Re: [liberationtech] a privacy preserving and resilient social network

[John Sullivan]

I like the idea, so I was checking it out. I was confused by this
statement in the download terms:

> Since MyZone Client Application is open source, you will not change any
> part of MyZone’s code without the written approval of MyZone’s copyright
> owner Alireza Mahdian reached at (alireza.mahdian at colorado dot edu). 

Can you explain what you mean? Usually, something called "open source"
can be modified without any additional written approval.

-john

-- 
John Sullivan | Executive Director, Free Software Foundation
GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS

Do you use free software? Donate to join the FSF and support freedom at
.
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

[liberationtech] a privacy preserving and resilient social network

[Alireza Mahdian]

Hi,

With all the recent news on NSA spying on social network users the concern over 
the user privacy has increased even more. I am not arguing whether it is 
ethical or not and whether it is needed for the safety of citizens and how 
effective it would be. even before this, social network providers like Facebook 
and Google were violating user privacy in so many ways and only a small 
fraction of it was revealed. 

A need for a more secure and private social network has always been there and 
was never adequately addressed. I have been working on this issue for a long 
time and I have been able to design and implement a social network that is 
inherently user privacy preserving. it uses military grade encryption and no 
authority can have any control over it. one design goal behind it was actually 
to make it resilient towards government imposed censorship and filtering. This 
is specially useful as it provides a very effective tool for democracy movement 
advocacy groups. I have implemented a prototype and you can check it out at 
http://joinmyzone.com . It is a complex piece of software but to summarize how 
it works you can think of it as implementing a social network over bittorrent. 
it supports all the common features of Facebook and Google+. Feel free to send 
me your feedbacks. thanks.

Ali

--
Alireza Mahdian
Department of Computer Science
University of Colorado at Boulder
Email: alireza.mahd...@gmail.com

--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

[liberationtech] Fwd: MyZone social network

[Yosem Companys]

Forwarded conversation
Subject: MyZone social network


From: *Alireza Mahdian* 
Date: Thu, Jun 27, 2013 at 12:18 PM
To: building-a-distributed-decentralized-inter...@googlegroups.com


Hi,

With all the recent news on NSA spying on social network users the concern
over the user privacy has increased even more. I am not arguing whether it
is ethical or not and whether it is needed for the safety of citizens and
how effective it would be. even before this, social network providers like
Facebook and Google were violating user privacy in so many ways and only a
small fraction of it were revealed.

A need for a more secure and private social network has always been there
and was never adequately addressed. I have been working on this issue for a
long time and I have been able to design and implement a social network
that is inherently user privacy preserving. it uses military grade
encryption and no authority can have any control over it. one design goal
behind it was actually to make it resilient towards government imposed
censorship and filtering. I have implemented a prototype and you can check
it out on joinmyzone dot com. It is a complex piece of software but to
summarize how it works you can think of it as implementing a social network
over bittorrent. Feel free to send me your feedbacks. thanks.

Ali

-- 
You received this message because you are subscribed to the Google Groups
"The Next Net" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to
building-a-distributed-decentralized-internet+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.



--
From: *Melvin Carvalho* 
Date: Thu, Jun 27, 2013 at 12:29 PM
To: building-a-distributed-decentralized-inter...@googlegroups.com





On 27 June 2013 21:18, Alireza Mahdian  wrote:

> Hi,
>
> With all the recent news on NSA spying on social network users the concern
> over the user privacy has increased even more. I am not arguing whether it
> is ethical or not and whether it is needed for the safety of citizens and
> how effective it would be. even before this, social network providers like
> Facebook and Google were violating user privacy in so many ways and only a
> small fraction of it were revealed.
>
> A need for a more secure and private social network has always been there
> and was never adequately addressed. I have been working on this issue for a
> long time and I have been able to design and implement a social network
> that is inherently user privacy preserving. it uses military grade
> encryption and no authority can have any control over it. one design goal
> behind it was actually to make it resilient towards government imposed
> censorship and filtering. I have implemented a prototype and you can check
> it out on joinmyzone dot com. It is a complex piece of software but to
> summarize how it works you can think of it as implementing a social network
> over bittorrent. Feel free to send me your feedbacks. thanks.
>

You may be interested in

http://retroshare.sourceforge.net/


>
> Ali
>
> --
> You received this message because you are subscribed to the Google Groups
> "The Next Net" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to
> building-a-distributed-decentralized-internet+unsubscr...@googlegroups.com
> .
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>


--
From: *Alireza Mahdian* 
Date: Thu, Jun 27, 2013 at 12:46 PM
To: "building-a-distributed-decentralized-inter...@googlegroups.com" <
building-a-distributed-decentralized-inter...@googlegroups.com>


I've seen this before but myzone is Facebook but decentralized. There are
some huge challenges when you want to achieve such a goal.

Sent from my iPhone

On Jun 27, 2013, at 1:29 PM, Melvin Carvalho 
wrote:




On 27 June 2013 21:18, Alireza Mahdian  wrote:

> Hi,
>
> With all the recent news on NSA spying on social network users the concern
> over the user privacy has increased even more. I am not arguing whether it
> is ethical or not and whether it is needed for the safety of citizens and
> how effective it would be. even before this, social network providers like
> Facebook and Google were violating user privacy in so many ways and only a
> small fraction of it were revealed.
>
> A need for a more secure and private social network has always been there
> and was never adequately addressed. I have been working on this issue for a
> long time and I have been able to design and implement a social network
> that is inherently user privacy preserving. it uses military grade
> encryption and no authority can have any control over it. one design goal
> behind it was actually to make it resilient towards government imposed
> censorship and filtering. I have implemented a prototype and you can check
> it out on joinmyzone dot com. It is a complex piece of software but to
> summarize how it works you can thin

[liberationtech] Data Dealer, the new game about digital privacy and online surveillance (nonprofit, under CC)

[aestetix]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Passing this along for some friends of mine...

=
Data Dealer, the new game about digital privacy and online
surveillance (nonprofit, under CC)
=
We've been working hard on our new game, and have recently released
the first English version: it's based on extensive research and offers
a simple but important perspective on all the issues of personal data
and surveillance currently playing out in the media in the NSA/Snowden
fiasco. Two years in the making, we have been mentioned in ProPublica,
Fast Company, Guardian, Le Monde and recently won the Games of Change
Award in NYC. We've also been featured by Open Rights Group, Bits of
Freedom, Bruce Sterling and many more. A project like this isn't free
to create, so we've launched a Kickstarter to raise cash. What we now
need is publicity-- we need help in spreading the word.

DATA DEALER: LEGAL? ILLEGAL? WHATEVER.
What is Data Dealer? It's the new hilarious and clever online game
about personal data & privacy. Data Dealer is a serious/edu/fun
browser game about running your own Smoogle & Tracebook, collecting
and selling personal data, tracking people and surveillance. Call it a
bastard offspring of certain shiny 2010 Facebook Games and the 1990 TV
simulation game Mad TV, reborn with the souls of South Park and Bruce
Schneier. Support them on kickstarter!
http://www.kickstarter.com/projects/cuteacute/data-dealer

LINKS
http://datadealer.com
http://datadealer.com/blog/prism-as-a-game
http://datadealer.com/about
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQEcBAEBAgAGBQJRzMfYAAoJEOrRfDwkjbpTKpQH/25GSGyF4YhMlMCE07p3D6Th
Tairuc6BFL/FMZ5mz0QDDjgbtnL+RJQVs3QrAtL25+7X4sQpug/N6cXj6XWPGkYo
gPu2aZqXMrEsXL1suVeukkGYQfIhZ59aWzFyMTprqqvMcPnZaPX9xj15mIBbZGIG
A5BMunZ869anr0PzgAYUfYzgX/3HY2iNbyhEGTFOU02vsmE6ljE7si8JZDDOTwxP
JqcpBwnl9QxDg8O+kUYtj7fd6sZfDffCKQkkZALc1I0O3/Nne4VYWYfwOUiNevgH
ZkK3Ff5Qk6A7ELaosItQB2E5B1E7B/jNTVvbjtXg6btij/zWJQ6mSkjfCu6ScZw=
=Fw9I
-END PGP SIGNATURE-
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Crowdfunding for Tor exit relays and bridges

[Daniel Cross]

Neat, promoted. 

I can't say that I agree with the claim that all exit nodes are professionally 
operated ;)

Moritz Bartl  wrote:

>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA512
>
>Hi!
>
>I've just started a crowdfunding campaign for Tor exit relays and
>bridges.
>
>tl;dr: We collect donations, and simply distribute them equally among
>all Torservers.net partner organizations.
>
>http://www.indiegogo.com/projects/tor-anti-censorship-and-anonymity-infrastructure/
>
>Please spread :) Thanks!
>
>- -- 
>Moritz Bartl
>https://www.torservers.net/
>-BEGIN PGP SIGNATURE-
>
>iQEcBAEBCgAGBQJRzLGkAAoJEOGPxWJITcUAYZQH/i+XFNulJ/OirMF23WGe0nkA
>ic9pM3U1mioHnZQM6wpE1Ap5fp2hkNJplwGRem50D+VU5ltRnnXYO1JYXEfISL7a
>WlmWrZezZD3aLL3ggcpI7NFNzMCFr/jXJEQxDNbMssxnnQknXqylgicC9JU9a/qK
>qKU6IUflWfnd38xHTMLcV2uiO7AEWizD0TfDhRLjcEWq1aQh1+EzkwnhW1mA2DC8
>/ytRPWcrvcQqwWfKYCqWMXzjMEEdIcThitslO7Ee7UBBWCPwZe+x9ckqi9NFlxKv
>VwP3WdljIBdmOMB3tb8/g6IqMGJC6pBSz1luj7hyENcjSv1/S74KuPoGO3519Zc=
>=/nOa
>-END PGP SIGNATURE-
>--
>Too many emails? Unsubscribe, change to digest, or change password by
>emailing moderator at compa...@stanford.edu or changing your settings
>at https://mailman.stanford.edu/mailman/listinfo/liberationtech

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

[liberationtech] Crowdfunding for Tor exit relays and bridges

[Moritz Bartl]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi!

I've just started a crowdfunding campaign for Tor exit relays and
bridges.

tl;dr: We collect donations, and simply distribute them equally among
all Torservers.net partner organizations.

http://www.indiegogo.com/projects/tor-anti-censorship-and-anonymity-infrastructure/

Please spread :) Thanks!

- -- 
Moritz Bartl
https://www.torservers.net/
-BEGIN PGP SIGNATURE-

iQEcBAEBCgAGBQJRzLGkAAoJEOGPxWJITcUAYZQH/i+XFNulJ/OirMF23WGe0nkA
ic9pM3U1mioHnZQM6wpE1Ap5fp2hkNJplwGRem50D+VU5ltRnnXYO1JYXEfISL7a
WlmWrZezZD3aLL3ggcpI7NFNzMCFr/jXJEQxDNbMssxnnQknXqylgicC9JU9a/qK
qKU6IUflWfnd38xHTMLcV2uiO7AEWizD0TfDhRLjcEWq1aQh1+EzkwnhW1mA2DC8
/ytRPWcrvcQqwWfKYCqWMXzjMEEdIcThitslO7Ee7UBBWCPwZe+x9ckqi9NFlxKv
VwP3WdljIBdmOMB3tb8/g6IqMGJC6pBSz1luj7hyENcjSv1/S74KuPoGO3519Zc=
=/nOa
-END PGP SIGNATURE-
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] abuse control for Tor exit nodes

[Mike Perry]

Rich Kulawiec:
> On Wed, Jun 05, 2013 at 10:16:23PM -0700, Andy Isaacson wrote:
> > This is a really deeply interesting assertion.  You seem to imagine a
> > bright line of "abuse" that is agreed on by all parties, with a policy
> > that can be implemented by thoughtful operators to "make the abuse
> > stop".  I submit that that is not the real world, in many different
> > dimensions.
> 
> [ Okay, so I have a long-winded response to this.  It's possible that
> eventually I'll wander somewhere near a point. ;-) ]
> 
> Many people who are relatively new to the 'net haven't yet internalized
> parts of the fundamental ethic that has allowed it to flourish.  There is
> an implicit social contract that's far more important than any formal
> legal document -- but because it's implicit and not overt, many don't
> realize that it exists and that it serves a critical function.
> One way to put it, if I might borrow a line from popular culture, is:
> 
>   "With great power, comes great responsibility."
> 
> Being connected to the Internet gives you incredible power.  Not because
> of who *you* are -- because for all values of "you" (including "me"),
> you are unimportant and expendable.  It gives you incredible power
> because of *everyone else* out there.  By plugging in, you have --
> whether you realize it or not, whether you acknowledge it or not --
> tacitly committed yourself to living up to the responsibility that
> accompanies the immense power you now have.
> 
> So like everyone else on the Internet -- from the tiniest single system
> connected via a slow dialup line, to the largest distributed operation
> imaginable -- you're responsible for everything your operation does to
> everything and everyone else.  You don't get a free ride.  You don't
> get to pass the blame along.  If there's abuse coming from YOUR system
> on YOUR network on YOUR watch, then it's YOUR abuse.  You own it.
> You're responsible for it.

The problem with what you suggest is that it transforms the hierarchical
'scale-free' network topology of the Internet (that others here have
already lamented in other threads as being precisely what *enables* mass
surveillance) beyond just a topology that makes packet routing efficient
and surveillance convenient.

It transforms it into a centralized hierarchy for content and traffic
control. That hierarchy gets to decide what 'abuse' is, and push their
decisions down to the leaves, who if they don't comply, can simply be
disconnected, because "They weren't being good Netizens."

This is the route to fascism.

As the "Net Neutrality" wars showed us, some members of this hierarchy
(the major consumer ISPs) would prefer to define 'abuse' as bittorrent
traffic, or more generally as any new system that causes the average
leaf user to use up more resources than what the hierarchy already
pre-ordained as sufficient for being a passive consumer of existing
content distribution systems (so the hierarchy can continue to overbook
and overbill their current pipes, and cache popular content to avoid
transit costs).

We are seeing a similar battle play out with 'three/six strikes' laws,
except instead of internal controls like QoS, this hierarchy is instead
being externally co-opted by Big Media to re-define 'abuse' to enforce a
failing business model.

> It's always been that way -- and it has to be that way, otherwise the
> Internet won't work because it can't work.  (And if you've been paying
> attention during the past decade or two, you'll note that many components
> of the 'net that aren't working very well are struggling for precisely
> this reason.)

Just because Big Brother has always cared for us doesn't mean we should
not strive for more freedom (and the associated costs in terms of
increased personal responsibility).

> Responsible and ethical operations know this and design, budget, plan,
> train, and staff accordingly.  Irresponsible and unethical operations
> don't -- they just shrug their shoulders and try to slough off their
> incompetence and negligence on someone else, often the rhetorical "they".
> 
> Note that this results in massive but silent cost-shifting: someone
> has to deal with that abuse, because it doesn't just vanish.  It goes
> somewhere.  It impacts other networks, systems and people.  And the
> people responsible for defending those need to spend their resources
> to deal with it, even though they had nothing to do with its origin.
> The costs of doing so are enormous: just look at the subindustries
> that exist to sell products to deal with this and consider that every
> single dollar/euro/yen they ever make comes from someone paying
> the price for others' negligence.
> 
> And they're making billions upon billions.
>
> Consider, for example, that companies like Cloudflare and Prolexic
> probably *would not exist* if it weren't for the ongoing epidemic
> of abuse.

The price of being on the Internet is also securing your own systems
from attack, and that is why these comp

[liberationtech] Multiple vulnerabilities in Silent Circle

[Nadim Kobeissi]

Thanks to Arturo Filastò for pointing this out:
https://github.com/SilentCircle/silent-phone-base/issues/5

Many remotely executable overflows in the ZRTP library used by Silent Circle.

NK
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] A simple SSL tweak could protect you from GCHQ/NSA snooping

[Eduardo Robles Elvira]

Hello!

Thanks, this is just in time, I'll try to use Elliptic Curve
cryptography (ECDHE) whenever possible =)

Kind regards,

On Thu, Jun 27, 2013 at 12:05 PM, Eugen Leitl  wrote:
>
> (for the sake of completeness)
>
> http://www.theregister.co.uk/2013/06/26/ssl_forward_secrecy/
>
> A simple SSL tweak could protect you from GCHQ/NSA snooping
>
> It might slow you down, but hey, you can't have everything
>
> By John Leyden, 26th June 2013
>
> Forward Secrecy
>
> An obscure feature of SSL/TLS called Forward Secrecy may offer greater
> privacy, according to security experts who have begun promoting the
> technology in the wake of revelations about mass surveillance by the NSA and
> GCHQ.
>
> Every SSL connection begins with a handshake, during which the two parties in
> an encrypted message exchange perform authentication and agree on their
> session keys, through a process called key exchange. The session keys are
> used for a limited time and deleted afterwards. The key exchange phase is
> designed to allow two users to exchange keys without allowing an eavesdropper
> to intercept or capture these credentials.
>
> Several key exchange mechanisms exist but the most widely used mechanism is
> based on the well-known RSA algorithm, explains Ivan Ristic, director of
> engineering at Qualys. This approach relies on the server's private key to
> protect session keys.
>
> "This is an efficient key exchange approach, but it has an important
> side-effect: anyone with access to a copy of the server's private key can
> also uncover the session keys and thus decrypt everything," Ristic warns.
>
> This capability makes it possible for enterprise security tools - such as
> intrusion detection and web application firewalls - to screen otherwise
> undecipherable SSL encrypted traffic, given a server’s private keys. This
> feature has become a serious liability in the era of mass surveillance.
>
> GCHQ have been secretly tapping hundreds of fibre-optic cables to tap data,
> The Guardian reported last week, based on documents leaked to the paper by
> former NSA contractor turned whistleblower Edward Snowden. The NSA also
> carries out deep packet inspection analysis of traffic passing through US
> fibre optic networks.
>
> Related revelations show that the NSA applies particular attention - and
> special rules - to encrypted communications, such as PGP-encrypted emails and
> SSL encrypted messages. Captured data should really be destroyed within five
> years, unless it consists of "communications that are enciphered or
> reasonably believed to contain secret meaning, and sufficient duration may
> consist of any period of time during which encrypted material is subject to,
> or of use in, cryptanalysis", according to the terms of a leaked Foreign
> Intelligence Surveillance Court order.
>
> The upshot is that intelligence agencies are collecting all the traffic they
> can physically capture before attempting to snoop upon encrypted content,
> where possible. These techniques are currently only practical for
> intelligence agencies but this may change over time - and those interested in
> protecting privacy need to act sooner rather than later, Ristic argues.
>
> "Your adversaries might not have your private key today, but what they can do
> now is record all your encrypted traffic," Ristic explains. "Eventually, they
> might obtain the key in one way or another - for example, by bribing someone,
> obtaining a warrant, or by breaking the key after sufficient technology
> advances. At that point, they will be able to go back in time to decrypt
> everything."
>
> The Diffie–Hellman protocol offers an alternative algorithm to RSA for
> cryptographic key exchange. Diffie–Hellman is slower but generates more
> secure session keys that can't be recovered simply by knowing the server's
> private key, a protocol feature called Forward Secrecy.
>
> "Breaking strong session keys is clearly much more difficult than obtaining
> servers' private keys, especially if you can get them via a warrant," Ristic
> explains. "Furthermore, in order to decrypt all communication, now you can no
> longer compromise just one key - the server's - but you have to compromise
> the session keys belonging to every individual communication session."
>
> Someone with access to the server's private key can perform an active
> man-in-the-middle attack and impersonate the target server. However, they can
> do that only at the time the communication is taking place. It is not
> possible to pile up mountains of encrypted traffic for later decryption. So,
> Forward Secrecy still creates a significant obstacle against industrial scale
> snooping.
>
> SSL supports Forward Secrecy using two algorithms: Diffie-Hellman (DHE) and
> the adapted version for use with Elliptic Curve cryptography (ECDHE). The
> main obstacle to using Forward Secrecy has been that Diffie-Hellman is
> significantly slower, leading to a decision by many website operators to
> disable the featur

Re: [liberationtech] abuse control for Tor exit nodes [was: Twitter Underground Market Research - pdf]

[Rich Kulawiec]

On Wed, Jun 05, 2013 at 10:16:23PM -0700, Andy Isaacson wrote:
> This is a really deeply interesting assertion.  You seem to imagine a
> bright line of "abuse" that is agreed on by all parties, with a policy
> that can be implemented by thoughtful operators to "make the abuse
> stop".  I submit that that is not the real world, in many different
> dimensions.

[ Okay, so I have a long-winded response to this.  It's possible that
eventually I'll wander somewhere near a point. ;-) ]

Many people who are relatively new to the 'net haven't yet internalized
parts of the fundamental ethic that has allowed it to flourish.  There is
an implicit social contract that's far more important than any formal
legal document -- but because it's implicit and not overt, many don't
realize that it exists and that it serves a critical function.
One way to put it, if I might borrow a line from popular culture, is:

"With great power, comes great responsibility."

Being connected to the Internet gives you incredible power.  Not because
of who *you* are -- because for all values of "you" (including "me"),
you are unimportant and expendable.  It gives you incredible power
because of *everyone else* out there.  By plugging in, you have --
whether you realize it or not, whether you acknowledge it or not --
tacitly committed yourself to living up to the responsibility that
accompanies the immense power you now have.

So like everyone else on the Internet -- from the tiniest single system
connected via a slow dialup line, to the largest distributed operation
imaginable -- you're responsible for everything your operation does to
everything and everyone else.  You don't get a free ride.  You don't
get to pass the blame along.  If there's abuse coming from YOUR system
on YOUR network on YOUR watch, then it's YOUR abuse.  You own it.
You're responsible for it.

It's always been that way -- and it has to be that way, otherwise the
Internet won't work because it can't work.  (And if you've been paying
attention during the past decade or two, you'll note that many components
of the 'net that aren't working very well are struggling for precisely
this reason.)

Responsible and ethical operations know this and design, budget, plan,
train, and staff accordingly.  Irresponsible and unethical operations
don't -- they just shrug their shoulders and try to slough off their
incompetence and negligence on someone else, often the rhetorical "they".

Now...everyone is probably going to leak a small amount of abuse from
time to time.  Software breaks.  Routers lose their minds.  Users do
silly things.  System admins make typos.  Security holes get
exploited.  Stuff...happens.

The expectation is that such incidents should be isolated and
sporadic -- and that effective remedial action (where "effective
remedial action" may require the root password and/or wirecutters)
will be taken promptly.   The reality is that many such incidents are
pervasive, sustained and completely unaddressed.  And that is why we,
for a global value of "we", find ourselves defending against myriad forms
of abuse, from ssh brute-force attacks to spam.  NONE of that abuse just
magically falls out of the sky: it all comes from somewhere...and that
"somewhere" is mostly "irresponsible, negligent, incompetent operations".

Note that this results in massive but silent cost-shifting: someone
has to deal with that abuse, because it doesn't just vanish.  It goes
somewhere.  It impacts other networks, systems and people.  And the
people responsible for defending those need to spend their resources
to deal with it, even though they had nothing to do with its origin.
The costs of doing so are enormous: just look at the subindustries
that exist to sell products to deal with this and consider that every
single dollar/euro/yen they ever make comes from someone paying
the price for others' negligence.

And they're making billions upon billions.

Consider, for example, that companies like Cloudflare and Prolexic
probably *would not exist* if it weren't for the ongoing epidemic
of abuse.

Here's another way to phrase that fundamental ethic, also borrowing a
line from popular culture:

"The needs of the many outweigh the needs of the few."

No matter how big my operation or your operation or anyone's operation
becomes, it will always be "the few" when compared to the rest of the
Internet: "the many".  No single operation is ever more important than
all operations.  Not mine, not yours, not Google, not Reddit, not anything.

I did say I'd try to get near a point.  Alright, here goes: if you
run anything, including a Tor exit node, then you are personally,
fully responsible for all abuse sourced from that operation.  Which
means that you are responsible for figuring out how to detect it
and stuff a sock in it.  Maybe that's easy.  Maybe that's hard.
Doesn't matter: it's still your responsibility.  You signed up for
it, you implicitly agreed to it, when you plugged *your* operation
into 

[liberationtech] A simple SSL tweak could protect you from GCHQ/NSA snooping

[Eugen Leitl]

(for the sake of completeness)

http://www.theregister.co.uk/2013/06/26/ssl_forward_secrecy/

A simple SSL tweak could protect you from GCHQ/NSA snooping

It might slow you down, but hey, you can't have everything

By John Leyden, 26th June 2013

Forward Secrecy

An obscure feature of SSL/TLS called Forward Secrecy may offer greater
privacy, according to security experts who have begun promoting the
technology in the wake of revelations about mass surveillance by the NSA and
GCHQ.

Every SSL connection begins with a handshake, during which the two parties in
an encrypted message exchange perform authentication and agree on their
session keys, through a process called key exchange. The session keys are
used for a limited time and deleted afterwards. The key exchange phase is
designed to allow two users to exchange keys without allowing an eavesdropper
to intercept or capture these credentials.

Several key exchange mechanisms exist but the most widely used mechanism is
based on the well-known RSA algorithm, explains Ivan Ristic, director of
engineering at Qualys. This approach relies on the server's private key to
protect session keys.

"This is an efficient key exchange approach, but it has an important
side-effect: anyone with access to a copy of the server's private key can
also uncover the session keys and thus decrypt everything," Ristic warns.

This capability makes it possible for enterprise security tools - such as
intrusion detection and web application firewalls - to screen otherwise
undecipherable SSL encrypted traffic, given a server’s private keys. This
feature has become a serious liability in the era of mass surveillance.

GCHQ have been secretly tapping hundreds of fibre-optic cables to tap data,
The Guardian reported last week, based on documents leaked to the paper by
former NSA contractor turned whistleblower Edward Snowden. The NSA also
carries out deep packet inspection analysis of traffic passing through US
fibre optic networks.

Related revelations show that the NSA applies particular attention - and
special rules - to encrypted communications, such as PGP-encrypted emails and
SSL encrypted messages. Captured data should really be destroyed within five
years, unless it consists of "communications that are enciphered or
reasonably believed to contain secret meaning, and sufficient duration may
consist of any period of time during which encrypted material is subject to,
or of use in, cryptanalysis", according to the terms of a leaked Foreign
Intelligence Surveillance Court order.

The upshot is that intelligence agencies are collecting all the traffic they
can physically capture before attempting to snoop upon encrypted content,
where possible. These techniques are currently only practical for
intelligence agencies but this may change over time - and those interested in
protecting privacy need to act sooner rather than later, Ristic argues.

"Your adversaries might not have your private key today, but what they can do
now is record all your encrypted traffic," Ristic explains. "Eventually, they
might obtain the key in one way or another - for example, by bribing someone,
obtaining a warrant, or by breaking the key after sufficient technology
advances. At that point, they will be able to go back in time to decrypt
everything."

The Diffie–Hellman protocol offers an alternative algorithm to RSA for
cryptographic key exchange. Diffie–Hellman is slower but generates more
secure session keys that can't be recovered simply by knowing the server's
private key, a protocol feature called Forward Secrecy.

"Breaking strong session keys is clearly much more difficult than obtaining
servers' private keys, especially if you can get them via a warrant," Ristic
explains. "Furthermore, in order to decrypt all communication, now you can no
longer compromise just one key - the server's - but you have to compromise
the session keys belonging to every individual communication session."

Someone with access to the server's private key can perform an active
man-in-the-middle attack and impersonate the target server. However, they can
do that only at the time the communication is taking place. It is not
possible to pile up mountains of encrypted traffic for later decryption. So,
Forward Secrecy still creates a significant obstacle against industrial scale
snooping.

SSL supports Forward Secrecy using two algorithms: Diffie-Hellman (DHE) and
the adapted version for use with Elliptic Curve cryptography (ECDHE). The
main obstacle to using Forward Secrecy has been that Diffie-Hellman is
significantly slower, leading to a decision by many website operators to
disable the feature in order to get better performance.

"In recent years, we've seen DHE fall out of fashion. Internet Explorer 9 and
10, for example, support DHE only in combination with obsolete DSA keys,"
Ristic explains, adding that ECDHE is bit faster than DHE but still slower
than RSA. In addition, ECDHE algorithms are relatively new and not as widely

Re: [liberationtech] How many of us are at CFP?

[Shava Nerad]

And though CFP is over, I will be in DC for meetings for Blue Rose until
maybe Saturday, now, it looks like, if anyone wants to get together!

I am renewing my researcher card and camping out at LOC at the law library
as "coworking space" when not in meetings.

It will feel like the late 90s (only with free wifi and lacking a mulch of
IRS EOB archive cases spread around me), heh.

Yrs,


Shava Nerad
shav...@gmail.com
On Jun 26, 2013 7:43 PM, "R. Jason Cronk"  wrote:

>  I was though didn't see the message until just now.
>
> Jason
>
> On 6/25/2013 2:28 PM, Shava Nerad wrote:
>
> I am. *purr*
>
> 
>
> Shava Nerad
> shav...@gmail.com
> On Jun 25, 2013 11:58 AM, "Bill Woodcock"  wrote:
>
>>
>> ...today?  Apropos question, given that it's nearly lunchtime in D.C.
>>
>>
>> -Bill
>>
>>
>> --
>> Too many emails? Unsubscribe, change to digest, or change password by
>> emailing moderator at compa...@stanford.edu or changing your settings at
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>
>
> --
> Too many emails? Unsubscribe, change to digest, or change password by 
> emailing moderator at compa...@stanford.edu or changing your settings at 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>
>
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at compa...@stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] safermobile.org / mobileactive.org

[Laurent Giacobino]

Robert, Kristin, Kody

Thanks for you feedbacks and for forgiving me to have missed it the first
time.
Good to know that this work is still around, although it is not that fresh
now and should probably be used with care (and of course the CC ND is
unfortunate for anyone willing to update or translate these manuals...)

But thanks anyway!

Cheers
L
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] DuckDuckGo vs Startpage [was: Help test Tor Browser]

[Eugen Leitl]

On Wed, Jun 26, 2013 at 04:02:15PM -0700, Mike Perry wrote:

> YaCY and other FOSS engines (in a sibling thread someone mentioned
> another that I already forgot) are also something that I will accept
> search plugins for the Omnibox, but their result quality, index depth,
> and crawl frequency are no match for either StartPage or DDG.

In absence of a P2P name system, even a crappy distributed crawler
that indexes onionland is extremely useful. Instead of startpage
TBB could bundle YaCy, which only crawls onionland.

StartPage seems to be a front to Google, and as such can
suffer Scroogle's fate.
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech