Re: [liberationtech] FW: NSA Admits: Okay, Okay, There Have Been A Bunch Of Intentional Abuses, Including Spying On Love Interests | Techdirt

2013-08-24 Thread coderman
On Sat, Aug 24, 2013 at 5:21 AM, michael gurstein  wrote:
> Okay, so we have a few joke "abuses" to divert attention but what about the
> intentional non-abuses and the non-joke ones...


what this demonstrates is twofold:

first, that any motive which may arise, no matter how petty, has
resulted in abuses of these systems for personal ends.

second, that any procedural or technical controls around preventing
these abuses are insufficient or even lacking entirely.


LOVEINT, as excellent in the mind's eye it may be as focal point for outrage,
is clearly just the tip of the iceberg.
-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.


Re: [liberationtech] Standalone JS apps vs. browser extensions, which is better?

2013-08-24 Thread Griffin Boyce
On 08/24/2013 05:13 PM, Francisco Ruiz wrote:
>
> My encryption app, PassLok, is currently in the shape of a standalone,
> static web page with two text boxes where users copy and paste plain
> or encrypted messages. I am considering the possibility of making a
> browser extension version out of it, probably along the lines of
> myMail-crypt or Mailvelope for Chrome, to provide a tighter
> integration with email programs (or at least with Gmail, which is very
> popular these days).
>

I suspect you're going to get lots of different answers to this
question, but here is how I see it:

  Offering a browser extension or downloadable application is far
superior to having it in website format, because you can offer GPG
signatures and the user doesn't have to worry that you've been forced to
change the code server-side (or that they've got network interference). 

  You shouldn't be storing collections of passwords on your server, in
any format, ever. This is just begging for trouble, either from hackers,
broken servers, or government agencies.

  Release your app as a proper downloaded app. Allow people to save
their passwords locally. And have someone help you with threat
modeling.  It doesn't prevent all problems, but it turns a huge problem
into a few small problems, and puts much of the burden back onto the
user to secure their computer and local network.

Just my $0.02

best,
Griffin

-- 
"Cypherpunks write code not flame wars." --Jurre van Bergen
#Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de

My posts, while frequently amusing, are not representative of the thoughts of 
my employer. 



Re: [liberationtech] Standalone JS apps vs. browser extensions, which is better?

2013-08-24 Thread Eduardo Robles Elvira
Hello Francisco:

We have the same dilemma in our online decision-taking software (Agora
voting). Browser extensions are more secure by being more static i.e.
the code is not loaded visiting a website. In general, this is a
problem of trust. If you're doing client-side encryption you have
multiple ways of doing it:

1. You could trust the website code, but it might get hacked or the
government might send a request to them, or they might do a
man-in-the-middle attack, etc. Please read the story of Hushmail!! [1]
2. You could create a site-specific browser extension as you propose.
This way, at least it gets more difficult to hack the system, as it
would require a new version of the browser extension.
3. You could create a more generic browser extension that adds support
for general encryption techniques and try to standardise it so that
browsers ship this. The idea is not to have to trust the website at
all, just your web browser.

I explored a bit case 3 in my final career project in the university
and here is a post about it
https://edulix.wordpress.com/2012/01/08/the-server-in-the-middle-problem-and-solution/

Regards,
--
[1] https://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_privacy

On Sat, Aug 24, 2013 at 11:13 PM, Francisco Ruiz  wrote:
> My encryption app, PassLok, is currently in the shape of a standalone,
> static web page with two text boxes where users copy and paste plain or
> encrypted messages. I am considering the possibility of making a browser
> extension version out of it, probably along the lines of myMail-crypt or
> Mailvelope for Chrome, to provide a tighter integration with email programs
> (or at least with Gmail, which is very popular these days).
>
> But let me frame this as a general issue, since I am sure there are other
> developers who are wondering if browser extensions are the way to go. They
> tend to make things easier for the user, but at some cost. I’d like to know
> more exactly what is the trade-off.
>
> There is a lot going for making an extension that ties with a web mail
> service. For instance:
>
> 1. Users would be able to store their contacts’ public keys within
> the app, so the extension would fetch them automatically once recipients’
> emails are typed.
>
> 2. Extensions, I am told, can be better protected from tampering by
> an enemy than a simple web page, even if that page travels by TLS/SSL.
>
> On the other hand:
>
> 1. Users would be forced to trust me, the developer, concerning the
> security of the extension, while right now they can look at the code and
> decide for themselves if they want to use it.
>
> 2. The extension could be broken by Google changing things in Chrome
> or Gmail, which would force me to be constantly updating it.
>
> 3. In the examples I mentioned above, public keys are stored locally
> in the computer, which would break the principle of perfect portability that
> PassLok is based on. This would not be so much of a problem if the keys
> could be stored in the Cloud, but I haven’t seen an example that does it
> satisfactorily.
>
> 4. There’s also the issue that Google does no longer have a clean
> nose concerning cooperation with spy agencies (with or without judicial
> warrants), so they could change my code and weaken the extension without my
> knowledge.
>
> 5. Browser extensions don’t yet run on mobile devices, again against
> one of PassLok’s design principles.
>
> What do you think? Given the state of affairs these days, with some secure
> mail services compromised and others shutting down because of the threat of
> government interference, is it still worthwhile to invest the effort in
> developing an extension in order to streamline user experience?
>
> Thanks!
>
> --
> Francisco Ruiz
> Associate Professor
> MMAE department
> Illinois Institute of Technology
>
> PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
>
> get the PassLok privacy app at: http://passlok.com
>



-- 
Eduardo Robles Elvira +34 668 824 393 skype: edulix2
http://www.wadobo.com it's not magic, it's wadobo!


[liberationtech] Standalone JS apps vs. browser extensions, which is better?

2013-08-24 Thread Francisco Ruiz
My encryption app, PassLok, is currently in the shape of a standalone,
static web page with two text boxes where users copy and paste plain or
encrypted messages. I am considering the possibility of making a browser
extension version out of it, probably along the lines of myMail-crypt or
Mailvelope for Chrome, to provide a tighter integration with email programs
(or at least with Gmail, which is very popular these days).

But let me frame this as a general issue, since I am sure there are other
developers who are wondering if browser extensions are the way to go. They
tend to make things easier for the user, but at some cost. I’d like to know
more exactly what is the trade-off.

There is a lot going for making an extension that ties with a web mail
service. For instance:

1. Users would be able to store their contacts’ public keys within
the app, so the extension would fetch them automatically once recipients’
emails are typed.

2. Extensions, I am told, can be better protected from tampering by
an enemy than a simple web page, even if that page travels by TLS/SSL.

On the other hand:

1. Users would be forced to trust me, the developer, concerning the
security of the extension, while right now they can look at the code and
decide for themselves if they want to use it.

2. The extension could be broken by Google changing things in
Chrome or Gmail, which would force me to be constantly updating it.

3. In the examples I mentioned above, public keys are stored
locally in the computer, which would break the principle of perfect
portability that PassLok is based on. This would not be so much of a
problem if the keys could be stored in the Cloud, but I haven’t seen an
example that does it satisfactorily.

4. There’s also the issue that Google does no longer have a clean
nose concerning cooperation with spy agencies (with or without judicial
warrants), so they could change my code and weaken the extension without my
knowledge.

5. Browser extensions don’t yet run on mobile devices, again
against one of PassLok’s design principles.

What do you think? Given the state of affairs these days, with some secure
mail services compromised and others shutting down because of the threat of
government interference, is it still worthwhile to invest the effort in
developing an extension in order to streamline user experience?
Thanks!

-- 
Francisco Ruiz
Associate Professor
MMAE department
Illinois Institute of Technology

PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok

get the PassLok privacy app at: http://passlok.com

Re: [liberationtech] Announcing Scramble.io

2013-08-24 Thread Nicolai
On Fri, Aug 23, 2013 at 06:22:02PM -0400, Tom Ritter wrote:

> SSL is Secure and Memorable, but highly centralized.  (It is secure
> because you have to prove ownership of a name to get a certificate for
> it.)
> This technique is Secure and Decentralized - but not memorable.

Agreed regarding scramble.io.  I think DNSCurve and CurveCP would be
more likely to fit under Secure and Memorable, with questions about
Decentralization, since DNS itself is highly centralized.  And when I
say memorable, I mean that the public keys are not exposed to the user,
so it's actually not applicable.  You use CNAMEs for CurveCP keys [0],
and end users don't need to know NS records to look up example.com.

So I suppose from a Zooko's Triangle perspective, CurveCP & DNSCurve
would be in a different category than scramble.io.

Nicolai
0. dig curvecp.chocolatine.org


[liberationtech] Free Feedspot RSS Reader Pro subscription to Stanford researchers, practitioners, and journalists

2013-08-24 Thread Anuj Agarwal
Hello!

My name is Anuj. I'm Founder of Feedspot - A Google Reader+Google Alerts
replacement. Researchers, Practitioners, Bloggers and other professionals
use it to keep up with their favorite news sites and blogs.

http://www.feedspot.com

Feedspot is an Information Technology tool for consuming news. I thought
members of Liberationtech might find it very useful. I recently launched
Feedspot and got reviewed by TechCrunch.

I'd like to invite Liberationtech members to try Feedspot and give
everyone one year pro subscription. Please use STANFORD_FEEDSPOT as promo
code to enable your Annual Pro Membership.

Should you have any questions, please feel free to reach me.

Best,
Anuj

Re: [liberationtech] Announcing Scramble.io

2013-08-24 Thread Ralph Holz
Hi,

> Off the top of my head, other techniques that make the same tradeoff are:
>  - Tor Hidden Services, as you mentioned
>  - SSH & OpenPGP fingerprints (here's my fingerprint, no matter where
> you find it, that's my identifier)
>  - YURLs http://www.waterken.com/dev/YURL/httpsy/
>  - From the above URL: Freenet's CHKs, Mnet's mnetids, Chord's keys,
> Freenet's SSKs, SPKI's certificates

Add this here:
https://gnunet.org/sites/default/files/grothoff_slides_berlin.pdf

From slide 39.

Ralph


-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF


[liberationtech] FW: NSA Admits: Okay, Okay, There Have Been A Bunch Of Intentional Abuses, Including Spying On Love Interests | Techdirt

2013-08-24 Thread michael gurstein
Okay, so we have a few joke "abuses" to divert attention but what about the
intentional non-abuses and the non-joke ones... Unless the NSA folks are
just a bunch of love sick adolescents without plans for after retirement or
some aspirations for making a killing in the stock  market or that the way
in which the national interests of the US are defined no longer includes
maintaining a lead in certain strategic industries--aircraft manufacture,
chip design, gene splicing or whatever--then this is just pablum for the
gullible.

M

-Original Message-
From: liberationtech-boun...@lists.stanford.edu
[mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of James S.
Tyre
Sent: Saturday, August 24, 2013 11:56 AM
To: 'liberationtech'; 'cpunks'
Subject: Re: [liberationtech] NSA Admits: Okay, Okay, There Have Been A
Bunch Of Intentional Abuses, Including Spying On Love Interests | Techdirt

Best summary: https://twitter.com/slworona/status/370946271646711809

--
James S. Tyre
Law Offices of James S. Tyre
10736 Jefferson Blvd., #512
Culver City, CA 90230-4969
310-839-4114/310-839-4602(fax)
jst...@jstyre.com
Policy Fellow, Electronic Frontier Foundation https://www.eff.org


> -Original Message-
> From: liberationtech-boun...@lists.stanford.edu
> [mailto:liberationtech- boun...@lists.stanford.edu] On Behalf Of 
> coderman
> Sent: Friday, August 23, 2013 9:46 PM
> To: liberationtech; cpunks
> Subject: Re: [liberationtech] NSA Admits: Okay, Okay, There Have Been 
> A Bunch Of Intentional Abuses, Including Spying On Love Interests | 
> Techdirt
> 
> LOVEINT!!!
> 
> oh god this alone makes it all worth it,,, thank you Snowden!
> 
> P.S. setup a bitcoin donation address.
> 
> best regards,
> 
> 
> 
> 
> On Fri, Aug 23, 2013 at 9:21 PM, Yosem Companys wrote:
> > http://www.techdirt.com/articles/20130823/18432024301/nsa-admits-okay-okay-there-have-been-bunch-intentional-abuses-including-spying-loved-ones.shtml
> >
> > NSA Admits: Okay, Okay, There Have Been A Bunch Of Intentional 
> > Abuses, Including Spying On Love Interests
> >
> > from the and-we're-just-now-telling-congress dept
> >
> > So, this week, we wrote about the NSA quietly admitting that there 
> > had been intentional abuses of its surveillance infrastructure, 
> > despite earlier claims by NSA boss Keith Alexander and various folks 
> > in Congress that there had been absolutely no "intentional" abuses.
> > Late on Friday (of course) the NSA finally put out an official 
> > statement admitting to an average of one intentional abuser per year 
> > over the past ten years. The AP is reporting that at least one of 
> > the abuses involved an NSA employee spying on a former spouse.
> > Meanwhile, the Wall Street Journal suggests that spying on love
> > interests happens somewhat more often:
> >
> > The practice isn't frequent - one official estimated a handful of
> > cases in the last decade - but it's common enough to garner its own
> > spycraft label: LOVEINT.
> >
> > A handful is still significantly more than once. And it's a lot more 
> > than the "zero" times we'd been told about repeatedly by defenders 
> > of the program.
> >
> > While the NSA says it takes these abuses seriously, there's no 
> > indication that the analyst was fired.
> >
> > Much more troubling is that it appears that the NSA only told its 
> > oversight committee in the Senate about all of this a few days ago:
> >
> > The Senate Intelligence Committee was briefed this week on the 
> > willful violations by the NSA's inspector general's office, as first 
> > reported by Bloomberg.
> >
> > "The committee has learned that in isolated cases over the past
> > decade, a very small number of NSA personnel have violated NSA
> > procedures - in roughly one case per year," Sen. Dianne Feinstein,
> > the California Democrat who chairs the committee, said in a
> > statement Friday.
> >
> > Of course, this is the same Dianne Feinstein who, exactly a week 
> > ago, said the following:
> >
> > As I have said previously, the committee has never identified an 
> > instance in which the NSA has intentionally abused its authority to 
> > conduct surveillance for inappropriate purposes.
> >
> > Yeah. Because apparently the NSA chose not to tell the committee 
> > until a few days later, despite it happening for years.
> >
> > And, of course, they release this all on a Friday night, hoping that 
> > it'll avoid the news cycle...
> >
> > In the meantime, the NSA just made Senator Feinstein look like a
> > complete fool. She's been its strongest defender in Congress for
> > years, and has stood up for it time and time again, despite all of
> > this questionable activity.
> > Then, last week, it lets her tell lies about it without telling her 
> > beforehand that there had been such abuses. At this point, it's 
> > abundantly clear that Feinstein's "oversight" of the NSA is a joke.
> > She's either incompetent or lying. Either way, it appears that the 
> 

Re: [liberationtech] Announcing Scramble.io

2013-08-24 Thread Michael Rogers
Hi DC,

Thanks for the reply. Responses to your responses inline. ;-)

On 23/08/13 21:51, DC wrote:
> The hash format (first 80 bits of SHA-1, encoded base32) is the
> same as Onion URLs use. How do they avoid preimage attacks? (I
> thought generating 2^80 keypairs and checking each one to see if
> the public key matches was simply too much work, maybe I'm wrong
> though.)

80 bits may not be enough to defend against a well-funded adversary
these days - that's one aspect of the Tor hidden services design that
"needs some love".

https://blog.torproject.org/blog/hidden-services-need-some-love

"...the current 80-bit security of onion addresses does not inspire
confidence against impersonation attacks."

> How exactly is the symmetric key used to encrypt the private key?
> What block cipher mode do you use? Is there authentication as well
> as encryption?
> 
> 
> (Currently I'm using the first 128 bits of a SHA hash as the key,
> then AES-128 symmetric encryption.)

What block cipher mode of operation do you use? If the mode of
operation requires padding, what padding scheme do you use? Do you
authenticate the ciphertext? If so, what MAC function do you use, and
how do you derive the MAC key?

These are nitpicky questions, but they could be important for security
if the server's compromised.

> ... after implementing your suggestion, it will be PBKDF2 instead,
> and I'll generate a random salt for each user. (That way, an
> attacker can only try to brute-force one account at a time, instead
> of all of them.)

Awesome!

Cheers,
Michael
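
One way to answer the questions in the message above about cipher mode, padding, authentication and key derivation, as an added example that is not Scramble.io's code or anything posted to the list: PBKDF2 with a random per-user salt derives the AES-128 key, and AES-GCM supplies both encryption and authentication, so no padding scheme or separate MAC key is needed. The function names, the iteration count, the SHA-256 PRF and the binding of the record to the user name are assumptions of this example.

```javascript
// Added example (Node.js): passphrase-wrapping a private key for storage
// on an untrusted server. All names and parameters are assumptions.
const crypto = require('crypto');

const PBKDF2_ITERATIONS = 200000; // assumed work factor; tune to hardware
const PBKDF2_DIGEST = 'sha256';   // assumed PRF
const KEY_BYTES = 16;             // AES-128, as in the thread
const SALT_BYTES = 16;            // fresh random salt per user
const IV_BYTES = 12;              // 96-bit nonce for GCM
const TAG_BYTES = 16;             // full-length GCM tag only

// Derive the AES key from the passphrase and a per-user salt.
function deriveKey(passphrase, salt, iterations) {
  return crypto.pbkdf2Sync(passphrase, salt, iterations, KEY_BYTES, PBKDF2_DIGEST);
}

// Encrypt and authenticate privateKey (a Buffer). The user name is fed in
// as associated data, so a record cannot be moved to another account.
function wrapPrivateKey(passphrase, privateKey, user) {
  const salt = crypto.randomBytes(SALT_BYTES);
  const iv = crypto.randomBytes(IV_BYTES);
  const key = deriveKey(passphrase, salt, PBKDF2_ITERATIONS);
  const cipher = crypto.createCipheriv('aes-128-gcm', key, iv);
  cipher.setAAD(Buffer.from(user, 'utf8'));
  const ciphertext = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  return {
    user,
    iterations: PBKDF2_ITERATIONS,
    salt: salt.toString('hex'),
    iv: iv.toString('hex'),
    ciphertext: ciphertext.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
  };
}

// Returns the private key, or null if the passphrase is wrong or any part
// of the stored record was modified.
function unwrapPrivateKey(passphrase, record) {
  try {
    const n = record.iterations;
    // Bound the work factor so a hostile record cannot stall the client.
    if (!Number.isInteger(n) || n < 1000 || n > 10000000) return null;
    const tag = Buffer.from(record.tag, 'hex');
    if (tag.length !== TAG_BYTES) return null; // refuse truncated tags
    const key = deriveKey(passphrase, Buffer.from(record.salt, 'hex'), n);
    const decipher = crypto.createDecipheriv(
      'aes-128-gcm', key, Buffer.from(record.iv, 'hex'));
    decipher.setAAD(Buffer.from(record.user, 'utf8'));
    decipher.setAuthTag(tag);
    return Buffer.concat([
      decipher.update(Buffer.from(record.ciphertext, 'hex')),
      decipher.final(), // throws if the tag does not verify
    ]);
  } catch (err) {
    return null;
  }
}

// Constructed sample run: round trip, wrong passphrase, tampered ciphertext.
function demo() {
  const secret = Buffer.from('constructed sample private key bytes');
  const rec = wrapPrivateKey('correct horse battery', secret, 'alice');
  const flipped = (parseInt(rec.ciphertext[0], 16) ^ 1).toString(16) +
    rec.ciphertext.slice(1);
  return {
    roundTrip: unwrapPrivateKey('correct horse battery', rec).equals(secret),
    wrongPassphrase: unwrapPrivateKey('guess', rec),
    tampered: unwrapPrivateKey('correct horse battery',
      { ...rec, ciphertext: flipped }),
  };
}
```

Because each record carries its own salt, two users with the same passphrase end up with unrelated keys, which is the property the last quoted paragraph relies on.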


[liberationtech] New Email: davidwo...@gmail.com

2013-08-24 Thread oaks
You have emailed to o...@mindfreedom.org
I no longer work for mindfreedom.

My personal email is:
davidwo...@gmail.com

Please make a note of that. Because of my disabilities I'll do my best to
read emails, but I may not be able to respond personally.

For more info see the August 22nd 2013 entry on my blog at
http://www.davidwoaks.com




Re: [liberationtech] NSA Admits: Okay, Okay, There Have Been A Bunch Of Intentional Abuses, Including Spying On Love Interests | Techdirt

2013-08-24 Thread Karel Bílek
I secretly hoped that is an Onion article.

On Sat, Aug 24, 2013 at 6:46 AM, coderman  wrote:
> LOVEINT!!!
>
> oh god this alone makes it all worth it,,, thank you Snowden!
>
> P.S. setup a bitcoin donation address.
>
> best regards,
>
>
>
>
> On Fri, Aug 23, 2013 at 9:21 PM, Yosem Companys  wrote:
>> http://www.techdirt.com/articles/20130823/18432024301/nsa-admits-okay-okay-there-have-been-bunch-intentional-abuses-including-spying-loved-ones.shtml
>>
>> NSA Admits: Okay, Okay, There Have Been A Bunch Of Intentional Abuses,
>> Including Spying On Love Interests
>>
>> from the and-we're-just-now-telling-congress dept
>>
>> So, this week, we wrote about the NSA quietly admitting that there had been
>> intentional abuses of its surveillance infrastructure, despite earlier claims
>> by NSA boss Keith Alexander and various folks in Congress that there had
>> been absolutely no "intentional" abuses. Late on Friday (of course) the NSA
>> finally put out an official statement admitting to an average of one
>> intentional abuser per year over the past ten years. The AP is reporting
>> that at least one of the abuses involved an NSA employee spying on a former
>> spouse. Meanwhile, the Wall Street Journal suggests that spying on love
>> interests happens somewhat more often:
>>
>> The practice isn’t frequent — one official estimated a handful of cases in
>> the last decade — but it’s common enough to garner its own spycraft label:
>> LOVEINT.
>>
>> A handful is still significantly more than once. And it's a lot more than
>> the "zero" times we'd been told about repeatedly by defenders of the
>> program.
>>
>> While the NSA says it takes these abuses seriously, there's no indication
>> that the analyst was fired.
>>
>> Much more troubling is that it appears that the NSA only told its oversight
>> committee in the Senate about all of this a few days ago:
>>
>> The Senate Intelligence Committee was briefed this week on the willful
>> violations by the NSA's inspector general's office, as first reported by
>> Bloomberg.
>>
>> "The committee has learned that in isolated cases over the past decade, a
>> very small number of NSA personnel have violated NSA procedures — in roughly
>> one case per year," Sen. Dianne Feinstein, the California Democrat who
>> chairs the committee, said in a statement Friday.
>>
>> Of course, this is the same Dianne Feinstein who, exactly a week ago, said
>> the following:
>>
>> As I have said previously, the committee has never identified an instance in
>> which the NSA has intentionally abused its authority to conduct surveillance
>> for inappropriate purposes.
>>
>> Yeah. Because apparently the NSA chose not to tell the committee until a few
>> days later, despite it happening for years.
>>
>> And, of course, they release this all on a Friday night, hoping that it'll
>> avoid the news cycle...
>>
>> In the meantime, the NSA just made Senator Feinstein look like a complete
>> fool. She's been its strongest defender in Congress for years, and has stood
>> up for it time and time again, despite all of this questionable activity.
>> Then, last week, it lets her tell lies about it without telling her
>> beforehand that there had been such abuses. At this point, it's abundantly
>> clear that Feinstein's "oversight" of the NSA is a joke. She's either
>> incompetent or lying. Either way, it appears that the NSA is running circles
>> around her, and isn't subject to any real Congressional oversight. At some
>> point, you'd think that maybe she'd stop defending it and actually start
>> doing her job when it comes to oversight. You'd think the fact that it let
>> her make a complete fool of herself by claiming there had been no
>> intentional abuses should make Feinstein realize that the NSA situation is
>> out of control. But, tragically, this seems unlikely. Even her statement
>> seems to want to minimize the seriousness of the fact that she -- the person
>> in charge of oversight -- was completely kept in the dark about very serious
>> intentional abuses. Senator Feinstein just got hung out to dry by the NSA.
>> You'd think she'd stop going to bat for it and its lies.
>>
>> Either way, we've now gone from General Keith Alexander and Feinstein
>> claiming "no abuses," to them saying no "intentional" abuses, to this latest
>> admission of plenty of intentional abuses, including spying on lovers.
>> Perhaps, instead of lying, it's time for the NSA to come clean and to get
>> some real oversight.
>>
>>
>

Re: [liberationtech] NSA Admits: Okay, Okay, There Have Been A Bunch Of Intentional Abuses, Including Spying On Love Interests | Techdirt

2013-08-24 Thread coderman
On Fri, Aug 23, 2013 at 10:25 PM, James S. Tyre  wrote:
> Best summary: https://twitter.com/slworona/status/370946271646711809


indeed; this codename gives the lie to all the congressional
testimony, to all the claims of controls and judiciary oversight, to
all the attestations of full compliance.

it's beautiful in laying bare the capriciousness to which the entire
intelligence juggernaut can be brought to bear against arbitrary
individuals; personal pettiness more than sufficient.


Re: [liberationtech] Announcing Scramble.io

2013-08-24 Thread Randolph D.
Hi DC, your problem has already been solved: the AES end-to-end key can
be (and often is) transferred in a GnuPG-like secured environment, e.g.
like http://goldbug.sf.net - a full p2p decentral email client - is using
it. Does your service use a central approach? As only the client side is
secure, you need clients to be in use.


2013/8/23 DC 

> Hi everyone,
>
> I'm DC, and I've been lurking here for a few weeks :)
>
> Since the NSA leaks, I've been inspired to work on an old dream:
> end-to-end encrypted email.
>
> One difficult problem in public-key encryption is key exchange: how to get
> a recipient's public key and know it's really theirs.
>
>
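
The key-exchange problem quoted above is what the hash address discussed elsewhere in this thread (the first 80 bits of SHA-1 over the public key, base32-encoded) is meant to solve: the address itself tells the client which key to accept. The following is an added example of that client-side check, not Scramble.io's or Tor's code; the function names and the use of DER-encoded Ed25519 keys as input bytes are assumptions.

```javascript
// Added example (Node.js): verifying a public key fetched from an untrusted
// server against a self-certifying address. Names are assumptions.
const crypto = require('crypto');

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567'; // RFC 4648 base32, lowercase
const ADDRESS_BYTES = 10; // 80 bits, the length described in the thread

// Unpadded base32 encoding of a Buffer.
function base32Encode(buf) {
  let bits = 0;
  let value = 0;
  let out = '';
  for (const byte of buf) {
    value = (value << 8) | byte;
    bits += 8;
    while (bits >= 5) {
      out += ALPHABET[(value >>> (bits - 5)) & 31];
      bits -= 5;
    }
    value &= (1 << bits) - 1; // keep only the bits not yet emitted
  }
  if (bits > 0) out += ALPHABET[(value << (5 - bits)) & 31];
  return out;
}

// Address = base32(first `bytes` bytes of SHA-1(public key bytes)).
function addressFor(publicKeyBytes, bytes = ADDRESS_BYTES) {
  const digest = crypto.createHash('sha1').update(publicKeyBytes).digest();
  return base32Encode(digest.subarray(0, bytes));
}

// Accept a key handed over by the server only if it hashes to the address
// the user already holds (obtained out of band, e.g. from a contact).
function verifyFetchedKey(expectedAddress, fetchedKeyBytes) {
  const expected = Buffer.from(String(expectedAddress).trim().toLowerCase(), 'ascii');
  const actual = Buffer.from(addressFor(fetchedKeyBytes), 'ascii');
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual);
}

// Constructed sample: two freshly generated keys stand in for the genuine
// key and for a key substituted by a compromised server.
function demo() {
  const enc = {
    publicKeyEncoding: { type: 'spki', format: 'der' },
    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
  };
  const genuine = crypto.generateKeyPairSync('ed25519', enc).publicKey;
  const substituted = crypto.generateKeyPairSync('ed25519', enc).publicKey;
  const address = addressFor(genuine);
  return {
    address,
    genuineAccepted: verifyFetchedKey(address, genuine),
    substitutedAccepted: verifyFetchedKey(address, substituted),
  };
}
```

The check is only as strong as the truncation: the work needed to find another key matching an n-bit address grows as 2^n, which is why the 80-bit length is questioned in the thread.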