jon Callas j...@callas.org
Date: Fri, 8 Feb 2013 11:26:23 -0800
To: Randombit List cryptogra...@randombit.net
Subject: Re: [cryptography] Meet the groundbreaking new encryption app set to revolutionize privacy...
X-Mailer: Apple Mail (2.1283)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for your comments, Ian. I think they're spot on.

At the time that the so-called Arab Spring was going on, I was invited to a confab where there were a bunch of activists and it's always interesting to talk to people who are on the ground. One of the things that struck me was their commentary on how we can help them. A thing that struck me was one person who said, "Don't patronize us. We know what we're doing, we're the ones risking our lives." Actually, I lied. That person said, "don't fucking patronize us" so as to make the point stronger.

One example this person gave was that they talked to people providing some social meet-up service and they wanted that service to use SSL. They got a lecture how SSL was flawed and that's why they weren't doing it. In my opinion, this was just an excuse -- they didn't want to do SSL for whatever reason (very likely just the cost and annoyance of the certs), and the imperfection was an excuse. The activists saw it as being patronizing and were very, very angry. They had people using this service, and it would be safer with SSL. Period.

This resonates with me because of a number of my own peeves. I have called this the "security cliff" at times. The gist is that it's a long way from no security to the top -- what we'd all agree on as adequate security. The cliff is the attitude that you can't stop in the middle. If you're not going to go all the way to the top, then you might as well not bother. So people don't bother. This effect is also the same thing as the best being the enemy of the good, and so on. We're all guilty of it.

It's one of my major peeves about security, and I sometimes fall into the trap of effectively arguing against security because something isn't perfect. Every one of us has at one time said that some imperfect security is worse than nothing because it might lull people into thinking it's perfect -- or something like that. It's a great rhetorical flourish when one is arguing against some bit of snake oil or cargo-cult security. Those things really exist and we have to argue against them. However, this is precisely being patronizing to the people who really use them to protect themselves.

Note how post-DigiNotar, no one is arguing any more for "SSL Everywhere". Nothing helps the surveillance state more than blunting security everywhere.

Jon

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFRFVFhsTedWZOD3gYRAjX5AKCw+SBcR1TDlDuPorgri2makt30wACgs3iI
2f+SwEqjbAVyPhf9SH67Aa8=
=tB7/
-----END PGP SIGNATURE-----
___
cryptography mailing list
cryptogra...@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

- End forwarded message -

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [liberationtech] Bellovin, Blaze, Clark, Landau
When law enforcement relies on vulnerabilities in the system (be it protocols, operating systems, applications, or web sites), they are incentivized to keep it insecure. If it were secure, how would they get in? Would the FBI patch their own systems against the bugs they know about? How would they control that information across all their systems? (This is an old hackers' puzzle: if you had an OpenSSH 0day, would you patch yourself against it?)

If I were a communications provider (e.g. Silent Circle), and I found that the FBI was hacking me to learn customer data... what is my recourse? To borrow from the CFAA, the FBI is certainly performing "unauthorized access" or "exceeding authorized access" to a computer system. Am I allowed to kick them out? Sue them? What if they accidentally crash a system because they're crappy exploit writers?

Just like when Matt Blaze wrote it in Wired, this feels like a mistimed April Fools joke.

-tom
Re: [liberationtech] Bellovin, Blaze, Clark, Landau
Found a downloadable PDF of it here (thank you smb!): https://www.cs.columbia.edu/~smb/papers/GoingBright.pdf ---rsk
Re: [liberationtech] Chromebooks for Risky Situations?
Brian Conley: snip My point was for something off the shelf, I know of nothing better and as far as it goes... I'd say it's a step up for a lot of people who should be using more secure IT technologies and methods than they are (such as some journalists), and they can take that step with minimal investment in time and energy and a chromebook will meet their needs. I'd suggest users have no hard disk and boot off of a Tails USB disk. Now we've reduced the attack surface to the BIOS/EFI layer - something that I suspect is pretty crappy all across the board. snip I would love to be a fly on the wall of the IDF customs agent you have to explain this to. I see no OPSEC problem whatsoever in travelling with a laptop that has no hard disk. I cannot imagine any customs agent or other two-bit security bureaucrat having a problem with that. // See what I just did there? I attacked the specific *text* of your response, rather than what I believe to be true about you. I assume you'd not ever recommend that interpretation of your words to someone, so how does it help dialogue/discussion/liberation for me to engage in that line of reasoning? Having had a laptop with no hard drive taken and inspected by US customs, I'd like to say that it was a lot smoother than the time I brought a Chromebook (with a (blank) disk) through customs. In any case, you can do whatever you'd like with the drive in the system - the point is simply to treat the disk internally as not part of the operational plan for using the laptop. I would actually suggest a used windows install that is forensically imaged before a trip. This will later allow you to see if they compromised the machine in an obvious manner while say, you were out at the pool or not near the laptop. All the best, Jake
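The "forensically image it before the trip, compare afterwards" check described in the message above, as an added example that is not code from the poster or the list: a per-chunk SHA-256 manifest is taken of the pre-trip disk image (the manifest, not the whole image, is what you keep offline), and after the trip the disk is read again and every chunk that no longer matches is reported as a coalesced byte range, including any growth or shrinkage of the image. The `constructed_images()` helper and its contents are constructed sample data; the 4 KiB chunk size is an assumption.

```python
import hashlib
import io
from typing import BinaryIO, List, Optional, Tuple

CHUNK = 4096  # assumed granularity; 4 KiB matches common filesystem block sizes


def chunk_manifest(image: BinaryIO, chunk: int = CHUNK) -> List[str]:
    """Pre-trip step: SHA-256 of every `chunk`-byte slice of the image, in order."""
    image.seek(0)
    return [hashlib.sha256(block).hexdigest()
            for block in iter(lambda: image.read(chunk), b"")]


def changed_ranges(image: BinaryIO, manifest: List[str],
                   chunk: int = CHUNK) -> List[Tuple[int, int]]:
    """Post-trip step: byte ranges [start, end) whose contents no longer match.

    Adjacent differing chunks are merged into one range.  A chunk present on
    only one side (image grew or shrank) is reported as changed as well.
    """
    image.seek(0)
    ranges: List[Tuple[int, int]] = []
    index = 0
    while True:
        block = image.read(chunk)
        expected: Optional[str] = manifest[index] if index < len(manifest) else None
        if not block and expected is None:
            break  # both the image and the manifest are exhausted
        differs = (not block or expected is None
                   or hashlib.sha256(block).hexdigest() != expected)
        if differs:
            start = index * chunk
            end = start + (len(block) if block else chunk)
            if ranges and ranges[-1][1] == start:
                ranges[-1] = (ranges[-1][0], end)  # extend the previous range
            else:
                ranges.append((start, end))
        index += 1
    return ranges


def constructed_images() -> Tuple[io.BytesIO, io.BytesIO]:
    """Constructed sample: a 20 KiB 'before' image and an 'after' image with two
    modified bytes (in adjacent chunks) plus 100 appended bytes."""
    before = bytes(range(256)) * 80  # exactly 5 chunks of 4096 bytes
    after = bytearray(before)
    after[5000] ^= 0xFF   # chunk 1
    after[9000] ^= 0xFF   # chunk 2, adjacent -> merged with chunk 1
    after += b"\x00" * 100  # trailing growth -> reported as its own range
    return io.BytesIO(before), io.BytesIO(bytes(after))


if __name__ == "__main__":
    before_img, after_img = constructed_images()
    manifest = chunk_manifest(before_img)
    print(changed_ranges(after_img, manifest))  # [(4096, 12288), (20480, 20580)]
```

A clean comparison returns an empty list; any non-empty result is a starting point for a closer look at those offsets with a filesystem-aware tool, and a changed range inside boot or firmware-adjacent areas deserves more attention than one in ordinary user data.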
Re: [liberationtech] Chromebooks for Risky Situations?
Brian Conley: On Wed, Feb 6, 2013 at 2:16 PM, Jacob Appelbaum ja...@appelbaum.net wrote: Brian Conley: Micah, Perhaps you can tell us the secret to convince all family members and colleagues to become Linux hackers able to be completely self-sufficient managing their own upgrades and modifications indefinitely? Stop supporting the use of non-free software? We're all part of the problem when we help people to be less free and to use proprietary software or proprietary services. This is both an education and a problem with enabling. We all suffer from it, I think. What's funny about this, is that you appear to think I disagree with you on this. My point is, if *YOU* (any you out there of the many yous on this here libtech list) want to advise someone who is at risk to use free software, YOU should take responsibility for stewarding them through the process and making sure they know enough not to get themselves into trouble. When we encourage people to say, buy a Macbook or a Chromebook because we're happy to support it over say, Windows, we're making things worse. Largely because the choice is actually between Free Software and proprietary software or free software on devices where we're not actually able to exercise all of our freedoms. I don't know a great deal about Linux. I know enough to know that smart people I know seem to think it is better for a variety of reasons from a security standpoint. Unfortunately where it is *not* better is for people engaged in multimedia. It would be great if someone would support the development of better linux-based multimedia tools. I'm not that person. Oh, except for the last year I've been working with the good folks at the Guardian Project and others on a secure-by-design multimedia reporting app based in Android, and a large portion of our relatively meager funding has been directed at UI/UX design and graphics and content in the training portion. 
Thus, when we aren't helping people to get off of the non-free platforms or to reduce our dependency on non-free software, we're basically not doing a great job at educating people that we care about and otherwise wish to support. When we pass the buck, we're enabling them with harmful, sometimes seriously so, solutions. See above. I am certainly doing a lot more than I used to be doing in this realm. I hope you're not trying to suggest that I am passing the buck. I actually think that we all pass the buck. It is part of the current discourse - perhaps the only person that doesn't pass the buck is Micah. He's like some kind of Gnu/Saint, really. My point is that if knowledgeable individuals are not willing to spend the time to assist less knowledgeable people to get the first leg up in the much-less-than-obvious world of FOSS/FLOSS/Whatever, then they are just as responsible for security risks and endangerment as people who ignorantly recommend windows, mac, etc because as you put it When we encourage people to say, buy a Macbook or a Chromebook because we're happy to support it over say, Windows, we're making things worse. I disagree. The packaging system alone for most systems encourages a safe way to install nearly all software. Thanks to the nearly impossible UX choices, we don't see a lot of accidental malware on GNU/Linux systems. I wish I was kidding but this is actually an improvement over say, Windows or Mac OS X software packages that promote downloading anything and everything insecurely, running it and then updating willy nilly over the same insecure channels. Again, just as I still haven't heard a strong argument why google hangout is as bad or worse than Skype, I don't yet see good arguments why Chromebook is such a bad option for many use cases. In fact, I don't see why a lot of mobile devices that are wifi only might be such bad options. However, don't worry, I won't be advocating for you to use a windows mobile or apple tablet anytime soon. 
This is the wrong framing entirely. Allow me to re-frame it: I haven't heard a strong argument as to why Google or Skype is safe at all. Thus, I'll conclude that neither are very safe for anything at all, though they may thwart some people with little time on their hands. Otherwise what is your point? This essay seems like a longer version of what Micah has expressed: http://www.gnu.org/philosophy/free-sw.html http://www.gnu.org/philosophy/right-to-read.html I also suggest reading these two essays by RMS: http://www.gnu.org/philosophy/shouldbefree.html http://www.gnu.org/philosophy/when_free_software_isnt_practically_better.html I will definitely read up, though by pointing me in this direction, you open yourself up to replying to relevant and serious clarification questions as follow up. (the Gunner clause ;) ) Happy to help. :) He is also talking about how the threats to a user might include Google itself (eg: my legal cases!) or
Re: [liberationtech] The Myopia of excluding censors: The tale of a self-defeating petition - Opinion - Al Jazeera English
As an activist working against online censorship in China, I find this petition both useful and encouraging for many reasons: - It promotes much-needed discussion of Internet censorship in China. - The petition and the public listing of individuals contributing to the Great Firewall could dissuade some people from continuing or taking up such work in the future. - The initiative is an expression of the anger felt by people whose Internet is restricted. - Neither the White House Petition page nor GitHub (where lists of people contributing to the Great Firewall are edited and commented) is blocked in China. Both are HTTPS only so blocking individual pages is not possible. It's likely that the authorities have backed down from blocking GitHub completely because of its importance to business. - The individuals who are named likely feel uncomfortable about this publicity. Perhaps some of them could see the parallel between that and the surveillance of ordinary people that their technology is used for. Usually, the authorities know everything that users do and users know nothing about the authorities. This is an example of users knowing something about who the authorities are, but the authorities probably not being able to track down the users (since GitHub is HTTPS-only). The specific idea outlined in this petition has a very small chance of becoming law. Discussing, promoting or signing it is unlikely to change that. But the existence of the petition helps spread awareness of the massive restrictions on the Chinese Internet. If the petition succeeds, only more so. Happy New Year Martin Martin Johnson Founder https://GreatFire.org - Monitoring Online Censorship In China. https://FreeWeibo.com - Uncensored, Anonymous Sina Weibo Search. https://Unblock.cn.com - We Can Unblock Your Website In China. 
On Sat, Feb 9, 2013 at 3:17 AM, x z xhzh...@gmail.com wrote: Libtech, I am an ardent supporter of that GFW petition, and I feel compelled to write about it *again*, in reply to Tricia Wang's article. There are three major issues in this piece. 1. The intent of the petition is badly interpreted and exaggerated by Tricia even in the literal sense. Tricia claiming *This petition would deny all CNNIC researchers and officials the opportunity to come to the US for conferences and events* is appalling. The petition is for those *people who help internet censorship*. Tricia herself argues using several paragraphs that many tasks in CNNIC are not censorship related! 2. A lot of people, including Tricia and many on this list, misunderstand the spirit of the petition. It is naive to perceive that many people, including many of the signatories of this petition, realistically think such a petition can make the US government actually adopt such an entry-denial policy. Like I mentioned in my previous email on this topic, this petition is a *symbolic* one. Its goal is to show to the world that many Chinese netizens care, and it is a way to mobilize (and hopefully organize) us. 3. This article repeated again and again that engagement with China officials (including Fang Binxing) is beneficial. I don't disagree with this, but Tricia greatly overestimated such benefit. Most of China's officials, especially those overseeing censorship, know very well what an open society looks like. This knowledge *reinforces* their belief in their censorship policies, contrary to what Tricia may think. The present China is not the Soviet Union of the cold war era. China's ideology system is way more robust. Regards, 2013/2/8 Collin Anderson col...@averysmallbird.com Libtech, I appreciated the short articulation of this counterargument at the time of the petition being posted and this article summarizes it well. 
Firstly, unfortunately while Libtech has fostered an impression of being a private network, it has grown beyond that over the past three years, into a very public community -- at times it still often feels like a closed, personal community. I think we all agree that State Department employees are entitled to a right of an independent opinion, and the only misstep was perhaps sending from a work email address with an automatic signature. A brief history of the drama of Internet Freedom programs and China makes it clear that this is something that the US Government would never have the political will to adopt, much less endorse. We may do well to give such people the benefit of the doubt that they had intended to provoke conversation and reach out to the community, rather than encourage participation. Otherwise, a perspective may be lost. That being said, the post and petition should have provoked, but did not, a legitimate discussion about incongruences in American foreign policy toward states that practice repression of media and Internet communications. Case in point, on the exact day that Tricia Wang, of whom I am a longtime fan, published her argument, the Department of Treasury