[liberationtech] what to install on a secure communication device
I'm looking to build a list for reasonably secure (no snake oil) ways to communicate (search, store, etc.). My ad hoc list so far is:

Pidgin/OTR
cables
Jitsi
Tor
YaCy
RetroShare
TorChat
Tahoe LAFS
GnuNet

No doubt I'm missing a lot. Any further suggestions?

--
Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] what to install on a secure communication device
Why not also JonDonym? The problem with TOR for productivity is its bandwidth. There are also some pretty good commercial services.

Andreas

--Original message--
From: Eugen Leitl
Sender: liberationtech-boun...@lists.stanford.edu
To: cypherpu...@cpunks.org
To: Liberation Technologies
To: zs-...@zerostate.is
Reply to: liberationtech
Subject: [liberationtech] what to install on a secure communication device
Sent: 31 Aug. 2013 10:47

I'm looking to build a list for reasonably secure (no snake oil) ways to communicate (search, store, etc.). My ad hoc list so far is:

Pidgin/OTR
cables
Jitsi
Tor
YaCy
RetroShare
TorChat
Tahoe LAFS
GnuNet

No doubt I'm missing a lot. Any further suggestions?
Re: [liberationtech] what to install on a secure communication device
On Sat, Aug 31, 2013 at 10:46:15AM +, andreas.ba...@nachtpult.de wrote:
> Why not also JonDonym? The problem with TOR for productivity is its bandwidth.

Because it's officially backdoored.

> There are also some pretty good commercial services.
Re: [liberationtech] what to install on a secure communication device
Is irssi-otr working yet?

You could add that. Mixmaster/mixminion?

On Saturday, August 31, 2013, Eugen Leitl wrote:
> I'm looking to build a list for reasonably secure (no snake oil)
> ways to communicate (search, store, etc.). My ad hoc list so far is:
>
> Pidgin/OTR
> cables
> Jitsi
> Tor
> YaCy
> RetroShare
> TorChat
> Tahoe LAFS
> GnuNet
>
> No doubt I'm missing a lot. Any further suggestions?
Re: [liberationtech] what to install on a secure communication device
You should also think of the OS. Due to the NSA scandal, closed-source OSes like OS X and Microsoft Windows are unusable. How about something pseudo-commercial like SL or CentOS?

-Original Message-
From: Tom O
Sender: liberationtech-boun...@lists.stanford.edu
Date: Sat, 31 Aug 2013 21:43:59
To: liberationtech
Reply-To: liberationtech
Subject: Re: [liberationtech] what to install on a secure communication device
Re: [liberationtech] what to install on a secure communication device
On 31 August 2013 12:43, Tom O wrote:
> Is irssi-otr working yet?

irssi-otr has mostly worked for ages.

> You could add that. Mixmaster/mixminion?
>
> On Saturday, August 31, 2013, Eugen Leitl wrote:
>> I'm looking to build a list for reasonably secure (no snake oil)
>> ways to communicate (search, store, etc.). My ad hoc list so far is:
>>
>> Pidgin/OTR
>> cables
>> Jitsi
>> Tor
>> YaCy
>> RetroShare
>> TorChat
>> Tahoe LAFS
>> GnuNet
>>
>> No doubt I'm missing a lot. Any further suggestions?
Re: [liberationtech] what to install on a secure communication device
That's good news then

On Saturday, August 31, 2013, Ben Laurie wrote:
> On 31 August 2013 12:43, Tom O wrote:
>> Is irssi-otr working yet?
>
> irssi-otr has mostly worked for ages.
>
>> You could add that. Mixmaster/mixminion?
>>
>> On Saturday, August 31, 2013, Eugen Leitl wrote:
>>> I'm looking to build a list for reasonably secure (no snake oil)
>>> ways to communicate (search, store, etc.). My ad hoc list so far is:
>>>
>>> Pidgin/OTR
>>> cables
>>> Jitsi
>>> Tor
>>> YaCy
>>> RetroShare
>>> TorChat
>>> Tahoe LAFS
>>> GnuNet
>>>
>>> No doubt I'm missing a lot. Any further suggestions?
Re: [liberationtech] what to install on a secure communication device
On 08/31/2013 04:47 AM, Eugen Leitl wrote:
> I'm looking to build a list for reasonably secure (no snake oil)
> ways to communicate (search, store, etc.). My ad hoc list so far is:
>
> Pidgin/OTR
> cables
> Jitsi
> Tor
> YaCy
> RetroShare
> TorChat
> Tahoe LAFS
> GnuNet
>
> No doubt I'm missing a lot. Any further suggestions?

One of those nine software titles you've listed does _not_ give you reasonable security ATM, as outlined by the author on the front page of the website that explains what the software does. Since that author took the time to describe the current state of the software as a reaction to increased interest in that software (very cool), I'd suggest having a look and reading it fully.

Best,
Jonathan
[liberationtech] [tahoe-dev] reproducible builds for Tahoe-LAFS: where do we start?
- Forwarded message from Zooko O'Whielacronx -

Date: Sat, 31 Aug 2013 14:12:07 +
From: Zooko O'Whielacronx
To: tahoe-dev
Subject: [tahoe-dev] reproducible builds for Tahoe-LAFS: where do we start?

Folks:

Here's some recent news:

http://m.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html

That article says that the U.S. espionage agencies have surreptitiously installed sophisticated malware on tens of thousands of remote machines, and have plans to increase that number into the millions.

It is important to remember that while the U.S. espionage establishment is the one that is currently having its activities and plans exposed, it is not the only one of its kind. It is safe to assume that there are many other organizations with similar capabilities engaged in similar activities. It is also likely that some of those groups are engaged not in warfare but in industrial espionage or other kinds of theft or sabotage.

In this modern world, it would be very useful if you could check whether the binaries that you are running are the same as the binaries that other people are running that were ostensibly built from the same source code. That way, implanted malware would be more likely to be exposed.

This is the idea of "reproducible builds", as championed by Tor ¹, Bitcoin ², and Debian ³. LWN.net recently had a nice overview article about this: ⁴.

Now: how do we start? We have a trac ticket:

https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2057# reproducible builds

But I don't understand what the next step is on the path to really protecting users.

The situation we're considering here is that a user is installing Tahoe-LAFS, for example by running "sudo apt-get install tahoe-lafs" on Debian, and the computer that was used to build the tahoe-lafs Debian package had malware running on it, that inserted a backdoor into the tahoe-lafs Debian package.

How can we help users to defend against that?

There are lots of other packagers which provide installable versions of Tahoe-LAFS to their users. For example, the "pkgsrc/NetBSD" system ⁵, whose Tahoe-LAFS package is maintained by Greg Troxel, who reads this mailing list. If you click on the big friendly blue "Download Tahoe-LAFS" button on the front page of https://Tahoe-LAFS.org, it takes you to a menu of packages provided by different free-and-open-source operating systems.

One thing that worries me about this issue is that it is one of those things where different open source projects can reasonably assume that it is Someone Else's Problem to fix this. I've often seen this: when there is an issue that spans multiple open source projects, that it is hard to make progress on that issue, since every open source project has a theory of how it ought to be fixed by some other open source project taking responsibility for it.

So what can we do to push on this issue now?

Regards,

Zooko

¹ https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
² https://en.bitcoin.it/wiki/Release_process
³ https://wiki.debian.org/ReproducibleBuilds
⁴ http://lwn.net/Articles/564263/
⁵ ftp://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/filesystems/tahoe-lafs/README.html

___
tahoe-dev mailing list
tahoe-...@tahoe-lafs.org
https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev

- End forwarded message -

--
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
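
The check the forwarded message asks for, as an added example that is not part of the original thread and not Tahoe-LAFS or Debian code: it shows why a build must first be made deterministic before independent rebuilders' digests can expose a package altered on the build host. The file names, builder names, timestamps and quorum policy are assumptions, and an in-memory tar stands in for a real packaging step.

```python
import hashlib
import io
import tarfile

# Constructed sample "source tree"; file names and contents are hypothetical.
SOURCE = {
    "pkg/node.py": b"def start():\n    return 'serving'\n",
    "pkg/__init__.py": b"VERSION = '1.0'\n",
}


def build_package(files, builder, build_time, reproducible):
    """Stand-in for a packaging step: tar the files in memory, return bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        # A naive build keeps whatever order the build host enumerated.
        names = sorted(files) if reproducible else list(files)
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o644
            # Build-host details leak into a naive package; a reproducible
            # build pins them to fixed values.
            info.mtime = 0 if reproducible else build_time
            info.uname = info.gname = "" if reproducible else builder
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def check_download(package, rebuilder_digests, quorum=2):
    """Compare a downloaded package with digests from independent rebuilders.

    Returns (trusted, agreeing, disagreeing). Policy assumed here: at least
    `quorum` rebuilders must match and none may differ.
    """
    local = sha256(package)
    agreeing = sorted(n for n, d in rebuilder_digests.items() if d == local)
    disagreeing = sorted(n for n, d in rebuilder_digests.items() if d != local)
    return len(agreeing) >= quorum and not disagreeing, agreeing, disagreeing


def rebuild_digests(files, reproducible):
    """Three hypothetical rebuilders, each on a different host and day."""
    hosts = {"alice": 1377900000, "bob": 1377986400, "carol": 1378072800}
    return {h: sha256(build_package(files, h, t, reproducible))
            for h, t in hosts.items()}


def demo():
    # 1. Naive builds of identical source never match, so comparing is useless.
    naive = rebuild_digests(SOURCE, reproducible=False)
    # 2. Reproducible builds of identical source all match.
    repro = rebuild_digests(SOURCE, reproducible=True)
    # 3. The distributor's build host is compromised and alters one file.
    tampered = dict(SOURCE)
    tampered["pkg/node.py"] += b"import os  # implant (constructed)\n"
    shipped_bad = build_package(tampered, "distro", 1377950000, True)
    shipped_good = build_package(SOURCE, "distro", 1377950000, True)
    return {
        "naive_distinct": len(set(naive.values())),
        "repro_distinct": len(set(repro.values())),
        "good": check_download(shipped_good, repro),
        "bad": check_download(shipped_bad, repro),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The comparison only helps if the rebuilders and the channel that carries their digests are independent of the distributor's build host.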
Re: [liberationtech] [Cryptography] The Case for Formal Verification
- Forwarded message from coderman -

Date: Fri, 30 Aug 2013 12:19:39 -0700
From: coderman
To: Cypherpunks list, cpunks
Subject: Re: [Cryptography] The Case for Formal Verification

On Thu, Aug 29, 2013 at 11:50 PM, Eugen Leitl wrote:
> ...
> Much of what has changed is proof technology, and it is a
> technology. The tools for doing formal verification are now, for the
> first time, just barely usable for real work on interesting programs,
> and getting better all the time...
>
> There are usually several arguments against formal verification:...
> 1) We don't know what to specify, so what help does proving a buggy
> specification do us?

this is the crux; where the human meets the machine is always a large, evolving, complicated attack surface. e.g. usability and design level requirements and behavior.

in the order of precedence of security risks, much bigger holes must be addressed before formal verification provides return on time invested.

if you're building verified compilers, or micro kernels, or core libraries, this doesn't apply to you. ;)

i want seL4 in a Qubes isolation model, formally verified CryptoBox,

> 2) Who would bother writing a proof vastly larger than their program?

this makes no sense to me; patently absurd on the face of it. why test code with clusters that are larger than your build systems? why do we exist? ...

utility of quality measures can not be judged on superficial metrics like "size in GB" or "processor hours". anyone using this argument as a disqualifier is not qualified to make such an assessment.

> 3) You can't prove programs of interesting size anyway.
> ...
> For 3 ("you can't prove anything big enough to be useful!"), the Quark
> project:
> http://goto.ucsd.edu/quark/
> showed you don't need to prove a program of interesting size. You can
> defend millions of lines of buggy code with a "software firewall" made
> of formally verified code.

this is a great approach and fits in well with other security through isolation defense in depth.

combining the strengths of formal verification at critical core points within a system, and then leveraging that robust core to isolate, constrain, mediate between higher level applications seems most reasonable, tractable, with the best return on time invested.

if i had a wishlist it would be:
- 64bit CompCert (not just 64bit int support :)
- verified virtualization isolation model (seL4 Qubes like system?)
- verified crypto_sign_edwards25519sha512batch and crypto_sign_nistp256sha512ecdsa implementations
- verified compression, regexp, and other common libraries that are useful at the security boundary between isolated domains or applications.

some of the work done for quark might be partially applicable to some of the above, but most of the verification is browser specific (related to things like messaging and tab isolation, proper cookie handling, socket communication, etc.)

where's the github for Coq kernels?

> So, if you're interested, how do you get started doing such things?
> ...
> Coq is, sadly, needlessly hard for the beginner. It has poor
> documentation, bad error messages and bad error behavior. These are
> not inherent problems, they're problems just with this instance of
> things -- people could build better if there was enough interest, and
> I hope that as these technologies become more popular people will
> build far better versions of the tools.

some other good resources:

ProofWeb: http://prover.cs.ru.nl/login.php
particularly the courses available for the online interface to Coq.

frama-c: http://frama-c.com/
i just came across this, it looks quite useful, but have not used it in any depth yet...

> ... we need more people in the world experimenting with
> verification if we're going to get truly trustworthy software going
> forward.

Lemma stating_the_obvious:
(* formal verification as a useful component of defense in depth is self-evident *)
Qed.

“The future is here. It's just not widely distributed yet.” -- Gibson

- End forwarded message -
Re: [liberationtech] what to install on a secure communication device
On Sat, Aug 31, 2013 at 4:47 AM, Eugen Leitl wrote:
> I'm looking to build a list for reasonably secure (no snake oil)
> ways to communicate (search, store, etc.). My ad hoc list so far is:
>
> Pidgin/OTR
> cables
> Jitsi
> Tor
> YaCy
> RetroShare
> TorChat
> Tahoe LAFS
> GnuNet
>
> No doubt I'm missing a lot. Any further suggestions?

TrueCrypt-encrypted data saved on microSD cards sent over sneakernet, optionally hidden in a hollow bootheel?

Small amounts of sensitive data stored in innocuous-seeming formats through steganography (eg, http://www.jjtc.com/Steganography/tools.html ), made publicly available?

Thank you for your time,
--
DataPacRat
"Then again, I could be wrong."
Re: [liberationtech] FW: NSA Admits: Okay, Okay, There Have Been A Bunch Of Intentional Abuses, Including Spying On Love Interests | Techdirt
Tomasz, you seem to have a dark view of human nature. On the other hand, if this were happening, would we ever find out?

--
Matt Johnson

On Sun, Aug 25, 2013 at 10:20 AM, Tomasz Rola wrote:
> On Sat, 24 Aug 2013, coderman wrote:
>
> [...]
>> LOVEINT, as excellent in the mind's eye it may be as focal point for
>> outrage,
>> is clearly just the tip of the ice berg.
>
> LOVEINT, excellent cover up for PAEDOINT... Because human nature mixed
> with NSA makes me expect this, too.
>
> Regards,
> Tomasz Rola
>
> --
> ** A C programmer asked whether computer had Buddha's nature. **
> ** As the answer, master did "rm -rif" on the programmer's home**
> ** directory. And then the C programmer became enlightened... **
> ** **
> ** Tomasz Rola mailto:tomasz_r...@bigfoot.com **
Re: [liberationtech] FW: NSA Admits: Okay, Okay, There Have Been A Bunch Of Intentional Abuses, Including Spying On Love Interests | Techdirt
On Sat, Aug 31, 2013 at 4:10 PM, Matt Johnson wrote:
> Tomasz, you seem to have a dark view of human nature.

some may argue willingly participating in and furthering an illegal, global surveillance infrastructure is a character flaw consistent with other morally objectionable behavior ;)

> ... On the other
> hand, if this were happening, would we ever find out?

in the case of MI5 agent Geoffrey Prime it was the local police:

"""
The case that really shocked Mrs Thatcher was the traitor Geoffrey Prime. In the 1970s he had worked at the top secret listening centre GCHQ and had been selling all it's secrets to the Russians. And yet again it wasn't MI5 who uncovered his treachery - it was the local police in Cheltenham.

In 1982 a policeman came to his house enquiring about his car - a rather distinct two-tone brown and white Mk IV Cortina - a which had been seen in the vicinity of an assault on a young girl. Prime told the policeman that he had been at home all day. But that evening he and his wife Rhona went for a drive to the top of Cleeve Hill. As they sat in the twilight Prime told Rhona that he was the man the police were looking for. And not only that, he was also a Russian spy.

Here is part of a very powerful interview Rhona Prime gave to the BBC where she describes that day - and what she then did.

Prime was a paedophile - and had used spying techniques to monitor the activities of thousands of young girls around Cheltenham. He had created a vast set of index cards which showed when the girls were most likely to be alone at home. He then went round to their houses in his two tone Cortina and sexually assaulted them.
"""

http://www.bbc.co.uk/blogs/adamcurtis/posts/BUGGER
Re: [liberationtech] FW: NSA Admits: Okay, Okay, There Have Been A Bunch Of Intentional Abuses, Including Spying On Love Interests | Techdirt
On Sat, 31 Aug 2013, Matt Johnson wrote:
> Tomasz, you seem to have a dark view of human nature.

Yes. This is learnt attitude. I realize there is nothing to be proud of, but you know what, once I adopted it, I've got pleasant surprises. Maybe not so many in absolute numbers, but still, infinitely more than I have expected :-).

> On the other hand, if this were happening, would we ever find out?

Someone, some day, certainly, or maybe, will.

Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature. **
** As the answer, master did "rm -rif" on the programmer's home**
** directory. And then the C programmer became enlightened... **
** **
** Tomasz Rola mailto:tomasz_r...@bigfoot.com **
Re: [liberationtech] Sociological studies of covert mass-surveillance organisations
This isn't exactly what you're looking for, but an alleged anonymous TSA screener started a blog. I think that some of the details, such as the fact that they allegedly have acronyms for bogus bag checks designed to inconvenience passengers who are "difficult" speaks volumes.

http://boingboing.net/2012/12/21/anonymous-tsa-insider-blog.html

- Greg

On 8/31/13 2:14 AM, Luis Felipe R. Murillo wrote:
> On 08/30/2013 01:54 PM, Yosem Companys wrote:
>> From: Caspar Bowden
>>
>> I realize this is an improbable request (I think), but is anyone
>> aware of any Surveillance Studies research on the organisations
>> conducting *covert/secret* mass-surveillance (a "securitocracy")
>>
>> many thanks any pointers
>
> I am not particularly familiar with this literature, but I know of a
> few pointers.
>
> This seminar in Brazil brought together researchers studying
> surveillance and social control. They had three panels of interest
> ('Internet and Surveillance', 'New Technologies of Surveillance', and
> 'Institutional Surveillance'):
>
> http://www2.pucpr.br/ssscla/
>
> These two references are central in the debate (so Caspar must be
> super familiar with them):
>
> - Foucault, Michel. "Discipline and Punish" (redefining the debate on
> the nature of power and the nature of state power):
> http://www.foucault.info/documents/disciplineandpunish/foucault.disciplineandpunish.panopticism.html
>
> - Deleuze, Gilles. "Society of Control" (updating Foucault's treatment
> of surveillance to the contemporary 'society of control'):
> http://www.nadir.org/nadir/archiv/netzkritik/societyofcontrol.html
>
> best!
> luisfelipe.
[liberationtech] Is Silent Circle open-source yet?
Periodic reminder that despite promises and people's positive emotional investments in Phil Zimmermann, Silent Circle is still not open source.

http://issilentcircleopensourceyet.com

We need an IsHemlisOpenSourceYet.com