Re: [liberationtech] Is spideroak really zero-knowledge?
@Tony, The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. https://spideroak.com/engineering_matters -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Can JavaScript cryptography be trusted? (was: In defense of client-side encryption)
Quickly adding my blog post on the matter to this thread. Would love to hear discussion regarding it: http://log.nadim.cc/?p=33 NK On 2013-08-13, at 1:58 AM, Tony Arcieri basc...@gmail.com wrote: On Mon, Aug 12, 2013 at 3:07 PM, Ali-Reza Anghaie a...@packetknife.com wrote: I'm sorry but aren't we spending a lot of time conflating code quality, secure coding practices, software distribution, .. with ~JavaScript in a browser~? I think the title of the thread has a lot to do with that. Fixed! ;) -- Tony Arcieri -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Is spideroak really zero-knowledge?
On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha percyal...@gmail.com wrote: @Tony, The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. https://spideroak.com/engineering_matters Again, they seem to be talking about client-side encryption here. A zero-knowledge proof around a password looks a bit more like this: https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol Short of implementing something like SRP they don't have a true zero knowledge system IMO -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Lavabit, Silent Circle both shut down
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Arjen, May I ask what Swiss providers would you recommend? (disclaimer: I am normally very hesitant to 'advertise' for specific companies since as a consultant I do my very best to remain independent from having any interest in procurement of specific products or services). Duly noted. :) SwissVPN provides some nice VPN services but it is not the only VPN provider I use. That's the company I use, too - and ultimately the reason I am asking because Chris Soghoian once told me that they log the connections. This seems to be supported by this inquiry made in 2011: http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/ They log for 6 months and say they will respond to requests under Swiss law. I would be surprised if other Swiss providers wouldn't do the same, but I am very happy to hear otherwise? Ralph - -- Ralph Holz I8 - Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ Phone +49.89.289.18043 PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJSCfOSAAoJEFIODINpsAPvznoH/jKnUEbbpS8Ahgl8dZ8OCE+g QQSxeFSR1MRDaHYWaNkL/tSRpUZheI9wbSAZI0kU0dGyJXSvE9WHFNUmasNGi6DY OT8XQxgcl/wQggAv1zGDFAlPImg0eJej8L6hRvtcZgGH6h9nkGyTenkdhjMohn6U aCBp69dG31mvsIE8QHIe/EirVO+y1JY1D+0NoIz238VS4w9zZH5E6XZ1zEJ1KC7d yF6lI73g5NQIcM3WIJjYJUrfaY+Nj8g+ZwBb50BEDbaUtny2jic/Gi5EjXD8c/UT XnmcbeqHg+hDRGHF7cSAoFTKMbFDCr5Y4GeNQVQ4w/GQslxr6SK4fO6fqoG5K8E= =1WXH -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/08/13 21:32, Francisco Ruiz wrote: So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? I'd like to second Guido's objection that most people don't know what a hash is, or have the skills or software required to verify one, so this isn't an effective security measure for most people. Even if it were, you'd have to ask the celebrity to read a new hash for every version of the software, and the videos for old versions could be used in a rollback attack. Cheers, Michael -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJSCf5oAAoJEBEET9GfxSfMUB4H/RTrYX1we2t1p9+TeXm21GV2 OWJkZvWLvfDmJqf/utJNoFH4wgLkDvziWrTCqGWbuDlPlmLzNTvGvIZio9i82cUT tja1bnmPr17BDz5Msn8d4/BFdjrV957e1S3P2Tqx8GGaZFAYCi5EX57Q7G2Lvphj 4NDkDOFEfwfQ38azsBNokdUXo5Ek98I2SXv2GG3ac8N1a2HBVpsHr3lqfsZLDTyS LrwM6dPCEWV+kd8+VsOjokKB8y7o9lUjLMmOvMtM4dC9bak8OoDy+fkxWkmMf48v KBRqsPN6rasEmDxGRDtLZN0CAzEMGcmndJDqMY4tV/v9IgnLRScaMJaz8Fsc8cY= =7Qy4 -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
Maybe the celebrity could read the binary sequence of a compiled program, and the user could take dictation into a simple command line script? On 13 August 2013 10:37, Michael Rogers mich...@briarproject.org wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/08/13 21:32, Francisco Ruiz wrote: So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? I'd like to second Guido's objection that most people don't know what a hash is, or have the skills or software required to verify one, so this isn't an effective security measure for most people. Even if it were, you'd have to ask the celebrity to read a new hash for every version of the software, and the videos for old versions could be used in a rollback attack. Cheers, Michael -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJSCf5oAAoJEBEET9GfxSfMUB4H/RTrYX1we2t1p9+TeXm21GV2 OWJkZvWLvfDmJqf/utJNoFH4wgLkDvziWrTCqGWbuDlPlmLzNTvGvIZio9i82cUT tja1bnmPr17BDz5Msn8d4/BFdjrV957e1S3P2Tqx8GGaZFAYCi5EX57Q7G2Lvphj 4NDkDOFEfwfQ38azsBNokdUXo5Ek98I2SXv2GG3ac8N1a2HBVpsHr3lqfsZLDTyS LrwM6dPCEWV+kd8+VsOjokKB8y7o9lUjLMmOvMtM4dC9bak8OoDy+fkxWkmMf48v KBRqsPN6rasEmDxGRDtLZN0CAzEMGcmndJDqMY4tV/v9IgnLRScaMJaz8Fsc8cY= =7Qy4 -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Love regards etc David Miller http://www.deadpansincerity.com 07854 880 883 -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Is spideroak really zero-knowledge?
On 08/13/2013 12:32 AM, Tony Arcieri wrote: On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha percyal...@gmail.com mailto:percyal...@gmail.com wrote: @Tony, The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. https://spideroak.com/engineering_matters Again, they seem to be talking about client-side encryption here. A zero-knowledge proof around a password looks a bit more like this: https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol Short of implementing something like SRP they don't have a true zero knowledge system IMO Curious, they used to actually include some notes on how they use a zero knowledge proof for authentication, but it has been taken down. Waybackmachine has the old text: http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters Perhaps they changed how they do authentication. -elijah -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Lavabit, Silent Circle both shut down
Hi guys: Safe and secure are relevant. But, Arjen is absolutely right, Switzerland is at the moment the best place to have your materials hosted. It's also the place where Silent Circle looks at. And one where Wikileaks is hosted. Some on this list still have doubts, even about Switzerland. Never a bad idea to be paranoid of course, but there are some logical reasons why Switzerland is a good choice. Here are the main ones: The Swiss are well known for their bank secrecy. A fact which is hated and regularly contested by the E.U. and the U.S. Banks in CH need to be extremely careful in guarding their own nations' interest, of which banking, tourism, cheese and watch making are core values. There are some pretty harsh rules in place to protect those interests. Of course when there is a major crime Swiss police cooperates with other nations. But saving money in a bank is definitively not seen as a crime. And so far as I know there is not any remote chance that the U.S. and/or the E.U. will be able to force a change. Like lately by levying huge fines on the UBS bank. They try though:) There is yet another reason. And that is because Switzerland is the second seat nation of the United Nations, while being itself not a member, only observer to U.N. The U.S. has many times (as also revealed by Snowden) attempted to bribe Swiss officials and business people and/or coerce them. CIA has been fairly active, but to no avail. Swiss have also taken serious countermeasures against intrusions. This hostile behavior from the U.S. towards Switzerland is taken seriously into account as well. It isn't really productive to enhance friendships. Then Switzerland still feels abused by the U.S., in particular by the NSA, because of the Crypto AG affair of some decennia back. Search the web to get the historical details. Whatever happened, happened, but it was surely not in the core interest of the Swiss people. And finally, once every year there is a meeting of all chiefs and directors of (western)European intelligence services, called the Club du Berne, in Switzerland. Switzerland was chosen as a meeting place because of its impartiality and integrity. Surely, one of the 'Five Eyes Nations' is present as well. And word has it that it's not playing a role of any significance. No the above is not a guarantee that nobody will attempt to intrude in a system, in Switzerland. It will happen, and occasionally with success. But the Swiss government, businesses and people are very keen to stop the bullets before these hit somebody. In particular from other European nations and the United States. And finally, am I Swiss? Absolutely not, but these days I wish I was :) And, yes, I do host my Internet business activities there, and I mean since 1994. That's almost 20 years, and I have never been disappointed. And that does count for something. Do follow Arjen's leads, search the web, and by all means go there and meet them in person. Greetz RTF -Original Message- From: liberationtech-boun...@lists.stanford.edu [mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of Ralph Holz Sent: Tuesday, August 13, 2013 10:52 AM To: liberationtech@lists.stanford.edu Subject: Re: [liberationtech] Lavabit, Silent Circle both shut down -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Arjen, May I ask what Swiss providers would you recommend? (disclaimer: I am normally very hesitant to 'advertise' for specific companies since as a consultant I do my very best to remain independent from having any interest in procurement of specific products or services). Duly noted. :) SwissVPN provides some nice VPN services but it is not the only VPN provider I use. That's the company I use, too - and ultimately the reason I am asking because Chris Soghoian once told me that they log the connections. This seems to be supported by this inquiry made in 2011: http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously- 111007/ They log for 6 months and say they will respond to requests under Swiss law. I would be surprised if other Swiss providers wouldn't do the same, but I am very happy to hear otherwise? Ralph - -- Ralph Holz I8 - Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ Phone +49.89.289.18043 PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJSCfOSAAoJEFIODINpsAPvznoH/jKnUEbbpS8Ahgl8dZ8OCE+g QQSxeFSR1MRDaHYWaNkL/tSRpUZheI9wbSAZI0kU0dGyJXSvE9WHFNUmasNGi6DY OT8XQxgcl/wQggAv1zGDFAlPImg0eJej8L6hRvtcZgGH6h9nkGyTenkdhjMohn6U aCBp69dG31mvsIE8QHIe/EirVO+y1JY1D+0NoIz238VS4w9zZH5E6XZ1zEJ1KC7d yF6lI73g5NQIcM3WIJjYJUrfaY+Nj8g+ZwBb50BEDbaUtny2jic/Gi5EjXD8c/UT XnmcbeqHg+hDRGHF7cSAoFTKMbFDCr5Y4GeNQVQ4w/GQslxr6SK4fO6fqoG5K8E= =1WXH -END PGP SIGNATURE- -- Liberationtech is a public list
Re: [liberationtech] Petition Google over banning Servers on Google Fiber?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi all, On Tue, Aug 13, 2013 at 01:24:07AM +0200, Moritz Bartl wrote: Thank you EFF for the well-written reminder: https://www.eff.org/deeplinks/2013/08/google-fiber-continues-awful-isp-tradition-banning-servers [...] We should petition Google to get rid of this. Does anyone know if EFF planning such an action, or do you have contacts to organizational networks to get it going properly? A petition is probably worth giving a try, but in the end Google are on their infrastructure and selling access under their terms of service, so it may be quite a difficult challenge. Even more difficult since, as far as I understand, many other operators do the same on the market. There are similar issues in France: a few ISPs providing high-speed fiber connection forbid in the same way hosting a server at home (unless you pay more). In addition, some do not provide a fixed IP address to practically make things more difficult. We all understand that this violates Net Neutrality and prevents citizens from reclaiming control of their data to have a decent level of privacy. We subsequently understand that this is a serious issue from a democracy point of view, knowing governments' surveillance practices. Now, in case it could be of any use in the US, in France Europe I see two types of initiatives that try to push things in a better direction: - - at the European Parliament some advocacy groups have tried to push the fact that a company could not say that they sell internet access if what they sell contains violations to Net Neutrality (I don't know the details on the situation of this political battle, but you get the idea); - - in France, we have more and more associative (non-profit) ISPs providing internet access to small numbers of people - the core ideas are to provide a neutral access (to the extent permitted by law) and promote decentralization (as in internet) through the creation of many little structures; the oldest and biggest, French Data Network (FDN) created a Federation (FFDN) in which the smaller and more local ones are gathered; we would really like this kind of initiative to spread - take a look there http://www.ffdn.org, some posts are in English All the best, KheOps -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.20 (GNU/Linux) iQEcBAEBAgAGBQJSCjM0AAoJEK9g/8GX/m3dUB4IAMh6qFnPhE5L6uQDzWWxGlU1 0Paqfs7OodmOW0DiD1oEbMX3EFAIR341MP7Lck2JDbKRBHqUPw/SJOi9fNUKGujW Ai5lV9ZVUYudCzsHVqczDorVUKbC7DyYRgVZ+7PJ5KGFzUpt9XGkdPfEGnXmXFOE 2QeYTcUTJzmBG9tjMwh6xpKglrltz4gp1sYyWCEJZuiBea6iBkU15WBiJLZ5zhE+ 3a7DnAa9gB+FgVG9bWDx7a2PIH2TOxQ2lEo8P3QrRf7VHZzm7pfxb/PDzpzW6Euw 9UOxddUDg2NPak8fPocWOc/+vqfyLY7VL9gfhmL53tXUbiaPsEkHCfwG7Z0btiU= =h0AL -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Swiss VPNs (was: Re: Lavabit, Silent Circle both shut down)
On 13.08.2013 10:51, Ralph Holz wrote: SwissVPN provides some nice VPN services but it is not the only VPN provider I use. They log for 6 months and say they will respond to requests under Swiss law. I would be surprised if other Swiss providers wouldn't do the same, but I am very happy to hear otherwise? Switzerland has data retention laws. While it might be good for oligarchs to hide their money, it is not good for online privacy. -- Moritz Bartl https://www.torservers.net/ -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Swiss VPNs (was: Re: Lavabit, Silent Circle both shut down)
Oligarchs and privacy advocates have something in common. If you got a better place, please name it. And by the by, forget Germany, it may not have data retention (for now), but it does have 50,000 American troops, a refurbished Bad Aibling with all newly trained German personnel, and a huge Intel building in Berlin that can house 101 Airborne in the basement. While the abolished Pullach establishment is readied for 'modern intel testing equipment'. RTF -Original Message- From: liberationtech-boun...@lists.stanford.edu [mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of Moritz Bartl Sent: Tuesday, August 13, 2013 1:46 PM To: liberationtech@lists.stanford.edu Subject: [liberationtech] Swiss VPNs (was: Re: Lavabit, Silent Circle both shut down) On 13.08.2013 10:51, Ralph Holz wrote: SwissVPN provides some nice VPN services but it is not the only VPN provider I use. They log for 6 months and say they will respond to requests under Swiss law. I would be surprised if other Swiss providers wouldn't do the same, but I am very happy to hear otherwise? Switzerland has data retention laws. While it might be good for oligarchs to hide their money, it is not good for online privacy. -- Moritz Bartl https://www.torservers.net/ -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Swiss VPNs
On 13.08.2013 14:20, taxakis wrote: Oligarchs and privacy advocates have something in common. If you got a better place, please name it. I don't. I still believe we should stop being naive and promote Iceland or Switzerland, just because we think they offer better privacy. In general, just because you read something in the news, don't just believe it. I never said Germany was a better place. Yes, I should have quotable sources at hand, but at the moment I don't. A good address for a more detailed answer would be the Chaos Computer Club Switzerland, http://www.ccc-ch.ch/ , and, for Iceland, try the people behind IMMI, https://immi.is/ . The interesting part about Iceland is that there is a slight chance of *making it* a privacy-friendly jurisdiction. It is not, yet. If media always convey the picture of a privacy-friendly country, its own politicians will start believing it and fight for it, hopefully. -- Moritz Bartl https://www.torservers.net/ -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Is spideroak really zero-knowledge?
They've also been working on an open source version of their client and server software called crypton (https://crypton.io/) It implements the protocol originally listed on their site as Elijah pointed out with the wayback machine. On Tue, Aug 13, 2013 at 2:52 AM, elijah eli...@riseup.net wrote: On 08/13/2013 12:32 AM, Tony Arcieri wrote: On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha percyal...@gmail.com mailto:percyal...@gmail.com wrote: @Tony, The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. https://spideroak.com/engineering_matters Again, they seem to be talking about client-side encryption here. A zero-knowledge proof around a password looks a bit more like this: https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol Short of implementing something like SRP they don't have a true zero knowledge system IMO Curious, they used to actually include some notes on how they use a zero knowledge proof for authentication, but it has been taken down. Waybackmachine has the old text: http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters Perhaps they changed how they do authentication. -elijah -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] From Snowden's email provider. NSL???
On Sun, Aug 11, 2013 at 4:46 AM, Michael Rogers mich...@briarproject.org wrote: The app store can't substitute a different binary (no developer signing key), users can verify that the app was what the developer produced (via pulling the binary and checking the hash), and advanced users can verify that what the developer produced is what they produce via the replicable build process. I don't know how the Apple or Chrome app stores work, but on Android the user doesn't have a standard way to obtain the developer's key, so the app store could sign a modified binary with any key. Signing isn't sufficient without some means of invalidation under the developer's control. Even putting aside users who are slow to update, select users can be served older versions of apps with known vulnerabilities intact. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Snowden: Unencrypted Journalist-Source Communications Unforgivably Reckless
Hey LibTech, In a recently published interview with the New York Times, Edward Snowden called unencrypted communications between journalists and sources unforgivably reckless: I was surprised to realize that there were people in news organizations who didn’t recognize any unencrypted message sent over the Internet is being delivered to every intelligence service in the world. In the wake of this year’s disclosures, it should be clear that unencrypted journalist-source communication is unforgivably reckless. http://www.nytimes.com/2013/08/18/magazine/snowden-maass-transcript.html I hope sending this along will be useful for journalists on this list as well as for those who need extra material to help them convince their journalist friends to adopt privacy-preserving practices. As usual, I'll take the opportunity to again vouch for the need for accessible, easy to use encryption, like what Guardian Project, Whisper Systems and Cryptocat are working on. NK -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
So not sure this is taking the discussion in a direction useful to this list, but a thought-- celebrities are not likely to be available to do something like this -- i.e., a series of readings on youtube videos -- unless the videos were connected to a high-profile campaign, a film/documentary, or run by an organization that they are connected to or doing a favor for (and the favor is usually done through a celebrity that's a friend or their management. And the negotiation of a campaign that incorporates a celebrtiy is complicated and time-consuming, and once done, is difficult to manage. It's not impossible and it's not that celebrities (John Cusack was a great suggestion, by the way) wouldn't be interested in the issue, it's just that it may not be worth the time you'd spend in trying to attract someone. Having said that, if anyone ever did want to attract a celebrity to a high-profile cause, start by inquiring with CAA or the Global Philanthropy Group. Or if you want a simple retweet for profile, most celebrities are pretty obliging with that. Lina On Tue, Aug 13, 2013 at 5:52 AM, David Miller da...@deadpansincerity.comwrote: Maybe the celebrity could read the binary sequence of a compiled program, and the user could take dictation into a simple command line script? On 13 August 2013 10:37, Michael Rogers mich...@briarproject.org wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/08/13 21:32, Francisco Ruiz wrote: So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? I'd like to second Guido's objection that most people don't know what a hash is, or have the skills or software required to verify one, so this isn't an effective security measure for most people. Even if it were, you'd have to ask the celebrity to read a new hash for every version of the software, and the videos for old versions could be used in a rollback attack. Cheers, Michael -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJSCf5oAAoJEBEET9GfxSfMUB4H/RTrYX1we2t1p9+TeXm21GV2 OWJkZvWLvfDmJqf/utJNoFH4wgLkDvziWrTCqGWbuDlPlmLzNTvGvIZio9i82cUT tja1bnmPr17BDz5Msn8d4/BFdjrV957e1S3P2Tqx8GGaZFAYCi5EX57Q7G2Lvphj 4NDkDOFEfwfQ38azsBNokdUXo5Ek98I2SXv2GG3ac8N1a2HBVpsHr3lqfsZLDTyS LrwM6dPCEWV+kd8+VsOjokKB8y7o9lUjLMmOvMtM4dC9bak8OoDy+fkxWkmMf48v KBRqsPN6rasEmDxGRDtLZN0CAzEMGcmndJDqMY4tV/v9IgnLRScaMJaz8Fsc8cY= =7Qy4 -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Love regards etc David Miller http://www.deadpansincerity.com 07854 880 883 -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Lina Srivastava -- linasrivastava.com | twitter http://twitter.com/lksriv | linkedinhttp://www.linkedin.com/in/linasrivastava -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Snowden: Unencrypted Journalist-Source Communications Unforgivably Reckless
Hi Nadim all, Le 13 août 2013 à 18:00, Nadim Kobeissi na...@nadim.cc a écrit : http://www.nytimes.com/2013/08/18/magazine/snowden-maass-transcript.html I hope sending this along will be useful for journalists on this list as well as for those who need extra material to help them convince their journalist friends to adopt privacy-preserving practices. As usual, I'll take the opportunity to again vouch for the need for accessible, easy to use encryption, like what Guardian Project, Whisper Systems and Cryptocat are working on. It is obviously one side-effect of PRISM revelations that more more journalists now feel the urge to update their work habits in order to protect their sources. And the more accessible tools we have, the easier it is for the people who feel concerned by these issues to advocate for such improvements. Good occasion for me to thank all the people involved in projects for easy-to-use anonymization encryption :) Cheers, Amaelle -- Amaelle Guiton Journalisme au futur extérieur @ Radio France ailleurs 0x5AF9 / micro_ouv...@jabber.ubuntu-fr.org-- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Snowden: Unencrypted Journalist-Source Communications Unforgivably Reckless
The passage Nadim highlights is of course quite appropriate for this list. But for those who have some extra time (it's very long) the whole article is worth reading. -- James S. Tyre Law Offices of James S. Tyre 10736 Jefferson Blvd., #512 Culver City, CA 90230-4969 310-839-4114/310-839-4602(fax) jst...@jstyre.com Policy Fellow, Electronic Frontier Foundation https://www.eff.org From: liberationtech-boun...@lists.stanford.edu [mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of Nadim Kobeissi Sent: Tuesday, August 13, 2013 9:00 AM To: liberationtech Subject: [liberationtech] Snowden: Unencrypted Journalist-Source Communications Unforgivably Reckless Hey LibTech, In a recently published interview with the New York Times, Edward Snowden called unencrypted communications between journalists and sources unforgivably reckless: I was surprised to realize that there were people in news organizations who didn't recognize any unencrypted message sent over the Internet is being delivered to every intelligence service in the world. In the wake of this year's disclosures, it should be clear that unencrypted journalist-source communication is unforgivably reckless. http://www.nytimes.com/2013/08/18/magazine/snowden-maass-transcript.html I hope sending this along will be useful for journalists on this list as well as for those who need extra material to help them convince their journalist friends to adopt privacy-preserving practices. As usual, I'll take the opportunity to again vouch for the need for accessible, easy to use encryption, like what Guardian Project, Whisper Systems and Cryptocat are working on. NK -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] verifying SSL certs (was Re: In defense of client-side encryption (Guido Witmond)
On Mon, Aug 12, 2013 at 11:10:39AM +0200, Guido Witmond wrote: There is another problem. You rely on HTTPS. Here is the 64000 dollar question: Q._What is the CA-certificate for your banks' website?_ I ask that question to anyone who claims to be security conscious. No one has given me positive answer so far. Not even a wrong answer. Only that people don't know. So I take it for granted that people won't verify anything, ever. FWIW, I did run my browser in trust on first use (TOFU) mode -- I deleted all the CA certs and manually added exceptions for each site, as I encountered the certificate warnings -- for several years. I've given up on that for modern websites because - sites frequently include resources from other hostnames, and JS/CSS https errors are silently ignored by Firefox - loadbalanced websites frequently have multiple certificates for a single hostname, and Firefox only allows a single certificate exception per hostname - expiration times have come down to, generally, 1 year, and with multiple certs per page, I was approving a new cert for most pages at least once every few months, decreasing the value of Trust in TOFU. So in some sense I would have been able to answer that what is the cert for your bank, by saying the one that I approved last year and has been correctly working since then. But the world has passed that model by. -andy -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Internet Policy Observatory: Call for Proposals
Libtech -- This might be promising for the academics and researchers amongst us. http://cgcsblog.asc.upenn.edu/2013/07/31/internet-policy-observatory-call-for-proposals/ Internet Policy Observatory: Call for Proposals The Center for Global Communication Studies (CGCS) at the Annenberg School for Communication at the University of Pennsylvania, announces a call for proposals under its Internet Policy Observatory (IPO). One of the goals of IPO is helping to develop a broad understanding of the conditions, processes and stakeholders that drive the development of Internet policies in pivotal countries, and of how those conditions influence developments at the regional and international levels. Proposals should address one or both of the two RFPs described below: * Internet Policy Observatory Regional Hub Grants * Internet Policy Observatory Thematic Grants Internet Policy Observatory – Regional Hub Grant The objective of this Call is to add to a global network of Regional Hubs supporting Internet policy research with specific regional perspectives. The purpose of these grants is to encourage research from a variety of disciplines to help further understanding on how global Internet policies evolve. This Call is open to persons and organizations who are particularly interested in Internet policy research, and who are based in countries that are located within (1) Latin America Caribbean, (2) Middle-East and North Africa[1], (3) South South-East Asia[2] / Pacific (4) Central Asia[3](5) East Asia[4] (6) Sub-Saharan Africa. Research groups, universities, and civil society organizations which already have research programs on Internet policy issues in the relevant countries and regions are particularly encouraged to apply. Beneficiaries of related, but different grants awarded under the Internet Policy Observatory may also apply to this call. Eligible proposals should address four core deliverables (Please view the full RFP for complete descriptions of deliverables): 1. Hub Study: The Internet Policy Observatory welcomes proposals that seek to investigate Internet policy issues within specific countries within a region, or alternatively the region as a whole. Potential topics to consider range across the wider field of Internet policy, including, but are not limited to, issues of Internet governance, Internet filtration and censorship, implications of military and security services activities and concerns on policy development, to name but a few examples. 2. Hub Survey: Proposals should speak to the organization’s capacity to carry out qualitative and quantitative research. As part of the Internet Policy Observatory’s effort to create a global Delphi (expert) survey on Internet policy formation, organizations will be expected to incorporate a strategy for the creation and implementation of regional surveys. 3. Hub View: A key task of the Regional Hubs is to regularly provide news on Internet-policy-relevant developments within their region to the IPO website. 4. Hub Action: Each Regional Hub should also propose further, regional specific activity – such as local conferences or workshops – that can be financed directly from the Grant or might be financed from other sources. Grants are expected to be USD 20,000-40,000 per application selected. Applications should be submitted by 5pm EST on September 15, 2013. Click here for the full RFP, including information about eligibility, deliverables, submission guidelines, and award criteria. Internet Policy Observatory Thematic Grants The objective of this Call is to encourage research by individuals and institutions particularly interested in Internet policy issues. This Call is open to persons and organizations who are particularly interested in Internet policy research and who are based in key countries/regions or led by a consortium that is located within the key regions. Research groups and civil society organizations which already have research programs on Internet policy issues in the relevant countries and regions are particularly encouraged to apply. Fluency in English is required both for research and relevant administration tasks. The thematic focus of the proposals may include, but is not limited to, one of the general areas (for full descriptions, please view the full RFP. * Technical developments and Internet policy * Governance and Internet policy * Internet policy and Internet/cyberspace ownership * Social media and Internet policy * The socio-economic impact of Internet policy * The language of Internet Policy Applications should be submitted by 5pm EST on September 15, 2013. Click here for the full RFP, including information about eligibility, deliverables, submission guidelines, and award criteria. For more information, please direct comments and questions to internetpol...@asc.upenn.edu -- *Collin David Anderson* averysmallbird.com | @cda | Washington, D.C. -- Liberationtech is a public list whose archives are searchable on
Re: [liberationtech] Snowden: Unencrypted Journalist-Source Communications Unforgivably Reckless
On 08/13/2013 09:00 AM, Nadim Kobeissi wrote: I hope sending this along will be useful for journalists on this list as well as for those who need extra material to help them convince their journalist friends to adopt privacy-preserving practices. As usual, I'll take the opportunity to again vouch for the need for accessible, easy to use encryption, like what Guardian Project, Whisper Systems and Cryptocat are working on. I've written a fairly comprehensive guide to using the tools that Laura Poitras, Glenn Greenwald, and Edward Snowden use to communicate securely, written primarily for journalists: https://pressfreedomfoundation.org/encryption-works -- Micah Lee @micahflee -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Lavabit, Silent Circle both shut down
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/13/2013 10:51 AM, Ralph Holz wrote: That's the company I use, too - and ultimately the reason I am asking because Chris Soghoian once told me that they log the connections. This seems to be supported by this inquiry made in 2011: http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/ They log for 6 months and say they will respond to requests under Swiss law. And that is a shitty situation. Swiss law however does affords at least some protections under the Swiss constitution. Unlike US law where all rights are instantly meaningless as soon as somebody says 'terrorism' (these effects also apply to US puppet-states such as UK and the Netherlands). Note that under Swiss law the wikileaks.ch domain was never taken down despite massive diplomatic pressure from the US to do so. France caved in even faster than in the summer of 1940 and took down wikileaks.fr I'll be the last person to claim either Switserland or Germany are ideal. But having looked around I can't find better places right now. If somebody does know of a better place to put servers I'd love to know about it. Obviously territory and law are just a little extra defense-in-depth. I believe much more in privacy-by-tech over privacy-by-policy/law. In the words of the great American strategist Lt Lockhart: http://youtu.be/UdK3ZImjPsY - -- Met vriendelijke groet/With kind regards, Arjen Kamphuis Gendo B.V. Main: +31 20 891 0330 mail: ar...@gendo.ch gendo.ch(website) gendo.nl/blog/arjen (Dutch blog) gendo.ch/en/blog/arjen (English blog) about.me/arjenkamphuis (social media) files.gendo.nl/keys/ar...@gendo.ch.asc (public key) PGP fingerprint: 55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2 Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands P please consider the environment before printing this email This e-mail message and its attachments are subject to the disclaimer published at the following website of Gendo: http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade register in The Netherlands under number 28116864. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJSCn8jAAoJECN9TFARig7CyYYQAIcMdwdQCRBWHstGPpPkoiH0 uCI8GO20krfIYekX3J7u1DgkwEkgXZzkI45J4xqfzaEAHWrZWDowFbROO8Tiybia d9PjpWX++S6xYvIFOm+G53XxpC3svaPcE2LIbZIuqrBpemF0yZ2YdDCwOXfEEm/G dNyoq6DSlve7cKUBZv9jCVHDm8LJI10pJ2chgB8rzpL/6A1oIt2OjLLXPdLjdRmW fOKi//Dmv3Vhe5Ox6ik4twPxYMbuI2Ur1s2eOdLjOpXHUm4QK/FtnkazpArRNGkm Zo7IZoY807Gb0RUst2brgY0rBfPVFHI+MxLwmbTuxRhbiwJHUqzKFjQoWjeOVGdr r8AU97kDRkjdPV71uZSU5hNWgYpwmf2QIhQqEWprXma815GOSqMyVgFeysd1CPKC 0AK0++m5xNZ2yi6XIBEpkbZlVIba15J/qic93dD0kKm+B2aCstbnVCdHZnvLAudB ZbIXQn9vEqKvyCAx2wi4HCGqxi/hsUzhxeX8rWA6FIp0rwgi+u9I1m7/AaFD6AYY h51aGgmOTOahhxU17tJ3SGG7NVetw78qbgGZ+uVx5VqtJC43yppL0mz+QUSRad5m vIlqgWKVyb86rDgiTk0R97vekfblM5qxYklBiguP7fKW3c0ghqi7XGsvdJzH/B0A 024Dfr8vrPAQkOtrYnU+ =Hime -END PGP SIGNATURE- -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Zwiebelfreunde take over popular onion.to Tor gateway
Hi Libtechies, I hope you don't mind me putting this press release here. Please spread if you like it. -- # Zwiebelfreunde take over popular onion.to Tor gateway (Dresden, 13.8.2013) The non-profit organization Zwiebelfreunde e.V. is known for the “Torservers” project, which over the past years has grown into a global network of organizations that maintain server infrastructure for the open anonymization network Tor. Today, Zwiebelfreunde has taken over a very popular web gateway for Tor hidden services, onion.to. Tor hidden services provide anonymity for website owners, mail providers, chat systems and other Internet services. Hidden services are designed to be accessed using Tor Browser, which additionally provides anonymity for users of the service. Web gateways such as onion.to provide a convenient way to reach hidden services using a regular browser without having to install Tor. A side effect is that the broad world of hidden services are exposed to search engines and can thus be indexed and found. The trade-off is that users lose anonymity: Both the gateway and the hidden service can track users across visits, and determine the user's IP address. That is why Zwiebelfreunde strongly encourages people to download Tor Browser instead. “By exposing hidden services to the public, we hope to attract even more users and widen the spectrum of available services within the Tor network.”, says Zwiebelfreunde founder and president Moritz Bartl. “I can imagine privacy-friendly email services to be based fully on hidden services in the future, for example.” The current gateway server is located in Iceland, and another one will be added in the near future. https://www.onion.to/ An example hidden service can be found at https://duskgytldkxiuqc6.onion.to/ # Zwiebelfreunde e.V. The German non-profit association Zwiebelfreunde e.V. serves as a platform for projects in the area of safe and anonymous communication. The organization facilitates and participates in educational events about technological advances in the area of privacy, and connects professionals to spread knowledge and experience on these fields. “Zwiebelfreunde” is German for “Friends of the Onion”, as a reference to Onion Routing, the name of the concept behind Tor for anonymizing communication: Messages are passed through relays that each removes one layer of encryption, like peeling the skin of an onion. Contact # Contact Moritz Bartl Zwiebelfreunde e.V. c/o DID Dresdner Institut für Datenschutz Palaisplatz 3 D-01097 Dresden Germany pr...@torservers.net Tel.: +49-(0)351 / 212 960 18 Fax.: +49-(0)911 / 308 4466 748 http://www.torservers.net/ http://www.twitter.com/torservers/ -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] ICANN and WHOIS reform...
Hi all, I didn't see any individuals or orgs from libtech comment to ICANN on the recent report to reform WHOIS. I wanted to put this on your collective radar if it's of interest to you. TL;DR: ICANN is working on reforming WHOIS, and their Experts' Working Group has come up with a pretty bad proposal, in our opinion. It would centralize validated registrant data and streamline legitimate access to this data. It would do things that appear almost entirely motivated by law enforcement and intellectual property interests, without much consideration of the interests of individual and non-commercial registrants. I'm including our blog post below... and a link to the 6-page comment that is our critique of their proposal. This was joint work with a marvelous CDT intern, a super-technical law student at Berkeley, Joe Mornin. He's behind http://latexforlawyers.org/ and many good things to come. PDF of full comments: https://www.cdt.org/files/pdfs/20130812_whois_comments-cdt.pdf Blog post... (links in original) https://www.cdt.org/blogs/joseph-lorenzo-hall/1308icann-must-do-better-job-privacy-and-whois ICANN Must Do a Better Job with Privacy and WHOIS by Joseph Lorenzo Hall August 13, 2013 In June, an Expert Working Group (EWG) with ICANN – the entity that controls the allocation of domain names and IP addresses on the Internet – released a report that proposed extensive changes to the WHOIS system. WHOIS allows anyone to look up details on who owns a domain name (e.g., the cdt.org WHOIS entry). The EWG asked for public input in response to their report and yesterday CDT submitted comments critical of the draft report, specifically focusing on serious privacy concerns. WHOIS, which was developed way back in 1982, initially served as a mechanism to identify who operated certain servers to make it easier to get contact information of these operators in case something technical went awry. These days, with many, many millions of domain names in operation and many more on the horizon, WHOIS is showing its age in a number of respects. For example, for personal domain registrants – e.g., josephall.org – WHOIS essentially reports sensitive contact information, notably email addresses, postal addresses, and phone numbers. It’s widely known that WHOIS data is highly inaccurate; many individual domain name registrants provide inaccurate data to avoid having their personal information broadcast to the world (to be fair, spammers and scammers also provide inaccurate data to avoid scrutiny). Many others – like me! – use proxy services that mask personal information but that still allow email and postal mail to eventually be routed to them through the proxy provider. The EWG was chartered to provide possible solutions for a revamped WHOIS that would better address privacy, security, and accessibility of WHOIS data. The draft report proposed a centralized, validated WHOIS system with a gated access model where registrant data would be made freely available. In our comments we raised a number of concerns about this approach and offered recommendations, including: The current WHOIS system raises privacy and free expression concerns by requiring registrants to disclose sensitive information. The EWG report does a good job of outlining use cases for access to currently available registrant data, but we think it should also reexaminine what data must be available today, in light of the vastly more complex modern Internet environment. The proposed privacy scheme and validation of registrants is unnecessary and unworkable. Instead, ICANN should protect registrants’ privacy by default. We believe that individual registrants (noncommercial entities) should not have any information disclosed by default other than what is needed for the proper technical functioning of the domain name system. A centralized system is unnecessary and unstable. The gatekeeper under the new proposal would be a poor substitute for existing legal processes because the WHOIS database operator would likely lack the capacity to identify and/or reject illegitimate or overly broad requests. ICANN is unique and must act in an extra-jurisdictional capacity, so it is difficult to see how this new WHOIS would deal with, for example, a Chinese law enforcement request targeting a citizen of another country. Additionally, the EWG focused on a single model for a new registrant database, rather than a suite of possible models for the public and stakeholders to consider. This greatly limits the conversation that can be had around possible enhancements to WHOIS. We encourage ICANN to consider multiple solutions to this complicated problem and believe the EWG should be explicitly re-tasked with recommending a number of additional models in light of feedback they receive, not just the one current flawed proposal. -- Joseph Lorenzo Hall Senior Staff Technologist Center for Democracy Technology 1634 I ST NW STE 1100 Washington DC 20006-4011 (p)
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
Hi Kyle, don't take it so hard. I asked this question so _everybody_ who'd like to try the celebrity video trick would be able to collect a few likely candidates. Likely others will beat me to it. On Mon, Aug 12, 2013 at 7:29 PM, Kyle Maxwell ky...@xwell.org wrote: I didn't know LibTech had become the PassLok development mailing list. On Mon, Aug 12, 2013 at 6:26 PM, Collin Anderson col...@averysmallbird.com wrote: The problem with occasionally looking at Huffington Post is that I'm subjected to such things... Matt Damon: He broke up with me, the Elysium star said. There are a lot of things that I really question, you know: the legality of the drone strikes, and these NSA revelations they’re, you know, it’s like, they’re, you know, Jimmy Carter came out and said we don’t live in a democracy. That’s, that’s a little, that’s a little intense when an ex-president says that. So, you know, he’s got some, some explaining to do, particularly for a constitutional law professor. http://www.huffingtonpost.com/2013/08/09/matt-damon-obama-broke-up-with-me_n_3732426.html?utm_hp_ref=entertainment On Mon, Aug 12, 2013 at 11:44 PM, Yishay Mor yish...@gmail.com wrote: Cory Doctorow - sent from my phone. On Aug 12, 2013 9:33 PM, Francisco Ruiz r...@iit.edu wrote: Quick request. In comments to a recent post, people seemed to agree that publishing a video of someone reading a hash might be a fairly hard-to-hack way to deliver that hash to the public, and thus assure the authenticity of a piece of code, a public key, or whatnot. The problem is that the sample youtube video I linked had yours truly reading the hash, and people naturally objected that I wasn't Justin Bieber and, consequently, weren't too convinced that the video was authentic. Aside from the fact that an adversary might be able to convince Justin Bieber to make a video reading a fake hash (not that I believe Justin doesn't care; it's just a hypothesis), the idea of getting a celebrity for this kind of video has a lot of merit. I'd like to engage one for the next update of my app. So, here's my question. Does any one know of a celebrity who cares enough about computer security to be persuaded to take one minute of his/her time to read a hash before a camera? Thanks a million! -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app at: http://passlok.com -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Collin David Anderson averysmallbird.com | @cda | Washington, D.C. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- @kylemaxwell -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app at: http://passlok.com -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
Hi Guido, This looks very interesting, but I have trouble understanding it. Can you give me a sample URL where this is being shown in action? Many thanks. On Mon, Aug 12, 2013 at 4:34 PM, Guido Witmond gu...@witmond.nl wrote: Dear professor Ruiz. The real issue is to create an *easy* way to do hash validation correctly. Reading a hash on youtube is not going to make it. You use HTTPS without DNSSEC and DANE. Please use those first. It solves a lot of your server validation issues. At least it allows your users' browsers to validate code44.com. I repeat: Hashes are for computers, not for people. Plugging my own warez: I believe I've come up with a way to do DNSSEC and DANE in combination with a certificate repository. It allows the browser to validate the authenticity of a server certificate. When validated it can be sure that the javascript found at a page is indeed that what the page-author wanted. Please see: http://eccentric-authentication.org/blog/2013/03/23/Cryptographic-same-origin-policy.html And please ask if anything is unclear. I love to receive comments on where I'm right or wrong. Regards, Guido. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Francisco Ruiz Associate Professor MMAE department Illinois Institute of Technology PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok get the PassLok privacy app at: http://passlok.com -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] [Dewayne-Net] Are Hackers the Next Bogeyman Used to Scare Americans Into Giving Up More Rights?
Haven't hackers always been portrayed in a way to scare people? * If it's not dDoSing script kiddies, its zombie network owning Latvian mafias.. If this *is* the case, how can General Alexander go to Blackhat 2013 and say (paraphrasing) we (CIA) use the same tools as you do. Help us protect America by teaching us rad haxoring skills.? *: I still have a problem with the incorrect use of the word hacker here..but it's already passed into common usage. On 12 Aug 2013, at 22:55, michael gurstein gurst...@gmail.com wrote: -Original Message- From: dewayne-...@warpspeed.com [mailto:dewayne-...@warpspeed.com] On Behalf Of Dewayne Hendricks Sent: Tuesday, August 13, 2013 4:32 AM To: Multiple recipients of Dewayne-Net Subject: [Dewayne-Net] Are Hackers the Next Bogeyman Used to Scare Americans Into Giving Up More Rights? Are Hackers the Next Bogeyman Used to Scare Americans Into Giving Up More Rights? Has terrorism grown a little stale as an all purpose boogeyman? By Digby Aug 12 2013 http://www.alternet.org/are-hackers-next-bogeyman-used-scare-americans-givi ng-more-rights Marcy Wheeler has been speculating for a very long time that the real purpose of all this NSA collection isn't terrorism, it's hacking. These comments last week from Michael Hayden lend a lot of credence to that theory in my eyes: If and when our government grabs Edward Snowden, and brings him back here to the United States for trial, what does this group do? said retired air force general Michael Hayden, who from 1999 to 2009 ran the NSA and then the CIA, referring to nihilists, anarchists, activists, Lulzsec, Anonymous, twentysomethings who haven't talked to the opposite sex in five or six years. They may want to come after the US government, but frankly, you know, the dot-mil stuff is about the hardest target in the United States, Hayden said, using a shorthand for US military networks. So if they can't create great harm to dot-mil, who are they going after? Who for them are the World Trade Centers? The World Trade Centers, as they were for al-Qaida. That's just a tiny bit overwrought for an allegedly serious expert, don't you think? In fact, it sounds like the kind of thing we heard from various members of the Bush administration during the early days after 9/11. And it certainly indicates, as Wheeler has been speculating, that the government is stretching the terrorism laws to include hacking. They certainly are using the same histrionic language to describe it. Under Hayden, the NSA began to collect, among other things, the phone records and internet data of Americans without warrants after 9/11, a drastic departure from its traditional mission of collecting foreign intelligence. A variety of technically sophisticated collection and analysis programs, codenamed Stellar Wind, were the genesis of several of the NSA efforts that Snowden disclosed to the Guardian and the Washington Post. [snip] Dewayne-Net RSS Feed: http://www.warpspeed.com/wordpress -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Bernard / bluboxthief / ei8fdb IO91XM / www.ei8fdb.org -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Speculation as to what the US government ordered Lavabit to do?
I don't think I've seen educated speculation here about what the court order that Lavabit received actually ordered them to do. Here is my own guess and I'm wondering if people have thoughts. First, from an interview with Ladar Levison ( http://possibility.com/LavabitArchitecture.html ) it seems clear that they wrote ciphertext to disk for each message in a users' account: * Do you use any particularly cool technologies or algorithms? The way we encrypt messages before storing them is relatively unique. We only know of one commercial service, and one commercial product that will secure user data using asymmetric encryption before writing it to disk. Basically we generate public and private keys for the user and then encrypt the private key using a derivative of the plain text password. We then encrypt user messages using their public key before writing them to disk. (Alas, right now this is only available to paid users.) So, in excruciating detail I read this to mean: 1. When a user signs-up, they create a log-in password. 2. The system creates a key pair. 3. The private key is encrypted symmetrically using some hard variant of the log-in password. 4. Both keys stored to disk. Clear private key wiped from memory on log-out. 6. Whenever a message is stored for the user (regardless of login state), the system encrypts it with the public key. 5. When a user logs in, their login password is turned into the hard variant and used to symmetrically decrypt the private key. This private key is placed in secure memory, etc. 7. When the user views a message (or presumably searches an encrypted index of messages), it uses the private key in memory to decrypt it. 7. When the user logs out, the private key in memory is wiped. This means that access to decrypted message content was only available when a user was logged in. From a surveillance perspective, this means that the private key would have to be read from memory or during the write to memory. (I still don't know how password changes would work here... maybe they just re-encrypt the private key with the new hard variant?) This is all to say that I suspect the government's order requested ongoing access to the private key(s) in memory for some subset of Lavabit users, such that they could ask in the future for the encrypted contents of those users' accounts and easily look up these private keys to get the message cleartext. It's unclear to me if this would require an order that ordered Lavabit to write software to do this (e.g., a backdoor), but it sounds like that's the case. And it seems clear that by shutting down the service last week, no one can log-in again such that their ciphertext is safe. best, Joe -- Joseph Lorenzo Hall Senior Staff Technologist Center for Democracy Technology 1634 I ST NW STE 1100 Washington DC 20006-4011 (p) 202-407-8825 (f) 202-637-0968 j...@cdt.org PGP: https://josephhall.org/gpg-key fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8 -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] In defense of client-side encryption
Hi Steve. I want to thank you for taking your time to help me. Your comments are awesome. May I follow up with some short questions, right after some of your comments? Many thanks in advance. On Mon, Aug 12, 2013 at 7:18 PM, Steve Weis stevew...@gmail.com wrote: Francisco, you assume that all browsers will save a static version of the page identically. This is not the case. I ran a test using 'wget https://passlok.site44.com' and Chrome's Save As. The former will actually match the hash value you've posted, but the latter does not. I spotted at least 5 differences in Chrome's saved output: 1. Unicode: wget returned escaped Unicode characters. Chrome saved output containing actual Unicode characters. Your suggested method of cutting from view-source and pasting into a text editor may be unpredictable, and dependent on a user's OS and locale. I think the Unicode characters got in when I added the qr.js code, which had comments in Korean ;-) Do you think it's maybe best to get rid of anything that is not strict ASCII? The code doesn't need any special characters. 2. Relative link re-writing: wget returned relative links. Chrome replaced them with absolute links, so that links work locally. I've toyed with the idea of making absolute the couple relative links in there: the png for making a mobil icon, and the help page. Maybe it's better if they are absolute so the browser doesn't change them, uh? 3. Whitespace: Chrome stripped out some whitespace. I've tried to make super-sure that the code has no leading and no trailing spaces or linefeeds, so maybe wget is adding spaces? 4. Style rewriting: Chrome replaced some style elements like background-color: #FFA0A0 with rgb(230, 255, 230);. 5. Chrome extensions: I have locally installed extensions that modify page contents, e.g. AdBlock and DoNotTrackMe. My locally saved copy of Passlok had elements that were injected into it by some extensions. Any of these will break your manual hash validation. These are specific to my version of Chrome, but other browsers may alter saved content similarly. I've spent a lot of time making the code run nice and polishing the user interface. I didn't suspect code validation was going to be this difficult. Truth is, most users are never going to bother with validating the code, but a few will care intensely about this. To work, you must assume that your user has a local client (say wget or curl) that can save a canonical copy of your page without modification. Browsers do not guarantee this. Then you must assume the user has a locally installed tool to compute the hash, like sha256sum or openssl. Then they would need to point their browser at the locally downloaded file to actually use it. If you depend on locally installed software outside the browser and use local storage, the user is better off just using locally installed software to do the crypto. PS - I noticed some oddness glancing through the source. For example, the makepub() function strips 6 bits of a Base64-encoded leading 0 for no apparent reason. The rest of the code has to remember to keep adding back in the missing Base64 character or else it will break. The only reason I can think of someone doing this is because they didn't understand why the randomly generated Base64 value always started with 'A'. Ah, you saw that. It's the elliptic curve output. SJCL handles points and exponents as complex recursive objects. In order to display them for the user, I extract the data and convert it into base64. For reasons that I don't fully understand (probably having to do with 521, the true bit length of the elliptic curve numbers, not being divisible by 6), those strings always start with A. Since I intensely dislike displaying supposedly random-looking strings that always begin with the same character, I strip it, but instruct the functions that read those strings from the interface to add it again before they do any calculations. Thanks again, Steve! On Sun, Aug 11, 2013 at 7:37 PM, Francisco Ruiz r...@iit.edu wrote: I still have to read through the references you supply, but I can already see a misconception. They refer to the dangers of carrying out cryptography with javascript-containing dynamic pages. My previous posting referred to _perfectly static_ pages, which are supposed to be always the same coming from the server, not modified by the browser in any way, and which, in fact, you can save and store somewhere safe and never again have to get from the server. I believe the intrinsic security of this kind of javascript code is no different from that of compiled code, which also should be checked for tampering, so long as it uses standard functions that are not likely to be modified in browser updates. Sorry about the confusion. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated:
Re: [liberationtech] Speculation as to what the US government ordered Lavabit to do?
On 13.08.2013 23:54, Joseph Lorenzo Hall wrote: This is all to say that I suspect the government's order requested ongoing access to the private key(s) in memory for some subset of Lavabit users, such that they could ask in the future for the encrypted contents of those users' accounts and easily look up these private keys to get the message cleartext. Yes, that is my also my thinking. It's unclear to me if this would require an order that ordered Lavabit to write software to do this (e.g., a backdoor), but it sounds like that's the case. And it seems clear that by shutting down the service last week, no one can log-in again such that their ciphertext is safe. Sounds very similar to what happened with Hushmail around 2007. I do believe they had a secure client, but were forced to put in a backdoor. Java Anon Proxy (JAP) developed at my university in Germany was convinced to put in a backdoor by extra-legal pressure in 2003. -- Moritz Bartl https://www.torservers.net/ -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Is spideroak really zero-knowledge?
Oh. Yes. I definitely remember reading User Authentication Process a few weeks ago. That's why I feel like they implement the zero-knowledge psw proof. Why did they take it down? NSA on the move already? Percy Alpha(PGP https://en.greatfire.org/contact#alt) GreatFire.org Team On Tue, Aug 13, 2013 at 2:52 AM, elijah eli...@riseup.net wrote: On 08/13/2013 12:32 AM, Tony Arcieri wrote: On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha percyal...@gmail.com mailto:percyal...@gmail.com wrote: @Tony, The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. https://spideroak.com/engineering_matters Again, they seem to be talking about client-side encryption here. A zero-knowledge proof around a password looks a bit more like this: https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol Short of implementing something like SRP they don't have a true zero knowledge system IMO Curious, they used to actually include some notes on how they use a zero knowledge proof for authentication, but it has been taken down. Waybackmachine has the old text: http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters Perhaps they changed how they do authentication. -elijah -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] Passlok's broken security model
Hi Francisco. I split this off into a new thread, since it touches on some points on why the security model for Passlok is broken. Comments inline... On Tue, Aug 13, 2013 at 2:54 PM, Francisco Ruiz r...@iit.edu wrote: 1. Unicode: wget returned escaped Unicode characters. Chrome saved output containing actual Unicode characters. Your suggested method of cutting from view-source and pasting into a text editor may be unpredictable, and dependent on a user's OS and locale. I think the Unicode characters got in when I added the qr.js code, which had comments in Korean ;-) Do you think it's maybe best to get rid of anything that is not strict ASCII? The code doesn't need any special characters. No, there are other Unicode characters in the document, e.g. U+25BC. Manually removing these characters isn't going to help you. I changed my browser's default encoding. That changes the charset in the html tag, as well as some characters in the body. I tried UTF-8, Arabic, and Chinese encodings and they all saved with slightly different data, which will all fail to verify with your single hash value. Chrome ships with like 30 different supported encodings and each browser may handle this differently, so there are many potential hash values from your page. I've spent a lot of time making the code run nice and polishing the user interface. I didn't suspect code validation was going to be this difficult. Truth is, most users are never going to bother with validating the code, but a few will care intensely about this. If users have to trust the code that is served every time they visit Passlok, then users have to trust you and your hosting provider Site44 entirely. If Site44 were compromised or subpoenaed, you may not even know about it. You suggested users download the Passlok page, validate it themselves, and run their local copy. Now you say that nobody is going to bother, which means we're back to the security model of trusting you and your hosting provider entirely. Ah, you saw that. It's the elliptic curve output. SJCL handles points and exponents as complex recursive objects. In order to display them for the user, I extract the data and convert it into base64. For reasons that I don't fully understand (probably having to do with 521, the true bit length of the elliptic curve numbers, not being divisible by 6), those strings always start with A. Since I intensely dislike displaying supposedly random-looking strings that always begin with the same character, I strip it, but instruct the functions that read those strings from the interface to add it again before they do any calculations. You admit you don't understanding what's going on with the encoding, but decided to intentionally corrupt an encoded key value because you didn't like a string looking non-random? The consequence is that you added unnecessary code complexity to fix the key value every time you want to use it. Did you change any other part of the crypto implementation based on aesthetics? -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.