[liberationtech] Indymedia: It’s time to move on

2013-02-21 Thread Anne Roth
Hi,

this article about Indymedia is not liberation tech in the strict sense
of the word. But then a lot of people who are or were involved with
Indymedia are subscribers here and there's considerable overlap of
interest, I'd say?

http://ceasefiremagazine.co.uk/indymedia-its-time-move/

A local Indymedia group in Nottingham, UK, is discussing whether to
close down and what will be next (or whether there will be something
next). "Indymedia: It’s time to move on" discusses whether Indymedia "is
still useful and necessary to the social movements that it grew from".
Many Indymedia groups have closed or are in the process of discussing
whether to continue.

One of the reasons Indymedia is dying a slow death in many places is (a
lack of) liberation tech: easily available independent tech
infrastructure, CMSes suitable for big multi-user platforms in different
languages that can be administrated with little prior knowledge,
attractive (!) alternatives to YouTube and the like.

That's definitely not the only reason, but when YouTube took over, the
wind of defeat swept through Indymedia chat rooms. I'm saying that
knowing how many dedicated people have put in so much hard work and
still do today.

Another reason is the dynamics of movements and the simple fact that the
Anti-Globalization movement that was one of the roots of Indymedia had
had its peak years ago.

The need for independent media (using independent infrastructure and
open source software) is bigger than ever (ok, same as always). Is the
glass half full with citizen journalists all over and more than enough
options to publish whatever we like, or is it half empty with filter
bubbles defined by mainstream media?

When looking at different threads of "independent vs. commercial", media
production is looking particularly bad. Two other 'branches' are
software (open source) and knowledge (Wikipedia) - both are now
established as inherent parts of their respective spheres. Why wasn't
that possible for media?

Would be interested to hear your thoughts.

Anne


-- 

http://about.me/annalist
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x7689407F942951E2
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

[liberationtech] INC Social Media Reader out now

2013-02-21 Thread Geert Lovink
Geert Lovink and Miriam Rasch (eds), Unlike Us Reader: Social Media  
Monopolies and Their Alternatives, Amsterdam: Institute of Network  
Cultures, 2013. ISBN: 978-90-818575-2-9, paperback, 384 pages.


Freely downloadable as pdf on:
http://networkcultures.org/wpmu/portal/publication/unlike-us-reader-social-media-monopolies-and-their-alternatives

To order free print copies of the reader, visit 
http://networkcultures.org/publications

Check the book trailer here: https://vimeo.com/59997671

The Unlike Us Reader offers a critical examination of social media,  
bringing together theoretical essays, personal discussions, and  
artistic manifestos. How can we understand the social media we use  
everyday, or consciously choose not to use? We know very well that  
monopolies control social media, but what are the alternatives? While  
Facebook continues to increase its user population and combines loose  
privacy restrictions with control over data, many researchers,  
programmers, and activists turn towards designing a decentralized  
future. Through understanding the big networks from within, be it by  
philosophy or art, new perspectives emerge.


Unlike Us is a research network of artists, designers, scholars,  
activists, and programmers, with the aim to combine a critique of the  
dominant social media platforms with work on ‘alternatives in social  
media’, through workshops, conferences, online dialogues, and  
publications. Everyone is invited to be a part of the public  
discussion on how we want to shape the network architectures and the  
future of social networks we are using so intensely.


Contributors: Solon Barocas, Caroline Bassett, Tatiana Bazzichelli,  
David Beer, David M. Berry, Mercedes Bunz, Florencio Cabello, Paolo  
Cirio, Joan Donovan, Louis Doulas, Leighton Evans, Marta G. Franco,  
Robert W. Gehl, Seda Gürses, Alexandra Haché, Harry Halpin, Mariann  
Hardey, Pavlos Hatzopoulos, Yuk Hui, Ippolita, Nathan Jurgenson, Nelli  
Kambouri, Jenny Kennedy, Ganaele Langlois, Simona Lodi, Alessandro  
Ludovico, Tiziana Mancinelli, Andrew McNicol, Andrea Miconi, Arvind  
Narayanan, Wyatt Niehaus, Korinna Patelis, PJ Rey, Sebastian  
Sevignani, Bernard Stiegler, Marc Stumpel, Tiziana Terranova, Vincent  
Toubiana, Brad Troemel, Lonneke van der Velden, Martin Warnke and D.E.  
Wittkower.


Next conference: Unlike Us 3, Amsterdam NL, March 22-23 2013.

URL: http://networkcultures.org/wpmu/unlikeus/3-amsterdam/program/



Re: [liberationtech] About private networks (Was Re: NYT covers China cyberthreat)

2013-02-21 Thread Eugen Leitl
On Wed, Feb 20, 2013 at 09:03:06PM -0600, Charles Zeitler wrote:

> http://en.wikipedia.org/wiki/Quantum_cryptography

Doesn't really work. Essentially, this is expensive
snake oil.


[liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Brian Conley
http://www.forbes.com/sites/andygreenberg/2013/02/14/frost-attack-unlocks-android-phones-data-by-chilling-its-memory-in-a-freezer/

[liberationtech] Chinese Hacking, Mandiant & Cyber War

2013-02-21 Thread Yosem Companys
From: Gary McGraw 

No doubt all of you have seen the NY Times article about the Mandiant
report that pervades the news this week:
http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html

I believe it is important to understand the difference between cyber
espionage and cyber war.  Because espionage unfolds over months or years in
real time, we can triangulate the origin of an exfiltration attack with some
certainty.  During the fog of a real cyber war attack, which is more likely
to happen in milliseconds, the kind of forensic work that Mandiant did
would not be possible.  (In fact, we might just as well be "Gandalfed" and pin
the attack on the wrong enemy, as explained here:
http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare
.)

Sadly, policymakers seem to think we have completely solved the attribution
problem.  We have not.  This article published in Computerworld does an
adequate job of stating my position:
http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

Those of us who work on security engineering and software security can help
educate policymakers and others so that we don't end up pursuing the folly
of active defense.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Steve Weis
This is a good illustration of how data in use is exposed to physical attacks
on most computing devices.

An interesting side-note is that Android phones are starting to ship with a
hardware security module (HSM), which can be used for crypto operations and
key storage. Duo Security is one company that started using the HSM to
store credentials:
http://siliconangle.com/blog/2013/02/19/simple-to-scale-duo-security-uses-android-hardware-for-its-own-hack-resistance/

I haven't found much about the capabilities of these HSMs. It's not a
silver bullet since there may still be key material exposed in memory, but I
think it's a positive development.


On Thu, Feb 21, 2013 at 7:12 AM, Brian Conley wrote:

>
> http://www.forbes.com/sites/andygreenberg/2013/02/14/frost-attack-unlocks-android-phones-data-by-chilling-its-memory-in-a-freezer/
>

[liberationtech] Someone in "Yo Soy 132"? Undergraduate seeking info for project

2013-02-21 Thread Yosem Companys
From: Victoria Robles 

Does anyone know someone involved in this movement in Mexico? I'm
trying to get some first-hand information. Thanks!

abrazos,
Vicky

--
Victoria Robles
Stanford University | Class of 2014
B.S. Candidate | Materials Science & Engineering
Engineering Diversity Programs | Intern

Gates Millennium Scholar | Campus Based Leader

Guiding Concilio of El Centro Chicano/Latino | Chair


Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Brian Conley
Thanks Steve,

Any idea why the researchers would posit that iOS devices may be less
susceptible?

Brian

On Thu, Feb 21, 2013 at 10:08 AM, Steve Weis  wrote:

> This is a good illustration of how data in use is exposed to physical attacks
> on most computing devices.
>
> An interesting side-note is that Android phones are starting to ship with
> a hardware security module (HSM), which can be used for crypto operations
> and key storage. Duo Security is one company that started using the HSM to
> store credentials:
>
> http://siliconangle.com/blog/2013/02/19/simple-to-scale-duo-security-uses-android-hardware-for-its-own-hack-resistance/
>
> I haven't found much about the capabilities of these HSMs. It's not a
> silver bullet since there may still be key material exposed in memory, but I
> think it's a positive development.
>
>
> On Thu, Feb 21, 2013 at 7:12 AM, Brian Conley wrote:
>
>>
>> http://www.forbes.com/sites/andygreenberg/2013/02/14/frost-attack-unlocks-android-phones-data-by-chilling-its-memory-in-a-freezer/
>>



-- 



Brian Conley

Director, Small World News

http://smallworldnews.tv

m: 646.285.2046

Skype: brianjoelconley

Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Parker Higgins
On 2/21/13 10:32 AM, Brian Conley wrote:
> Any idea why the researchers would posit that iOS devices may be
> less susceptible?

Not sure if this is what they have in mind, but this particular
technique requires a battery pop to get into fastboot mode, which
isn't quite as available on iOS devices as these Android ones.



> On Thu, Feb 21, 2013 at 10:08 AM, Steve Weis wrote:
> 
> This is a good illustration of how data in use is exposed to physical 
> attacks on most computing devices.
> 
> An interesting side-note is that Android phones are starting to
> ship with a hardware security module (HSM), which can be used for
> crypto operations and key storage. Duo Security is one company that
> started using the HSM to store credentials: 
> http://siliconangle.com/blog/2013/02/19/simple-to-scale-duo-security-uses-android-hardware-for-its-own-hack-resistance/
>
> I haven't found much about the capabilities of these HSMs. It's
> not a silver bullet since there may still be key material exposed
> in memory, but I think it's a positive development.
> 

-- 
Parker Higgins
Activist
Electronic Frontier Foundation
https://eff.org


Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Brian Conley
Hrm, also true for the newest line of Google Nexus, I believe.

On Thu, Feb 21, 2013 at 10:37 AM, Parker Higgins  wrote:

> On 2/21/13 10:32 AM, Brian Conley wrote:
> > Any idea why the researchers would posit that iOS devices may be
> > less susceptible?
>
> Not sure if this is what they have in mind, but this particular
> technique requires a battery pop to get into fastboot mode, which
> isn't quite as available on iOS devices as these Android ones.
>
>
>
> > On Thu, Feb 21, 2013 at 10:08 AM, Steve Weis wrote:
> >
> > This is a good illustration of how data in use is exposed to physical
> > attacks on most computing devices.
> >
> > An interesting side-note is that Android phones are starting to
> > ship with a hardware security module (HSM), which can be used for
> > crypto operations and key storage. Duo Security is one company that
> > started using the HSM to store credentials:
> >
> http://siliconangle.com/blog/2013/02/19/simple-to-scale-duo-security-uses-android-hardware-for-its-own-hack-resistance/
> >
> > I haven't found much about the capabilities of these HSMs. It's
> > not a silver bullet since there may still be key material exposed
> > in memory, but I think it's a positive development.
> >
>
> --
> Parker Higgins
> Activist
> Electronic Frontier Foundation
> https://eff.org



-- 



Brian Conley

Director, Small World News

http://smallworldnews.tv

m: 646.285.2046

Skype: brianjoelconley

Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Jacob Appelbaum
Brian Conley:
> Hrm, also true for the newest line of Google Nexus, I believe.
> 

In any phone where one might be able to open the case, I assume someone
will also just be able to tap the bus lines. Thus, the easy route
(booting off of a special image) might not be simple but these devices
aren't using encrypted bits in DRAM as far as I understand, so it isn't
really secure. It is secure like, no one is trying very hard, secure.

All the best,
Jake


Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Brian Conley
Always trust Jake to cut right to the bare honest ugly (and depressing!)
truth.

thanks!

B

On Thu, Feb 21, 2013 at 10:48 AM, Jacob Appelbaum wrote:

> Brian Conley:
> > Hrm, also true for the newest line of Google Nexus, I believe.
> >
>
> In any phone where one might be able to open the case, I assume someone
> will also just be able to tap the bus lines. Thus, the easy route
> (booting off of a special image) might not be simple but these devices
> aren't using encrypted bits in DRAM as far as I understand, so it isn't
> really secure. It is secure like, no one is trying very hard, secure.
>
> All the best,
> Jake



-- 



Brian Conley

Director, Small World News

http://smallworldnews.tv

m: 646.285.2046

Skype: brianjoelconley

Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Michael Rogers
On 21/02/13 18:32, Brian Conley wrote:
> Any idea why the researchers would posit that iOS devices may be
> less susceptible?

iOS has several classes of encrypted storage. For the
NSFileProtectionComplete class, the class key that protects the
individual file keys is erased from memory 10 seconds after the device
is locked. So I guess files encrypted with that class would be
unrecoverable via a cold boot attack if the device had been locked for
10 seconds.

http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf

Android uses a single key to protect all encrypted storage (excluding
apps that use their own encryption, e.g. SQLCipher), so that key must be
kept in memory whenever the device is running.

http://source.android.com/tech/encryption/android_crypto_implementation.html

Cheers,
Michael



Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Jacob Appelbaum
Brian Conley:
> Always trust Jake to cut right to the bare honest ugly (and depressing!)
> truth.

If you really want to be depressed about mobile security, I encourage
you to acquire the cellebrite UFED forensics device:

http://www.cellebrite.com/mobile-forensic-products/ufed-touch-ultimate.html

I'm sure they'll do the coldboot stuff in no time flat if they haven't
already. Other forensics companies have done so.

All the best,
Jake


Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Jacob Appelbaum
Michael Rogers:
> On 21/02/13 18:32, Brian Conley wrote:
>> Any idea why the researchers would posit that iOS devices may be
>> less susceptible?
> 
> iOS has several classes of encrypted storage. For the
> NSFileProtectionComplete class, the class key that protects the
> individual file keys is erased from memory 10 seconds after the device
> is locked. So I guess files encrypted with that class would be
> unrecoverable via a cold boot attack if the device had been locked for
> 10 seconds.
> 

Any idea what they mean by erase? Just dereferenced or zeroed or filled
with random bytes? I mean, from actual code rather than claims? Some
disassembly would be useful here, I wonder if anyone has looked into it?

> http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf
> 
> Android uses a single key to protect all encrypted storage (excluding
> apps that use their own encryption, e.g. SQLCipher), so that key must be
> kept in memory whenever the device is running.
> 
> http://source.android.com/tech/encryption/android_crypto_implementation.html

It seems like one of the few times the use of something like TRESOR
would improve:
http://www1.informatik.uni-erlangen.de/tresor


All the best,
Jake
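An added model, constructed for this thread and not Apple's or Google's code, of the two designs Michael describes and of Jake's question about what "erase" means: per-file keys wrapped under a class key that is overwritten after lock, versus a single master key that stays resident, each checked against a copy of memory taken the way a cold-boot capture would. The cipher is a standard-library stand-in for AES, and the memory layout, file names and the second class name (everything except NSFileProtectionComplete) are constructed for the demo.

```python
"""Toy model: per-class key wiping versus one always-resident master key,
judged by what a copy of DRAM still lets you unwrap.  Constructed example."""
import hashlib
import hmac
import os

KEY_LEN = 32


def toy_encrypt(key, nonce, data):
    """HMAC-SHA256 counter-mode keystream XOR: a demo stand-in for AES-CTR
    chosen only so the example runs with the standard library."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class Ram:
    """Flat byte array standing in for DRAM, plus a slot table so the 'OS'
    can find its keys.  A cold-boot capture is simply a copy of the array."""

    def __init__(self, size=1024):
        self.mem = bytearray(size)
        self.slots = {}
        self._next = 0

    def store(self, name, key):
        off = self._next
        self.mem[off:off + KEY_LEN] = key
        self.slots[name] = off
        self._next += KEY_LEN

    def wipe(self, name):
        """'Erase' in the zeroing sense: overwrite the key bytes in place."""
        off = self.slots.pop(name)
        self.mem[off:off + KEY_LEN] = bytes(KEY_LEN)

    def forget(self, name):
        """'Erase' in the dereferencing sense: drop the pointer, keep the bytes."""
        self.slots.pop(name)

    def snapshot(self):
        return bytes(self.mem)


def wrap_file_key(class_key, file_key):
    """Wrap a per-file key under its class key; the tag lets an unwrapper
    tell a correct class key from garbage."""
    nonce = os.urandom(8)
    wrapped = toy_encrypt(class_key, nonce, file_key)
    tag = hmac.new(class_key, nonce + wrapped, hashlib.sha256).digest()
    return nonce, wrapped, tag


def unwrap_file_key(candidate, blob):
    nonce, wrapped, tag = blob
    expect = hmac.new(candidate, nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    return toy_encrypt(candidate, nonce, wrapped)


def keys_recoverable_from(snapshot, blobs):
    """Which wrapped file keys can be unwrapped using only the bytes in a
    memory capture?  Every KEY_LEN-aligned window is tried as a class key."""
    found = set()
    for off in range(0, len(snapshot) - KEY_LEN + 1, KEY_LEN):
        window = snapshot[off:off + KEY_LEN]
        for name, blob in blobs.items():
            if unwrap_file_key(window, blob) is not None:
                found.add(name)
    return found


def exposure_after_lock(erase):
    """Returns (recoverable on the per-class device, recoverable on the
    single-master-key device) once both devices have been locked long enough
    for the Complete-class key to be 'erased' by the given method."""
    per_class_ram, master_ram = Ram(), Ram()
    complete_key, other_key, master_key = (os.urandom(KEY_LEN) for _ in range(3))
    per_class_ram.store("NSFileProtectionComplete", complete_key)
    per_class_ram.store("other_class", other_key)   # constructed name: a class kept resident
    master_ram.store("master", master_key)

    per_class_blobs = {"diary.txt": wrap_file_key(complete_key, os.urandom(KEY_LEN)),
                       "cache.db": wrap_file_key(other_key, os.urandom(KEY_LEN))}
    master_blobs = {"diary.txt": wrap_file_key(master_key, os.urandom(KEY_LEN)),
                    "cache.db": wrap_file_key(master_key, os.urandom(KEY_LEN))}

    # Device locked and the timer has expired: only the Complete class key goes.
    if erase == "zero":
        per_class_ram.wipe("NSFileProtectionComplete")
    else:
        per_class_ram.forget("NSFileProtectionComplete")
    # Single-key design: the one key stays resident for as long as the device runs.

    return (keys_recoverable_from(per_class_ram.snapshot(), per_class_blobs),
            keys_recoverable_from(master_ram.snapshot(), master_blobs))


if __name__ == "__main__":
    print("per-class design, key zeroed:      ", exposure_after_lock("zero"))
    print("per-class design, dereferenced only:", exposure_after_lock("forget"))
```

Zeroing leaves only the resident class's file recoverable from the capture, merely dropping the reference leaves both, and the single-key device exposes everything either way.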


Re: [liberationtech] Using Gajim Instead of Pidgin for More Secure OTR Chat

2013-02-21 Thread Micah Lee
On 02/20/2013 10:42 PM, Gregory Maxwell wrote:
> On Wed, Feb 20, 2013 at 10:27 PM, Micah Lee  wrote:
>> I just wrote a blog post that people here might find interesting about
>> using Gajim, a chat client written in python, and Gajim's OTR plugin, a
>> purely python implementation of the OTR standard, instead of Pidgin and
>> libotr.
> 
> Uh. Writing something in python does not make it magically secure. It
> often trades one set of security issues for another— in higher level
> languages programmers often have no idea what the underlying machine
> is doing, and surprising behavior can easily slip in. E.g. I've seen
> python programs that could be triggered to run arbitrary
> commands on the system, for example, because some library they called
> n levels deep passed arguments to an os.system().  The mistakes you
> need to avoid to write secure C code are more easily made but there
> are generally fewer ways to fail.

Of course there's more to security than the choice of language. In my
blog post I point out Gajim's history of security problems, including an
arbitrary code execution bug.

But at least it doesn't depend on libpurple, which people seem to think
of as impossible to completely secure without some huge refactoring,
which no one is doing.

Seeing a working jabber client written in python with a working OTR
plugin is definitely a good thing. Completely removing things like
message sanitation bugs is a lot easier to do and to maintain than
completely removing memory corruption bugs.

> Personally, I run pidgin in a selinux sandbox in a KVM that I use for
> other internet access. I'd like to also run it inside valgrind
> modified to exit on error, but pidgin is thoroughly and depressingly
> valgrind unclean and with all the white-listing required I'm not sure
> how much marginal value that would provide (and Openssl itself for
> that matter, though for stupid reasons).

Sounds inconvenient.

-- 
Micah Lee
https://twitter.com/micahflee


Re: [liberationtech] Let's make rooting phones a crime

2013-02-21 Thread Mark Belinsky
Good news everyone! It *looks like we made it*. I'd like to share this
victory video with you
https://www.youtube.com/watch?v=8SEwQRPtUz4&feature=youtu.be&t=2m13s

The White House petition to make unlocking phones legal has surpassed the
100,000 signatures necessary for them to issue a statement. It took 26 days
to get the first 80,000 signatures and only 2 days to get the last 20,000 we
needed. What a great couple days!

Thanks to everyone who signed the petition and to those who pointed out
that unlocking phones is indeed different than rooting phones. This is one
step in the ongoing battle to maintain ownership over the devices we have
in our loved ones' pockets. Congrats Guardians and libtechers!

Best,
Mark


--
@mbelinsky | markbelinsky.com | phone: +1-347-466-9327 | skype: markontheline


On Wed, Feb 20, 2013 at 7:43 PM, Seth David Schoen  wrote:

> hwamyeon writes:
>
> > While I agree that the anti-circumvention provision of the DMCA should
> > be revoked, I don't think we should be tasking the Librarian of Congress
> > to do this for us. The Librarian of Congress's power of exemption is
> > supposed to be specifically in the interest of supporting the mission of
> > the library. Fundamental changes to the DMCA is a political issue that
> > we should be tasking Congress with.
>
> I agree that it would be preferable to have a comprehensive fix, like
> repealing the entirety of §1201.
>
> The current law calls for the Librarian of Congress to decide "whether
> persons who are users of a copyrighted work are, or are likely to be
> in the succeeding 3-year period, adversely affected by the prohibition
> under subparagraph (A) in their ability to make noninfringing uses under
> this title of a particular class of copyrighted works". 17 USC
> §1201(a)(1)(C).
> So that determination isn't limited to "the interest of supporting the
> mission of the library".
>
> --
> Seth Schoen  
> Senior Staff Technologist   https://www.eff.org/
> Electronic Frontier Foundation  https://www.eff.org/join
> 454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107

Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Nadim Kobeissi
On Thu, Feb 21, 2013 at 2:08 PM, Jacob Appelbaum wrote:

>
> It seems like one of the few times the use of something like TRESOR
> would improve:
> http://www1.informatik.uni-erlangen.de/tresor


TRESOR looks very interesting! I wonder what's preventing its kind of
techniques from being more widely adopted...


>
>
>
> All the best,
> Jake

Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Steve Weis
TRESOR uses debug registers and only protects key material. It doesn't
protect the code that actually reads that key in or out of the register,
nor any of the data that is actually decrypted with the key. So, it
provides protection just for keys against passive, read-only attacks
against memory. This is illustrated in the TRESOR-HUNT paper Jurre just
posted.

I think CARMA is a more interesting line of research. However, CARMA is
limited to just the L3 cache running in non-evict mode:
http://users.ece.cmu.edu/~jmmccune/papers/VaMcNePevDo2012.pdf

Cryptkeeper is another approach, but only reduces the scope of
vulnerability to a small portion of memory and does not resist active
attacks:
http://flynn.zork.net/~pedro/docs/ieee-hst-2010.pdf

There's also Frozen Cache:
http://frozencache.blogspot.com/

On Thu, Feb 21, 2013 at 12:13 PM, Nadim Kobeissi wrote:
>> It seems like one of the few times the use of something like TRESOR
>> would improve:
>> http://www1.informatik.uni-erlangen.de/tresor
>
> TRESOR looks very interesting! I wonder what's preventing its kind of
> techniques from being more widely adopted...

Re: [liberationtech] Freeze the memory out of a galaxy nexus?

2013-02-21 Thread Jacob Appelbaum
Jurre andmore:
> TRESOR is no holy grail - I recommend reading TRESOR-HUNT: Attacking
> CPU-Bound Encryption[1].
> 
> [1] http://seclab.ccs.neu.edu/publications/acsac2012dma.pdf
> 

Of course and UFED has JTAG support and so, I would be surprised if they
didn't also attack TRESOR with such a setup available.

Good times!

All the best,
Jake


Re: [liberationtech] Chinese Hacking, Mandiant & Cyber War

2013-02-21 Thread Fabio Pietrosanti (naif)
On 2/21/13 5:27 PM, Yosem Companys wrote:
> Sadly, policymakers seem to think we have completely solved the
> attribution problem. We have not. This article published in
> Computerworld does an adequate job of stating my position:
> http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9
>
> Those of us who work on security engineering and software security can
> help educate policymakers and others so that we don't end up pursuing
> the folly of active defense.
I'd suggest reading the following blog post to get a critical overview:
http://jeffreycarr.blogspot.co.uk/2013/02/mandiant-apt1-report-has-critical.html

We should remember that Mandiant is an "interested party" in boosting the
"fear of China and APT".

That's because it's their business to sell consulting and technologies
to protect against those risks:
http://www.issa-dc.org/presentations/07202010_robert_lee.pdf

So, we should be really careful about it.
The report is not "a scientific forensic report" that a "Forensic"
and/or "cyberintelligence analyst" can really independently verify.

Meanwhile, the report currently has an important media and
(reasonably) political impact.

-naif

p.s. Infosec world’s reaction to Mandiant’s APT1 report.
http://securityreactions.tumblr.com/post/43527198909/alternate-infosec-worlds-reaction-to-mandiants-apt1


[liberationtech] Cryptocat Bug Hunt!

2013-02-21 Thread Nadim Kobeissi
Hey LibTech,
I just wanted to let the techies on this list know that Cryptocat's just
started a bug hunt initiative! We will be rewarding security bug squishers
with swag, t-shirts, stickers, cash and a mention on our Wall of
Unquestionable Greatness:

https://crypto.cat/bughunt/

Participate and help make open source software more secure!

NK

[liberationtech] Security Seminar Today (*in Gates 415*): Florian Kerschbaum -- An Optimizing Compiler for Secure Computations

2013-02-21 Thread Yosem Companys
From: Joe Zimmerman 

Florian Kerschbaum -- An Optimizing Compiler for Secure Computations
Thursday, February 21, 2013, 4:30pm
Gates 415 (note unusual place)

Abstract:

Secure multi-party computations have many applications in privacy and data
security. They can solve cross-organizational problems in supply chain
management or privacy-enhanced data analysis, such that the protection
needs of the parties are respected. Nevertheless, the development of
protocols for multi-party computation is extremely complex. Domain-specific
languages can help the programmer to implement more efficiently and
effectively. However, compilers currently produce worse results than
manually generated protocols. Program analysis and automated optimization
can remedy this problem. Based on several practical examples we show
general techniques for optimizing secure computations which can be
automatically implemented in a compiler.

Re: [liberationtech] About private networks (Was Re: NYT covers China cyberthreat)

2013-02-21 Thread Charles Zeitler
On Thu, Feb 21, 2013 at 8:10 AM, Eugen Leitl  wrote:
> On Wed, Feb 20, 2013 at 09:03:06PM -0600, Charles Zeitler wrote:
>
>> http://en.wikipedia.org/wiki/Quantum_cryptography
>
> Doesn't really work. Essentially, this is expensive
> snake oil.

So, it's been tried, eh? Can you post a link?

charles zeitler

-- 

Do what thou wilt
shall  be the whole  of the Law.


Re: [liberationtech] About private networks (Was Re: NYT covers China cyberthreat)

2013-02-21 Thread Andreas Bader
On 22/02/13 03:53, Charles Zeitler wrote:
> On Thu, Feb 21, 2013 at 8:10 AM, Eugen Leitl  wrote:
>> On Wed, Feb 20, 2013 at 09:03:06PM -0600, Charles Zeitler wrote:
>>
>>> http://en.wikipedia.org/wiki/Quantum_cryptography
>> Doesn't really work. Essentially, this is expensive
>> snake oil.
> so, it's been tried, eh? can you post a link?
>
> charles zeitler
>
We had this discussion some time ago.
You can have a look at this article:
http://online.wsj.com/article/SB10001424052702304203604577396282717616136.html
The problem is that you have no insight into military research, therefore
you cannot assess how far the different intelligence agencies and the
military are in this area.

Andreas