Re: [liberationtech] Crowdsourcing in Policy-Making: The Impact of Blended Expert

2013-09-28 Thread fiorella de cindio
for those who cannot attend this seminar and the other scheduled in
October and after, it would be great to have the podcast and/or slides
available online.

thanks
-- fiorella de cindio

liberationtech liberationtech@lists.stanford.edu writes:
Crowdsourcing in Policy-Making: The Impact of Blended Expertise on
Law-Making Process  

When: October 3, 2013 / 4:30 p.m. - 6:00 p.m.

Host: Center for Democracy, Development, and the Rule of Law, CDDRL Seminar
Series

Featuring: Tanja Aitamurto, Stanford University

Location: Wallenberg Hall, 450 Serra Mall, Building 160, Stanford, CA
94305-2055

More: [
http://r20.rs6.net/tn.jsp?e=0015E8HU5E8sGA-MRkqyHr7rVtXtCsSDYbsznDEP1klu4KVddtGprajH1aW9JBz-c9QEYetPVnpaViiMCMYvW8tKQxkzFBNJ79aJkhWtDNKZFTVQ0hWYHHnqQBjOAcQIMFXNayD1iJvE1Zn9ADZNPFZiEUJRCaGbeiE0GCebBvQoZqmtnPWAhhTAzxyoeGBAkOZ-V2g65r7o1BfOVSalIWJLhgYPZ
Gz1suEDZAJQFupWJDhdKVYL0v6CsUAtBXHtC7fWzHSKJrbXi8= ]Website

-- 
Liberationtech is public & archives are searchable on Google. Violations
of list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech.
Unsubscribe, change to digest, or change password by emailing moderator
at compa...@stanford.edu.


==
Fiorella De Cindio
associate professor
University of Milan
Computer Science Department
via Comelico 39/41
I20135 MILANO (Italy)
tel. +39-02-5031 6288 (direct) 6327 (lab)
email: fiorella.decin...@unimi.it
http://eng.di.unimi.it/ecm/home/research/milan-laboratories/civic-informatics-laboratory



[liberationtech] Chokepoint Project News - DNShonest + World Bank

2013-09-28 Thread i...@chokepointproject.net

Chokepoint Project News : 28/9/13

Hello all,

Please allow us to take a few moments of your time and show you
what we've been up to. Don't worry, you have NOT been registered
anywhere and will NOT have to do anything to never hear from us
again. (More about that at the end of this text.)

We have been making steady progress behind the scenes and are
very happy to finally be able to show off some of our hard work:


DNShonest

We have integrated the DNShonest remote DNS probing tool created by
Joss Wright of the Oxford Internet Institute into Chokepoint Project's
Structured Human Rights Analytics platform.

This allows us to do a number of things :

1. See for each Domain Name Server if it lies about the domains
we ask it about.

2. See which Autonomous Systems contain DNS servers that lie
about domains

3. See who owns the Autonomous Systems that contain lying DNS
systems


This iteration is testing a small set of domain servers (200) in
China for replies given to a small set of domains (180). We are
running the probe every hour which results in a little less than
18000 queries. The results are then tested for suspicious
replies, which in turn are tested for states of "lying",
"probably lying" and "maybe lying". From these results
statistics are generated which are visualized on our public
dashboard.

Country page : https://beta.chokepointproject.net/country/CN?show=2013-09-21
Worldmap : https://beta.chokepointproject.net/

"Lying" is a big claim, and in this case it explicitly means that
a reply given by a domain name server is not the reply it should
give. We have tried to avoid false positives as much as
possible, first identifying suspicious replies, after which
additional probes aid in determining if something is a lie or
not.

More information is available at https://beta.chokepointproject.net/about


Worldbank :

In this release we also show a visualization of a selection of
Worldbank data, this is intended primarily to provide some basic
contextual insight into the country for which data is presented.
In the case of China, the internet usage in 2011 (most recent
Worldbank statistic) was 38.4% of the country. In the context of
the DNShonest results this means that 61.6% of the Chinese
population is unaffected by these lying DNS servers. Of course
the internet usage will have increased somewhat over the past 21
months, so this conclusion should not be seen as representative
of the current situation.




What's next?

Well, a lot. First of all, we will start rolling this out to all
countries and increase both the number of servers tested and the
numbers of domains tested. Additionally, we can already see
improvements to the dashboard visualizations that should be
made.


Thanks

Many thanks are in order for the Internet Protection Lab who provided
some sorely needed funding out of a donation made by the Dutch .nl
registrar SIDN.


If you like our work so far, please consider throwing a
little funding our way. Any amount, no matter how large will
help us build more, faster and shinier tools (and pay the rent
on our cardboard box sub-basement walk-downs.) https://chokepointproject.net/donate/


About this mail :

Please note that this mail is NOT a newsletter (yet). You have
NOT been registered anywhere by us. You are receiving this mail
because you probably met one of our team somewhere in the world
and handed out your card. If you WANT to receive updates from us
in the future, please subscribe here https://chokepointproject.net/newsletter/.
Do nothing and you will never hear from us again. (Not through
this medium at least)


For more information :

email i...@chokepointproject.net
website https://chokepointproject.net/
follow us on twitter https://twitter.com/ChokePointP


  

  


Re: [liberationtech] Crowdsourcing in Policy-Making: The Impact of Blended Expert

2013-09-28 Thread Tanja Aitamurto
Hi Fiorella, I'll probably publish the slides on Slideshare after the
preso. I don't know if there will be a podcast, will check that out
Thanks for your interest!
best,
Tanja


-- 
www.tanjaaitamurto.com

Studying the Open X at Stanford: crowdsourcing, crowdfunding, open
innovation, open data.

[liberationtech] SaferScript (Rough draft)

2013-09-28 Thread Scott Arciszewski
Hey LiberationTech,

I was going to try to polish this idea and develop it, but it's probably
better off being developed by people with experience developing Firefox
addons and/or who understand PKI in-and-out. Also, due to complications in
my own life, I do not have the time or energy to invest in such an
undertaking.

I've previously shared this with Micah Lee of the EFF and his friend
Garrett.

This is just a very rough draft. If anyone wants to take this up as a FOSS
project, feel free; I only ask that Taylor and I be mentioned somewhere in
the credits.


SaferScript (The name is negotiable)

Making Javascript Safer, Preventing XSS Payloads
@voodooKobra (Scott Arciszewski)
Further suggestions by @DefuseSec (Taylor Hornby)

WHAT IS IT?
  An optional way to configure only digitally signed Javascript for websites
  set up to use it.

COMPONENTS
  o Browser plugin (Firefox at first, eventually Chrome & Opera?)
  o Netbeans plugin (for developers)
  o CLI Program (integrates with gnupg) for the server
  o Source file on the server
  o Publicly accessible whitelist file
  o Network of notaries which audit the signed whitelists to detect abuse

THE BROWSER PLUGIN
  For security-conscious users, the SaferScript browser plugin would request
  a whitelist of .js files (and their sha256 checksums), which should be
  signed by the developer's GPG private key.

  (Note: In case SHA-256 is ever broken it needs to be able to support other
  hash functions, such as the SHA-3 family, Whirlpool, and RIPEMD.)

  If we do not know the public key, we will request it from the server and
  check with notaries that the user trusts that they see the same key. If
  the website has been queried before, the notary will also compare the
  public key it received with the one archived.

  The code will then verify the signature of the whitelist. If it matches,
  then each .js file will be downloaded and their checksums will be verified
  before they are loaded into memory. If any of their checksums doesn't
  match, then that .js file is not loaded and the user is notified.

  For public key verification, the browser will then send an SHA-256 digest
  of the whitelist to a notary. If the notary does not have a record of that
  whitelist, our network will request the whitelist and compare the digest
  with the one submitted by the user. If it doesn't match, the user is
  notified and they fail back to a copy that was signed and stored in the
  public record.

  If the signature matches but it is an updated version of the Javascript
  (and the notary has cached a copy of the same whitelist), the user will be
  notified of the change and asked if they wish to examine the differences
  between the old version and the new version. (This can be turned off for
  non-tech-savvy users; all changes that any user experiences should be
  mirrored on the notaries, assuming they have opted in.)

  No other Javascript will load. Even inline function calls (onClick= etc)
  will have to be rewritten as $("#objectID").click( function() { });

  If the GPG signature doesn't match, NO Javascript will load for the entire
  domain until the developer updates the signed whitelist with new checksums
  and an updated signature.

  Two further levels of paranoia will also be available: If a .css file is
  specified in the whitelist, no other stylesheet changes (outside of those
  made by trusted Javascript) will be registered. Additionally, if a .png,
  .jpg, .gif (etc) file is listed, all other images will be blacklisted.
  These paranoid modes are entirely optional and suited to self-contained
  apps rather than content portals that depend on user-generated content.

  Notaries are selected when a user
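
The plugin-side checks described in the draft above (verify the whitelist signature, then each script's checksum, and block everything on a bad signature), as an added example that is not part of the original post or the authors' code. It assumes an Ed25519 detached signature in place of the GPG signature and a hypothetical JSON whitelist layout; the notary checks are not modelled.

```javascript
// Added example, not code from the original post. Node.js standard library only.
// Assumptions: an Ed25519 detached signature stands in for the GPG signature the
// draft specifies; the JSON whitelist layout and every name here are hypothetical.
const crypto = require("node:crypto");

// Hash agility, per the draft's note that SHA-256 must be replaceable.
const SUPPORTED_HASHES = new Set(["sha256", "sha3-256"]);
const digest = (alg, data) => crypto.createHash(alg).update(data).digest();

// Developer side: record a checksum per script, then sign the serialized list.
function buildSignedWhitelist(files, privateKey, alg = "sha256") {
  const scripts = {};
  for (const [path, body] of Object.entries(files)) {
    scripts[path] = { alg, hex: digest(alg, body).toString("hex") };
  }
  const whitelist = Buffer.from(JSON.stringify({ scripts }), "utf8");
  return { whitelist, signature: crypto.sign(null, whitelist, privateKey) };
}

// Plugin side: returns which fetched scripts may load and why others may not.
function decideScripts(signed, publicKey, fetched) {
  const paths = Object.keys(fetched);
  let signatureValid = false;
  try {
    // Verify the exact bytes received before parsing anything out of them.
    signatureValid = crypto.verify(null, signed.whitelist, publicKey, signed.signature);
  } catch {
    signatureValid = false; // malformed signature or key counts as a failure
  }
  if (!signatureValid) {
    // Draft rule: a bad signature means NO Javascript for the entire domain.
    const blocked = paths.map((path) => ({ path, reason: "bad-signature" }));
    return { signatureValid, allowed: [], blocked };
  }
  const { scripts } = JSON.parse(signed.whitelist.toString("utf8"));
  const allowed = [];
  const blocked = [];
  for (const path of paths) {
    const listed = Object.prototype.hasOwnProperty.call(scripts, path);
    if (!listed) {
      blocked.push({ path, reason: "not-whitelisted" });
    } else if (!SUPPORTED_HASHES.has(scripts[path].alg)) {
      blocked.push({ path, reason: "unsupported-hash" });
    } else {
      const want = Buffer.from(scripts[path].hex, "hex");
      const got = digest(scripts[path].alg, fetched[path]);
      const same = want.length === got.length && crypto.timingSafeEqual(want, got);
      if (same) allowed.push(path);
      else blocked.push({ path, reason: "checksum-mismatch" }); // user is notified
    }
  }
  return { signatureValid, allowed, blocked };
}

// Constructed sample data: two whitelisted scripts, one altered in transit,
// plus one injected script that the developer never listed.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const site = { "/js/app.js": "init();", "/js/util.js": "function u(){}" };
  const signed = buildSignedWhitelist(site, privateKey);
  const fetched = { ...site, "/js/util.js": "function u(){/*altered*/}", "/js/ad.js": "x()" };
  return decideScripts(signed, publicKey, fetched);
}
console.log(demo());
```
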

Re: [liberationtech] SaferScript (Rough draft)

2013-09-28 Thread Scott Arciszewski
That is /ugly/ as heck. Sorry.

https://defuse.ca/b/MQrZXLiE - link valid for 6 months



Re: [liberationtech] SaferScript (Rough draft)

2013-09-28 Thread Griffin Boyce
  Have you considered putting your notes and code somewhere online, such
as GitHub?  It would be a lot easier to get feedback and make public
changes there.

~Griffin


-- 
Cypherpunks write code not flame wars. --Jurre van Bergen
#Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de

My posts are my own, not my employer's.



Re: [liberationtech] SaferScript (Rough draft)

2013-09-28 Thread Scott Arciszewski
I'm giving the idea away. I don't have any code written, just that rough
draft. I was hoping to get feedback and suggestions from a few people so I
could make a solid idea, then move forward with making it a reality, but
life's demands are getting in the way of ambition.

Feel free to post it wherever you'd like. I'll probably copy & paste it
to pastebin and a few other places for the sake of keeping it accessible.


[liberationtech] Snowden for the Sakharov Prize

2013-09-28 Thread Yosem Companys
From: Erik JOSEFSSON erik.josefs...@europarl.europa.eu

Dear all,

It takes time for the political machinery in the European Parliament to
process Snowden's revelations.

If you want to help speed that process up, please consider to tweet,
mail and blog about the nomination of Snowden for the Sakharov Prize.

*The decisive vote on candidates is on Monday 30 September.*

Article19 article:
http://www.article19.org/join-the-debate.php/111/view/

DFRI letter to MEPs:
http://article.gmane.org/gmane.org.user-groups.dfri/765

Private tweet:
https://twitter.com/erikjosefsson/status/383502328407400449

Best regards.

//Erik

--
Erik Josefsson
Advisor on Internet Policies
Greens/EFA Group
http://www.greens-efa.eu/36-details/josefsson-erik-138.html
GSM: *+32484082063*
BXL: PHS 04C075 TEL: +3222832667
SBG: WIC M03005 TEL: +33388173776