Re: [liberationtech] Deterministic builds and software trust [was: Help test Tor Browser!]

2013-06-18 Thread Jonathan Wilkes





 >From: Mike Perry 
>To: liberationtech  
>Sent: Tuesday, June 18, 2013 11:54 PM
>Subject: [liberationtech] Deterministic builds and software trust [was: Help 
>test Tor Browser!]
 

[...]

>This is where deterministic builds come in: any individual can use our
>anonymity network to download our source code, verify it against public
>signed, audited, and mirrored git repositories, and reproduce our builds
>exactly, without being subject to such targeted attacks. If they notice
>any differences, they can alert the public builders/signers, hopefully
>using a pseudonym or our anonymous trac account.

Interesting.  Questions:

1) I'd imagine in your case that a large portion of
users aren't going to want to compile the software, and it seems at
least like they could still be good citizens by verifying the binaries
they download against what a random sampling of mirrors say they
should look like.  Is there a tool out there they can use to do this?
2) Do you use Tor's git version id (the hash) for the
release as the random seed string?  Seems like that would be a
good precedent to set in case other projects start using this
method, too.

-Jonathan

>This also will eventually allow us to create a number of auxiliary
>authentication mechanisms for our packages, beyond just trusting the
>offline build machine and the gpg key integrity.
>
>
>I believe it is important for Tor to set an example on this point, and I
>hope that the Linux distributions will follow in making deterministic
>packaging the norm. (Don't despair: it probably won't take 6 weeks per
>package. Firefox is just a bitch).
>
>Otherwise, I really don't think we'll have working computers left in
>5-10 years from now :/.
>
>
>I hope to write a longer blog post about this topic on the Tor Blog in
>the next couple weeks, discussing the dangers of exploit weaponization
>and the threats it poses to software engineering and software
>distribution. I'm still mulling over the exact focus and if I should
>split the two ideas apart, or combine them into one post...
>
>
>Ideas and comments welcome!
>
>
>-- 
>Mike Perry
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Decoupling from current power structures

2013-06-18 Thread Sebastian Benthall
I recommend reading Fred Turner's *From Counterculture to Cyberculture* for
interesting context on the ideological connection between sustainable
independent communities and tech culture.

Long story short, in the 70's the Whole Earth Catalog connected
back-to-land communes with recent tech research. Then the communes all
failed and the countercultural element within the cyberculture community
turned from radical independence to radical interconnectivity.  This was
about the time of the rise of the first virtual communities.  These
communities were way more successful than the isolationist ones.

Taking that as a model, maybe rather the right way to think about it is:
how to build an alternative distributed economy for food and shelter that
is not tied to centralized power structures.

While hardly radical, you could argue AirBnB does this sort of thing for
housing by disrupting centralizing limits on rented homes.

But that doesn't seem to be what you are getting at exactly.  Seems like to
decouple from the mainstream economy you would need to be able to both
incentivize production/appropriation of shelter (or food) into your
alternative system, and then create a mechanism for distribution that works
efficiently without just reproducing the problems of the market system we
already have.
On Jun 18, 2013 10:48 AM, "phryk"  wrote:

> On Tue, 18 Jun 2013 09:40:23 -0400
> Bruce Potter at IRF  wrote:
>
> > in a nation of 300 million, and a global system heading for 10
> > billion, I don't see it.
>
> I didn't mean decoupling everybody at once. I am talking about
> loosening our dependence on them by introducing systems by the people
> for the people that would make at least the base needs of food and
> shelter available to people.
>
> Obviously this would be really small at scale, at least at first.
>
> You could for instance form a small community with the goal of
> providing shelter and food for everyone in an automated way.
> You wouldn't even need to declare your independence from the government
> or anything but just build it in parallel.
>
> If this at some point actually gets to the point where it works
> efficiently, it could simply be scaled up.

Re: [liberationtech] NSA flag terms

2013-06-18 Thread Michael Azarkevich
I find it hard to believe the list is authentic. It has words like "Java",
"Quiche" and "Redheads" for God's sake. Also, they misspelled the name of
the Israeli equivalent of the Navy SEALS (They wrote "Shayet-13" instead of
"Shayetet-13").

The NSA aren't stupid, they're running the biggest spying operation in the
world. I know size doesn't imply competency but I'm inclined to believe
they know what they're doing.
The list is, in all probability, fake.


On Tue, Jun 18, 2013 at 8:09 PM, Owen Barton  wrote:

> Hi everyone (first post),
>
> I am pretty sure most of that list has been around since the late 90s at
> least - I remember many of them from "Jam Echelon Day" in 1999.
>
> Incidentally, if anyone is interested in a little Jam Echelon Day history
> you can read the hacktivism e-mail list (which the JED idea emerged from,
> and which I happened to start/moderate) archives at
> http://archives.openflows.org/hacktivism/index.html and also
> a dissertation someone wrote on early hacktivism
> http://www.alexandrasamuel.com/dissertation/pdfs/Samuel-Hacktivism-entire.pdf.
> I think it's pretty clear the NSA derives more intelligence from graphing
> connections/relationships than grepping for keywords, so I think JED was
> more conceptual than practical (and quite disorganized, of course).
>
> Thanks!
> - Owen
>
>
> On Tue, Jun 18, 2013 at 8:27 AM, Ryan Gallagher wrote:
>
>> FYI, this keyword list is at least about 12/13 years old. See:
>> http://www.theregister.co.uk/2001/05/31/what_are_those_words/
>>
>>
>> On 18 June 2013 15:59, Yosem Companys  wrote:
>>
>>> From: Khannea Suntzu 
>>>
>>> This is an (admittedly huge) list of words that supposedly cause the
>>> NSA to flag you as a potential terrorist if you over-use them in an
>>> email.
>>>
>>> We found this on Reddit, where James Bamford, a veteran reporter with
>>> 30 years experience covering the NSA, is answering questions from the
>>> community. This list comes from Reddit user GloriousDawn, who found it
>>> on Attrition.org, a site that very closely follows the security
>>> industry.
>>>
>>> You may want to peruse this entire list yourself, but here are some of
>>> our favourites that stick out:
>>>
>>> · dictionary
>>>
>>> · sweeping
>>>
>>> · ionosphere
>>>
>>> · military intelligence
>>>
>>> · Steve Case
>>>
>>> · Scully
>>>
>>> And the full list for your browsing pleasure:
>>>
>>> Waihopai, INFOSEC, Information Security, Information Warfare, IW, IS,
>>> Privacy, Information Terrorism, Terrorism Defensive Information,
>>> defence Information Warfare, Offensive Information, Offensive
>>> Information Warfare, National Information Infrastructure, InfoSec,
>>> Reno, Compsec, Computer Terrorism, Firewalls, Secure Internet
>>> Connections, ISS, Passwords, DefCon V, Hackers, Encryption, Espionage,
>>> USDOJ, NSA, CIA, S/Key, SSL, FBI, Secert Service, USSS, Defcon,
>>> Military, White House, Undercover, NCCS, Mayfly, PGP, PEM, RSA,
>>> Perl-RSA, MSNBC, bet, AOL, AOL TOS, CIS, CBOT, AIMSX, STARLAN, 3B2,
>>> BITNET, COSMOS, DATTA, E911, FCIC, HTCIA, IACIS, UT/RUS, JANET, JICC,
>>> ReMOB, LEETAC, UTU, VNET, BRLO, BZ, CANSLO, CBNRC, CIDA, JAVA, Active
>>> X, Compsec 97, LLC, DERA, Mavricks, Meta-hackers, ^?, Steve Case,
>>> Tools, Telex, Military Intelligence, Scully, Flame, Infowar, Bubba,
>>> Freeh, Archives, Sundevil, jack, Investigation, ISACA, NCSA, spook
>>> words, Verisign, Secure, ASIO, Lebed, ICE, NRO, Lexis-Nexis, NSCT,
>>> SCIF, FLiR, Lacrosse, Flashbangs, HRT, DIA, USCOI, CID, BOP, FINCEN,
>>> FLETC, NIJ, ACC, AFSPC, BMDO, NAVWAN, NRL, RL, NAVWCWPNS, NSWC, USAFA,
>>> AHPCRC, ARPA, LABLINK, USACIL, USCG, NRC, ~, CDC, DOE, FMS, HPCC,
>>> NTIS, SEL, USCODE, CISE, SIRC, CIM, ISN, DJC, SGC, UNCPCJ, CFC, DREO,
>>> CDA, DRA, SHAPE, SACLANT, BECCA, DCJFTF, HALO, HAHO, FKS, 868, GCHQ,
>>> DITSA, SORT, AMEMB, NSG, HIC, EDI, SAS, SBS, UDT, GOE, DOE, GEO,
>>> Masuda, Forte, AT, GIGN, Exon Shell, CQB, CONUS, CTU, RCMP, GRU, SASR,
>>> GSG-9, 22nd SAS, GEOS, EADA, BBE, STEP, Echelon, Dictionary, MD2, MD4,
>>> MDA, MYK, 747,777, 767, MI5, 737, MI6, 757, Kh-11, Shayet-13, SADMS,
>>> Spetznaz, Recce, 707, CIO, NOCS, Halcon, Duress, RAID, Psyops, grom,
>>> D-11, SERT, VIP, ARC, S.E.T. Team, MP5k, DREC, DEVGRP, DF, DSD, FDM,
>>> GRU, LRTS, SIGDEV, NACSI, PSAC, PTT, RFI, SIGDASYS, TDM. SUKLO, SUSLO,
>>> TELINT, TEXTA. ELF, LF, MF, VHF, UHF, SHF, SASP, WANK, Colonel,
>>> domestic disruption, smuggle, 15kg, nitrate, Pretoria, M-14, enigma,
>>> Bletchley Park, Clandestine, nkvd, argus, afsatcom, CQB, NVD, Counter
>>> Terrorism Security, Rapid Reaction, Corporate Security, Police,
>>> sniper, PPS, ASIS, ASLET, TSCM, Security Consulting, High Security,
>>> Security Evaluation, Electronic Surveillance, MI-17, Counterterrorism,
>>> spies, eavesdropping, debugging, interception, COCOT, rhost, rhosts,
>>> SETA, Amherst, Broadside, Capricorn, Gamma, Gorizont, Guppy,
>>> Ionosphere, Mole, Keyhole, Kilderkin, Artichoke, Badger, Cor

[liberationtech] Deterministic builds and software trust [was: Help test Tor Browser!]

2013-06-18 Thread Mike Perry
Jacob Appelbaum:
> Hi,
> 
> I'm really excited to say that Tor Browser has had some really important
> changes. Mike Perry has really outdone himself - from deterministic
> builds that allow us to verify that he is honest to actually having
> serious usability improvements. 

First, thanks for the praise, Jake!

But: I've been meaning to clarify this "honesty" point for a few days
now, and Cooper's similar statement in another thread about security
being all about trust reminded me of it.

I actually disagree with the underlying assumptions of both points.

I didn't spend six agonizing weeks (and counting) getting deterministic
builds to work for Tor Browser to prove that I was honest or
trustworthy. I did it because I don't believe that software development
models based on single party trust can actually be secure against
serious adversaries anymore, given the current trends in computer
security and "cyberwar".

For the past several years, we've been seeing a steady increase in the
weaponization, stockpiling, and the use of exploits by multiple
governments, and by multiple *areas* of multiple governments. This
includes weaponized exploits specifically designed to "bridge the air
gap", by attacking software/hardware USB stacks, disconnected Bluetooth
interfaces, disconnected Wifi interfaces, etc. Even if these exploits
themselves don't leak (ha!), the fact that they are known to exist means
that other parties can begin looking for them.


In this brave new world, without the benefit of anonymity to protect
oneself from such targeted attacks, I don't believe it is possible to
keep a software-based GPG key secure anymore, nor do I believe it is
possible to keep even an offline build machine secure from malware
injection anymore, especially against the types of adversaries that Tor
has to contend with.

This means that software development has to evolve beyond the simple
models of "Trust my gpg-signed apt archive from my trusted build
machine", or even projects like Debian going to end up distributing
state-sponsored malware in short order.

This is where deterministic builds come in: any individual can use our
anonymity network to download our source code, verify it against public
signed, audited, and mirrored git repositories, and reproduce our builds
exactly, without being subject to such targeted attacks. If they notice
any differences, they can alert the public builders/signers, hopefully
using a pseudonym or our anonymous trac account.

This also will eventually allow us to create a number of auxiliary
authentication mechanisms for our packages, beyond just trusting the
offline build machine and the gpg key integrity.


I believe it is important for Tor to set an example on this point, and I
hope that the Linux distributions will follow in making deterministic
packaging the norm. (Don't despair: it probably won't take 6 weeks per
package. Firefox is just a bitch).

Otherwise, I really don't think we'll have working computers left in
5-10 years from now :/.


I hope to write a longer blog post about this topic on the Tor Blog in
the next couple weeks, discussing the dangers of exploit weaponization
and the threats it poses to software engineering and software
distribution. I'm still mulling over the exact focus and if I should
split the two ideas apart, or combine them into one post...


Ideas and comments welcome!


-- 
Mike Perry

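Added example, not part of the thread and not Tor Project tooling: one way to do the check described in the message above (and asked about in Jonathan Wilkes's reply) is to hash the artifact you downloaded or rebuilt and compare it with the digests several independent builders published. The file name, builder names, quorum value and manifest contents are constructed for illustration, and the manifests are assumed to have had their signatures verified already.

```javascript
// Added example (Node.js); names and sample data are hypothetical.
const nodeCrypto = require('crypto');

function sha256Hex(bytes) {
  return nodeCrypto.createHash('sha256').update(bytes).digest('hex');
}

// Parse sha256sum(1)-style lines: "<64 hex digits>  <file name>".
// Lines that do not match (comments, signature armor) are ignored.
function parseManifest(text) {
  const entries = new Map();
  for (const line of text.split('\n')) {
    const m = /^([0-9a-f]{64}) [ *](.+)$/i.exec(line.trim());
    if (m) entries.set(m[2], m[1].toLowerCase());
  }
  return entries;
}

// Compare one artifact against every builder's manifest. A single
// disagreeing builder fails verification even when a quorum agrees,
// because a mismatch is exactly the event that should be reported.
function checkArtifact(name, bytes, manifests, quorum) {
  const digest = sha256Hex(bytes);
  const report = { digest, agree: [], disagree: [], missing: [] };
  for (const [builder, text] of Object.entries(manifests)) {
    const published = parseManifest(text).get(name);
    if (published === undefined) report.missing.push(builder);
    else if (published === digest) report.agree.push(builder);
    else report.disagree.push(builder);
  }
  report.verified =
    report.disagree.length === 0 && report.agree.length >= quorum;
  return report;
}

// ---- Constructed sample data (stands in for real build output) ----
const NAME = 'example-bundle.tar.xz'; // hypothetical artifact name
const goodBytes = Buffer.from('constructed artifact bytes, build A');
const otherBytes = Buffer.from('constructed artifact bytes, build B');

function manifestFor(bytes) {
  return `${sha256Hex(bytes)}  ${NAME}\n`;
}

function demoBuildCheck() {
  const consistent = {
    builderA: manifestFor(goodBytes),
    builderB: manifestFor(goodBytes),
    builderC: manifestFor(goodBytes),
  };
  // One builder publishes a different digest for the same file name.
  const divergent = { ...consistent, builderC: manifestFor(otherBytes) };
  // One builder's manifest does not list the artifact at all.
  const partial = {
    builderA: manifestFor(goodBytes),
    builderB: 'unrelated line\n',
  };
  return {
    ok: checkArtifact(NAME, goodBytes, consistent, 2),
    mismatch: checkArtifact(NAME, goodBytes, divergent, 2),
    tooFew: checkArtifact(NAME, goodBytes, partial, 2),
  };
}
```

The comparison is only meaningful when the build is deterministic; otherwise honest builders would disagree with each other and a mismatch would carry no signal.
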
Re: [liberationtech] Encipher.it

2013-06-18 Thread Cooper Quintin
Agreed,
Security is all about trust. If you install pgp in debian you are
trusting package maintainers, package server administrators, whoever
most recently patched pgp code, the debian OS, the hardware that your
computer is running and the other applications running on your OS.

Most people don't want to take the time to learn how to use a
complicated system like pgp (and say what you will but PGP is a huge
pain for most people to use on a daily basis).  Most people would very
much like to trust a third party to encrypt on their behalf.  The
problem is that most of those third parties are not actually very
reliable when it comes down to it.

Cooper Quintin
Technology Director
radicalDESIGNS
1201 Martin Luther King Jr. Blvd, Oakland, CA
PGP Key ID: 75FB 9347 FA4B 22A0 5068 080B D0EA 7B6F F0AF E2CA

On 06/18/2013 02:14 PM, Griffin Boyce wrote:
> Wasabee <wasabe...@gmail.com> wrote:
> 
> why does everyone want to trust yet another third party to encrypt
> data on their behalf :)?
> 
> 
>   We're all relying on someone else's code to some extent, which is why
> I fully support approaching groups of knowledgeable people for their
> input. :D
> 
> ~Griffin
> 
> 


Re: [liberationtech] Encipher.it

2013-06-18 Thread Griffin Boyce
Wasabee  wrote:

>  why does everyone want to trust yet another third party to encrypt data
> on their behalf :)?
>

  We're all relying on someone else's code to some extent, which is why I
fully support approaching groups of knowledgeable people for their input. :D

~Griffin

[liberationtech] Yes We Scan! Privacy Activists Protest Against PRISM and NSA Surveillance As President Obama Arrives in Berlin

2013-06-18 Thread Markus Beckedahl

hi,

Privacy activists just held a protest at the well-known Berlin Wall 
crossing point Checkpoint Charlie in Berlin. As President Barack Obama 
prepares to arrive in the German capital, the protest criticized 
excessive NSA surveillance and the Prism programme. The call from 
digital rights NGO Digitale Gesellschaft asked for people to come with 
surveillance equipment, posing as NSA agents and their corporate helpers.


You should copy that in your country and/or city. Here are some pictures:

https://netzpolitik.org/2013/yes-we-scan-privacy-activists-protest-against-prism-and-nsa-surveillance-as-president-obama-arrives-in-berlin/ 

https://secure.flickr.com/photos/digitalegesellschaft/sets/72157634191380643/ 



ciao,
markus


Re: [liberationtech] Encipher.it

2013-06-18 Thread Wasabee
why does everyone want to trust yet another third party to encrypt data 
on their behalf :)?
if u want to encrypt stuff, u should do it on ur machine. Maybe what 
people should be searching for is an easy-to-use, audited and open 
source stack to do it.
if we are too lazy to do it ourselves and want to outsource it to an 
online service, then we don't really value our privacy after all. there is 
no gain without a little pain.


On 18/06/2013 21:05, Steve Weis wrote:

It's not safe.

This is their bookmarklet:
(function(){document.body.appendChild(document.createElement('script')).src='https://encipher.it/javascripts/inject.js';})();


That loads a JavaScript file from the encipher.it site, which can be 
changed at any time and compromise your messages without your knowledge.


The actual call to encrypt data is here: 
https://encipher.it/javascripts/encipher.js :

"""
hmac = hex_hmac_sha1(key, _this.text);
hmac += hmac.slice(0, 24);
cipher = hmac + salt + Aes.Ctr.encrypt(_this.text, key, 256);
"""

They're MACing the key for some reason, then using unauthenticated CTR 
mode without an HMAC. So this is completely vulnerable to someone 
modifying the ciphertext.


That CTR mode is implemented by this: 
https://encipher.it/javascripts/AES.js. That's using the time of day 
as a nonce combined with a weak JS Math.random(). That's vulnerable to 
some attacks as well.


Generally, I'd assume that a random crypto project you run across is 
probably not safe.



On Tue, Jun 18, 2013 at 11:51 AM, Lorenzo Franceschi Bicchierai 
<lorenzo...@gmail.com> wrote:


Have you guys seen this?

https://encipher.it/

I've searched through the archives but didn't see anything. I'm
wondering how safe this is.

It has received some small attention on the media before.


http://www.pcworld.com/article/255938/encipher_it_encrypts_email_for_free.html


Thoughts?

-- 
*Lorenzo Franceschi-Bicchierai

*Mashable  Junior US & World Reporter
lore...@mashable.com  |
lorenzo...@gmail.com 
#: (+1) 917 257 1382
Twitter: @lorenzoFB 
Skype: lorenzofb8
OTR: lorenz...@jabber.ccc.de 
www.lorenzofb.com 


Re: [liberationtech] Encipher.it

2013-06-18 Thread Steve Weis
It's not safe.

This is their bookmarklet:
(function(){document.body.appendChild(document.createElement('script')).src='https://encipher.it/javascripts/inject.js';})();

That loads a JavaScript file from the encipher.it site, which can be
changed at any time and compromise your messages without your knowledge.

The actual call to encrypt data is here:
https://encipher.it/javascripts/encipher.js :
"""
hmac = hex_hmac_sha1(key, _this.text);
hmac += hmac.slice(0, 24);
cipher = hmac + salt + Aes.Ctr.encrypt(_this.text, key, 256);
"""

They're MACing the key for some reason, then using unauthenticated CTR mode
without an HMAC. So this is completely vulnerable to someone modifying the
ciphertext.

That CTR mode is implemented by this:
https://encipher.it/javascripts/AES.js. That's
using the time of day as a nonce combined with a weak JS Math.random().
That's vulnerable to some attacks as well.

Generally, I'd assume that a random crypto project you run across is
probably not safe.


On Tue, Jun 18, 2013 at 11:51 AM, Lorenzo Franceschi Bicchierai <
lorenzo...@gmail.com> wrote:

> Have you guys seen this?
>
> https://encipher.it/
>
> I've searched through the archives but didn't see anything. I'm wondering
> how safe this is.
>
> It has received some small attention on the media before.
>
>
> http://www.pcworld.com/article/255938/encipher_it_encrypts_email_for_free.html
>
> Thoughts?
>
> --
> *Lorenzo Franceschi-Bicchierai
> *Mashable  Junior US & World Reporter
> lore...@mashable.com | lorenzo...@gmail.com
> #: (+1) 917 257 1382
> Twitter: @lorenzoFB 
> Skype: lorenzofb8
> OTR: lorenz...@jabber.ccc.de
> www.lorenzofb.com

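Added example, not part of the message above and not encipher.it's code: it shows why CTR mode without a MAC over the ciphertext accepts a modified message, next to an encrypt-then-MAC format that rejects the same modification and takes its counter block from the system CSPRNG instead of the clock and Math.random(). The function names, passphrase, sample message and the iv | ciphertext | tag layout are assumptions made for illustration.

```javascript
// Added example (Node.js); names, layout and sample data are hypothetical.
const nodeCrypto = require('crypto');

// Derive independent encryption and MAC keys from a passphrase.
function deriveKeys(passphrase, salt) {
  const okm = nodeCrypto.scryptSync(passphrase, salt, 64);
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

// AES-256-CTR with a counter block taken from the CSPRNG. On its own
// this provides confidentiality only, no integrity.
function ctrEncrypt(encKey, plaintext) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv('aes-256-ctr', encKey, iv);
  return { iv, ct: Buffer.concat([c.update(plaintext, 'utf8'), c.final()]) };
}

function ctrDecrypt(encKey, iv, ct) {
  const d = nodeCrypto.createDecipheriv('aes-256-ctr', encKey, iv);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// HMAC-SHA-256 over everything the receiver will act on.
function macOver(macKey, iv, ct) {
  return nodeCrypto.createHmac('sha256', macKey).update(iv).update(ct).digest();
}

// Encrypt-then-MAC. Output layout: iv (16) | ciphertext | tag (32).
function seal(keys, plaintext) {
  const { iv, ct } = ctrEncrypt(keys.encKey, plaintext);
  return Buffer.concat([iv, ct, macOver(keys.macKey, iv, ct)]);
}

// Verify the tag before decrypting anything; compare in constant time.
function unseal(keys, blob) {
  if (blob.length < 16 + 32) throw new Error('message too short');
  const iv = blob.subarray(0, 16);
  const ct = blob.subarray(16, blob.length - 32);
  const tag = blob.subarray(blob.length - 32);
  if (!nodeCrypto.timingSafeEqual(tag, macOver(keys.macKey, iv, ct))) {
    throw new Error('authentication failed');
  }
  return ctrDecrypt(keys.encKey, iv, ct);
}

function demoTamper() {
  const salt = nodeCrypto.randomBytes(16);
  const keys = deriveKeys('constructed demo passphrase', salt);
  const message = 'meet at 10:00'; // constructed sample message

  // Unauthenticated CTR: one ciphertext byte is changed in transit.
  const { iv, ct } = ctrEncrypt(keys.encKey, message);
  const altered = Buffer.from(ct);
  altered[8] ^= 0x03; // '1' (0x31) decrypts as '2' (0x32)
  const tamperedPlaintext = ctrDecrypt(keys.encKey, iv, altered);

  // The same change applied to the sealed format.
  const blob = seal(keys, message);
  const roundTrip = unseal(keys, blob);
  const alteredBlob = Buffer.from(blob);
  alteredBlob[16 + 8] ^= 0x03;
  let sealedRejected = false;
  try {
    unseal(keys, alteredBlob);
  } catch (e) {
    sealedRejected = true;
  }
  return { tamperedPlaintext, roundTrip, sealedRejected };
}
```

None of this addresses the first point in the message: code fetched from a remote site on every use can be replaced regardless of how sound the cipher construction is.
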
[liberationtech] Encipher.it

2013-06-18 Thread Lorenzo Franceschi Bicchierai
Have you guys seen this?

https://encipher.it/

I've searched through the archives but didn't see anything. I'm wondering
how safe this is.

It has received some small attention on the media before.

http://www.pcworld.com/article/255938/encipher_it_encrypts_email_for_free.html

Thoughts?

-- 
*Lorenzo Franceschi-Bicchierai
*Mashable  Junior US & World Reporter
lore...@mashable.com | lorenzo...@gmail.com
#: (+1) 917 257 1382
Twitter: @lorenzoFB 
Skype: lorenzofb8
OTR: lorenz...@jabber.ccc.de
www.lorenzofb.com

Re: [liberationtech] NSA flag terms

2013-06-18 Thread Owen Barton
Hi everyone (first post),

I am pretty sure most of that list has been around since the late 90s at
least - I remember many of them from "Jam Echelon Day" in 1999.

Incidentally, if anyone is interested in a little Jam Echelon Day history
you can read the hacktivism e-mail list (which the JED idea emerged from,
and which I happened to start/moderate) archives at
http://archives.openflows.org/hacktivism/index.html and also a dissertation
someone wrote on early hacktivism
http://www.alexandrasamuel.com/dissertation/pdfs/Samuel-Hacktivism-entire.pdf.
I think it's pretty clear the NSA derives more intelligence from graphing
connections/relationships than grepping for keywords, so I think JED was
more conceptual than practical (and quite disorganized, of course).

Thanks!
- Owen


On Tue, Jun 18, 2013 at 8:27 AM, Ryan Gallagher wrote:

> FYI, this keyword list is at least about 12/13 years old. See:
> http://www.theregister.co.uk/2001/05/31/what_are_those_words/
>
>
> On 18 June 2013 15:59, Yosem Companys  wrote:
>
>> From: Khannea Suntzu 
>>
>> This is an (admittedly huge) list of words that supposedly cause the
>> NSA to flag you as a potential terrorist if you over-use them in an
>> email.
>>
>> We found this on Reddit, where James Bamford, a veteran reporter with
>> 30 years experience covering the NSA, is answering questions from the
>> community. This list comes from Reddit user GloriousDawn, who found it
>> on Attrition.org, a site that very closely follows the security
>> industry.
>>
>> You may want to peruse this entire list yourself, but here are some of
>> our favourites that stick out:
>>
>> · dictionary
>>
>> · sweeping
>>
>> · ionosphere
>>
>> · military intelligence
>>
>> · Steve Case
>>
>> · Scully
>>
>> And the full list for your browsing pleasure:
>>
>> Waihopai, INFOSEC, Information Security, Information Warfare, IW, IS,
>> Privacy, Information Terrorism, Terrorism Defensive Information,
>> defence Information Warfare, Offensive Information, Offensive
>> Information Warfare, National Information Infrastructure, InfoSec,
>> Reno, Compsec, Computer Terrorism, Firewalls, Secure Internet
>> Connections, ISS, Passwords, DefCon V, Hackers, Encryption, Espionage,
>> USDOJ, NSA, CIA, S/Key, SSL, FBI, Secert Service, USSS, Defcon,
>> Military, White House, Undercover, NCCS, Mayfly, PGP, PEM, RSA,
>> Perl-RSA, MSNBC, bet, AOL, AOL TOS, CIS, CBOT, AIMSX, STARLAN, 3B2,
>> BITNET, COSMOS, DATTA, E911, FCIC, HTCIA, IACIS, UT/RUS, JANET, JICC,
>> ReMOB, LEETAC, UTU, VNET, BRLO, BZ, CANSLO, CBNRC, CIDA, JAVA, Active
>> X, Compsec 97, LLC, DERA, Mavricks, Meta-hackers, ^?, Steve Case,
>> Tools, Telex, Military Intelligence, Scully, Flame, Infowar, Bubba,
>> Freeh, Archives, Sundevil, jack, Investigation, ISACA, NCSA, spook
>> words, Verisign, Secure, ASIO, Lebed, ICE, NRO, Lexis-Nexis, NSCT,
>> SCIF, FLiR, Lacrosse, Flashbangs, HRT, DIA, USCOI, CID, BOP, FINCEN,
>> FLETC, NIJ, ACC, AFSPC, BMDO, NAVWAN, NRL, RL, NAVWCWPNS, NSWC, USAFA,
>> AHPCRC, ARPA, LABLINK, USACIL, USCG, NRC, ~, CDC, DOE, FMS, HPCC,
>> NTIS, SEL, USCODE, CISE, SIRC, CIM, ISN, DJC, SGC, UNCPCJ, CFC, DREO,
>> CDA, DRA, SHAPE, SACLANT, BECCA, DCJFTF, HALO, HAHO, FKS, 868, GCHQ,
>> DITSA, SORT, AMEMB, NSG, HIC, EDI, SAS, SBS, UDT, GOE, DOE, GEO,
>> Masuda, Forte, AT, GIGN, Exon Shell, CQB, CONUS, CTU, RCMP, GRU, SASR,
>> GSG-9, 22nd SAS, GEOS, EADA, BBE, STEP, Echelon, Dictionary, MD2, MD4,
>> MDA, MYK, 747,777, 767, MI5, 737, MI6, 757, Kh-11, Shayet-13, SADMS,
>> Spetznaz, Recce, 707, CIO, NOCS, Halcon, Duress, RAID, Psyops, grom,
>> D-11, SERT, VIP, ARC, S.E.T. Team, MP5k, DREC, DEVGRP, DF, DSD, FDM,
>> GRU, LRTS, SIGDEV, NACSI, PSAC, PTT, RFI, SIGDASYS, TDM. SUKLO, SUSLO,
>> TELINT, TEXTA. ELF, LF, MF, VHF, UHF, SHF, SASP, WANK, Colonel,
>> domestic disruption, smuggle, 15kg, nitrate, Pretoria, M-14, enigma,
>> Bletchley Park, Clandestine, nkvd, argus, afsatcom, CQB, NVD, Counter
>> Terrorism Security, Rapid Reaction, Corporate Security, Police,
>> sniper, PPS, ASIS, ASLET, TSCM, Security Consulting, High Security,
>> Security Evaluation, Electronic Surveillance, MI-17, Counterterrorism,
>> spies, eavesdropping, debugging, interception, COCOT, rhost, rhosts,
>> SETA, Amherst, Broadside, Capricorn, Gamma, Gorizont, Guppy,
>> Ionosphere, Mole, Keyhole, Kilderkin, Artichoke, Badger, Cornflower,
>> Daisy, Egret, Iris, Hollyhock, Jasmine, Juile, Vinnell, B.D.M.,Sphinx,
>> Stephanie, Reflection, Spoke, Talent, Trump, FX, FXR, IMF, POCSAG,
>> Covert Video, Intiso, r00t, lock picking, Beyond Hope, csystems,
>> passwd, 2600 Magazine, Competitor, EO, Chan, Alouette,executive, Event
>> Security, Mace, Cap-Stun, stakeout, ninja, ASIS, ISA, EOD, Oscor,
>> Merlin, NTT, SL-1, Rolm, TIE, Tie-fighter, PBX, SLI, NTT, MSCJ, MIT,
>> 69, RIT, Time, MSEE, Cable & Wireless, CSE, Embassy, ETA, Porno, Fax,
>> finks, Fax encryption, white noise, pink noise, CRA, M.P.R.I., top
>> secret, Mossberg, 50BMG, Macintosh Sec

liberationtech@lists.stanford.edu

2013-06-18 Thread The Doctor

On 06/17/2013 10:53 PM, Eric S Johnson wrote:

> Agreed. Even my 13-year-old's using it. I do wish something as easy
> existed for MS Outlook users. Symantec Desktop Encryption works
> well and is much more powerful but is also much harder to use
> (besides costing much more!).

It's also very finicky - while it does disk encryption quite well,
sometimes the e-mail and file encryption bits freak out and Do the
Wrong Thing(tm).  Complaints about it stacked up at the DC cryptoparty
last year.

That said, I've been using and teaching GPG4win
(http://www.gpg4win.org/) for about a year now.  It includes GpgOL
(GPG for Outlook), and attempts to accomplish the same tasks as
Enigmail (and mostly succeeds).

-- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

SEARCH PARTY ATTACKED BY MONSTER



Re: [liberationtech] Help Testing & Compare the new vs old Tor Browser Bundle Project

2013-06-18 Thread Daniel Sieradski
New Tor browser version is working great on OS X.

Have any of you folks heard about and/or verified that Facebook is blocking 
logins from Tor?
http://www.wamda.com/2013/06/facebook-blocks-tor

BTW, hi everyone.  I just joined the list.  I work with Nick Merrill at Calyx 
Institute on community engagement and online marketing.  I'm also the guy 
behind http://twitter.com/_nothingtohide and have organized two Cryptoparties 
(so far) in Syracuse, NY.

--
Daniel Sieradski
d...@danielsieradski.com
http://danielsieradski.com
315.889.1444

Follow me at http://twitter.com/selfagency
Public key http://danielsieradski.com/share/ds_public.key

Re: [liberationtech] [tp] NSA flag terms

2013-06-18 Thread Eugen Leitl
- Forwarded message from Matthew Bailey  -

Date: Tue, 18 Jun 2013 09:47:50 -0700
From: Matthew Bailey 
To: technoprogress...@yahoogroups.com
Subject: Re: [tp] NSA flag terms
X-Mailer: Apple Mail (2.1508)
Reply-To: technoprogress...@yahoogroups.com

I am pretty impressed by the list. But probably not why people would/might think

And I am also sure that it is neither complete, nor the only list. Nor is it 
probably real.

But…

Usually things like this come in pairs.

You have keywords that flag a communication for extra attention, and then 
another list that then looks for additional keywords that focus on specific 
subjects dealing with the keywords that are flagged. 

In addition there will be a set of grammars checked against to see if the 
language in the flagged communication matches any known set of communications 
(people have things in their writings that tend to signal consistent authorship 
- as an(some) example(s), people might notice that I have a tendency toward 
parenthetical asides, using pairs/combinations of words separated by slashes <- 
as I just did, or by using flexible noun-predicate tense with the use of 
parenthetical plurals, as in: "as an(some) example(s)").

And the list is hardly huge.

The list keyword we use at work at UCLA (Prof. Francis Steen's Cognitive 
Communication's Lab) to look for syntagmatic signaling in newscasts is at least 
a hundred times longer than this list.

In other words, this is just a small bite of a list, or a fabrication made to 
give people something to get hysterical over (I am going to guess the latter).

MB

On Jun 18, 2013, at 7:55 AM, "Hughes, James J."  
wrote:

> 
> My favorites are ‘utopia’ and ‘Zen’
> 
>  
> 
> From: Khannea Suntzu [mailto:khannea.sun...@gmail.com] 
> Sent: Sunday, June 16, 2013 10:02 AM
> To: Hughes, James J.
> Subject: No seriously
> 
>  
> 
> This is an (admittedly huge) list of words that supposedly cause the NSA to 
> flag you as a potential terrorist if you over-use them in an email.
> 
> We found this on Reddit, where James Bamford, a veteran reporter with 30 
> years experience covering the NSA, is answering questions from the community. 
> This list comes from Reddit user GloriousDawn, who found it on Attrition.org, 
> a site that very closely follows the security industry.
> 
> You may want to peruse this entire list yourself, but here are some of our 
> favourites that stick out:
> 
> · dictionary
> 
> · sweeping
> 
> · ionosphere
> 
> · military intelligence
> 
> · Steve Case
> 
> · Scully
> 
> And the full list for your browsing pleasure:
> 
> Waihopai, INFOSEC, Information Security, Information Warfare, IW, IS, 
> Privacy, Information Terrorism, Terrorism Defensive Information, defence 
> Information Warfare, Offensive Information, Offensive Information Warfare, 
> National Information Infrastructure, InfoSec, Reno, Compsec, Computer 
> Terrorism, Firewalls, Secure Internet Connections, ISS, Passwords, DefCon V, 
> Hackers, Encryption, Espionage, USDOJ, NSA, CIA, S/Key, SSL, FBI, Secert 
> Service, USSS, Defcon, Military, White House, Undercover, NCCS, Mayfly, PGP, 
> PEM, RSA, Perl-RSA, MSNBC, bet, AOL, AOL TOS, CIS, CBOT, AIMSX, STARLAN, 3B2, 
> BITNET, COSMOS, DATTA, E911, FCIC, HTCIA, IACIS, UT/RUS, JANET, JICC, ReMOB, 
> LEETAC, UTU, VNET, BRLO, BZ, CANSLO, CBNRC, CIDA, JAVA, Active X, Compsec 97, 
> LLC, DERA, Mavricks, Meta-hackers, ^?, Steve Case, Tools, Telex, Military 
> Intelligence, Scully, Flame, Infowar, Bubba, Freeh, Archives, Sundevil, jack, 
> Investigation, ISACA, NCSA, spook words, Verisign, Secure, ASIO, Lebed, ICE, 
> NRO, Lexis-Nexis, NSCT, SCIF, FLiR, Lacrosse, Flashbangs, HRT, DIA, USCOI, 
> CID, BOP, FINCEN, FLETC, NIJ, ACC, AFSPC, BMDO, NAVWAN, NRL, RL, NAVWCWPNS, 
> NSWC, USAFA, AHPCRC, ARPA, LABLINK, USACIL, USCG, NRC, ~, CDC, DOE, FMS, 
> HPCC, NTIS, SEL, USCODE, CISE, SIRC, CIM, ISN, DJC, SGC, UNCPCJ, CFC, DREO, 
> CDA, DRA, SHAPE, SACLANT, BECCA, DCJFTF, HALO, HAHO, FKS, 868, GCHQ, DITSA, 
> SORT, AMEMB, NSG, HIC, EDI, SAS, SBS, UDT, GOE, DOE, GEO, Masuda, Forte, AT, 
> GIGN, Exon Shell, CQB, CONUS, CTU, RCMP, GRU, SASR, GSG-9, 22nd SAS, GEOS, 
> EADA, BBE, STEP, Echelon, Dictionary, MD2, MD4, MDA, MYK, 747,777, 767, MI5, 
> 737, MI6, 757, Kh-11, Shayet-13, SADMS, Spetznaz, Recce, 707, CIO, NOCS, 
> Halcon, Duress, RAID, Psyops, grom, D-11, SERT, VIP, ARC, S.E.T. Team, MP5k, 
> DREC, DEVGRP, DF, DSD, FDM, GRU, LRTS, SIGDEV, NACSI, PSAC, PTT, RFI, 
> SIGDASYS, TDM. SUKLO, SUSLO, TELINT, TEXTA. ELF, LF, MF, VHF, UHF, SHF, SASP, 
> WANK, Colonel, domestic disruption, smuggle, 15kg, nitrate, Pretoria, M-14, 
> enigma, Bletchley Park, Clandestine, nkvd, argus, afsatcom, CQB, NVD, Counter 
> Terrorism Security, Rapid Reaction, Corporate Security, Police, sniper, PPS, 
> ASIS, ASLET, TSCM, Security Consulting, High Security, Security Evaluation, 
> Electronic Surveillance, MI-17, Counterterrorism, spies, eavesdropping, 
> debugging, 

Re: [liberationtech] Help Testing & Compare the new vs old Tor Browser Bundle Project

2013-06-18 Thread Moritz Bartl
Hi,

On 18.06.2013 17:50, Randolph D. wrote:
> old Version:
> https://sourceforge.net/projects/torbrowser/

This is not an "old version". It was never official, and the author has
no interest in talking to the Tor developer team, or writing a detailed
spec such as https://www.torproject.org/projects/torbrowser/design/ that
exists for the official Tor Browser.

All in all, it is up to the (hopefully educated) user to choose between
the one that is built by a group of people with known background and
experience, or something released by a single person under pseudonym,
violating the Tor trademark and confusing users like you.

> I think the new one looks great, I just searched for the Start and
> Stop button.

There is no safe way to combine a non-Tor browser with a Tor browser
just yet. For quite some time now, Tor Browser decided to thus get rid
of the option to Start or Stop. Especially now that Tor is "integrated
in the Tor Browser", and starts when you start the browser and stops
when you stop the browser, why should there be separate buttons?!

> It gives less control to the user, if not already familiar with it.

The user expects an application to start when they run it, and stop when
they close it, no?

> Furthermore Firefox was sponsored from Google, who knows, if they are
> not as well in the Project of Prism? Why not using an open source
> security browser?

Firefox is open source. Chrome is a potential choice, but there's a
number of issues that would need to be fixed in the Chrome source before
it can be used for a safe browser. There's not enough developers to
support multiple browsers, or dedicate time to implement missing
features in Chrome.

> The Vidalia Plugin allows for Qt a smooth process with all GUI details
> the user knows already.

Usability studies show, quite expectedly, that many users are confused
by separate applications. Most users just don't need all the extra
features that are present in Vidalia. On MacOS, for example, the GUI
adds *both* Vidalia and the browser component to a launch area: many
users then start just the browser, which fails because Tor is not running.

> Any comments in the regard of how trustful Mozilla is today?

Look for the real conspiracies and economical dependencies, rather than
implying that Google, one of the *victims* of PRISM et al, sponsors a
piece of software (just) to force it to add some sort of backdoor.

-- 
Moritz Bartl
https://www.torservers.net/


Re: [liberationtech] security aspects of OpenQwaq

2013-06-18 Thread Eugen Leitl
- Forwarded message from Ron Teitelbaum  -

Date: Tue, 18 Jun 2013 11:45:07 -0400
From: Ron Teitelbaum 
To: openq...@googlegroups.com
Cc: t...@ritter.vg
Subject: RE: [liberationtech] security aspects of OpenQwaq
X-Mailer: Microsoft Outlook 14.0
Reply-To: openq...@googlegroups.com

Hi Tom,

See responses inline below.

> - Forwarded message from Tom Ritter <t...@ritter.vg> -
>
> Date: Tue, 18 Jun 2013 09:28:05 -0400
> From: Tom Ritter <t...@ritter.vg>
> To: liberationtech <liberationtech@lists.stanford.edu>
> Cc: zs-...@googlegroups.com, "cypherpu...@al-qaeda.net"
> <cypherpu...@al-qaeda.net>, i...@postbiota.org
> Subject: Re: [liberationtech] security aspects of OpenQwaq
> Reply-To: liberationtech <liberationtech@lists.stanford.edu>
>
> The claim of end to end encryption give me pause, although I'm also not clear
> on the differences between the products and which claim applies to which. Do
> they claim the other end is them the provider, or the other user?
>
> It gives me pause because
> 1) They say they use SSL with CA certs.  But if Joe the user is an end, how do they
> give him a public CA cert?

TerfT uses SSL much like a web site.  Each person connects to a server that
is protected using a 3D ICC certificate.  The clients are only clients to
that connection; they are not considered SSL servers.  This is the model that
most people trust for financial transactions.  The issue here is that the
client needs to ensure that the DNS is correct.  This is not as easy as one
might think.  There are a number of viruses out there whose sole purpose is
to change your DNS settings to forward all of your traffic to a compromised
server so that they can track or hack your connections.  The other issue is
that the certificate needs to be verified.  Since we control the software
installed on the client we ensure that the certificate is verified.  I had
not considered doing a DNS verification but it's a good idea, I suppose that
I could do a verification much like SSH and give a warning that something
changed to prevent DNS subversion, but there are cases where we change
servers so we would have to balance ease of use with security.  I'll spend
some time thinking about it and add DNS subversion to our attack tree so
that we don't forget about the problem.

> 2) Multiparty end to end encryption is... mpOTR (to some extent, it probably
> doesn't have PFS or repudiation).  That's a hard problem.  Not saying they
> couldn't have solved it or made good progress on it, but I am saying I think every
> cryptographer in this space would be extremely interesting looking at the
> protocol.

This problem is solved by the server component.  We handle multiple
connections using replicated instructions, but each person is authenticating
using a separate connection to a secure server.  Users do not connect to
other users.

> (I also don't care for the smaller trend of "Free but insecure or pay us for
> secure!")

Sorry but we don't do free. :)

I didn't say OpenQwaq was insecure.  It is not.  I consider the threat of
MITM rare and the impact for most users negligible.  What I said was that we
improved the security at 3D ICC.  I also said that security can be improved
but that was targeted at people interested in running TerfT on SIPRNet or
NIPRNet.  This is for military users not corporate or casual users.

> -tom
>
> On Jun 17, 2013 10:46 AM, "Eugen Leitl" <eu...@leitl.org> wrote:
>
> > OpenQwaq is potentially a useful tool for collaboration, especially
> > multimedia (webcam streaming to avatar face, audio (best with USB
> > headset) with ability to instantiate rooms) -- I've seen it scale to
> > groups or 50+ participants. Collaborative editing is available.

We just had a 60 person meeting for the US Army.  It was a General briefing.
The users were located around the world.  We used webcams and video and the
meeting went extremely well.

All the best,

Ron Teitelbaum
Head Of Engineering
3d Immersive Collaboration Consulting
r...@3dicc.com
Follow Me On Twitter: @RonTeitelbaum
www.3dicc.com
3d ICC on G+

> > Disclosure: no commercial relation to 3D ICC, just a happy user of
> > their hosted services.
> >
> > - Forwarded message from Ron Teitelbaum <r...@3dicc.com> -
> >
> > Date: Mon, 17 Jun 2013 10:34:41 -0400
> > From: Ron Teitelbaum <r...@3dicc.com>
> > To:   openq...@g
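
The SSH-style check discussed in the message above (warn when a server's certificate changes, while still allowing planned server changes), sketched as an added example that is not part of the thread and not 3D ICC's code. The `PinStore` class, its status strings and the idea that a trusted server pre-announces its successor's fingerprint are assumptions made for illustration; the certificates are constructed byte strings, and the check complements CA verification rather than replacing it.

```python
import hashlib
import hmac


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def _norm(host: str) -> str:
    # "Server.Example." and "server.example" must map to the same pin.
    return host.strip().rstrip(".").lower()


class PinStore:
    """Trust-on-first-use pins per host, similar in spirit to SSH known_hosts.

    Each entry holds the pinned fingerprint plus an optional set of
    successor fingerprints that the *already trusted* server announced,
    so a planned server change does not look like DNS subversion.
    """

    def __init__(self):
        self._pins = {}

    def pinned(self, host):
        entry = self._pins.get(_norm(host))
        return entry["current"] if entry else None

    def check(self, host, der_cert, announced_next=()):
        """Return 'first-use', 'match', 'rotated' or 'changed'.

        In a real client der_cert would come from
        ssl.SSLSocket.getpeercert(binary_form=True) after normal CA
        verification has succeeded. announced_next is only honoured when
        the presenting certificate is itself trusted.
        """
        host = _norm(host)
        seen = fingerprint(der_cert)
        entry = self._pins.get(host)

        if entry is None:
            # Nothing to compare against yet: record and tell the caller.
            self._pins[host] = {"current": seen, "next": set(announced_next)}
            return "first-use"

        if hmac.compare_digest(entry["current"], seen):
            if announced_next:
                entry["next"] = set(announced_next)
            return "match"

        if any(hmac.compare_digest(p, seen) for p in entry["next"]):
            # Planned change that the old, trusted server told us about.
            self._pins[host] = {"current": seen, "next": set(announced_next)}
            return "rotated"

        # Unknown certificate for a known host: keep the old pin and warn.
        # Anything this server announces is ignored.
        return "changed"


def demo():
    """Walk through the cases with constructed stand-in certificates."""
    old = b"constructed-cert-A"
    new = b"constructed-cert-B"
    unknown = b"constructed-cert-X"
    store = PinStore()
    return [
        store.check("Server.Example.", old),
        store.check("server.example", old, announced_next=[fingerprint(new)]),
        store.check("server.example", unknown,
                    announced_next=[fingerprint(unknown)]),
        store.check("server.example", new),
        store.check("server.example", old),
    ]


if __name__ == "__main__":
    print(demo())
```

A client would treat `changed` as the SSH-like warning and refuse or prompt, and treat `rotated` as a silent, expected server change.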

Re: [liberationtech] Decoupling from current power structures

2013-06-18 Thread phryk
On Tue, 18 Jun 2013 09:40:23 -0400
Bruce Potter at IRF  wrote:

> in a nation of 300 million, and a global system heading for 10
> billion, I don't see it.

I didn't mean decoupling everybody at once. I am talking about
loosening our dependance on them by introducing systems by the people
for the people that would make at least the base needs of food and
shelter available to people.

Obviously this would be really small at scale, at least at first.

You could for instance form a small community with the goal of
providing shelter and food for everyone in an automated way.
You wouldn't even need to declare your independence from the government
or anything but just build it in parallel.

If this at some point actually gets to the point where it works
efficiently, it could simply be scaled up.


[liberationtech] Help Testing & Compare the new vs old Tor Browser Bundle Project

2013-06-18 Thread Randolph D.
Hi

any help for the details in the comparison of Tor Browser Bundle

old Version:
https://sourceforge.net/projects/torbrowser/

new Version:
https://people.torproject.org/~mikeperry/tbb-3.0alpha1-builds/official/


I think the new one looks great, I just searched for the Start and Stop
button.
It gives less control to the user, if not already familiar with it.
Furthermore Firefox was sponsored from Google, who knows, if they are not
as well in the Project of Prism? Why not using an open source security
browser?

What is the motivation to code XUL?

The Vidalia Plugin allows for Qt a smooth process with all GUI details the
user knows already.

Any comments in the regard of how trustful Mozilla is today?

[liberationtech] Jim Bamford's comments all in one place

2013-06-18 Thread Eugen Leitl

http://www.reddit.com/user/JimBamford

In case you haven't read his books, go read his books.


Re: [liberationtech] Facebook blocking Tor ?

2013-06-18 Thread Amaelle G
Yeah, I just saw that too.
Would be interesting anyway to know why and how it happened exactly --
as it could happen again, I suppose.

On 18/06/2013 17:42, Wassim Ben Ayed wrote:
> 
>> Hi Libtech,
>>
>> Just saw this post a few minutes ago :
>> http://arabcrunch.com/2013/06/facebook-blocks-log-ins-from-tor-browser-putting-thousands-of-political-activist-at-risk.html
>>
>> It looks like Facebook doesn't allow connections from Tor Browser
>> anymore. (Just tried myself and couldn't connect, indeed). Considering
>> the amount of activists using FB in Arabic countries, for instance,
>> this is not a minor issue. Could this by any chance be something else
>> than an intentional move, or do we have to consider that Facebook made
>> a clear choice regarding the personal safety of its users ?
> 
> Hi Amaelle,
> 
> Actually, torproject had just published a blog post in which
> they explain that Facebook is not blocking Tor deliberately, and they are
> working on the issue.
> https://blog.torproject.org/blog/facebook-and-tor
> 
> Regards,
> 
> -- 
> phoewass
> 
> GPG ID: 0xBD3BC6E9
> GPG Fingerprint: 5A71 D4C4 E0EF 1C2F 39F2  4ED7 9F92 D755 BD3B C6E9
> 
> 
> 
> 


-- 
Amaelle Guiton
Journalism @ Le Mouv' (Radio France) & elsewhere
Author of "Hackers : Au cœur de la résistance numérique"
--
PGP Key 0x5AF9
Fingerprint 4D45 9E75 9D0B 098C 6D85 F839 0373 A9CB  5AF9
--
facebook.com/amaelle.guiton
twitter.com/micro_ouvert
XMPP : micro_ouv...@jabber.ubuntu-fr.org


Re: [liberationtech] Facebook blocking Tor ?

2013-06-18 Thread Wassim Ben Ayed

> Hi Libtech,
>
> Just saw this post a few minutes ago :
> http://arabcrunch.com/2013/06/facebook-blocks-log-ins-from-tor-browser-putting-thousands-of-political-activist-at-risk.html
>
> It looks like Facebook doesn't allow connections from Tor Browser
> anymore. (Just tried myself and couldn't connect, indeed). Considering
> the amount of activists using FB in Arabic countries, for instance,
> this is not a minor issue. Could this by any chance be something else
> than an intentional move, or do we have to consider that Facebook made
> a clear choice regarding the personal safety of its users ?

Hi Amaelle,

Actually, torproject had just published a blog post in which
they explain that Facebook is not blocking Tor deliberately, and they are
working on the issue.
https://blog.torproject.org/blog/facebook-and-tor

Regards,

-- 
phoewass

GPG ID: 0xBD3BC6E9
GPG Fingerprint: 5A71 D4C4 E0EF 1C2F 39F2  4ED7 9F92 D755 BD3B C6E9


[liberationtech] AFCEA reflections on recent prism case

2013-06-18 Thread André Rebentisch
Interesting blog post:

http://mazzintblog.afcea.org/2013/06/18/nsa-can-you-hear-me-now/

Best,
Andrë


Re: [liberationtech] NSA flag terms

2013-06-18 Thread Ryan Gallagher
FYI, this keyword list is at least about 12/13 years old. See:
http://www.theregister.co.uk/2001/05/31/what_are_those_words/

On 18 June 2013 15:59, Yosem Companys  wrote:

> From: Khannea Suntzu 
>
> This is an (admittedly huge) list of words that supposedly cause the
> NSA to flag you as a potential terrorist if you over-use them in an
> email.
>
> We found this on Reddit, where James Bamford, a veteran reporter with
> 30 years experience covering the NSA, is answering questions from the
> community. This list comes from Reddit user GloriousDawn, who found it
> on Attrition.org, a site that very closely follows the security
> industry.
>
> You may want to peruse this entire list yourself, but here are some of
> our favourites that stick out:
>
> · dictionary
>
> · sweeping
>
> · ionosphere
>
> · military intelligence
>
> · Steve Case
>
> · Scully
>

Re: [liberationtech] NSA flag terms

2013-06-18 Thread Griffin Boyce
  While I can't speak to the veracity of *this* list in particular, the
list of DHS keywords is worth a look:
http://www.scribd.com/doc/82701103/Analyst-Desktop-Binder-REDACTED

~Griffin

-- 
Just another hacker in the City of Spies.
#Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de

My posts, while frequently amusing, are not representative of the thoughts
of my employer.

Re: [liberationtech] NSA flag terms

2013-06-18 Thread Lina Srivastava
Well, real men don't eat quiche, so that one makes sense.
But "Pixar"?
I'm definitely flagged.

Is there a link to this somewhere?



On Tue, Jun 18, 2013 at 11:14 AM, Joss Wright <
joss-liberationt...@pseudonymity.net> wrote:

> On Tue, Jun 18, 2013 at 07:59:08AM -0700, Yosem Companys wrote:
> > From: Khannea Suntzu 
> >
> > This is an (admittedly huge) list of words that supposedly cause the
> > NSA to flag you as a potential terrorist if you over-use them in an
> > email.
> >
> > You may want to peruse this entire list yourself, but here are some of
> > our favourites that stick out:
> >
> > · dictionary
> >
> > · sweeping
> >
> > · ionosphere
> >
> > · military intelligence
> >
> > · Steve Case
> >
> > · Scully
>
> The ones that stick out more for me are: "c", "a", "b", "d", and "the".
>
> Oh, and "Badger". And "Quiche".
>
> Joss
> --
> Joss Wright | @JossWright
> http://www.pseudonymity.net
>



-- 
Lina Srivastava
--
linasrivastava.com  |  twitter   |
linkedin

Re: [liberationtech] NSA flag terms

2013-06-18 Thread Joss Wright
On Tue, Jun 18, 2013 at 07:59:08AM -0700, Yosem Companys wrote:
> From: Khannea Suntzu 
> 
> This is an (admittedly huge) list of words that supposedly cause the
> NSA to flag you as a potential terrorist if you over-use them in an
> email.
> 
> You may want to peruse this entire list yourself, but here are some of
> our favourites that stick out:
> 
> · dictionary
> 
> · sweeping
> 
> · ionosphere
> 
> · military intelligence
> 
> · Steve Case
> 
> · Scully

The ones that stick out more for me are: "c", "a", "b", "d", and "the".

Oh, and "Badger". And "Quiche".

Joss
-- 
Joss Wright | @JossWright
http://www.pseudonymity.net

Re: [liberationtech] NSA flag terms

2013-06-18 Thread David Johnson
Speaking of NSA flagging, I thought this piece was very funny ...

http://www.warscapes.com/literature/cryptogams-nsa


On Tue, Jun 18, 2013 at 7:59 AM, Yosem Companys wrote:

> From: Khannea Suntzu 
>
> This is an (admittedly huge) list of words that supposedly cause the
> NSA to flag you as a potential terrorist if you over-use them in an
> email.
>
> We found this on Reddit, where James Bamford, a veteran reporter with
> 30 years experience covering the NSA, is answering questions from the
> community. This list comes from Reddit user GloriousDawn, who found it
> on Attrition.org, a site that very closely follows the security
> industry.
>
> You may want to peruse this entire list yourself, but here are some of
> our favourites that stick out:
>
> · dictionary
>
> · sweeping
>
> · ionosphere
>
> · military intelligence
>
> · Steve Case
>
> · Scully
>

[liberationtech] NSA flag terms

2013-06-18 Thread Yosem Companys
From: Khannea Suntzu 

This is an (admittedly huge) list of words that supposedly cause the
NSA to flag you as a potential terrorist if you over-use them in an
email.

We found this on Reddit, where James Bamford, a veteran reporter with
30 years experience covering the NSA, is answering questions from the
community. This list comes from Reddit user GloriousDawn, who found it
on Attrition.org, a site that very closely follows the security
industry.

You may want to peruse this entire list yourself, but here are some of
our favourites that stick out:

· dictionary

· sweeping

· ionosphere

· military intelligence

· Steve Case

· Scully

And the full list for your browsing pleasure:

Waihopai, INFOSEC, Information Security, Information Warfare, IW, IS,
Privacy, Information Terrorism, Terrorism Defensive Information,
defence Information Warfare, Offensive Information, Offensive
Information Warfare, National Information Infrastructure, InfoSec,
Reno, Compsec, Computer Terrorism, Firewalls, Secure Internet
Connections, ISS, Passwords, DefCon V, Hackers, Encryption, Espionage,
USDOJ, NSA, CIA, S/Key, SSL, FBI, Secert Service, USSS, Defcon,
Military, White House, Undercover, NCCS, Mayfly, PGP, PEM, RSA,
Perl-RSA, MSNBC, bet, AOL, AOL TOS, CIS, CBOT, AIMSX, STARLAN, 3B2,
BITNET, COSMOS, DATTA, E911, FCIC, HTCIA, IACIS, UT/RUS, JANET, JICC,
ReMOB, LEETAC, UTU, VNET, BRLO, BZ, CANSLO, CBNRC, CIDA, JAVA, Active
X, Compsec 97, LLC, DERA, Mavricks, Meta-hackers, ^?, Steve Case,
Tools, Telex, Military Intelligence, Scully, Flame, Infowar, Bubba,
Freeh, Archives, Sundevil, jack, Investigation, ISACA, NCSA, spook
words, Verisign, Secure, ASIO, Lebed, ICE, NRO, Lexis-Nexis, NSCT,
SCIF, FLiR, Lacrosse, Flashbangs, HRT, DIA, USCOI, CID, BOP, FINCEN,
FLETC, NIJ, ACC, AFSPC, BMDO, NAVWAN, NRL, RL, NAVWCWPNS, NSWC, USAFA,
AHPCRC, ARPA, LABLINK, USACIL, USCG, NRC, ~, CDC, DOE, FMS, HPCC,
NTIS, SEL, USCODE, CISE, SIRC, CIM, ISN, DJC, SGC, UNCPCJ, CFC, DREO,
CDA, DRA, SHAPE, SACLANT, BECCA, DCJFTF, HALO, HAHO, FKS, 868, GCHQ,
DITSA, SORT, AMEMB, NSG, HIC, EDI, SAS, SBS, UDT, GOE, DOE, GEO,
Masuda, Forte, AT, GIGN, Exon Shell, CQB, CONUS, CTU, RCMP, GRU, SASR,
GSG-9, 22nd SAS, GEOS, EADA, BBE, STEP, Echelon, Dictionary, MD2, MD4,
MDA, MYK, 747,777, 767, MI5, 737, MI6, 757, Kh-11, Shayet-13, SADMS,
Spetznaz, Recce, 707, CIO, NOCS, Halcon, Duress, RAID, Psyops, grom,
D-11, SERT, VIP, ARC, S.E.T. Team, MP5k, DREC, DEVGRP, DF, DSD, FDM,
GRU, LRTS, SIGDEV, NACSI, PSAC, PTT, RFI, SIGDASYS, TDM. SUKLO, SUSLO,
TELINT, TEXTA. ELF, LF, MF, VHF, UHF, SHF, SASP, WANK, Colonel,
domestic disruption, smuggle, 15kg, nitrate, Pretoria, M-14, enigma,
Bletchley Park, Clandestine, nkvd, argus, afsatcom, CQB, NVD, Counter
Terrorism Security, Rapid Reaction, Corporate Security, Police,
sniper, PPS, ASIS, ASLET, TSCM, Security Consulting, High Security,
Security Evaluation, Electronic Surveillance, MI-17, Counterterrorism,
spies, eavesdropping, debugging, interception, COCOT, rhost, rhosts,
SETA, Amherst, Broadside, Capricorn, Gamma, Gorizont, Guppy,
Ionosphere, Mole, Keyhole, Kilderkin, Artichoke, Badger, Cornflower,
Daisy, Egret, Iris, Hollyhock, Jasmine, Juile, Vinnell, B.D.M.,Sphinx,
Stephanie, Reflection, Spoke, Talent, Trump, FX, FXR, IMF, POCSAG,
Covert Video, Intiso, r00t, lock picking, Beyond Hope, csystems,
passwd, 2600 Magazine, Competitor, EO, Chan, Alouette,executive, Event
Security, Mace, Cap-Stun, stakeout, ninja, ASIS, ISA, EOD, Oscor,
Merlin, NTT, SL-1, Rolm, TIE, Tie-fighter, PBX, SLI, NTT, MSCJ, MIT,
69, RIT, Time, MSEE, Cable & Wireless, CSE, Embassy, ETA, Porno, Fax,
finks, Fax encryption, white noise, pink noise, CRA, M.P.R.I., top
secret, Mossberg, 50BMG, Macintosh Security, Macintosh Internet
Security, Macintosh Firewalls, Unix Security, VIP Protection, SIG,
sweep, Medco, TRD, TDR, sweeping, TELINT, Audiotel, Harvard, 1080H,
SWS, Asset, Satellite imagery, force, Cypherpunks, Coderpunks, TRW,
remailers, replay, redheads, RX-7, explicit, FLAME, Pornstars, AVN,
Playboy, Anonymous, Sex, chaining, codes, Nuclear, 20, subversives,
SLIP, toad, fish, data havens, unix, c, a, b, d, the, Elvis, quiche,
DES, 1*, NATIA, NATOA, sneakers, counterintelligence, industrial
espionage, PI, TSCI, industrial intelligence, H.N.P., Juiliett Class
Submarine, Locks, loch, Ingram Mac-10, sigvoice, ssa, E.O.D., SEMTEX,
penrep, racal, OTP, OSS, Blowpipe, CCS, GSA, Kilo Class, squib,
primacord, RSP, Becker, Nerd, fangs, Austin, Comirex, GPMG, Speakeasy,
humint, GEODSS, SORO, M5, ANC, zone, SBI, DSS, S.A.I.C., Minox,
Keyhole, SAR, Rand Corporation, Wackenhutt, EO, Wackendude, mol,
Hillal, GGL, CTU, botux, Virii, CCC, Blacklisted 411, Internet
Underground, XS4ALL, Retinal Fetish, Fetish, Yobie, CTP, CATO, Phon-e,
Chicago Posse, l0ck, spook keywords, PLA, TDYC, W3, CUD, CdC, Weekly
World News, Zen, World Domination, Dead, GRU, M72750, Salsa, 7,
Blowfish, Gorelick, Glock, Ft. Meade, press-release, Indigo, wire
tra

liberationtech@lists.stanford.edu

2013-06-18 Thread Eugen Leitl
On Tue, Jun 18, 2013 at 12:18:38PM +0300, Michael Azarkevich wrote:
> Why settle for "strong enough"? Use the strongest options you have at your
> disposal.

One-time pads are provably strong if done right, but come with
considerable usability disadvantages (but are potentially
worth it if people's lives are on the line).

Moreover, the point was that available encryption is sufficiently
strong so that it's being worked around in practice. These
are not the droids you're looking for.  
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Decoupling from current power structures

2013-06-18 Thread phryk
On Tue, 18 Jun 2013 09:40:23 -0400
Bruce Potter at IRF  wrote:

> in a nation of 300 million, and a global system heading for 10
> billion, I don't see it.

I didn't mean decoupling everybody at once. I am talking about
loosening our dependence on them by introducing systems by the people
for the people that would make at least the base needs of food and
shelter available to people.

Obviously this would be really small at scale, at least at first.

You could for instance form a small community with the goal of
providing shelter and food for everyone in an automated way.
You wouldn't even need to declare your independence from the government
or anything but just build it in parallel.

If this at some point actually gets to the point where it works
efficiently, it could simply be scaled up.


Re: [liberationtech] Quick Guide to Alternatives

2013-06-18 Thread Karl Fogel
Moritz Bartl  writes:
>On 17.06.2013 21:06, micah wrote:
>> Do you have any suggestions for what Riseup can do to resolve that
>> concern for you? I don't disagree with you, I'm just curious about
>> solutions here.
>
>I am happy to repeat myself, since the issues I have with Riseup have
>not been addressed so far.
>
>Tactical Tech should not be recommending Riseup, and Riseup only,
>without stressing that you *always* have to trust the operators and the
>systems behind them, and at least mention some alternatives to Riseup. A
>longer article should also discuss that Gmail is probably better
>security-wise than some random open source installation. In the end it
>depends on your threat model, right?
>
>Anyway:
>
>#1 There was a point in time when Riseup purposely decided to stop
>pushing decentralization. A lot of work was and is put into features
>that are *not* documented properly and not easily available to replicate.
>
>#2 As an example, the website states "minimal logging". What the hell is
>"minimum logging" other than marketing speech? Why don't you tell your
>users what you are logging, up to the last byte? Especially when you
>provide a sensitive service like email, extra care should be put in the
>documentation and specification of logging policies. And by that I mean
>down to the config files of the syslog daemon.

Riseup makes a more specific promise than just "minimal logging".  They
say: "We do not log your IP address" and some other things, at
https://help.riseup.net/en/about-us .  It's not the "up to the last
byte" you're asking for above, but it's more specific than just "minimal
logging".

>#3 How hard is it to be transparent about money and sponsors? There's
>some big money behind Riseup now, and you guys should be very open about
>the sources.

Surprisingly hard.

It's actually a fair bit of work to maintain up-to-date donor pages,
especially when you have some donors who want to remain anonymous and
other donors who want to be listed under a name slightly different from
the one they donated under, etc... I'm not saying this is the reason
Riseup isn't showing that information.  But the answer to your direct
question is: "surprisingly hard".  (Speaking from abundant personal
experience, running one US non-profit organization and being on the
board of another.)

There's an opportunity cost to maintaining that information publicly.
Whoever takes on the task gives up something else they could be doing --
something that might be more interesting and feel more productive to
them.

"Volunteers are surely standing by", and all that :-).


Re: [liberationtech] Identi.ca, Diaspora, and Friendica are more secure alternatives to Facebook.

2013-06-18 Thread h0ost
Friendica is definitely worth a try.  They've done some really
interesting work with privacy controls, access control lists for
communication using public key crypto, etc. Not to mention that it runs
on my Raspberry Pi, among other things.

The idea of small servers, distributed throughout the world sounds like
a good alternative to centralized, super-sized servers, which by design
require large (corporate) resources to run.

On 06/18/2013 04:35 AM, John Sullivan wrote:
> John Adams  writes:
> 
>> 
>>
>> I'm completely certain that these small, poorly funded projects have hired
>> massive security teams (as the major social networks do) and provide a safe
>> alternative to Facebook or Twitter.
>>
>> 
> 
> One compromise at Twitter gave attackers access to a slew of login
> details to try against other sites. The same thing (on a much smaller
> scale) could be true of identi.ca, since it has many users, but the same
> would not be true of identi.ca's (StatusNet / pump.io) ideal world,
> where everyone has their own individual instance, each of which would
> have to be compromised separately in order to capture a useful list of
> credentials.
> 
> Also, break-ins like this are only one aspect of security, and the
> article is primarily about how easy your data is to obtain via
> "legitimate" means, and who makes decisions related to that.
> 
> There are plenty of other differences that land in favor of the free
> software decentralized services vision. Such as, actually deleting your
> data when you want it deleted. Or ease of moving your information from a
> platform found to be insecure to a better one.
> 
> More could have been said in the article about the fundamental
> difference in vision and what it means for the future. A future where we
> don't have to rely on antagonistic corporations to build huge castles to
> guard our baby pictures with massive security teams seems worth
> contemplating. Encouraging people to try out that vision, and see how it
> changes their relationship to all this spying news, seems like a good
> thing to me. 
> 
> As usual, it's not that simple for dissidents under active threat, but
> as a way to encourage broad social change, I think it has merit.
> 
> 
> -john
> 
> --
> John Sullivan | Executive Director, Free Software Foundation
> GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS
> 
> Do you use free software? Donate to join the FSF and support freedom at
> .
> 
> computer terrorism warfare bank HAMASMOIS munitions sweep underground
> Roswell keyhole SDI ANZUS pre-emptive Ansar al-Islam terrorism Aladdin


[liberationtech] Decoupling from current power structures

2013-06-18 Thread phryk
I am pretty sure that I am not the only one thinking that we
(colloquially known as "we, the people") need to make ourselves
independent from current power structures i.e. governments and
corporations.

Even if you are not an anarchist or similar you will have to
acknowledge that a centralized government poses a single point of
failure. If the government collapses it's fuck-all for the people
living in that state.

At the most basic level what people need is food and shelter.

In our day and age the obvious way for giving *everyone* access to
something would be automation.

So, in essence, my question is this:

What efforts for automating the supply of food, shelter and other
things needed to be independent of our current, centralized, power
structures do you know of?


I know of the urban farming community but think they are a bit too
low-tech. Automated vertical farming[1] seems interesting, but I don't
know of any project trying to do this open-source or even just
proprietarily…

What seems very interesting in terms of shelter is a technology called
contour crafting[2] which was inspired by 3D-printing and could
revolutionize how we think about architecture.

Last but not least I know of the Global Village Construction Set[3]
which is a promising project, but seems to depend on classical,
inefficient, agriculture.

[1] https://en.wikipedia.org/wiki/Vertical_farming
[2] http://www.contourcrafting.org/


Greetings,

phryk

[liberationtech] Facebook blocking Tor ?

2013-06-18 Thread Amaelle G
Hi Libtech,

Just saw this post a few minutes ago :
http://arabcrunch.com/2013/06/facebook-blocks-log-ins-from-tor-browser-putting-thousands-of-political-activist-at-risk.html

It looks like Facebook doesn't allow connections from Tor Browser
anymore. (Just tried myself and couldn't connect, indeed). Considering
the amount of activists using FB in Arabic countries, for instance, this
is not a minor issue. Could this by any chance be something else than an
intentional move, or do we have to consider that Facebook made a clear
choice regarding the personal safety of its users ?

Best,

Amaelle

[PS -- as it's my first message to the list : I'm a French journalist,
working for public radio, notably on digital issues & netpolitics.]

-- 
Amaelle Guiton
Journalisme @ Le Mouv' (Radio France) & ailleurs
Auteur de "Hackers : Au coeur de la résistance numérique"
--
PGP Key 0x5AF9
Fingerprint 4D45 9E75 9D0B 098C 6D85 F839 0373 A9CB  5AF9
--
facebook.com/amaelle.guiton
twitter.com/micro_ouvert
XMPP : micro_ouv...@jabber.ubuntu-fr.org


Re: [liberationtech] How CyanogenMod’s founder is giving Android users their privacy back | Ars Technica

2013-06-18 Thread Wasa

On 18/06/13 05:46, Yosem Companys wrote:

> Since not all applications are malicious, users will be able to enable
> Incognito Mode on a per-app basis. The option will be available within
> each application’s individual settings.

the first thing that bad apps (at least some) do is syphon out data 
right when u open them.
if u need to go to setting to turn the "incognito" option on, there is a 
risk the damage is already done by the time u get to the settings.
I may exaggerate a little of course... but that suggests an installation 
screen with "set default incognito yes/no" prompt could be of use...
it might degrade usability (an extra screen to interact with), user may 
default to the OK button (so incognito maybe should be default).
On starting the app from grid, maybe a toast informing the "incognito" 
status may also be useful...


well, just thoughts...


Re: [liberationtech] Decoupling from current power structures

2013-06-18 Thread Bruce Potter at IRF

Decoupling might have been a feasible option in Thomas Jefferson's time 
(although they DID create the UNITED States after experimenting with the more 
decoupled "Articles of Confederation"), but somehow in a nation of 300 million, 
and a global system heading for 10 billion, I don't see it. At least until we 
can start colonizing asteroids. Afraid the answer is finding ways to "humanize" 
big systems.


On Jun 18, 2013, at 8:01 AM, phryk  wrote:

> I am pretty sure that I am not the only one thinking that we
> (colloquially known as "we, the people") need to make ourselves
> independent from current power structures i.e. governments and
> corporations.
> 
> Even if you are not an anarchist or similar you will have to
> acknowledge that a centralized government poses a single point of
> failure. If the government collapses it's fuck-all for the people
> living in that state.
> 
> At the most basic level what people need is food and shelter.
> 
> In our day and age the obvious way for giving *everyone* access to
> something would be automation.
> 
> So, in essence, my question is this:
> 
> What efforts for automating the supply of food, shelter and other
> things needed to be independent of our current, centralized, power
> structures do you know of?
> 
> 
> I know of the urban farming community but think they are a bit too
> low-tech. Automated vertical farming[1] seems interesting, but I don't
> know of any project trying to do this open-source or even just
> proprietarily…
> 
> What seems very interesting in terms of shelter is a technology called
> contour crafting[2] which was inspired by 3D-printing and could
> revolutionize how we think about architecture.
> 
> Last but not least I know of the Global Village Construction Set[3]
> which is a promising project, but seems to depend on classical,
> inefficient, agriculture.
> 
> [1] https://en.wikipedia.org/wiki/Vertical_farming
> [2] http://www.contourcrafting.org/
> 
> 
> Greetings,
>   
>   phryk

Re: [liberationtech] USA Today panel with 3 American Whistleblowers

2013-06-18 Thread Tom Ritter
On 18 June 2013 07:01, Bernard Tyers - ei8fdb  wrote:
> I also thought William Binney's view that Edward Snowden was potentially 
> crossing a line from whistleblower to traitor with the release of information 
> about the USA's alleged hacking of foreign computer systems is interesting. 
> Is he right? Does it matter?

I think it makes a big practical difference in public opinion.  If the
NSA and CIA were *not* trying to spy on countries like Iran and China -
what would their purpose really be?  Clearly intelligence agencies
should be looking for intelligence on threats to the country*.  I
don't think one of their methods to do so should include dragnet
surveillance of all Americans, but getting a WARRANT to go over the
telephone records of suspected terrorists is the legal instrument
we're pushing for, no?

* Among other things, like looking for incidents of 'bad stuff' other
countries do, to bring to the UN or other bodies: things like
genocide, political imprisonment, censorship, and so on

But if you ask the average citizen "Hey, is giving a list of targets
the NSA/CIA gathers evidence from overseas an acceptable thing for a
[spy]** to give another country in the name of stopping the
human-rights-violating surveillance machine?" I think the answer is
going to be 'No'.  I mean heck, use Binney as an example of the
average citizen.

** The subtleties of "defense contractor" and "spy" are probably lost a bit

-tom


Re: [liberationtech] security aspects of OpenQwaq

2013-06-18 Thread Tom Ritter
The claim of end to end encryption gives me pause, although I'm also not
clear on the differences between the products and which claim applies to
which.  Do they claim the other end is them the provider, or the other user?

It gives me pause because
1) They say they use SSL with CA certs.  But if Joe the user is an end, how
do they give him a public CA cert?
2) Multiparty end to end encryption is... mpOTR (to some extent, it
probably doesn't have PFS or repudiation).  That's a hard problem.  Not
saying they couldn't have solved it or made good progress on it, but I am
saying I think every cryptographer in this space would be extremely
interested in looking at the protocol.

(I also don't care for the smaller trend of "Free but insecure or pay us
for secure!")

-tom


On Jun 17, 2013 10:46 AM, "Eugen Leitl"  wrote:

>
> OpenQwaq is potentially a useful tool for collaboration,
> especially multimedia (webcam streaming to avatar face,
> audio (best with USB headset) with ability to
> instantiate rooms) -- I've seen it scale to
> groups of 50+ participants. Collaborative editing is
> available.
>
> Disclosure: no commercial relation to 3D ICC, just a
> happy user of their hosted services.
>
> - Forwarded message from Ron Teitelbaum  -
>
> Date: Mon, 17 Jun 2013 10:34:41 -0400
> From: Ron Teitelbaum 
> To: openq...@googlegroups.com
> Subject: RE: security aspects of OpenQwaq
> X-Mailer: Microsoft Outlook 14.0
> Reply-To: openq...@googlegroups.com
>
> Hi Eugen,
>
>
>
> OpenQwaq uses ARC4 for encryption.  All data end to end is encrypted over a
> single port connection.
>
>
>
> 3D ICC's Immersive Terf T uses SSL for encryption.  It's basically the same
> model but we've improved it for security, performance and reliability.
>
>
>
> All encrypted traffic is susceptible to MITM.  SSL helps this considerably
> by using public certificate authorities to verify the certificates.  The
> trick is to ensure that your DNS is accurate and that all certificates are
> verified.
>
>
>
> The open source version of OpenQwaq on the other hand is encrypted without
> certificates.
>
>
>
> In either case MITM would leave some significant performance foot prints
> (this could be improved using hardware) and it would take some engineering
> to understand our overlay network protocols to make the data useful for an
> attacker.
>
>
>
> Are you safe from hackers?  Yes I would say that MITM is very unlikely for
> both OpenQwaq and TerfT.
>
>
>
> Are you safe from Governments?  No.  Unlimited access to resources and
> direct internet filtering could in theory attack the connection using MITM
> by subverting DNS, using hardware proxies, and forwarding to the server.
>
>
>
> How safe is it?  We have been reviewed by the Federal Reserve Bank in New
> York and were allowed to have our software installed internally.  We have
> been used by every branch of the military (except the Marines, why I have
> no idea, except maybe because the Navy used it).  We have had significant
> penetration testing done by some of the largest financial institutions and
> corporations in the world and have passed.   I would say that this puts us
> in the upper categories of safeness but still below top secret grade*.
>
>
>
> Hope that helps.
>
>
>
> All the best,
>
>
>
> Ron Teitelbaum
>
> Head Of Engineering
>
> 3d Immersive Collaboration Consulting
>
>   r...@3dicc.com
>
> Follow Me On Twitter:   @RonTeitelbaum
>
>   www.3dicc.com
>
>
> <https://plus.google.com/u/0/b/108936249366287171125/108936249366287171125/posts> 3d ICC on G+
>
>
>
> * if your organization is interested in sponsoring an improvement to our level
> of our security, 3D ICC is ready, willing and able to improve our security
> using Common Criteria and Military Information Assurance standards.  We can
> use data centers with certifications in SSAE16 SOC-1 Type II, Federal
> Information Security Management Act (FISMA), DoD Information Assurance
> Certification and Accreditation Process (DIACAP).  We would be very happy
> to work with you and your organization to meet your security needs.  For more
> information contact us at i...@3dicc.com.
>
>
>
>
>
> > -Original Message-
>
> > From: openq...@googlegroups.com [mailto:openq...@googlegroups.com]
>
> > On Behalf Of Eugen Leitl
>
> > Sent: Monday, June 17, 2013 9:11 AM
>
> > To: openq...@googlegroups.com
>
> > Subject: security aspects of OpenQwaq
>
> >
>
> >
>
> > What's the security model of OpenQwaq?
>
> >
>
> > How secure is the communication model against passive sniffing?
>
> >
>
> > Active traffic manipulation (MITM)?
>
> >
>
> > --
>
> > You received this message because you are subscribed to the Google Groups
>
> > "OpenQwaq Forum" group.
>
> > To unsubscribe from this group and stop receiving emails from it, send an
> email
>
> > to  
> openqwaq+unsubscr...@googlegroups.com.
>
> > For more options, 

Re: [liberationtech] Quick Guide to Alternatives

2013-06-18 Thread Michael Rogers

On 17/06/13 18:13, Anne Roth wrote:
> We have compiled this 'Quick Guide to Alternatives', based on
> Security in-a-box and more.
> 
> https://alternatives.tacticaltech.org

Hi Anne,

Thanks for making this resource available.

The descriptions of RedPhone and Ostel seem a bit inconsistent - or
maybe I don't understand the distinction that's being made.

"RedPhone ... encrypts voice communication data sent between two
devices that run this application. However it also becomes easier to
analyze the traffic it produces and trace it back to you, through your
mobile number. RedPhone uses a central server, which is a point of
centralization and thus puts RedPhone in a powerful position (of
having control over some of this data)."

"When using CSipSimple, you never directly communicate with your
communication partner, instead all your data is routed through the
Ostel server. This makes it much harder to trace your data and find
out who you are talking to. Additionally, Ostel doesn't retain any of
this data, except the account data that you need to log in."

It sounds like you're saying the use of a central server is a
disadvantage for RedPhone but an advantage for Ostel - which may be
true, but I don't understand why.

Cheers,
Michael



Re: [liberationtech] Help test the new Tor Browser!

2013-06-18 Thread Masayuki Hatta
Hi,

Now the new TBB works nicely for me, and I love it.  One regret is that UI
messages are not translated into Japanese... actually, the messages seem to
be already translated (
https://www.transifex.com/projects/p/torproject/language/ja/), but somehow
they don't show up (messages in the installer are translated, btw).  Is
there anything I can help with?

Best regards,
MH


2013/6/17 Jacob Appelbaum 

> Hi,
>
> I'm really excited to say that Tor Browser has had some really important
> changes. Mike Perry has really outdone himself - from deterministic
> builds that allow us to verify that he is honest to actually having
> serious usability improvements. I really mean it - the new TBB is
> actually awesome. It is blazing fast, it no longer has the sometimes
> confusing Vidalia UI, it is now fast to start, it now has a really nice
> splash screen, it has a setup wizard - you name it - nearly everything
> that people found difficult has been removed, replaced or improved.
> Hooray for Mike Perry and all that helped him!
>
> Here is Mike's email:
>
>  https://lists.torproject.org/pipermail/tor-talk/2013-June/028440.html
>
> Here is the place to download it:
>
>  https://people.torproject.org/~mikeperry/tbb-3.0alpha1-builds/official/
>
> Please test it and please please tell us how we might improve it!
>
> All the best,
> Jacob


-- 
Masayuki Hatta
Assistant Professor, Faculty of Economics and Management, Surugadai
University, Japan

http://about.me/mhatta

mha...@gnu.org  / mha...@debian.org / mha...@opensource.jp /
hatta.masay...@surugadai.ac.jp


[liberationtech] USA Today panel with 3 American Whistleblowers

2013-06-18 Thread Bernard Tyers - ei8fdb

This might be of interest to people..

http://www.usatoday.com/story/news/politics/2013/06/16/snowden-whistleblower-nsa-officials-roundtable/2428809/

A round-table discussion with Thomas Drake, William Binney and J. Kirk Wiebe.

I thought these videos were terribly interesting, and powerful.

I also thought William Binney's view that Edward Snowden was potentially 
crossing a line from whistleblower to traitor with the release of information 
about the USA's alleged hacking of foreign computer systems is interesting. Is 
he right? Does it matter?

--
Q: There's a question being debated whether Snowden is a hero or a traitor.

Binney: Certainly he performed a really great public service to begin with by 
exposing these programs and making the government in a sense publicly 
accountable for what they're doing. At least now they are going to have some 
kind of open discussion like that.

But now he is starting to talk about things like the government hacking into 
China and all this kind of thing. He is going a little bit too far. I don't 
think he had access to that program. But somebody talked to him about it, and 
so he said, from what I have read, anyway, he said that somebody, a reliable 
source, told him that the U.S. government is hacking into all these countries. 
But that's not a public service, and now he is going a little beyond public 
service.

So he is transitioning from whistle-blower to a traitor.
- --

- --
Bernard / bluboxthief / ei8fdb

IO91XM / www.ei8fdb.org



Re: [liberationtech] NYT: Obama’s German Storm

2013-06-18 Thread Paul Bernal (LAW)
This all needs to be viewed in the context of complex and contentious internal 
wrangling within the EU over the data protection reform package. What the PRISM 
saga does is strengthen the hand of those within the EU advocating for a 
stronger new package, and less watering down. To an extent this is an internal 
battle - and the Eurocrats don't care as much what the US thinks. To me it's 
more 'Germany vs UK' than it is 'Germany vs US', if you see what I mean.

Ultimately they know that US businesses may well ignore large swathes of the 
new regulation, but they'll use that regulation for horse-trading, in the way 
they've done with European competition regulation for decades. 

It does, however, have a bit of symbolic significance, I think - and if 
businesses think 'privacy' might be a selling point, they might make some 
shifts. That matters more than the details of the law.


On 18 Jun 2013, at 10:39, "Eugen Leitl"  wrote:

> On Mon, Jun 17, 2013 at 10:40:23PM +0200, fukami wrote:
>> Hi,
>> 
>> it's not the first time I hear or read this from Americans: Many people 
>> already gave up discussions about data protection a long time ago. So there 
>> seems a lot of hope that Europeans and especially the Germans with their 
>> learnings from history of surveillance and strong view on privacy can help 
>> fix "Americas lost balance". But to be true: I actually don't think that our 
>> stupid politicians are really the right people for this (and I also think 
>> that the US administration give a f*** what Europeans think or demand).
> 
> You're falling for bad PR. Particularly Germany does not have
> full sovereignty, and it specifically shows in it being #6
> on the top telecommunication surveillance lists. Rest of the EU
> is not much different. De facto they're vassals to the US,
> as long as the empire is still functional they'll remain that.
> 
> Do not look at what your politicians tell you (not that they
> represent you, anyway), and rather judge them by their actions.
> 
> Look back into the past couple decades, there's your answer already.
> 
> Notice this list is called liberation technology, not liberation
> politics. There's probably a reason for that.
> 
>> Still, if the pressure will last longer than the usual couple of days, there 
>> is a real change to get some interesting regulations on EU level that could 
>> badly influence US internet businesses in Europe - for good in terms of 
>> better general data protection for all of us.
>> 
>> http://www.nytimes.com/2013/06/18/opinion/global/roger-cohen-obamas-german-storm.html


Re: [liberationtech] NYT: Obama’s German Storm

2013-06-18 Thread Eugen Leitl
On Mon, Jun 17, 2013 at 10:40:23PM +0200, fukami wrote:
> Hi,
> 
> it's not the first time I hear or read this from Americans: Many people 
> already gave up discussions about data protection a long time ago. So there 
> seems a lot of hope that Europeans and especially the Germans with their 
> learnings from history of surveillance and strong view on privacy can help 
> fix "Americas lost balance". But to be true: I actually don't think that our 
> stupid politicians are really the right people for this (and I also think 
> that the US administration give a f*** what Europeans think or demand). 

You're falling for bad PR. Particularly Germany does not have
full sovereignty, and it specifically shows in it being #6
on the top telecommunication surveillance lists. Rest of the EU
is not much different. De facto they're vassals to the US,
as long as the empire is still functional they'll remain that.

Do not look at what your politicians tell you (not that they
represent you, anyway), and rather judge them by their actions.

Look back into the past couple decades, there's your answer already.

Notice this list is called liberation technology, not liberation
politics. There's probably a reason for that.
 
> Still, if the pressure will last longer than the usual couple of days, there 
> is a real change to get some interesting regulations on EU level that could 
> badly influence US internet businesses in Europe - for good in terms of 
> better general data protection for all of us.
> 
> http://www.nytimes.com/2013/06/18/opinion/global/roger-cohen-obamas-german-storm.html


Re: [liberationtech] Quick Guide to Alternatives

2013-06-18 Thread Julian Oliver
..on Mon, Jun 17, 2013 at 07:13:08PM +0200, Anne Roth wrote:
> Hi,
> 
> Tactical Tech has been getting a lot of questions lately on what to do
> to avoid being spied on - like probably most everyone on this list.
> 
> We have compiled this 'Quick Guide to Alternatives', based on Security
> in-a-box and more.
> 
> https://alternatives.tacticaltech.org
> 
> 
> In addition we try to keep 'Me and My Shadow' up to date with
> information about how we leave digital shadows and what can be done to
> reduce them: https://myshadow.org/ - also a topic that seems to matter
> more these days, also to people who so far tended to be members of the
> 'nothing to hide' and 'but it's so convenient' clubs.

Great list.

It'd be also good to add GNU/Linux however. It's an open source (inspectable) OS
made with the public interest in mind, rather than the strategic ambitions of a
sole proprietor. 

Use of open source applications alone is an insufficient measure against
snooping today, IMO. The operating system is a tangible and known point of
vulnerability, from keyloggers to auto-updaters and the unnegotiable pushing of
metadata over proprietary channels, such as iTunes.

Both Apple and Microsoft have been shown to collaborate with the NSA. Microsoft
has been found to alert government clients as to security flaws in their
operating systems long before publicly releasing a fix. There's no reason Apple
doesn't do the same, as if its track record for timely patching wasn't poor
enough. 

An important sub-theme of this whole debacle is that it's simply unrealistic to
trust that a corporation will defend basic human rights, especially when coerced
by a government or their own craving for profit.

Cheers,

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org


liberationtech@lists.stanford.edu

2013-06-18 Thread Michael Azarkevich
Why settle for "strong enough"? Use the strongest options you have at your
disposal.


On Tue, Jun 18, 2013 at 9:02 AM, Helder Ribeiro  wrote:

> On Mon, Jun 17, 2013 at 5:23 PM, Richard Brooks  wrote:
> >
> > From Guardian Q&A with Snowden
> >
> >
> http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-nsa-files-whistleblower
> >
> > Is encrypting my email any good at defeating the NSA surveillance? Is
> > my data protected by standard encryption?
> >
> > Answer:
> >
> > Encryption works. Properly implemented strong crypto systems are one
> > of the few things that you can rely on. Unfortunately, endpoint security
> > is so terrifically weak that NSA can frequently find ways around it.
>
> How strong is strong enough?
>

Re: [liberationtech] diseconomies of scale

2013-06-18 Thread Eugen Leitl
On Mon, Jun 17, 2013 at 02:35:36PM -0400, The Doctor wrote:

> There is a problem with that: Traffic to and from small providers has
> to traverse the networks of the tier-II and tier-I providers to go any
> appreciable distance.  We already know that at least some of the
> peering points are backdoored - Narus hardware, if I recall

IIRC Narus is an FPGA box capable of up to layer 7 passive
(maybe active attacks?) sniffing at wire speed
(up to TBit/s?). Someone correct me if I remembered wrongly.

Notice that at least one leg of your message was protected
against passive sniffing by StartTLS:

Received: from smtp.stanford.edu (smtp1.Stanford.EDU [171.67.219.81])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client did not present a certificate)
by leitl.org (Postfix) with ESMTPS id 773E55443CC
for ; Mon, 17 Jun 2013 20:35:45 +0200 (CEST)

In case of self-signed certs whose secret key was never leaked,
according to publicly available information (shops like NSA
are definitely somewhat, possibly considerably ahead of nonclassified
cryptography state of the art) you need an active (man in the middle) 
attack to disrupt the session, and get at the message cleartext.

Mail transport agents (MTAs, e.g. postfix) can be configured to
strictly enforce StartTLS message delivery.

> correctly.  So, even if someone sets up a status.net instance that,
> let's say for example a subset of this mailing list starts using
> instead of Twitter because it's smaller, all of that traffic is still
> probably going to pass through a location that's snaffling copies of
> every packet.  It might not see every bit of traffic to and from that
> site, but enough traffic might be picked up to get an idea of what's
> happening there and whether or not a closer look is warranted.

Obviously a mailing list is not about keeping secrets. 
But if an increasing fraction of all network traffic goes
dark to passive sniffing this presents a considerable challenge
to a global adversary. MITM is expensive, and can be detected
(and thus protected against) with finite effort.

It is we who make things unnecessarily easy.
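The per-hop check described in the message above (reading the Received trace to see which legs of a delivery used STARTTLS), as an added example that is not part of the original thread. The sample message is constructed: only its first Received header comes from the post, and the `example.*` hosts, addresses and `CONSTRUCTED` queue ids are assumptions.

```python
import email
import re

# RFC 3848 / RFC 6531 "with" keywords that mean the hop used STARTTLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
# Postfix-style annotation, in the form shown in the header quoted above.
TLS_NOTE = re.compile(r"\(using (\S+) with cipher (\S+) \((\d+)/\d+ bits\)\)")

# Constructed message. The first Received header is the one quoted in the
# post (its "for" clause, whose address is missing there, is left out);
# the other two hops and all example.* names are made up for illustration.
SAMPLE = """\
Received: from smtp.stanford.edu (smtp1.Stanford.EDU [171.67.219.81])
\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
\t(Client did not present a certificate)
\tby leitl.org (Postfix) with ESMTPS id 773E55443CC;
\tMon, 17 Jun 2013 20:35:45 +0200 (CEST)
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby lists.example.org (Postfix) with ESMTP id CONSTRUCTED01;
\tMon, 17 Jun 2013 11:35:41 -0700 (PDT)
Received: from laptop.example.net (unknown [198.51.100.7])
\tby relay.example.org with ESMTPSA id CONSTRUCTED02;
\tMon, 17 Jun 2013 11:35:38 -0700 (PDT)
From: sender@example.net
Subject: constructed sample

body
"""


def strip_comments(value):
    """Remove RFC 5322 parenthesised comments, including nested ones."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return " ".join(value.split())


def analyse_hop(raw):
    """Summarise one Received header: peers, protocol and TLS details."""
    flat = " ".join(raw.split())                      # unfold the header
    clause = strip_comments(flat).split(";", 1)[0]    # drop the date part

    def field(name):
        m = re.search(r"(?:^|\s)%s\s+(\S+)" % name, clause)
        return m.group(1) if m else None

    proto = (field("with") or "").upper()
    note = TLS_NOTE.search(flat)
    return {
        "from": field("from"), "by": field("by"), "protocol": proto,
        "tls_version": note.group(1) if note else None,
        "cipher": note.group(2) if note else None,
        "bits": int(note.group(3)) if note else None,
        "encrypted": proto in TLS_PROTOCOLS or note is not None,
        "client_cert": False if "did not present a certificate" in flat else None,
    }


def trace(message_text):
    """Hops in transit order (Received headers are prepended, newest first)."""
    msg = email.message_from_string(message_text)
    return [analyse_hop(h) for h in reversed(msg.get_all("Received", []))]


def plaintext_legs(message_text):
    """(from, by) pairs for hops that show no sign of STARTTLS."""
    return [(h["from"], h["by"]) for h in trace(message_text) if not h["encrypted"]]


if __name__ == "__main__":
    for hop in trace(SAMPLE):
        print(hop)
    print("plaintext legs:", plaintext_legs(SAMPLE))
```

Only the Received line written by your own MTA is trustworthy; every line below it is a claim made by an upstream relay and can be forged.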


Re: [liberationtech] Identi.ca, Diaspora, and Friendica are more secure alternatives to Facebook.

2013-06-18 Thread John Sullivan
John Adams  writes:

> 
>
> I'm completely certain that these small, poorly funded projects have hired
> massive security teams (as the major social networks do) and provide a safe
> alternative to Facebook or Twitter.
>
> 

One compromise at Twitter gave attackers access to a slew of login
details to try against other sites. The same thing (on a much smaller
scale) could be true of identi.ca, since it has many users, but the same
would not be true of identi.ca's (StatusNet / pump.io) ideal world,
where everyone has their own individual instance, each of which would
have to be compromised separately in order to capture a useful list of
credentials.

Also, break-ins like this are only one aspect of security, and the
article is primarily about how easy your data is to obtain via
"legitimate" means, and who makes decisions related to that.

There are plenty of other differences that land in favor of the free
software decentralized services vision. Such as, actually deleting your
data when you want it deleted. Or ease of moving your information from a
platform found to be insecure to a better one.

More could have been said in the article about the fundamental
difference in vision and what it means for the future. A future where we
don't have to rely on antagonistic corporations to build huge castles to
guard our baby pictures with massive security teams seems worth
contemplating. Encouraging people to try out that vision, and see how it
changes their relationship to all this spying news, seems like a good
thing to me. 

As usual, it's not that simple for dissidents under active threat, but
as a way to encourage broad social change, I think it has merit.


-john

--
John Sullivan | Executive Director, Free Software Foundation
GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS

Do you use free software? Donate to join the FSF and support freedom at
.

computer terrorism warfare bank HAMASMOIS munitions sweep underground
Roswell keyhole SDI ANZUS pre-emptive Ansar al-Islam terrorism Aladdin


Re: [liberationtech] Help test the new Tor Browser!

2013-06-18 Thread Kody Leonard
I have the same results:

I do not have a Nvidia card.
"sfc /verifyonly" did not resolve the issue
Setting gfx.direct2d.disabled to true lets it run without setting the
compatibility to Windows XP

Once it is going it looks really great!  Excited to try it out.


On Tue, Jun 18, 2013 at 6:10 AM, Nadim Kobeissi  wrote:

> This is a really awesome improvement. I tried the new Tor Browser
> yesterday (OS X) and loved it. Did not encounter any problems.
>
> Really glad to see such drastic usability improvements for Tor.
>
> NK
>
> On 2013-06-17, at 9:45 AM, Jacob Appelbaum  wrote:
>
> > Hi,
> >
> > I'm really excited to say that Tor Browser has had some really important
> > changes. Mike Perry has really outdone himself - from deterministic
> > builds that allow us to verify that he is honest to actually having
> > serious usability improvements. I really mean it - the new TBB is
> > actually awesome. It is blazing fast, it no longer has the sometimes
> > confusing Vidalia UI, it is now fast to start, it now has a really nice
> > splash screen, it has a setup wizard - you name it - nearly everything
> > that people found difficult has been removed, replaced or improved.
> > Hooray for Mike Perry and all that helped him!
> >
> > Here is Mike's email:
> >
> > https://lists.torproject.org/pipermail/tor-talk/2013-June/028440.html
> >
> > Here is the place to download it:
> >
> > https://people.torproject.org/~mikeperry/tbb-3.0alpha1-builds/official/
> >
> > Please test it and please please tell us how we might improve it!
> >
> > All the best,
> > Jacob

Re: [liberationtech] Identi.ca, Diaspora, and Friendica are more secure alternatives to Facebook.

2013-06-18 Thread Petter Ericson
Certainly they collect less of your data specifically, and thus have less to
leak. Furthermore, they have a smaller amount of users, meaning that they
are unable to do the sort of massive network analysis that facebook et al.
can pull off.

If that is "more secure".. Well, considering that the major players offer
exactly _zero_ security (your data is free for the taking by anyone with
enough dollars i.e. effort)...

Well, just my 0.02BTC

/P

On 17 June, 2013 - John Adams wrote:

> 
> 
> I'm completely certain that these small, poorly funded projects have hired
> massive security teams (as the major social networks do) and provide a safe
> alternative to Facebook or Twitter.
> 
> 
> 
> 
> 
> On Mon, Jun 17, 2013 at 4:13 PM, Yosem Companys wrote:
> 
> > Slate makes mistake of calling them "more secure."
> >
> > YC
> >
> >
> >
> >
> > http://www.slate.com/blogs/future_tense/2013/06/17/identi_ca_diaspora_and_friendica_are_more_secure_alternatives_to_facebook.html
> >
> > How to Block the NSA From Your Friends List
> >
> > By April Glaser and Libby Reinish
> >
> > Posted Monday, June 17, 2013, at 11:12 AM
> >
> > If you don't trust this guy with your data, there are other
> > social-networking options
> >
> > After recent revelations of NSA spying, it’s difficult to trust large
> > Internet corporations like Facebook to host our online social
> > networks. Facebook is one of nine companies tied to PRISM––perhaps the
> > largest government surveillance effort in world history. Even before
> > this story broke, many social media addicts had lost trust in the
> > company. Maybe now they’ll finally start thinking seriously about
> > leaving the social network giant.
> >
> > Luckily, there are other options, ones that are less vulnerable to
> > government spying and offer users more control over their personal
> > data. But will mass migration from Facebook actually happen?
> >
> > According to a Pew study released weeks before news of PRISM broke,
> > teenagers are disenchanted with Facebook. They're moving to other
> > platforms, like Snapchat and (Facebook owned) Instagram, the study
> > reports. This is the way a social network dies—people sign up for
> > multiple platforms before gradually realizing that one has become
> > vacant or uninteresting. Myspace, for instance, took years to drop off
> > the map. By 2006 Myspace reached 100 million users, making it the most
> > popular social network in the United States. But by 2008, Facebook had
> > reached twice that number, less than two years after allowing anyone
> > older than 13 to join the network.
> >
> > Benjamin Mako Hill, a fellow at the Berkman Center for Internet and
> > Society, thinks Facebook's ability to connect people and bind them to
> > the social network is overrated to begin with. "Facebook didn't exist,
> > what, 10 years ago,” he says, and in 10 years, he thinks, “a company
> > called Facebook will exist, but will it occupy the same space in our
> > culture? That's certainly not something I'm willing to take for
> > granted."
> >
> > Teens may be turning to Instagram and Snapchat, but those services
> > don’t offer the deeper levels of social networking that Facebook users
> > are accustomed to, with photo albums, event invites, fan pages, and
> > connections to old friends. Ultimately, teens may be smart not to
> > consolidate all of their social networking on one platform—but
> > Instagram, Snapchat, and some other new flavors of the month all use
> > centralized servers that are incredibly easy to spy on.
> >
> > But there are other places to go. For years, the free software
> > movement has been developing and using social networks designed with
> > user privacy in mind. Unlike Facebook, these social networks are not
> > hosted by a single entity's privately owned servers but rather by
> > volunteers across the world that share server space in order to
> > maintain a decentralized, robust network. When a company like Facebook
> > hosts the data of more than 1 billion users, it's not hard for the
> > government to simply ask for permission to access that data,
> > conveniently stored all in one place.
> >
> > Gabriella Coleman, a professor of scientific and technological
> > literacy at McGill University, points out that companies like Facebook
> > would be collecting data on individuals regardless of government
> > requests. That's how the vast majority of free online social networks
> > make money; they use data mining to sell targeted, contextual ads. "In
> > some ways,” she says, “that's the source of the problem, the fact that
> > we've just given up all of our data in return for free services."
> >
> > Community-hosted, decentralized social media, on the other hand, allow
> > people to maintain ownership of their data. These platforms use a
> > principle called “federation” to connect a vast network of servers to
> > one another. If the NSA wants to collect the data of all the users on
> > a decentralized network, it has to conte