Re: [liberationtech] Bangladesh's new ICT Act and Law

2013-08-20 Thread Md.Rahmatullah Faruque
Dear Hasib Vhai,

Thanks for sharing the new ICT Act 2013. The new act seems to be
promulgated to strangle the right of expression of a human being. ICT is a
strong instrument to promote and protect human rights, but now people will
feel unsafe to express their opinion over political arguments lest they are
apprehended. As a development practitioner, I am much worried over the ICT
Act & law.

Faruque


On Tue, Aug 20, 2013 at 1:18 PM, Hasib Ahsan hasib.ah...@gmail.com wrote:

 Is Bangladesh going to a new era of Digital Darkness? Freedom of the net
 will not only be questioned but also be punished. According to the new act,
 law enforcement agencies can arrest any person without a warrant.
 Previously we have seen persons taken into custody for sharing statuses
 against political decisions in social media and blogs. Now, we might see
 some more from the new act. You can find the news below -

 http://www.thedailystar.net/beta2/news/ominous-draft-cleared-by-govt/

 Thanks

 Hasib

 *Hasib Ahsan*
 *Senior Program and Research Manager *
 *mPower Social Enterprises Ltd.*

 *ICT Head of Operation (Project Manager), *USAID Agricultural Extension
 Support Activity Project (2012-2017)
 *Project Manager, *WaterAid mobile based Programme Management Information
 System (mPMIS)
 *Project Manager, *mLivestock intelligence for Shiree (DFID, UkAid)
 *Senior Program Manager, *iStrategy Limited (Rockefeller Foundation
 e-Health project with GoB)

 *Cell:* +8801711076753
 *Skype:* nadeem_hasib
 *Website:* www.mpower-social.com

 --
 Liberationtech is a public list whose archives are searchable on Google.
 Violations of list guidelines will get you moderated:
 https://mailman.stanford.edu/mailman/listinfo/liberationtech.
 Unsubscribe, change to digest, or change password by emailing moderator at
 compa...@stanford.edu.


Re: [liberationtech] [Dewayne-Net] Are Hackers the Next Bogeyman Used to Scare Americans Into Giving Up More Rights?

2013-08-20 Thread Shelley
Julian,

If it weren't for the late, great Howard Zinn, I wouldn't have known the extent 
of the USA's egregious crimes in Laos. They tend to teach a very 
different version of history here.

Your summation of our present situation is spot-on (if somewhat kinder than my 
own views of the majority of my fellow citizens.)

>> Up until that point, we have a hostage situation.

It truly feels that way. The propaganda here is just awful, and the lack 
of critical thinking skills amongst the general populace makes for a credulous 
lot.

We can but hope these latest disclosures via the brave Ed Snowden will shake 
enough of them from their stupor long enough to stand and take action.

-Shelley


https://prism-break.org/

On Aug 19, 2013 8:28 PM, Julian Oliver <jul...@julianoliver.com> wrote: 

[...]

OT: Speaking of violence, greetings from Vientiane, Laos, where I'm told to
greet with "I'm not an American!". Seems locals are still a bit grumpy about the
70+ civilians killed by U.S. bombs in the Vietnam War. 

There were more bombs dropped here by U.S. (260 million) than all the bombs
dropped in WWII. The U.S. wasn't at war with Laos. 80 million bombs still lie in
the fields, unexploded, and no U.S. gov since the war will help clean up. Few
Americans would know of this. Many won't even know where or what Laos is.

U.S. taxpayers bankrolled that death and suffering. I don't think the majority
of people in the U.S. would be OK with that if transparently given the choice
to do so again today. Americans - generally speaking - aren't a violent
blood-thirsty people. They are however - generally speaking - drunk on national
myths, spun-out on bad news and kept very much out of touch with what their
government (as a group of powerful people) actually does - what it is interested
in, what it wants.

This is why whistleblowing is so very important.  Only in knowledge can a
democracy ever take seed. If, after tangible knowledge of such violence wrought,
(under so and so terms, at such and such cost, with these and these goals)
citizens are /still/ to vote in favour, then sad and terrible that country is.

Up until that point, we have a hostage situation.

Cheers!

-- 
Julian Oliver
PGP B6E9FD9A
http://julianoliver.com
http://criticalengineering.org

[liberationtech] Cryptocat: Call for Translators. Please Participate!

2013-08-20 Thread Nadim Kobeissi
Dear Libtech,

Echoing Commotion's recent call for translators on this list:

Cryptocat is adding cool new features (and modifying some existing ones) over 
the upcoming weeks, all of which necessitate the translation of various new 
words and sentences for the user interface. Currently, Cryptocat is available 
in almost 40 languages, and maintaining these translations would be impossible 
without the participation of language speakers from around the world.

You can very easily contribute to Cryptocat translations here:
https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/

Just pick a language and fill it up to 100%! If you know people who can help, I 
urge you to please forward this email to them.

The following languages are priority. Any language not on this list is 
considered not necessary to fully translate at the moment.
Catalan
Arabic
Chinese (Hong Kong)
Chinese (China)
Urdu
Tibetan
Russian
Estonian
Czech
German
Danish
Spanish
Basque
Greek
Farsi
French
Japanese
Hebrew
Bengali
Italian
Khmer
Korean
Latvian
Dutch
Norwegian
Polish
Portuguese
Bulgarian
Swedish
Turkish
Vietnamese
Uighur

Thanks very much, and please don't forget to pass this around to people who may 
know these languages and be able to translate from English.

NK

Re: [liberationtech] Cryptocat: Call for Translators. Please Participate!

2013-08-20 Thread Amin Sabeti
I'll do the Persian language :)

A


Re: [liberationtech] Cryptocat: Call for Translators. Please Participate!

2013-08-20 Thread Arif YILDIRIM
I'll do the Turkish Language.

-- 
Dr.Arif YILDIRIM


Re: [liberationtech] Seeing threats, feds target instructors of polygraph-beating methods

2013-08-20 Thread R. Jason Cronk
Speech in and of itself is generally not target-able. However, speech 
that accompanies some action can be. Someone saying "I'm going to shoot 
the president" might get you a visit from the Secret Service but not 
arrested. Someone saying that and buying a gun and flying to D.C. could 
actually get prosecuted, even if they posed no real threat.


Here, it isn't so much the speech that is being targeted. If he is 
teaching people how to lie to Federal prosecutors and he knows that they 
are going to lie to Federal prosecutors he is aiding in the commission 
of a crime. However, just publishing a book on techniques or even 
teaching someone without knowing that they are potentially to be 
questioned/interrogated, then no crime has been committed.


Jason Cronk



On 8/19/2013 10:42 PM, Tom Ritter wrote:

I'm trying to think of how you could prosecute free speech (in the
US).  It's not illegal to talk about how to use rusty nails to create
thermite - that's been in the Anarchist Cookbook for years.  It's a
somewhat fine line between "X should be killed" and incitement to
murder but as all the Assange and Snowden press has shown, that's not
a great indicator.  I don't _think_ nuclear secrets is actually
protected, it's just that the individuals who know about them are
contracted/NDA-ed/under classified restrictions.

ESPECIALLY when polygraphs aren't actually accepted by the courts, as
far as I know.

/sigh

So far, authorities have targeted at least two instructors, one of
whom has pleaded guilty to federal charges, several people familiar
with the investigation told McClatchy.

Love to know the inside details of the person who pleaded guilty, and why.

-tom



*R. Jason Cronk, Esq., CIPP/US*
/Privacy Engineering Consultant/, *Enterprivacy Consulting Group* 
enterprivacy.com


 * phone: (828) 4RJCESQ
 * twitter: @privacymaverick.com
 * blog: http://blog.privacymaverick.com


Re: [liberationtech] Fwd: Avaaz in grave danger due to GMail spam filters

2013-08-20 Thread Matt Holland
Hi everyone, this is Matt Holland, head of online stuff here at Avaaz. I
would have replied sooner, but just returned from a week away. I've been a
member of the list for a while, because I learn a ton from all of you. I
haven't had anything valuable to contribute before now, but glad to have
the opportunity to switch from lurker to poster. So, some replies:

Moritz: I'd be thrilled if everyone could use an email account from Riseup
or similar, but as others have said it's pretty hard to convince people to
change their email service, and convenience often trumps other concerns.
Our judgement is that we accomplish more overall by meeting people where
they are, even though that involves these sorts of Gmail hassles sometimes.

Tom O: It's true that some people sign a petition and then disappear, but
actually a high percentage of Avaaz members stay engaged over time. This
isn't an advertisement for Avaaz, but you might not know that the petitions
are just the tip of the iceberg -- we have scores of organizers around the
world who use that citizen pressure as a tool to lobby decisionmakers, get
stories into the media, affect administrative policy decisions, shame
corporations into changing their behavior, etc.

Rich: We actually do run our email lists in-house, sent from our own MTAs,
with appropriate SPF records, DKIM signature, list-precedence headers, etc.
etc. Our message to members was focused on getting into a particular tab
at Gmail though; I think if we were having problems with those basic
list-management issues we'd be more likely to see our messages being marked
spam or just dropped outright.

Jillian: I think Ricken's response was more about the Executive Director
engaging in a lengthy debate about that particular issue back in 2012. As
an organization we work closely with all sorts of allies all over the
world, and I have personal relationships with several people on this list.

I gain a huge amount from this community and the work many of you do
individually, and I hope I can return the favor some day.


-- 

Matt Holland
Chief Online Officer
Avaaz
www.avaaz.org
Email: m...@avaaz.org
Skype:  tm_matt

PGP key: http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0xE2A4F7982BE302CB
(at keyserver.pgp.com)

Fingerprint:
3150 3B69 3B8A 9786 C951 EDE0 E2A4 F798 2BE3 02CB

Re: [liberationtech] Cryptocat: Call for Translators. Please Participate!

2013-08-20 Thread Buddhadeb Halder
I will do Bengali.

On Tuesday, August 20, 2013, Neil Blazevic neilblaze...@gmail.com wrote:
 What would be the process to add other languages? I could potentially
round up some Swahili translators one day.
 Neil

 Sent from a mobile device

[liberationtech] South-by-Southwest Interactive Workshop on Surveillance, Technology, and Privacy

2013-08-20 Thread Yosem Companys
from: Bobby Chesney rches...@law.utexas.edu

http://www.lawfareblog.com/2013/08/south-by-southwest-interactive-workshop-on-surveillance-technology-and-privacy/

In connection with the annual South-by-Southwest Interactive (SXSWi)
conference here in Austin, UT’s Robert S. Strauss Center for
International Security and Law has proposed a nifty event focused on
the intersection of privacy, technology, and surveillance.  The
proposal is for a 2.5 hour workshop featuring Susan Landau, Tim Edgar,
Jeff Rosen, and me. The catch is:  there are thousands of proposals
every year, and voting by the public plays an important role in the
selection process.  So, if you think you might be in Austin for SXSWi,
or in any event if you just want to lend us your support, your help
would be most welcome.  Here is the announcement and the link for
voting (and here’s a video in which I demonstrate that it is in fact
quite difficult not to look and sound uncomfortable on camera…yeesh.).

Is privacy dead? Is Big Brother always watching? Or are enhanced
surveillance programs necessary in a world where terrorism is an
ever-present threat? The Strauss Center has proposed to host a
workshop at this year’s South by Southwest (SXSW) Interactive to get
to the heart of these issues by engaging in conversation with experts
in technology, intelligence, law, and policy and you – the audience!
But to make it all happen, the proposal needs your vote. Vote now for
the workshop “After Snowden: Privacy, Surveillance, and the
NSA.” [Note: the SXSW system asks you to register, and then lets you
pick out proposals you want to support]

Edward Snowden’s dramatic revelations of classified information this
summer set off a massive public debate concerning the intersection of
technological change, national security, and privacy. Alas, that
debate is not always sufficiently well informed when it comes to its
legal, policy, and technical aspects. This workshop is meant not to
evangelize in favor of any one particular solution, but rather to
provide attendees with a sophisticated-but-accessible foundation for
sharpening (or perhaps changing) their own views. It brings together
dynamic, nationally known experts in technology, privacy policy, civil
liberties, law, and U.S. government intelligence policy. The workshop
will delve into the technical and policy aspects of national security
surveillance, the evolution of the legal architecture governing the
NSA, and the way that things may develop in the years ahead. It will
also deploy classroom “voting” technology and other participatory
measures to directly engage attendees.

But to make this a reality, the proposal needs your vote! If you think
this conversation would be a great addition to SXSW Interactive,
please take the time to vote for the workshop on SXSW’s Panel Picker.
Voting is open from now until September 6, so get your vote in today!

The Robert S. Strauss Center for International Security and Law at The
University of Texas at Austin provides the imagination, leadership and
intellectual innovation required to help meet the challenges of the
21st century. It is designed to be a new kind of institution, one that
engages the best minds in academia, government and the private sector
in developing practical solutions to the pressing problems of an
increasingly globalized world. The Center seeks the widest possible
audience, enriching the public debate and giving guidance to decision
makers on how to respond to dangers and opportunities in global
affairs. For more information on the Strauss Center, visit our website
at www.strausscenter.org.


[liberationtech] FYI: SXSW proposed panel discussion

2013-08-20 Thread Nicholas Merrill

  NSA and the future of web users and web companies

On Thursday, June 6, 2013, the PRISM story broke, shattering any trust
we had in the US government with regards to online privacy. At a
pinnacle point in technological advancement, the tech industry is now
faced with the prospect of National Security Letters, data subpoenas and
constant privacy and security concerns from customers. This panel will
be a frank discussion about the NSA, online surveillance, and the
privacy expectations from the perspective of both web users and web
companies. This will be a conversation that presents the societal
benefits of network analysis alongside the fears and concerns.


Questions Answered

 1. What to do when you receive a National Security Letter
 2. How to handle your customers' and users' questions and concerns
 3. How to protect your customers and users
 4. What you can do to protect your business
 5. What to expect from the NSA in the future


Speakers

  * Matthew Prince CloudFlare https://www.cloudflare.com/
  * Nicholas Merrill The Calyx Institute https://calyxinstitute.org/
  * Cesar Hidalgo MIT http://chidalgo.com/index.html
  * Brad Burnham Union Square Ventures http://www.usv.com/


Organizer

Kristin Tarr CloudFlare https://www.cloudflare.com/


Cast Your Vote:   http://panelpicker.sxsw.com/vote/23181



-- 
Nicholas Merrill
Executive Director
The Calyx Institute
287 Spring Street
New York, NY 10013


Re: [liberationtech] Trsst: An Open and Secure Alternative to Twitter

2013-08-20 Thread Rianna Morgan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 08/18/2013 01:47 AM, Edwin Chu wrote:
 I came across this project in kickstarter. Subscribers of this list
 may find it interesting. (Btw I am not associated with them)
 
 --
 
 Welcome to Trsst: An Open and Secure Alternative to Twitter
 
 Post your thoughts, share links, and follow other interesting
 people or web sites, using the web or your mobile or any software
 of your choice.
 
 All of your private posts to individuals or friends and family are
 securely encrypted so that even your hosting provider - or
 government - can't unlock them. All of your public posts are
 digitally signed so you can prove that no one - and no government -
 modified or censored your writings. You control your identity and
 your posts and can move them to another site or hosting provider at
 any time. Think of Trsst as an RSS reader (and writer) that works
 like Twitter but built for the open web.  The public stuff stays
 public and search-indexable, and the private stuff is encrypted and
 secured.  Only you will hold your keys, so your hosting provider
 can't sell you out.
 
 
 http://www.kickstarter.com/projects/1904431672/trsst-a-distributed-secure-blog-platform-for-the-o/description

 
 
 


Today on Twitter I (@arRMorgan) had an extended engagement with the
Trsst (@TrsstProject) developers.  In this email, I have included my
questions and the Trsst Team's responses, as well as any follow-up
commentary I had.  Hashtags and other such characters have been
eliminated.

Overall, I was very pleased with the speed, clarity, and content of
their responses to my questions.

Cheers,
Rianna Morgan

*
Q1: Will the TrsstProject be Free and Open Source? Are there plans to
open the source at any point?
https://twitter.com/arRMorgan/status/369883363768676352

Trsst: Yes. We're starting with the critical bit - the client - out in
the open in JS w/ off-the-shelf open-source. Needs many eyes.

Trsst: The server will follow because the first cut is kind of
quick-and-dirty code to test the client, and server is dumb anyway.

RM: JavaScript? Rather concerning for me, honestly. Most
#cryptographers I've read seem to think it lends itself to insecurity.

***

Q2: With TrsstProject does all #encryption take place client side? Not
totally clear from white paper.
https://twitter.com/arRMorgan/status/369884124128882688

Trsst: YES. Client-side crypto is what makes it work. Reference impl
is in JS, but we want to see many hardened native clients.

Trsst: We like to say: it's all https get and post, so you can write
our own client with openssl+curl+bash if you trust your binaries

RM: That is freaking awesome though! Client-side is a great way to
make dragnet #surveillance difficult. Very glad to hear that.

**

Q3: In what jurisdiction does @TrsstProject intend for its servers to
be located? https://twitter.com/arRMorgan/status/369886356840783872

Trsst: We're in the US, but doesn't matter given that the servers
don't store anything non-public that isn't encrypted.

Trsst: If your client randomizes which trsst servers you pull from and
post to, then the connection logs won't be useful either.

**

Q4: Will TrsstProject have a function for password retrieval?
https://twitter.com/arRMorgan/status/369892215520112640

Trsst: We never see or hear the password used to encrypt your
keystore, nor do we want to. Probably the weak link wrt consumer UX.

**

Q5: For the record, will @TrsstProject ever have access to users'
secret keys? https://twitter.com/arRMorgan/status/369892369845329921

Trsst: No server -- not ours not anybody -- ever decrypts your
keystore. Only happens inside the client and never leaves your PC.

Trsst: For consumer UX need to figure out how to move a keystore from
one device to another (PC+mobile), but never decrypted.

**

Q6: Can end users run @TrsstProject peers?
https://twitter.com/arRMorgan/status/369893971897495553

Trsst: YES. PLEASE DO. :) A trsst server is just an http server with
agreed upon conventions for accepting and relaying RSS snippets.

RM: That is so dang cool! Seems like y'all really get the what and why
behind a decentralised service.

**

Q7: What licence will you use for the TrsstProject's software?
https://twitter.com/arRMorgan/status/369894066340646912

Trsst: We always lean GPL but people have issues, so #Apache, #MIT,
all/none of the above? Dunno honestly.

RM: FWIW, I'm a big fan of the GPL!

**

Q8: Will 'following' 

Re: [liberationtech] Google confirms critical Android crypto flaw

2013-08-20 Thread Maxim Kammerer
On Thu, Aug 15, 2013 at 3:38 PM, Maxim Kammerer m...@dee.su wrote:
 On Thu, Aug 15, 2013 at 2:34 PM, Nathan of Guardian
 nat...@guardianproject.info wrote:
 The best description is here:
 http://armoredbarista.blogspot.ch/2013/03/randomly-failed-weaknesses-in-java.html

 Unbelievable… It seems that PRNG implementers suffer from NIH
 syndrome. If you are going to use /dev/urandom, then use it all the
 time, and rely on code that's reviewed and maintained by thousands of
 kernel people, not just your favorite buggy seeded PRNG du jour. And
 even sans the bugs, consider something like the following in Apache
 Harmony (precursor of Dalvik's class library) [1, p. 131]:

   iv = sha1(iv,concat(state, cnt));
   cnt = cnt + 1;
   return iv;

 So they're essentially constructing a state-based bit stream that
 varies in each block, and hash it with SHA-1 — exposing each
 intermediate hash value in the middle. Who the hell told them it's
 safe from cryptanalysis POV? E.g., SP800-90A's Hash_DRBG [2, p. 40]
 resembles nothing of the sort.

 [1] http://dx.doi.org/10.1007/978-3-642-36095-4_9
 [2] http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf

I have looked at (what I believe is) the code, finally:
git clone https://android.googlesource.com/platform/libcore
git blame 
luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java

Long story short — unbelievable POS monstrosity (of course), and
Google shares the blame. The paper authors are completely right —
seed[BYTES_OFFSET] is not assigned anywhere where it matters, and the
initial seed gets continuously partly overwritten with the counter at
the same offset 0. The funny part is that even if Apache Harmony
people were to get that part right, the PRNG would still possibly have
entropy issues due to this gem (slightly simplified below):

 lastWord = seed[BYTES_OFFSET] == 0 ? 0
 : (seed[BYTES_OFFSET] + 7) >> 3 - 1;

They didn't notice that subtraction takes precedence over bitshift, so
this last word (8 bytes — just to confuse with 4-byte words in
SHA-1, I presume) is taken from the wrong place in the array. How did
I notice the precedence blunder? Why, there is a commit:

Author: Nick Kralevich n...@google.com
Date:   Wed Oct 20 13:53:55 2010 -0700

fix operator precedence bug when calculating bits.

-bits = seedLength  3 + 64; // transforming # of bytes
into # of bits
+bits = (seedLength  3) + 64; // transforming # of bytes
into # of bits
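Review bot: the fix parenthesizes only the `bits` expression, while the `lastWord` computation quoted earlier in this message, `(seed[BYTES_OFFSET] + 7) >> 3 - 1`, has the same shape (in Java the additive operators bind tighter than the shifts, so the `- 1` is applied to the shift amount, not the result) and is left as it was. Suggest fixing both sites in the same commit and adding a known-answer regression test for a fixed seed, since a fix that leaves the output stream for a given seed unchanged would otherwise go unnoticed, which is exactly the observation made below.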

So this Google guy noticed a precedence bug in one place, but left the
one a few lines above it (dating to Apache Harmony) intact. Not his
problem, probably — corporate programming at its finest. Had he fixed
the bug above as well, he might have noticed (or not) that the output
stream for a given seed remained completely unchanged.

In short, don't use Google's security-related code for anything important.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
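Maxim contrasts the Harmony construction with the Hash_DRBG of SP800-90A. The block below is an added example, written for this page and not code from Apache Harmony, Android, the cited paper or Maxim; it implements the Hash_df, instantiate and generate steps of SP800-90A Section 10.1.1 with SHA-256 so the structural difference is visible: the secret working value V is hashed to produce output but is never emitted itself, and the state update (hashing 0x03 || V and adding the constant C and the reseed counter) is a separate step from output generation. Reseeding, prediction resistance and additional input are omitted by assumption, the request-size limit is the standard's 2^19 bits, and the class and function names are the example's own.

```python
"""Hash_DRBG (SP 800-90A, 10.1.1) with SHA-256, added example for this thread.

Assumptions: no reseed, no prediction resistance, no additional input; one
instantiate per generator lifetime. Not the Harmony/Android SHA1PRNG code.
"""
import hashlib

OUTLEN = 32                 # SHA-256 digest length in bytes
SEEDLEN = 55                # seedlen = 440 bits for SHA-256 (SP 800-90A Table 2)
MAX_REQUEST_BYTES = 1 << 16  # max 2^19 bits per generate request


def hash_df(input_string: bytes, no_of_bytes: int) -> bytes:
    """Hash_df (SP 800-90A 10.3.1): temp ||= Hash(counter || bits || input)."""
    no_of_bits = no_of_bytes * 8
    temp = b""
    counter = 1                                    # 8-bit counter
    while len(temp) < no_of_bytes:
        temp += hashlib.sha256(
            bytes([counter]) + no_of_bits.to_bytes(4, "big") + input_string
        ).digest()
        counter += 1
    return temp[:no_of_bytes]


def _add_mod_seedlen(*values: int) -> bytes:
    """Sum integers modulo 2^(8*SEEDLEN) and return as a SEEDLEN-byte string."""
    total = sum(values) % (1 << (8 * SEEDLEN))
    return total.to_bytes(SEEDLEN, "big")


class HashDRBG:
    """Minimal Hash_DRBG: V is hashed for output, never output directly."""

    def __init__(self, entropy_input: bytes, nonce: bytes = b"",
                 personalization: bytes = b""):
        # Instantiate: seed = Hash_df(entropy || nonce || pers), V = seed,
        # C = Hash_df(0x00 || V), reseed_counter = 1
        seed = hash_df(entropy_input + nonce + personalization, SEEDLEN)
        self.V = seed
        self.C = hash_df(b"\x00" + self.V, SEEDLEN)
        self.reseed_counter = 1

    def _hashgen(self, n_bytes: int) -> bytes:
        # Hashgen: data = V; output Hash(data) blocks, data = data + 1 each time.
        # V itself is only ever an input to SHA-256 here.
        data = int.from_bytes(self.V, "big")
        out = b""
        while len(out) < n_bytes:
            out += hashlib.sha256(data.to_bytes(SEEDLEN, "big")).digest()
            data = (data + 1) % (1 << (8 * SEEDLEN))
        return out[:n_bytes]

    def generate(self, n_bytes: int) -> bytes:
        """Return n_bytes of output and advance the state (one generate call)."""
        if not 0 < n_bytes <= MAX_REQUEST_BYTES:
            raise ValueError("request exceeds SP 800-90A per-call limit")
        returned = self._hashgen(n_bytes)
        # State update is separate from output generation:
        # H = Hash(0x03 || V); V = (V + H + C + reseed_counter) mod 2^seedlen
        H = hashlib.sha256(b"\x03" + self.V).digest()
        self.V = _add_mod_seedlen(
            int.from_bytes(self.V, "big"), int.from_bytes(H, "big"),
            int.from_bytes(self.C, "big"), self.reseed_counter)
        self.reseed_counter += 1
        return returned


def same_seed_same_stream(entropy: bytes, n_bytes: int) -> bool:
    """Two instantiations from identical entropy must produce identical output;
    this is the property a known-answer regression test pins down."""
    a = HashDRBG(entropy, b"nonce").generate(n_bytes)
    b = HashDRBG(entropy, b"nonce").generate(n_bytes)
    return a == b


if __name__ == "__main__":
    # Constructed entropy input for illustration only; a real instantiation
    # takes it from an approved entropy source (e.g. the OS RNG).
    drbg = HashDRBG(b"\x01" * 32, b"nonce", b"example")
    print(drbg.generate(32).hex())
    print(drbg.generate(32).hex())
```

The determinism check is the point of contact with Maxim's closing observation: a generator that is deterministic for a given seed can be covered by a known-answer test, and such a test is what notices when a "fix" leaves the output stream for that seed unchanged.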