Re: [liberationtech] secure download tool - doesn't exist?!?

2013-07-03 Thread intrigeri
Hi,

Jonathan Wilkes wrote (03 Jul 2013 18:26:11 GMT) :
> Are there security updates that don't use "Valid-Until"?

As far as official Debian repositories are concerned: none that I know
of. It's quite different among 3rd-party repositories, though (that's
what I was implicitly referring to, sorry for being unclear).

> The remaining question is this: what is an example of a potential attack that
> exploits the absence of a "Valid-Until" header in a stable release? A stable
> version of Debian is canonical, so there is nothing for an attacker to replay
> unless it's from a previous version of Debian which has a different key and,
> therefore, would set off alarm bells from apt.

Point-releases modify the stable suite. I believe some bugfixes and
no-DSA security updates are shipped via point-release, without flowing
through DSA + -security. That's perhaps not a big deal, though.

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Google: CLG News 'does not comply with Names Policy'

2013-07-03 Thread Shava Nerad
blogged to #nymwars on g+.

On Thu, Jul 4, 2013 at 1:37 AM, Lori Price  wrote:

> Google: CLG News 'does not comply with Names Policy' by Lori Price,
> www.legitgov.org 02 Jul 2013 NSA buddy Google will not allow CLG News on
> Google+. After receiving countless promos from Google to set up a 'Google+'
> account, I clicked to 'upgrade' to Google+. Google requested I select a
> different name, even though my Gmail address -- established years ago -- is
> clgnews at gmail dot com. When I declined to select another name, Google
> presented the option to 'click to appeal' to use CLG News as the owner for
> CLG News on Google+. On 28 June, I received an email from Google, which
> included the following comments.
>
> After reviewing your appeal, we have determined that your name does not
> comply with the Google+ Names Policy. We want users to be able to find
> each other using the name they already use with their friends, family, and
> coworkers. For most people this is their legal name, or some variant of it,
> but we recognize that this isn't always the case, and we allow for other
> common names in Google+ -- specifically, those that represent an individual
> with an established online identity with a meaningful following.
>
> CLG News, in fact, has a HUGE and 'established online identity with a
> meaningful following,' although NSA buddy Google doesn't 'see' that. Or,
> maybe they do, and that's the problem... See also: NSA buddy Google
> wants me to change my name, declaring 'CLG News' is 'too long' for people
> to remember by Lori Price 09 Dec 2012.
>
> http://www.legitgov.org/Google-CLG-News-does-not-comply-Names-Policy
>
>
> http://www.legitgov.org/NSA-buddy-Google-wants-me-change-my-name-declaring-CLG-News-too-long-people-remember
>
>
>



-- 

Shava Nerad
shav...@gmail.com

[liberationtech] Google: CLG News 'does not comply with Names Policy'

2013-07-03 Thread Lori Price
Google: CLG News 'does not comply with Names Policy' by Lori Price, 
www.legitgov.org 02 Jul 2013 NSA buddy Google will not allow CLG News on 
Google+. After receiving countless promos from Google to set up a 'Google+' 
account, I clicked to 'upgrade' to Google+. Google requested I select a 
different name, even though my Gmail address -- established years ago -- is 
clgnews at gmail dot com. When I declined to select another name, Google 
presented the option to 'click to appeal' to use CLG News as the owner for CLG 
News on Google+. On 28 June, I received an email from Google, which included 
the following comments.

After reviewing your appeal, we have determined that your name does not comply 
with the Google+ Names Policy. We want users to be able to find each other 
using the name they already use with their friends, family, and coworkers. For 
most people this is their legal name, or some variant of it, but we recognize 
that this isn't always the case, and we allow for other common names in Google+ 
-- specifically, those that represent an individual with an established online 
identity with a meaningful following.

CLG News, in fact, has a HUGE and 'established online identity with a 
meaningful following,' although NSA buddy Google doesn't 'see' that. Or, maybe 
they do, and that's the problem... See also: NSA buddy Google wants me to 
change my name, declaring 'CLG News' is 'too long' for people to remember by 
Lori Price 09 Dec 2012.

http://www.legitgov.org/Google-CLG-News-does-not-comply-Names-Policy

http://www.legitgov.org/NSA-buddy-Google-wants-me-change-my-name-declaring-CLG-News-too-long-people-remember



[liberationtech] Transcript of NSA recruiters vs. students

2013-07-03 Thread Douglas Lucas
A freelance journalist/Ph.D. candidate in anthropology and media
attended an NSA recruitment at a language program at the University of
Wisconsin very recently and produced this transcript of him and students
challenging the recruiters about the Snowden leaks. It gives me a slight
sense of the NSA demoralization James S. Tyre just mentioned.

http://mobandmultitude.com/2013/07/02/the-nsa-comes-recruiting/


Re: [liberationtech] Salt Lake Tribune on NSA's Utah Data Center

2013-07-03 Thread James S. Tyre
Interesting, thanks.  But, unlike Reuters, it doesn't tell us that NSA is
getting demoralized.

http://www.chicagotribune.com/news/sns-rt-us-usa-nsa-furloughs-20130703,0,5221135.story

--
James S. Tyre
Law Offices of James S. Tyre
10736 Jefferson Blvd., #512
Culver City, CA 90230-4969
310-839-4114/310-839-4602(fax)
jst...@jstyre.com
Policy Fellow, Electronic Frontier Foundation
https://www.eff.org


> -Original Message-
> From: liberationtech-boun...@lists.stanford.edu [mailto:liberationtech-
> boun...@lists.stanford.edu] On Behalf Of Gregory Foster
> Sent: Wednesday, July 03, 2013 8:32 PM
> To: liberationtech@lists.stanford.edu
> Subject: [liberationtech] Salt Lake Tribune on NSA's Utah Data Center
> 
> The Salt Lake Tribune (Jun 29) - "NSA in Utah: Mining a mountain of data" by
> @Tony_Semerad:
> http://www.sltrib.com/sltrib/news/56515678-78/data-nsa-http-www.html.csp?page=1
> 
> Nice compilation of information, including new interviews, by reporters at
> The Salt Lake Tribune.  Salt Lake is just 20 miles from Bluffdale where the
> NSA's $1.5 billion, 1 million square foot data center is scheduled to open
> this fall.
> 
> gf
> 
> --
> Gregory Foster || gfos...@entersection.org
> @gregoryfoster <> http://entersection.com/
> 



[liberationtech] Salt Lake Tribune on NSA's Utah Data Center

2013-07-03 Thread Gregory Foster
The Salt Lake Tribune (Jun 29) - "NSA in Utah: Mining a mountain of 
data" by @Tony_Semerad:

http://www.sltrib.com/sltrib/news/56515678-78/data-nsa-http-www.html.csp?page=1

Nice compilation of information, including new interviews, by reporters 
at The Salt Lake Tribune.  Salt Lake is just 20 miles from Bluffdale 
where the NSA's $1.5 billion, 1 million square foot data center is 
scheduled to open this fall.


gf

--
Gregory Foster || gfos...@entersection.org
@gregoryfoster <> http://entersection.com/



Re: [liberationtech] Help with Privacy online

2013-07-03 Thread Karl Fogel
Justin Breithaupt  writes:
>I would like to know what services are available for e-mail that don't
>share my private information, like Gmail does when it shares my info. 

A simple answer is: riseup.net (and donate some money to them, if you
can afford to, by the way).

The answer might get more complicated (and more difficult to implement)
the more deeply you delve into your needs, of course.  But for a start,
riseup.net is probably a good place to look.

>I would also like to know the best way to secure a Ubuntu based PC
>against privacy and security problems that allow the government and
>other people into your PC. 

This is a more complicated topic.  Use good passwords, only install open
source software, and don't run unnecessary services (e.g., don't run a
web server on your laptop, database server, etc, unless you have to).
Make sure your screen lock goes on automatically; also remember to turn
it on when you leave the laptop alone.  Don't get seen on camera typing
your password.  Etc :-).

(As other replies indicate, really thinking about this problem gets
complicated.)


Re: [liberationtech] Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance

2013-07-03 Thread Karl Fogel
Micah Lee  writes:
>I have added the CC license to the bottom of the web version:
>
>https://pressfreedomfoundation.org/whitepapers/encryption-works-how-protect-your-privacy-age-nsa-surveillance
>
>And I've also uploaded the source LibreOffice ODT, so it'll be easier
>for people to create derivative works:
>
>https://pressfreedomfoundation.org/sites/default/files/encryption_works.odt

Wonderful, thanks (and I see you put a link to the ODT at the bottom of
the web page too).

-Karl


>On 07/02/2013 03:01 PM, Karl Fogel wrote:
>> Micah Lee  writes:
>>> Freedom of the Press Foundation just published a whitepaper about how to
>>> protect your communications from NSA (or any other) surveillance.
>> 
>> Micah, thanks (& nice job).  Two quick questions:
>> 
>>   1) The CC-BY license info is only visible on the PDF; any reason it's
>>  not on the web version?
>> 
>>   2) Is the document available in source form (that is, whatever master
>>  format you edited to generate both web and PDF versions)?
>> 
>> The reason I ask (2) is that if someone wanted to make either an
>> abbreviated or an extended version of this guide, it would be easiest for
>> them to start from that source format.
>> 
>> Best,
>> -Karl
>> 
>>> https://pressfreedomfoundation.org/whitepapers/encryption-works-how-protect-your-privacy-age-nsa-surveillance
>>>
>>> The whole thing was inspired by this Edward Snowden quote: "Encryption
>>> works. Properly implemented strong crypto systems are one of the few
>>> things that you can rely on. Unfortunately, endpoint security is so
>>> terrifically weak that NSA can frequently find ways around it."
>>>
>>> Specifically we go over:
>>>
>>> * What crypto is and what makes it secure
>>> * What sort of software you can trust
>>> * Using Tor, and global adversaries
>>> * How OTR works and how to use it right
>>> * How PGP works and how to use it right
>>> * How Tails can help ensure high endpoint security

Re: [liberationtech] Help with Privacy online

2013-07-03 Thread Ali-Reza Anghaie
Justin,

I'd suggest you start by studying the options presented at
http://prism-break.org/ for alternative solutions.

In terms of hardening your Ubuntu install there are various resources
available from a web search, but you may consider the Tails
distribution or Whonix - both referred to in the OS section of the link
above. Good luck, Cheers, -Ali


On Wed, Jul 3, 2013 at 5:33 PM, Justin Breithaupt
 wrote:
> I would like to know what services are available for e-mail that don't share
> my private information, like Gmail does when it shares my info.
>
> I would also like to know the best way to secure a Ubuntu based PC against
> privacy and security problems that allow the government and other people
> into your PC.
>
>
>


[liberationtech] Help with Privacy online

2013-07-03 Thread Justin Breithaupt
I would like to know what services are available for e-mail that don't
share my private information, like Gmail does when it shares my info.

I would also like to know the best way to secure a Ubuntu based PC against
privacy and security problems that allow the government and other people
into your PC.

Re: [liberationtech] How to protect users from compelled fake ssl certs?

2013-07-03 Thread Anthony Papillion
On 07/03/2013 01:54 PM, Daniel Sieradski wrote:
> i use https://www.grc.com/fingerprints.htm to verify certs on the client
> end to make sure i'm not being man in the middled. it would be awesome
> if this were available as a firefox and chrome plugin that automatically
> did a check for you and gave you a red or green light.

Isn't this the same concept as notaries? Something like www.convergence.io?

Anthony

-- 
Anthony Papillion
Phone:   1.918.533.9699
SIP: sip:cajuntec...@iptel.org
iNum:+883510008360912
XMPP:cypherp...@patts.us

www.cajuntechie.org


Re: [liberationtech] Postal mail monitoring

2013-07-03 Thread R. Jason Cronk
This was revealed last month (possibly earlier). See 
http://www.thesmokinggun.com/documents/woman-arrested-for-obama-bloomberg-ricin-letters-687435


To The Doctor's point, I'm not sure what you would correlate. 
Everybody's mail is being photographed so


On 7/3/2013 2:34 PM, The Doctor wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/03/2013 02:11 PM, Matt Johnson wrote:


I thought this might be of interest to this list, especially to
anyone who thought they could be safe by not using digital
communications.

It would be interesting to correlate this against reports of people
whose mail sometimes comes opened and resealed after leaving the
custody of the sender, or just opened following certain events.

- -- 
The Doctor [412/724/301/703] [ZS]

Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Sephiroth was once tech support for Shin-Ra.

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlHUbp8ACgkQO9j/K4B7F8GdhACgzMVYeIJC/nKxmaIFVn1gaFsK
vq8AnjRMTwLirg/fNDDpE32vHZiKuisb
=M+Zo
-END PGP SIGNATURE-




R. Jason Cronk, Esq., CIPP/US
Privacy Engineering Consultant, Enterprivacy Consulting Group



 * phone: (828) 4RJCESQ
 * twitter: @privacymaverick.com
 * blog: http://blog.privacymaverick.com


[liberationtech] Can a private cloud appliance protect businesses from prying eyes?

2013-07-03 Thread Yosem Companys
Can a private cloud appliance protect businesses from prying eyes?

By David Meyer | GigaOM.com, Updated: Wednesday, July 3, 7:12 AM

http://www.washingtonpost.com/business/on-it/prism-fallout-can-a-private-cloud-appliance-protect-businesses-from-prying-eyes/2013/07/03/e93dff20-e35f-11e2-bffd-37a36ddab820_story.html

As the internet surveillance scandal continues to unfold, some smell
an opportunity. One such player is Protonet, which is set to launch
its private cloud appliance on Thursday. Hailing from Germany, the
home of data protection, the company is pitching the device as a way
for small-to-medium-sized enterprises to enjoy the benefits of the
cloud without using suppliers that might have to let the NSA poke
around if the agency demands it.

What’s more, Protonet has also just scooped up $1.2 million in funding
from local backers Tarek Mueller, Stefan Kolle and Stephan Rebbe, as
well as the Hamburg Innovation Fund, in order to push into the
European and U.S. markets. Prior to that, it picked up €200,000
($260,000) on Seedmatch.

The Protonet appliance is basically a good old Linux NAS box, housed
in an arguably attractive orange casing with a single button on it,
and with homegrown replacements for Dropbox (file-sharing),
Skype/Yammer (collaboration) and Basecamp (task management)
preinstalled. As Protonet “chief satisfaction engineer” Philipp
Baumgaertel told me, it’s a plug-and-play affair aimed very much at
small businesses that lack IT savvy, but that also don’t trust the
cloud very much:

Prices range between €2,749-€4,099 ($3,574-$5,330) before tax,
depending on the chosen configuration (it takes up to 16TB of RAID5
storage and can pack a quad-core 2.5GHz Xeon processor). It’s not the
cheapest small-business server out there, but it can pack a punch and,
as Baumgartel noted, the real value is in the zero-configuration
Protonet SOUL OS software package, which just happens to come with
hardware as an extra selling point.

So, will it protect small businesses from prying eyes? That’s a tricky
one to answer while we still don’t know precisely what the PRISM,
Tempora and Boundless Informant programs entail. What we can say for
sure is that it’s a safer option than going with a U.S. cloud provider
that will have to do what the U.S. security services tell it to do.

However, that’s not to say what Protonet is offering is entirely safe.
According to Edward Snowden, the British Tempora program involves
sucking data straight off the cables that form the backbone of the
internet. If that’s true, then the intelligence services don’t need to
be dealing with a pliable cloud provider to get what they want, and
for European users there’s not a huge difference between an appliance
such as this and simply using a European cloud provider.

From Protonet’s side, the company uses SSL encryption for
communications – the system does need to service mobile devices after
all – and claims it’s as safe as online banking. Baumgartel conceded
that, since we don’t know the full capabilities of the NSA, GCHQ and
their partners, it’s hard to promise anything more than that. (Of
course, the metadata associated with mobility can introduce unwanted
transparency all on its own.)

In other words, the private cloud appliance may be a good option for
businesses that fear the worst but haven’t entirely given up hope that
privacy may still be an option.


Re: [liberationtech] Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance

2013-07-03 Thread Micah Lee
I have added the CC license to the bottom of the web version:

https://pressfreedomfoundation.org/whitepapers/encryption-works-how-protect-your-privacy-age-nsa-surveillance

And I've also uploaded the source LibreOffice ODT, so it'll be easier
for people to create derivative works:

https://pressfreedomfoundation.org/sites/default/files/encryption_works.odt


On 07/02/2013 03:01 PM, Karl Fogel wrote:
> Micah Lee  writes:
>> Freedom of the Press Foundation just published a whitepaper about how to
>> protect your communications from NSA (or any other) surveillance.
> 
> Micah, thanks (& nice job).  Two quick questions:
> 
>   1) The CC-BY license info is only visible on the PDF; any reason it's
>  not on the web version?
> 
>   2) Is the document available in source form (that is, whatever master
>  format you edited to generate both web and PDF versions)?
> 
> The reason I ask (2) is that if someone wanted to make either an
> abbreviated or an extended version of this guide, it would be easiest for
> them to start from that source format.
> 
> Best,
> -Karl
> 
>> https://pressfreedomfoundation.org/whitepapers/encryption-works-how-protect-your-privacy-age-nsa-surveillance
>>
>> The whole thing was inspired by this Edward Snowden quote: "Encryption
>> works. Properly implemented strong crypto systems are one of the few
>> things that you can rely on. Unfortunately, endpoint security is so
>> terrifically weak that NSA can frequently find ways around it."
>>
>> Specifically we go over:
>>
>> * What crypto is and what makes it secure
>> * What sort of software you can trust
>> * Using Tor, and global adversaries
>> * How OTR works and how to use it right
>> * How PGP works and how to use it right
>> * How Tails can help ensure high endpoint security


-- 
Micah Lee
@micahflee


Re: [liberationtech] How to protect users from compelled fake ssl certs?

2013-07-03 Thread coderman
On Wed, Jul 3, 2013 at 11:55 AM, Steve Weis  wrote:
> Hi. I was interested in your comment that the Comodo hacker used the
> HSM programmatic interfaces. Do you have a source of that which you
> can share? I'm not finding a good post-mortem that mentions that fact.


the gory details at http://pastebin.com/u/ComodoHacker

tl;dr:
- Comodo - HTTPS API level access from extracted reseller credentials.
CAA might be useful here.
- DigiNotar - HSM XUDA interface used directly. CAA not applicable.
- StartCOM - netHSM interface used directly. CAA not applicable.


Re: [liberationtech] How to protect users from compelled fake ssl certs?

2013-07-03 Thread Daniel Sieradski
i use https://www.grc.com/fingerprints.htm to verify certs on the client end to 
make sure i'm not being man in the middled. it would be awesome if this were 
available as a firefox and chrome plugin that automatically did a check for you 
and gave you a red or green light.

--
Daniel Sieradski
d...@danielsieradski.com
http://danielsieradski.com
315.889.1444

Follow me at http://twitter.com/selfagency
Public key http://danielsieradski.com/share/ds_public.key

On Jul 3, 2013, at 2:41 PM, coderman  wrote:

> On Tue, Jul 2, 2013 at 10:01 AM, Ralph Holz  wrote:
>>> DANE: https://tools.ietf.org/html/rfc6698
>>> CAA: https://tools.ietf.org/html/rfc6844
>>> 
>> I wonder whether that would have protected against the Comodo Hacker. It
>> seems it depends when and from where the CAA checks are run.
> 
> it would not. Comodo Hacker used the HSM programmatic interfaces
> directly to issue certificates, thus bypassing any checks CAA would
> imply.
> 
> 
>> ...
>> It's another reason I like DANE and CT better.
> 
> fortunately you don't have to pick one; use both ;)

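The two client-side checks discussed in this thread (Daniel's manual fingerprint comparison against a published list, and Anthony's pointer to notary-style verification) written out as an added example for this page. It is not code from grc.com, Convergence or any browser extension. It operates on the DER bytes of the leaf certificate, which is what a browser or ssl.getpeercert(binary_form=True) hands you; the certificate bytes and the notary answers in it are constructed placeholders, not a real certificate or real notary responses, and the "notary" names are invented. The notary quorum logic shows the caveat a plugin author would hit: a disagreement between your view and the notaries' flags a MITM close to you, but a certificate that every vantage point sees identically (for instance one a CA was compelled to issue and that is served to everyone) goes green, so the pinned-fingerprint check stays useful alongside it.

```python
"""Client-side certificate fingerprint checks: pin comparison and
notary agreement (added example, not code from the original page).

Two checks a "red or green light" plugin would need:
  * compare the certificate's fingerprint against a pin the user
    recorded earlier, tolerating the usual display formats;
  * ask several independent notaries what fingerprint they saw for
    the same host and only go green when enough of them agree with
    the local observation.
"""
import hashlib
import hmac


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hex fingerprint of a DER-encoded certificate, colon-separated
    uppercase the way browsers and fingerprint lists display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonical lowercase hex without separators. Rejects garbage so a
    typo in a pin cannot silently turn into 'never matches'."""
    canon = fp.replace(":", "").replace(" ", "").strip().lower()
    if len(canon) not in (40, 64) or any(c not in "0123456789abcdef" for c in canon):
        raise ValueError(f"not a SHA-1/SHA-256 fingerprint: {fp!r}")
    return canon


def matches_pin(der: bytes, pinned_fp: str) -> bool:
    """True when the presented certificate matches the recorded pin.
    The pin's length selects SHA-1 (40 hex digits) or SHA-256 (64)."""
    pin = normalize(pinned_fp)
    algo = "sha1" if len(pin) == 40 else "sha256"
    observed = normalize(fingerprint(der, algo))
    return hmac.compare_digest(observed, pin)  # constant-time comparison


def notary_verdict(local_fp: str, notary_fps: dict, quorum: int = 2):
    """Notary-style decision. notary_fps maps a notary name to the
    fingerprint it observed for the host, or None if it was unreachable.
    Returns (verdict, agreeing, answering) with verdict in
    'green' | 'red' | 'unknown'."""
    local = normalize(local_fp)
    answering = [fp for fp in notary_fps.values() if fp is not None]
    agreeing = sum(1 for fp in answering if hmac.compare_digest(normalize(fp), local))
    if len(answering) < quorum:
        return "unknown", agreeing, len(answering)  # too few vantage points
    if agreeing >= quorum:
        return "green", agreeing, len(answering)
    return "red", agreeing, len(answering)  # others see a different certificate


# Constructed placeholders standing in for DER bytes; not real certificates.
GENUINE_DER = b"constructed placeholder for the site's genuine certificate"
MITM_DER = b"constructed placeholder for a forged or compelled certificate"


def demo() -> dict:
    """Run both checks over the constructed data and return the verdicts."""
    genuine_fp = fingerprint(GENUINE_DER)
    mitm_fp = fingerprint(MITM_DER)
    # A pin the user recorded earlier, deliberately in a sloppy format.
    pin = genuine_fp.lower().replace(":", " ")
    # Constructed notary answers (names are invented).
    normal = {"notary-a": genuine_fp, "notary-b": genuine_fp, "notary-c": None}
    attacked = {"notary-a": genuine_fp, "notary-b": genuine_fp, "notary-c": genuine_fp}
    return {
        "pin_ok": matches_pin(GENUINE_DER, pin),
        "pin_mitm": matches_pin(MITM_DER, pin),
        "normal": notary_verdict(genuine_fp, normal),
        "mitm": notary_verdict(mitm_fp, attacked),
        "too_few": notary_verdict(genuine_fp, {"notary-a": genuine_fp, "notary-b": None}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>8}: {result}")
```

With a real connection you would feed `ssl.SSLSocket.getpeercert(binary_form=True)` into `matches_pin` and have each notary return the fingerprint it obtained from its own TLS handshake with the host.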

Re: [liberationtech] How to protect users from compelled fake ssl certs?

2013-07-03 Thread coderman
On Tue, Jul 2, 2013 at 10:01 AM, Ralph Holz  wrote:
>> DANE: https://tools.ietf.org/html/rfc6698
>> CAA: https://tools.ietf.org/html/rfc6844
>> 
> I wonder whether that would have protected against the Comodo Hacker. It
> seems it depends when and from where the CAA checks are run.

it would not. Comodo Hacker used the HSM programmatic interfaces
directly to issue certificates, thus bypassing any checks CAA would
imply.


> ...
> It's another reason I like DANE and CT better.

fortunately you don't have to pick one; use both ;)
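coderman's point above is that the Comodo Hacker drove the CA-side interfaces (reseller API, HSM) directly, so a CAA check living in the CA's normal issuance pipeline never ran. The following added example, written for this page and not taken from any CA's code or from RFC 6844 itself, is that pipeline check: locate the relevant CAA RRset by climbing from the requested name toward the root, then decide whether a given CA may issue, including the wildcard (issuewild) and critical-flag rules. It makes the limitation concrete: the decision only matters for issuance requests that pass through it. The zone data is a constructed in-memory dictionary with made-up CA names; a real implementation would resolve the records over DNS (ideally DNSSEC-validated) and also follow CNAME/DNAME, which is left out here.

```python
"""RFC 6844 CAA issuance check as a CA would run it before signing
(added example for this page, not code from any CA or from the RFC).

Relevant RRset (section 4): walk from the requested name toward the
root and stop at the first name that has CAA records. 'issue' governs
ordinary names; 'issuewild', when present, takes over for wildcard
names; an issue value of ';' (empty issuer) forbids everyone; a record
with the critical flag (128) and an unknown tag forbids issuance.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CAA:
    flags: int  # bit 7 (value 128) = issuer critical
    tag: str    # 'issue', 'issuewild', 'iodef', ...
    value: str


# Constructed zone data: fully qualified lowercase name -> CAA records.
# CA names are invented; this is not any real domain's policy.
ZONE = {
    "example.com.": [CAA(0, "issue", "ca-one.example"),
                     CAA(0, "issue", "ca-two.example; account=123"),
                     CAA(0, "iodef", "mailto:security@example.com")],
    "locked.example.com.": [CAA(0, "issue", ";")],             # nobody may issue
    "wild.example.com.": [CAA(0, "issue", "ca-one.example"),
                          CAA(0, "issuewild", "ca-three.example")],
    "strict.example.com.": [CAA(128, "futuretag", "whatever")],  # critical, unknown
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parent(name: str) -> Optional[str]:
    """Parent of a fully qualified name; None once the root is passed."""
    if name == ".":
        return None
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def relevant_rrset(name: str, zone: dict) -> List[CAA]:
    """Climb toward the root and return the first CAA RRset found ([] if none)."""
    n = name.lower()
    while n is not None:
        if zone.get(n):
            return zone[n]
        n = parent(n)
    return []


def issuer_of(value: str) -> str:
    """issue/issuewild value is 'issuer-domain [; param=value ...]'.
    An empty issuer domain means 'no CA at all'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, requested_name: str, zone: dict) -> Tuple[bool, str]:
    """Decide whether CA 'ca' may issue for 'requested_name'. A leading
    '*.' marks a wildcard request; the CAA lookup starts below it."""
    wildcard = requested_name.startswith("*.")
    lookup = requested_name[2:] if wildcard else requested_name
    if not lookup.endswith("."):
        lookup += "."
    rrset = relevant_rrset(lookup, zone)
    if not rrset:
        return True, "no CAA records: issuance unrestricted"
    if any(rr.flags & 128 and rr.tag.lower() not in KNOWN_TAGS for rr in rrset):
        return False, "critical CAA property with unknown tag"
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"
    grants = [issuer_of(rr.value) for rr in rrset if rr.tag.lower() == tag]
    if not grants:
        return True, f"no '{tag}' property: issuance unrestricted"
    if ca.lower() in grants:
        return True, f"'{tag}' authorizes {ca}"
    return False, f"'{tag}' does not list {ca}"


if __name__ == "__main__":
    for ca, name in [("ca-one.example", "www.example.com."),
                     ("evil-ca.example", "www.example.com."),
                     ("ca-one.example", "locked.example.com."),
                     ("ca-one.example", "*.wild.example.com."),
                     ("ca-three.example", "*.wild.example.com."),
                     ("ca-one.example", "strict.example.com."),
                     ("ca-one.example", "www.unrelated.org")]:
        print(f"{ca:>18} -> {name:<24} {may_issue(ca, name, ZONE)}")
```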


Re: [liberationtech] Postal mail monitoring

2013-07-03 Thread The Doctor
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/03/2013 02:11 PM, Matt Johnson wrote:

> I thought this might be of interest to this list, especially to
> anyone who thought they could be safe by not using digital
> communications.

It would be interesting to correlate this against reports of people
whose mail sometimes comes opened and resealed after leaving the
custody of the sender, or just opened following certain events.

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Sephiroth was once tech support for Shin-Ra.

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlHUbp8ACgkQO9j/K4B7F8GdhACgzMVYeIJC/nKxmaIFVn1gaFsK
vq8AnjRMTwLirg/fNDDpE32vHZiKuisb
=M+Zo
-END PGP SIGNATURE-


Re: [liberationtech] secure download tool - doesn't exist?!?

2013-07-03 Thread Jonathan Wilkes

On 07/03/2013 04:47 AM, intrigeri wrote:

Hi,

Jonathan Wilkes wrote (02 Jul 2013 21:57:01 GMT) :

On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:

On 07/02/2013 04:51 AM, intrigeri wrote:

+ verify that the signed file you've downloaded is actually the
version you intended to download, and not an older, also properly
signed one.

[...]

Does Debian's "Valid-Until" field in the release files solve this problem?

After getting some help on #debian-apt, I can at least say that the "Valid-Until"
field in the release file for Debian security updates is indeed intended to
address replay attacks.

The Valid-Until mechanism (when it's used by the APT repository at
all) typically ensures an attacker can't hide available security
updates for more than a week.


You say "when it's used at all":

My understanding is that it's used for security updates (and possibly
some other repos), and not used for stable releases.  Are there security
updates that don't use "Valid-Until"?

The remaining question is this: what is an example of a potential attack that
exploits the absence of a "Valid-Until" header in a stable release? A stable
version of Debian is canonical, so there is nothing for an attacker to replay
unless it's from a previous version of Debian which has a different key and,
therefore, would set off alarm bells from apt.

-Jonathan


This is sometimes good enough.

Cheers,
--
   intrigeri
   | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
   | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc



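A worked version of the two checks this exchange and intrigeri's reply at the top of the page are circling around: Valid-Until bounds how long a correctly signed but stale repository snapshot can be replayed to hide newer security updates, and remembering the Date of the last accepted metadata catches a rollback on a suite such as stable, which point-releases modify but which may carry no Valid-Until at all. This is an added example written for this page, not code from Debian, APT or Tails. The Release texts in it are constructed samples with placeholder hashes, the one-week window mirrors the figure quoted in the thread, and the checks assume the OpenPGP signature over the metadata has already been verified: they only decide whether a validly signed file is the current one.

```python
"""Freshness and rollback checks on APT 'Release' metadata
(added example for this page, not code from Debian, APT or Tails).

Run AFTER the OpenPGP signature has been verified:
  1. Valid-Until: reject metadata whose validity window has passed
     (caps how long a replayed, still-correctly-signed snapshot works).
  2. Rollback: reject metadata whose Date is older than the newest Date
     this client already accepted (the only defence for a suite that
     ships no Valid-Until).
"""
from datetime import datetime, timedelta, timezone

RFC2822 = "%a, %d %b %Y %H:%M:%S %Z"  # APT release stamps are RFC 2822 dates in UTC


def parse_release(text: str) -> dict:
    """Parse the top-level 'Field: value' lines of a Release file.
    Indented continuation lines (the per-file hash lists) are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_date(value: str) -> datetime:
    return datetime.strptime(value, RFC2822).replace(tzinfo=timezone.utc)


def check_release(text: str, now: datetime, last_seen_date: datetime = None,
                  max_future_skew: timedelta = timedelta(hours=1)):
    """Return (ok, reason). last_seen_date is the Date of the newest Release
    this client previously accepted, or None on first run."""
    f = parse_release(text)
    if "Date" not in f:
        return False, "missing Date"
    date = parse_date(f["Date"])
    if date - now > max_future_skew:
        return False, "Date is in the future"
    if "Valid-Until" in f and now > parse_date(f["Valid-Until"]):
        return False, "Valid-Until has expired (possible replay)"
    if last_seen_date is not None and date < last_seen_date:
        return False, "older than previously accepted metadata (rollback)"
    return True, "fresh"


# Constructed sample: a -security Release with a one-week validity window.
SECURITY_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: wheezy
Date: Wed, 03 Jul 2013 12:00:00 UTC
Valid-Until: Wed, 10 Jul 2013 12:00:00 UTC
Architectures: amd64 i386
Components: updates/main
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 updates/main/binary-amd64/Packages
"""

# Constructed sample: a stable Release carrying no Valid-Until at all.
STABLE_RELEASE = """\
Origin: Debian
Suite: stable
Codename: wheezy
Date: Sat, 15 Jun 2013 10:00:00 UTC
Architectures: amd64 i386
Components: main
"""


def demo() -> dict:
    """Walk both samples through the checks at different clock values."""
    within = datetime(2013, 7, 5, tzinfo=timezone.utc)
    later = datetime(2013, 7, 20, tzinfo=timezone.utc)
    # Date of a (constructed) point release the client accepted earlier.
    point_release = datetime(2013, 7, 1, tzinfo=timezone.utc)
    return {
        "security_fresh": check_release(SECURITY_RELEASE, within),
        "security_replayed": check_release(SECURITY_RELEASE, later),
        # Without Valid-Until the old stable snapshot stays 'fresh' forever...
        "stable_no_window": check_release(STABLE_RELEASE, later),
        # ...unless the client remembers the newest Date it already accepted.
        "stable_rollback": check_release(STABLE_RELEASE, later, last_seen_date=point_release),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>18}: {verdict}")
```

On a real system the Date of the last accepted Release would be persisted next to the downloaded package lists, so that a snapshot served on the next run that is older than what was already seen is refused even when it carries no Valid-Until.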


[liberationtech] Postal mail monitoring

2013-07-03 Thread Matt Johnson
This NY Times article:
http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mail.html?hp&_r=2&&pagewanted=all
reports that the USPS has been keeping images of the outside of mail
for years. It is used in criminal investigations and for national
security. This is some information about how often it is used in
criminal investigations, but no such information about national
security use.

From the article: "Mr. Pickering was targeted by a longtime
surveillance system called mail covers, but that is only a forerunner
of a vastly more expansive effort, the Mail Isolation Control and
Tracking program, in which Postal Service computers photograph the
exterior of every piece of paper mail that is processed in the United
States — about 160 billion pieces last year. It is not known how long
the government saves the images."


I thought this might be of interest to this list, especially to anyone
who thought they could be safe by not using digital communications.

--
Matt Johnson


Re: [liberationtech] [Tails-dev] secure download tool - doesn't exist?!?

2013-07-03 Thread intrigeri
Hi,

adrelanos wrote (03 Jul 2013 13:20:46 GMT) :
> intrigeri:
>> Other than this, our current take on it is, I believe, making it
>> easier to verify OpenPGP detached signatures. E.g. we're working to
>> make it work flawlessly on the GNOME desktop.

> So you're working with Debian/upstream to integrate OpenPGP verification
> better into the operating system?

We are currently only working on making it easier to verify detached
OpenPGP signatures on the GNOME desktop. That's all :)

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


[liberationtech] Real World Crypto 2014

2013-07-03 Thread Steve Weis
Registration for the Real World Crypto 2014 workshop is open (and free).

http://realworldcrypto.wordpress.com/

What:
The Real World Cryptography Workshop aims to bring together
cryptography researchers with developers implementing cryptography in
real-world systems. The main goal of the workshop is to strengthen the
dialogue between these two groups. Topics covered will focus on uses
of cryptography in real-world environments such as the Internet, the
cloud, and embedded devices.

When:
Monday, January 13, 2014 - Wednesday, January 15, 2014

Where:
City College of New York / CUNY, New York, NY

Who:
Arvind Narayanan - Princeton University
Brian Warner - Mozilla
Christian Rechberger - DTU
David Anderson - Seagate
Eric Le Saint - Active Identity
Hans van Tilburg - Visa
Hoeteck Wee - George Washington University
Jakob Pagter - Partisia/Alexandra Instituttet
Marc Fischlin - TU Darmstadt
Matt Green - JHU
Moti Yung - Google
Shai Halevi - IBM
William Whyte - Security Innovations
Yevgeniy Dodis - New York University
Zooko Wilcox-O'Hearn - Least Authority
--


[liberationtech] Query re. Corporate censorship

2013-07-03 Thread Charles Ess
Dear colleagues,

I have been encouraged to repost this query to this list, and am more than
happy to do so.

I've been asked to develop a presentation on the future of freedom of
expression in online environments, including discussion of multiple ways in
which - in addition to whatever governments may be up to in different
contexts and ways - the private enterprises that increasingly dominate and
control much of our online spaces and infrastructures censor political
speech and expression.

The presentation is for an upcoming Webinar, sponsored by The Digital
Futures Task Force in collaboration with the European Commission Directorate
General for Communications Networks, Content & Technology - Unit  G1,
"Converging Media and Content".

One example passed on to me was of a well-established professional in a
European country (i.e., not fitting the profile of terrorist, anarchist, or
even leftist) who posted comments on his/her SNS page critical of the U.S.
These comments disappeared from the page without notice or explanation.

I would be very grateful for:
1) recommendations for careful studies of such events and phenomena which
include reliable documentation of their occurrence? (Yes, I realize that
documenting and studying such episodes would be extremely tricky and
difficult.)
And/or
2) well documented anecdotes or examples (e.g., as reported in a reliable
newspaper of record) of such episodes?

Please send these along offlist.  I will, of course, more than happily
credit the sources and authors of any examples and resources collected and
used for the presentation (unless anonymity is requested instead).

Many thanks in advance,
- charles ess

Professor in Media Studies
Department of Media and Communication
Director, Centre for Research on Media Innovations


University of Oslo 
P.O. Box 1093 Blindern
NO-0317 
Oslo Norway
email: c.m@media.uio.no





--


Re: [liberationtech] Terry Winograd and Evgeny Morozov

2013-07-03 Thread The Doctor
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/02/2013 06:50 PM, Doug Schuler wrote:

> And not to be churlish, but of course language did not solve all of
> our problems. But as in the parable you mentioned, It did help
> humankind dominate nature - lions included.

Talking to a lion doesn't help when it has you in its mouth.

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"Become a producer of experiences, not a consumer." --Terrence McKenna

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlHUO0QACgkQO9j/K4B7F8GIYwCeL3HjQf715t/VWmXc+t9QPwXb
Xq0AnixN13EA6fk12clYa6M3E9mj7cub
=aGL+
-END PGP SIGNATURE-
--


Re: [liberationtech] A community wireless mesh grows in Oakland, California.

2013-07-03 Thread The Doctor
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/02/2013 03:34 PM, R. Jason Cronk wrote:
> Is anybody going to be attending the PETS conference next week who
> is familiar with current work/research in the area of wireless
> mesh networks? I'm very interested in getting together and learning
> more about the current state of affairs.

I can't make it, but I'm active in that problem space.  Are there any
questions that I can answer?

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"Become a producer of experiences, not a consumer." --Terrence McKenna

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlHUOmQACgkQO9j/K4B7F8Fl+gCfaadOMQxbJECGLTYvdzlXUK6+
Eh4AoIFKt5Tapwp5GMr9VPrtINRe1RYB
=vnok
-END PGP SIGNATURE-
--


Re: [liberationtech] [Tails-dev] secure download tool - doesn't exist?!?

2013-07-03 Thread adrelanos
intrigeri:
> Hi,
> 
> adrelanos wrote (01 Jul 2013 18:03:01 GMT) :
>> Goal:
> 
>> - big file downloads
>> - at least as secure as TLS
>> - at least as simple as a regular download using a browser
>> - not using TLS itself (too expensive) for bulk download
> 
>> The problem: [...]
> 
> + verify that the signed file you've downloaded is actually the
>   version you intended to download, and not an older, also properly
>   signed one.

I didn't want to make such high requirements. At the moment, problems
are worse, most downloads (http) aren't even as safe as TLS.

Any tool as safe as TLS and also defeating your + is of course welcome
as well.

> See tools that take this into account:
>   - Thandy (already mentioned by Moritz)

As far as I know, Thandy is unfinished, no longer developed, Tor package
centric, derived from TUF, downloader. Therefore not useful for the
general use case?

>   - TUF:
> https://www.updateframework.com/

TUF is awesome. They're creating a library that others can use in their
applications. But then we're back to the original problem of this
thread: how to get this application in the first place and at least as
safe as TLS?

>   - our design for incremental updates:
> https://tails.boum.org/todo/incremental_upgrades/

This is awesome as well, but I believe it solves a different problem.
This one was: how to initially download? Then you're back to OpenPGP,
which very few people use.

> Other than this, our current take on it is, I believe, making it
> easier to verify OpenPGP detached signatures. E.g. we're working to
> make it work flawlessly on the GNOME desktop.

So you're working with Debian/upstream to integrate OpenPGP verification
better into the operating system?
--


[liberationtech] Iranian Internet Infrastructure and Policy Report: Election Edition

2013-07-03 Thread Collin Anderson
Libtech,

Small Media released its Election Edition of the ongoing Infrastructure
series. It should make for a quick read, but lend a great deal of technical
and political insight into the fairly aggressive campaign against access
that occurred in the final days of the lead up to the first round of voting.

Cordially,
Collin

---

Introduction

The behavior of Iranian telecommunication regulators and government
officials follows a recurrent, predictable formula: the extent to which the
Internet is accessible and stable is directly connected to the security of
the political status quo. The full technical capacity and socioeconomic
considerations of authorities for the interference of the flow of
communications is never truly known until moments of uncertainty, the exact
moment when the state intervenes. Despite this pattern, spanning at least
four years, international civil society has rarely kept an institutional
knowledge accounting for how disruptions occur, more often focusing on the
effects and outcomes; particularly, in a manner that enables the
articulation of the threat model of a government challenged by its people.
Iran has caught the attention of the international public for more often
than not reasons of international politics. However, for advocates of the
free flow of information, history has shown that as Iran goes, so does much
of the rest of the world. In consideration of the prospect of observing
such a rare window, timed with the first Presidential election since the
Green Movement, for seven months we have sought to document the shifts of
the country’s Internet.

The May edition of our report set the stage, describing an aggressive and
accelerated campaign against anti-filtering tools, bloggers and
communications services. These technical impediments were creative in a
manner that few developers or researchers appeared to have ever predicted.
following weeks after publication, Iranians were subject to a
continually compounding set of restrictions, attacks and crackdowns, both
online and offline. In the spirit of our mission and these circumstances,
we offer in this, the June election edition, a timeline of the events that
ensued, accounted for with technical evidence and external verification.
Colloquially known as the Filternet, within the course of six weeks, Iran’s
Internet progressed from its relative sense of normality, to a nearly
unusable network, whitelisted and throttling, and then overnight back to a
routine set of restrictions.

Such a narrative is sensational in its extremity and interesting
technically, however, focusing solely on the struggle between the user and
a firewall paints only a fraction of the picture. In the same period, the
public learned of links between malware campaigns targeting journalists and
prior state-sponsored attacks on Google, informal actors used filtered
social media to intimidate and identify street protesters, blocking of
websites and SMS messages appeared to foreshadow the results of the vetting
process, and reformist sites were compromised on an eleventh hour hacking
spree. State-vetted candidates not only criticized the filtering regime,
but were blocked by it and used international platforms to bypass it. The
surprise first round victory of the moderate cleric Hassan Rouhani held a
lesson that applies to the Internet as well -- the politics and actions of
any system are complex to a point that understanding how it functions
requires a deeper knowledge and constant reevaluations of one’s
presumptions.


-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.

Re: [liberationtech] secure download tool - doesn't exist?!?

2013-07-03 Thread intrigeri
Hi,

Jonathan Wilkes wrote (02 Jul 2013 21:57:01 GMT) :
> On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:
>> On 07/02/2013 04:51 AM, intrigeri wrote:
>>> + verify that the signed file you've downloaded is actually the
>>>version you intended to download, and not an older, also properly
>>>signed one.
[...]
>> Does Debian's "Valid-Until" field in the release files solve this problem?

> After getting some help on #debian-apt, I can at least say that the 
> "Valid-Until"
> field in the release file for Debian security updates is indeed intended to 
> address
> replay attacks.

The Valid-Until mechanism (when it's used by the APT repository at
all) typically ensures an attacker can't hide available security
updates for more than a week. This is sometimes good enough.

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
--
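Added example, not code from the thread or from Debian: a Python freshness check on an APT Release file, modelled on the Valid-Until mechanism intrigeri describes above. It also illustrates the "+" requirement from the secure download thread (a properly signed but older file must still be rejected). The two Release files are constructed samples, not real Debian output; signature verification is assumed to have happened already and is not shown; the max_age fallback for repositories that omit Valid-Until is a policy choice of this example (apt's Acquire::Max-ValidTime option serves a similar purpose), and replay_window is a helper name invented here.

```python
"""Freshness check for APT Release files (added example, not from the thread).

A Release file is signed, so an attacker who controls the mirror or the
network cannot forge one. What they can do is replay an older, still
validly signed copy so the client never learns about newer packages.
Valid-Until bounds how long such a replay works. Signature verification
is assumed to have happened before this check runs.
"""
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample inputs (header fields only; the per-file checksum
# lists that follow in a real Release file are omitted).
SECURITY_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: wheezy
Date: Wed, 03 Jul 2013 12:00:00 UTC
Valid-Until: Wed, 10 Jul 2013 12:00:00 UTC
Architectures: amd64 i386
Components: updates/main
"""

# Constructed third-party repository sample: no Valid-Until at all.
THIRD_PARTY_RELEASE = """\
Origin: example-vendor
Suite: stable
Date: Wed, 03 Jul 2013 12:00:00 UTC
Architectures: amd64
Components: main
"""


def parse_release(text):
    """Parse the top-level 'Key: value' fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue  # blank lines and indented checksum entries
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _as_datetime(value):
    """Accept either an RFC 2822 date string (as used in Release files)
    or an already parsed timezone-aware datetime."""
    if isinstance(value, str):
        return parsedate_to_datetime(value)
    return value


def check_freshness(text, now, max_age=timedelta(days=7),
                    skew=timedelta(minutes=5)):
    """Decide whether a Release file is acceptable at time `now`.

    Returns (accepted, reason).
    - A Date in the future (beyond `skew`) indicates a broken clock or a
      crafted file, so it is rejected.
    - If Valid-Until is present, the file is rejected once it has passed.
    - If Valid-Until is absent, apt itself would accept the file forever;
      `max_age` is this example's own client-side ceiling instead.
    """
    now = _as_datetime(now)
    fields = parse_release(text)
    date = parsedate_to_datetime(fields["Date"])
    if date - now > skew:
        return False, "Date is in the future"
    if "Valid-Until" in fields:
        valid_until = parsedate_to_datetime(fields["Valid-Until"])
        if now > valid_until:
            return False, "Valid-Until has passed"
        return True, "within Valid-Until"
    if now - date > max_age:
        return False, "no Valid-Until and older than max_age"
    return True, "no Valid-Until, within max_age"


def replay_window(text):
    """How long a captured copy of this Release file keeps being accepted
    by a client that enforces only Valid-Until. None means forever."""
    fields = parse_release(text)
    if "Valid-Until" not in fields:
        return None
    return (parsedate_to_datetime(fields["Valid-Until"])
            - parsedate_to_datetime(fields["Date"]))


if __name__ == "__main__":
    for name, text in (("security", SECURITY_RELEASE),
                       ("third-party", THIRD_PARTY_RELEASE)):
        for when in ("Sat, 06 Jul 2013 12:00:00 UTC",
                     "Thu, 11 Jul 2013 12:00:00 UTC",
                     "Sat, 03 Aug 2013 12:00:00 UTC"):
            print(name, when, check_freshness(text, when))
        print(name, "replay window:", replay_window(text))
```

For the security sample, a copy captured on 3 July is still accepted on 6 July (the replay succeeds for the rest of that week) and rejected on 11 July, which is exactly the "can't hide updates for more than a week" bound. For the sample without Valid-Until the window is unbounded, and only the client-side max_age closes it. Both checks depend on a trustworthy local clock: an attacker who can also skew the client's time (for example by controlling NTP) extends the window again.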