[liberationtech] ChatSecure (Gibberbot!) v12 for Android is out

2013-10-24 Thread Nathan of Guardian
"The Guardian Project’s award-winning open-source app “Gibberbot” for
Android, has been rebranded to “ChatSecure” for its version 12 release,
unifying the branding with the iPhone and iPad apps, while offering
major updates in security from the device through the network."

Announcement is online at:
https://guardianproject.info/2013/10/24/chatsecure-v12-provides-comprehensive-security-and-a-whole-new-look/

Highlights for the folks here... some interesting new features,
addressing the types of threats, risks, and needs for trainers and
support organizations that are part of this list.

- Ability to sync desktop OTR keys and verified fingerprints from
Pidgin, Adium, Jitsi etc to Android using new KeySync utility

- Support for creating "burner" accounts directly from the app,
completely over Tor on services like Dukgo.com or Jabber.ccc.de

- Full local data encryption and app locking, end-to-end message
encryption, and hardened TLS/SSL connections

- Ability to work without the internet or blocked hosts, using
Bonjour/LAN chat, on a mesh, wifi "phone tether" network, or just by
plugging in a cheap wifi box in the middle of nowhere

- Encrypted file sharing tunneled inside the OTR encryption session

- A "Panic" button for quick app kill, uninstall and wipe of local
encrypted database

... and some solid steps forward on usability, look and feel and
overall friendliness, including more emoji smileys than you could ever
want or need.

If you want to know more, we'll be hosting open office hours this
Friday via IRC chat, OStel calls, and Google Hangouts.

Best,
 Nathan and the Guardian Project crew

-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.


Re: [liberationtech] Randomize MAC of Android phone?

2013-10-24 Thread Timur Mehrvarz
On 21.10.2013 01:53, coderman wrote:
> On Sat, Oct 19, 2013 at 2:32 AM, Jerzy Łogiewa  wrote:
>> ...
>> Is it possible to randomize wifi MAC of Android phone on power up?
> 
> this works for most wifi devices if you have root; just modify init
> scripts to ifconfig hw ether a random mac (you can do this in shell).

'ifconfig wlan0 hw ether' is working well on my Linux laptop.

But it does not work at all with any of my (many) Android devices. I
usually see "SIOCSIFHWADDR: operation not supported" and I am unable to
connect to any AP until I reboot and try again with the original MAC
address.

Has anybody ever successfully changed the MAC of, say, a Galaxy Nexus
device?


Re: [liberationtech] ChatSecure (Gibberbot!) v12 for Android is out

2013-10-24 Thread Ben Laurie
On 24 October 2013 08:01, Nathan of Guardian
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
> "The Guardian Project’s award-winning open-source app “Gibberbot” for
> Android, has been rebranded to “ChatSecure” for its version 12 release,
> unifying the branding with the iPhone and iPad apps, while offering
> major updates in security from the device through the network."

Can you explain why it needs these permissions:

use accounts on the device
find accounts on the device
view configured accounts
add or remove accounts

?


[liberationtech] Fwd: Firefox OS: What it is - and what it means for you and your union

2013-10-24 Thread Yishay Mor
Any thoughts on this?
___
   http://www.yishaymor.org
learning; design; technology; research


-- Forwarded message --
From: LabourStart 
Date: 24 October 2013 11:11
Subject: Firefox OS: What it is - and what it means for you and your union
To: yish...@gmail.com


 Coming soon to your country.

[image: Firefox OS book cover.]

Back in 1993 I was asked to look into how unions were using computer networks
and email.

The result was my 1996 book on the labour movement and the internet -- and
after that, LabourStart.

Twenty years on and I've been looking into how we in the trade union
movement use the new communications tools -- smartphones and tablets -- and
the result is a new book I've just co-authored with Jeremy Green, "Firefox
OS for Activists".

*Firefox what?*

Chances are you've heard of the iPhone and iPad, and probably Android
phones and tablets too. Maybe you even own one of these devices.

You may even know about Blackberry and Microsoft phones and tablets --
though they haven't made much headway in the fight against the two giants,
Apple and Google.

Firefox OS is part of a new breed of alternative, open source mobile
operating systems that aim to take on the big corporations.

It's been created by the non-profit Mozilla Foundation and in our view,
it's a very big deal.

Firefox OS phones are already available for sale in a number of countries
(Spain, Germany, a few Latin American countries) and will soon be available
where you live.

They're extremely cheap, and making apps that run on them is cheaper and
easier than doing them for Apple and Android products.

Firefox OS is part of a broader open source revolution that includes such
things as the Ubuntu Touch project -- and even Fairphone, the first attempt
to create an "ethical" mobile phone that, among other things, respects
workers' rights.

You can read more about our book, see the full table of contents, and even
read a sample chapter here:

http://www.labourstart.org/firefoxos

I hope you'll find it of interest and will order copies for yourself and
your union.

Remember that every copy you purchase helps LabourStart's campaigning
activities.

Thanks.



Eric Lee
 *Copyright © 2013 LabourStart, All rights reserved.*

[liberationtech] Cyber Dialogue video short

2013-10-24 Thread Ronald Deibert
Hi LibTech

Here's a video short that was produced by Citizen Lab's Masashi Crete-Nishihata
and Eric Pedicielli that draws from discussions at our last year's Cyber
Dialogue event (event details are here: http://cyberdialogue.ca). It was shown
at a couple of workshops at this week's IGF in Bali, where we are holding
follow up dialogues.

Video short is here:
http://vimeo.com/77650794

Cheers
Ron



Ronald Deibert
Director, the Citizen Lab 
and the Canada Centre for Global Security Studies
Munk School of Global Affairs
University of Toronto
(416) 946-8916
PGP: http://deibert.citizenlab.org/pubkey.txt
http://deibert.citizenlab.org/
twitter.com/citizenlab
r.deib...@utoronto.ca




Re: [liberationtech] [guardian-dev] Randomize MAC of Android phone?

2013-10-24 Thread Timur Mehrvarz
On 24.10.2013 13:57, Alvin Schurman wrote:
> You might try this:
> 
> https://github.com/poliva/random-scripts/blob/master/android/change-mac-nexus4.sh
> 
> It changes the mac by manipulating /data/misc/wifi/ info.
> 
> Let me know if it works.  I altered and cross compiled macchanger for a
> rooted phone and that didn't work for me either.

This N4 hack seems to be the one working exception. However,
"WCNSS_qcom_cfg" is highly device specific. So this hack will not work
with other devices. And will it still work under 4.4?

The Android Wifi kernel drivers seem to not implement the functionality
behind 'ifconfig wlan0 hw ether' (what is behind the ioctl call being
used by ifconfig). So, it looks like 'root' alone does not give you the
ability to modify the MAC in any generic way. You will need to patch
your kernel - and all the other kernels as well.



Re: [liberationtech] ChatSecure (Gibberbot!) v12 for Android is out

2013-10-24 Thread Axel Simon

On 2013-10-24 12:01, Ben Laurie wrote:
> On 24 October 2013 08:01, Nathan of Guardian wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> "The Guardian Project’s award-winning open-source app “Gibberbot” for
>> Android, has been rebranded to “ChatSecure” for its version 12 release,
>> unifying the branding with the iPhone and iPad apps, while offering
>> major updates in security from the device through the network."
>
> Can you explain why it needs these permissions:
>
> use accounts on the device
> find accounts on the device
> view configured accounts
> add or remove accounts
>
> ?


I believe it is because ChatSecure adds its own account on the device, 
likely to enable linking with people in your usual address book.

But I'll let Nathan answer that in more detail. :)

Great stuff otherwise, congratulations to the Guardian Project!

Any chance it will appear soon in the Guardian Project f-droid repo?
It doesn't seem to be there now: gibberbot-latest.apk 19-Aug-2013 12:33 
4.0M at https://guardianproject.info/repo/


Cheers

axel


--
Axel Simon

--
mail/jabber/gtalk: axelsi...@axelsimon.net
twitter / identi.ca: @AxelSimon
--

Re: [liberationtech] ChatSecure (Gibberbot!) v12 for Android is out

2013-10-24 Thread Nathan of Guardian


Ben Laurie  wrote:
>On 24 October 2013 08:01, Nathan of Guardian
> wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>>
>> "The Guardian Project’s award-winning open-source app “Gibberbot” for
>> Android, has been rebranded to “ChatSecure” for its version 12 release,
>> unifying the branding with the iPhone and iPad apps, while offering
>> major updates in security from the device through the network."
>
>Can you explain why it needs these permissions:
>
>use accounts on the device
>find accounts on the device
>view configured accounts
>add or remove accounts

ChatSecure can utilize your existing, pre-authorized Google Account on your 
device to sign into Google Talk / Hangouts chats without requiring you to enter 
in your password again. This makes using the app with accounts that have 2-step 
auth enabled quite easy, not requiring a cumbersome application password etc.

The user is prompted once to grant permission for the app to do so before any 
sensitive credentials are revealed. We really only need view/read account 
permission, but there are not fine grain enough permissions to do so in the 
Android API.

As a side note, we have begun exploring using the remove account permission as 
part of the Panic feature, allowing the user to both remove the app, and 
temporarily disable access to their Google account from their phone in two taps.

Thanks for taking a look!


Re: [liberationtech] ChatSecure (Gibberbot!) v12 for Android is out

2013-10-24 Thread Nathan of Guardian


Axel Simon  wrote:
>I believe it is because ChatSecure adds its own account on the device, 
>likely to enable linking with people in your usual address book.
>But I'll let Nathan answer that in more detail. :)

We do not actually support that yet in this app, but are doing so with our 
GnuPG for Android app.

>
>Great stuff otherwise, congratulations to the Guardian Project!
>
>Any chance it will appear soon in the Guardian Project f-droid repo?
>It doesn't seem to be there now: gibberbot-latest.apk 19-Aug-2013 12:33

Yes, today! Our update process for our own repo is a bit cumbersome at the 
moment. Will have it updated today in our repo, and work to ensure f-droid.org 
also is up to date.

+n


Re: [liberationtech] [SPAM:###] Re: Google Unveils Tools to Access Web From Repressive Countries | TIME.com

2013-10-24 Thread Jillian C. York
Thanks Adam,

I appreciate your note, and I'm glad to hear what you have to say.

Forgive me, but I don't agree with you that everyone at Google Ideas shares
our goals.  Look into some of the other work that Jared Cohen does and it
becomes apparent that for him and his ilk, human rights concerns only exist
within dictatorships, not democracies.  Some of his colleagues have put
people I know directly at risk, and that I cannot forgive easily.

So while I'm glad to see that Lantern is behind this, I'm deeply
disappointed to see Cohen's involvement.

Best,
Jillian


On Tue, Oct 22, 2013 at 11:44 PM, Adam Fisk wrote:

> Hi Everyone-
>
> First off, apologies for the radio silence. My libtech reading has
> decreased in direct proportion to the volume of traffic, which seems in
> turn to have increased in direct proportion to my personal volume of work,
> so I'm a bit late to the game. To provide some context, over at Brave New
> Software we're still primarily focused on Lantern and have been rolling out
> a series of 1.0.0 beta releases we would greatly
> appreciate everyone's feedback on. We've been trying hard to improve our
> documentation, and all of our code is of course open source with
> an ever improving body of more detailed documentation we're
> in the process of migrating.
>
> That said, we have been involved with UProxy since
> the earliest stages and have written some of the code, but with the
> University of Washington and Google Ideas really doing the heavy lifting.
> We do, however, strongly believe in the potential of WebRTC to provide both
> interesting cover traffic as well as usability improvements that come as a
> result of reusing technology already built into the browser. One of the
> primary goals of both Lantern and UProxy is to build solutions that can
> scale to a large number of users without incurring unsustainable costs, and
> allowing ordinary users to provide access easily is a huge part of that
> effort. Another really vital aspect to both Lantern and UProxy is blocking
> resistance, and particularly the idea that trust networks are a promising
> path forward in that regard. I think we're seeing this now with private Tor
> networks where bridges are distributed through trusted contacts, and that's
> exactly what we're after with both Lantern and UProxy.
>
> I will say that I completely agree with both the criticisms on some of the
> messaging and with the security approach (which applies to both uproxy and
> Lantern), and I'll elaborate on that. At BNS we have not controlled any of
> the messaging, but as you said Roger, the following:
>
> > It's completely encrypted and there's
> > no way for the government to detect what's happening because it just
> > looks like voice traffic or chat traffic.
>
> is a gross overstatement. I'm personally of the belief that the above is
> simply not possible or at the very least extremely hard and unsolved, as I
> think we've discussed a bit in person with regard to the efforts to
> disguise Tor traffic as Skype traffic. I'm not sure I've ever said this
> directly, but I'll say now publicly that you're one of the technologists I
> personally hold in the highest possible regard, and I always welcome any
> criticisms you may have. You've also given Lantern really valuable advice
> from its earliest days, which I really appreciate. The above quote I think
> is an unfortunate combination of a limited understanding of the technology
> and conversation with a reporter who will pick the juiciest sound bites,
> but it's clearly incorrect and just dangerous.
>
> I also quickly wanted to also acknowledge Sascha's excellent point about
> trust network mapping:
>
> > I would be more concerned with adversary externally
> > observing the connections, seeing that a group of people from within
> > country X are connecting to the same ip in country Y , thus relating
> > those people in that group as sharing a node in a social graph, so to
> > each other, while they might not have seen them as related before..
>
> This is a concern that was discussed at some length yesterday at the
> Google Ideas Summit, and it's a really astute observation others have also
> made, most recently at CTS in Berlin. With Lantern it's considerably less
> of an issue because Lantern uses Kaleidoscope to
> also share connections of contacts who are not direct friends, in Lantern's
> case up to four degrees away. While that raises its own concerns in terms
> of proxying through essentially total strangers (again with blocking
> resistance as the goal), it does mitigate against social network mapping
> attacks. In both the UProxy and Lantern cases, however, there is more
> thought and research to be done, as it's not immediately obvious how
> significant it i

Re: [liberationtech] [guardian-dev] Randomize MAC of Android phone?

2013-10-24 Thread Alvin Schurman
You might try this:

https://github.com/poliva/random-scripts/blob/master/android/change-mac-nexus4.sh

It changes the mac by manipulating /data/misc/wifi/ info.

Let me know if it works.  I altered and cross compiled macchanger for a
rooted phone and that didn't work for me either.
On Oct 24, 2013 5:52 AM, "Timur Mehrvarz"  wrote:
>
> On 21.10.2013 01:53, coderman wrote:
> > On Sat, Oct 19, 2013 at 2:32 AM, Jerzy Łogiewa wrote:
> >> ...
> >> Is it possible to randomize wifi MAC of Android phone on power up?
> >
> > this works for most wifi devices if you have root; just modify init
> > scripts to ifconfig hw ether a random mac (you can do this in shell).
>
> 'ifconfig wlan0 hw ether' is working well on my Linux laptop.
>
> But it does not work at all with any of my (many) Android devices. I
> usually see "SIOCSIFHWADDR: operation not supported" and I am unable to
> connect to any AP until I reboot and try again with the original MAC
> address.
>
> Has anybody ever successfully changed the MAC of, say, a Galaxy Nexus
> device?
>

Re: [liberationtech] [guardian-dev] Randomize MAC of Android phone?

2013-10-24 Thread coderman
On Thu, Oct 24, 2013 at 5:23 AM, Timur Mehrvarz
 wrote:
> ...
> The Android Wifi kernel drivers seem to not implement the functionality
> behind 'ifconfig wlan0 hw ether' (what is behind the ioctl call being
> used by ifconfig).


i've had success with HTC, LG, and Samsung devices. less so with
Motorola or newer hardware.

this is not really the kernel itself, but rather the wifi chipset - a
new kernel on the devices you're having trouble with won't fix this
ioctl.

unfortunately this problem is getting worse, not better.


best regards,
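
The `ifconfig ... hw ether` approach discussed in this thread, as an added shell example (not code from any poster, and not the linked change-mac-nexus4.sh script): it generates a random unicast, locally administered MAC and puts the original address back when the driver refuses the change, as with the "SIOCSIFHWADDR: operation not supported" error quoted above. The function names, the `wlan0` default and the `/sys/class/net/<iface>/address` path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# Assumes root, a Linux-style ifconfig, and /sys/class/net/<iface>/address.

# Print a random MAC whose first octet is unicast and locally administered.
random_mac() {
    # Six random bytes as two-digit lowercase hex words.
    set -- $(od -An -N6 -tx1 /dev/urandom)
    # Clear bit 0 (multicast) and set bit 1 (locally administered) so the
    # address is valid for a station and cannot match a vendor-assigned one.
    first=$(( (0x$1 & 0xfc) | 0x02 ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Succeed only for a lowercase aa:bb:cc:dd:ee:ff address with those two bits
# as above, i.e. the second hex digit of the first octet is 2, 6, a or e.
is_private_unicast_mac() {
    h='[0123456789abcdef]'
    case "$1" in
        $h[26ae]:$h$h:$h$h:$h$h:$h$h:$h$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Try to set a random MAC on the interface; verify the driver really took it,
# otherwise attempt to restore the original address and bring the link up.
apply_random_mac() {
    iface=$1
    orig=$(cat "/sys/class/net/$iface/address") || return 2
    new=$(random_mac)
    is_private_unicast_mac "$new" || return 2

    ifconfig "$iface" down || return 2
    if ifconfig "$iface" hw ether "$new" 2>/dev/null; then
        ifconfig "$iface" up
        # Some drivers accept the ioctl but keep the old address: re-read it.
        now=$(cat "/sys/class/net/$iface/address")
        if [ "$now" = "$new" ]; then
            echo "$iface: $orig -> $new"
            return 0
        fi
    fi

    # Driver or chipset rejected the change: try to put the original back.
    ifconfig "$iface" hw ether "$orig" 2>/dev/null
    ifconfig "$iface" up
    echo "$iface: MAC change not supported by driver, kept $orig" >&2
    return 1
}

# Only touch an interface when asked to: sh script.sh --apply wlan0
if [ "${1:-}" = "--apply" ]; then
    apply_random_mac "${2:-wlan0}"
fi
```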


Re: [liberationtech] [SPAM:###] Re: Google Unveils Tools to Access Web From Repressive Countries | TIME.com

2013-10-24 Thread Adam Fisk
Thanks for the note Jillian, and I fully admit I have a tendency to be a bit
overly optimistic about these things and perhaps have too much faith in the
ability of corporations to ultimately be productive partners. There's an
inherent misalignment of incentives that is problematic outside of the
individuals involved. I think your skepticism is essential and all of our
continued vigilance warranted. That said, I know the rest of the uProxy
team itself is aware and even wary of these issues, so I think you're right
to point out that painting all of Google Ideas with the same brush is
dangerous. I only know a tiny sliver of Google Ideas well, and that's the
uProxy team, but I can certainly attest to the uProxy team's recognition of
the complexity involved from a larger political perspective and even from
the perspective of Google's involvement.

The only ultimate hedges here are structural, of course, and I think it
will help a great deal when the uProxy GitHub repository is opened up to
the public. I want to emphasize again that the University of Washington and
Google Ideas really did the heavy lifting on uProxy, with the BNS not
contributing as much as we'd like primarily because we've had our hands
full with Lantern. That's also not an effort to distance ourselves from it
but rather an effort to give credit where credit is due. Working off an
open source repository, however, uProxy has the advantage of a really
strong team of highly skilled engineers with input from other parts of
Google including engineers with more of a security focus as well as from
the highly skilled team over at UW. I think the open source nature of the
project really tips the scales here and makes Google participation
unquestionably a net positive in that they're able to pour resources into
promising technology that everyone in the community can scrutinize. I think
the non-technical aspects are where things have the potential to derail,
but I'm hopeful we can all help prevent that.

That's the report from my window on the world.

-Adam



On Thu, Oct 24, 2013 at 8:00 AM, Jillian C. York wrote:

> Thanks Adam,
>
> I appreciate your note, and I'm glad to hear what you have to say.
>
> Forgive me, but I don't agree with you that everyone at Google Ideas
> shares our goals.  Look into some of the other work that Jared Cohen does
> and it becomes apparent that for him and his ilk, human rights concerns
> only exist within dictatorships, not democracies.  Some of his colleagues
> have put people I know directly at risk, and that I cannot forgive easily.
>
> So while I'm glad to see that Lantern is behind this, I'm deeply
> disappointed to see Cohen's involvement.
>
> Best,
> Jillian
>
>
> On Tue, Oct 22, 2013 at 11:44 PM, Adam Fisk wrote:
>
>> Hi Everyone-
>>
>> First off, apologies for the radio silence. My libtech reading has
>> decreased in direct proportion to the volume of traffic, which seems in
>> turn to have increased in direct proportion to my personal volume of work,
>> so I'm a bit late to the game. To provide some context, over at Brave New
>> Software we're still primarily focused on Lantern and have been rolling out
>> a series of 1.0.0 beta releases we would greatly
>> appreciate everyone's feedback on. We've been trying hard to improve our
>> documentation, and all of our code is of course open source with
>> an ever improving body of more detailed documentation we're
>> in the process of migrating.
>>
>> That said, we have been involved with UProxy since
>> the earliest stages and have written some of the code, but with the
>> University of Washington and Google Ideas really doing the heavy lifting.
>> We do, however, strongly believe in the potential of WebRTC to provide both
>> interesting cover traffic as well as usability improvements that come as a
>> result of reusing technology already built into the browser. One of the
>> primary goals of both Lantern and UProxy is to build solutions that can
>> scale to a large number of users without incurring unsustainable costs, and
>> allowing ordinary users to provide access easily is a huge part of that
>> effort. Another really vital aspect to both Lantern and UProxy is blocking
>> resistance, and particularly the idea that trust networks are a promising
>> path forward in that regard. I think we're seeing this now with private Tor
>> networks where bridges are distributed through trusted contacts, and that's
>> exactly what we're after with both Lantern and UProxy.
>>
>> I will say that I completely agree with both the criticisms on some of
>> the messaging and with the security approach (which applies to both uproxy
>> and Lantern), and I'll elaborate on that. At BNS we have not controlled any
>> of the messaging, but as you said Roger, the following:
>>
>> > It's completely encrypt

Re: [liberationtech] [SPAM:###] Re: Google Unveils Tools to Access Web From Repressive Countries | TIME.com

2013-10-24 Thread Adam Fisk
Now that's what I call a productive, collaborative email. Awesome. Thanks
Roger. Responses inline.

> Yep. I think using trust networks to solve the "how do I learn about a
> proxy to use" question could work well for some (many) users. I haven't
> looked at all the Lantern details lately, but if I had to guess it
> would be Lantern's transport that falls first (to use the phrase from
> one of the pluggable transport researchers who was looking at it today,
> "udt encapsulated tls handshake is really easy to regex").
>

Yup completely agreed. The UDT piece of Lantern is definitely the weak
link, although I will say it's also an interesting weak link in that
there's unlikely to be a censor out there now that can quickly DPI some
pretty weird UDP packets going across the wire at least using currently
available software. Then again, maybe you know something I don't, and maybe
it is possible to apply a global regex rule to all UDP traffic from some of
these boxes (clearly it's possible generally, but is it possible
country-wide *now*?). Lantern does also use TCP when NAT-PMP or UPnP are
working on one of the endpoints, so it's a combination of the two.


> Now the point isn't to guess which part will be the weakest link. Or
> to say "well ok if they write a DPI rule for it we'll fix it then". The
> right goal imo would be to make it so it's easy to switch to the webrtc
> transport, or obfs3, or something else that turns out to not be broken
> at that time, while still using the same discovery mechanism.
>
> In that sense uproxy as I understand it might be described as "the
> lantern discovery mechanism, but with a webrtc transport rather than a
> udt transport".
>

Precisely, albeit with the TCP caveat above.


> > I think we're seeing this now with private Tor
> > networks where bridges are distributed through trusted contacts, and that's
> > exactly what we're after with both Lantern and UProxy.
>
> Just to clarify, it isn't private Tor networks. It's one big public
> Tor network (everybody needs to use the same one for anonymity),
> but private bridges. (Bridges are basically unlisted relays
> that let you use as your first hop to reach the public relays:
> https://www.torproject.org/docs/bridges )
>

Excellent point.


>
> > The above quote I think
> > is an unfortunate combination of a limited understanding of the technology
> > and conversation with a reporter who will pick the juiciest sound bites,
> > but it's clearly incorrect and just dangerous.
>
> Right -- I think we're all getting more experience than we'd like this
> year talking to journalists whose deadline is "in four hours" and who
> have no interest in actually learning about the issues. :/
>

Umm, yeah. I need to learn to STFU =).


>
>
> Preventing or slowing the 'social network mapping' attack is an important
> goal.
>
> But this discussion also reminds me a lot of the "Zig-zag between bridges
> and users" attack:
>
> "Start with a set of known bridge addresses. Watch your firewall to
> see who connects to those bridges. Then watch those users, and see what
> other addresses they connect to. Wash, rinse, repeat."
>
> You can read more about it as attack #10 at
>
> https://blog.torproject.org/blog/research-problems-ten-ways-discover-tor-bridges
>
> In the Lantern / uProxy case I could probably speed the attack by feeding
> users a cookie on one of the censored websites (or a component the
> website draws in like an ad network), and then making a list of other
> addresses whose requests include that cookie. (But here I am making a
> point about how ignoring privacy will harm your circumvention tool, and
> you've already declared that you're a circumvention tool not a privacy
> tool, so I'll put that point aside for now. :)
>
> I wonder how much change Kaleidoscope would need to implement the 'cells'
> idea in the blog post. As you say, much research remains.
>

Yup. Kaleidoscope addresses the issue of discoverability through first
choosing which proxy addresses get propagated via a random walk but then
routing along that random walk consistently after that first route
selection, if that makes sense, such that new nodes in the system can't
learn about all of the existing nodes because all existing routing is
consistently using the formerly-chosen routes. So it's similar to the cell
ideas in the sense that it's like a courier who initially didn't know the
shopkeeper she's supposed to drop off a letter to such that a letter gets
passed along, but once the courier knows the shopkeeper she never goes to
any other shopkeeper.

Definitely more work to be done, but we're really interested in
interoperating using pluggable transports for sure. The other part in terms
of discovery is really interesting as well, and I'd be happy to talk more
about it. Interestingly I think that part is extremely easy. Really all
Lantern does is log into Google Talk and then give mode peers/bridges
advertise Lantern support through the -lan- extension in their Jabb

[liberationtech] Fwd: GB Secure Messenger V 06 released

2013-10-24 Thread R.R. D.
fwd fyi

-- Forwarded message --
Subject: GoldBug Secure Messenger V 06 released


GoldBug - Secure Instant Messenger / V 0.6.2088 released.

http://goldbug.sf.net
https://sourceforge.net/projects/goldbug/

Download:
https://sourceforge.net/projects/goldbug/files/goldbug-im_0.6._RELEASE/

Encryption Model: (SSL ->  (AES -> (RSA -> (Message

GoldBug is a secure Instant Messenger. You can be sure with using GoldBug
(GB), that no third party can look into your chat communication. Private
user-to-user communication remains private. GoldBug therefore uses strong
multi-encryption with different layers of modern encryption technologies of
well known and revised crypto libraries (like libgcrypt (GnuPG) and
OpenSSL). The app offers as well decentral and encrypted Email and
decentral public E*IRC-Chat.

GB is a Desktop / Mobile GUI Interface based on libspoton:
http://spot-on.sf.net


New Features and Improvements:
(1) Introduction of ElGamal encryption key pairs (as alternative to
RSA-Keys).
(2) Signature key pairs are extended to a choice of: DSA and RSA.
(3) Added Accounts for chat-servers/neighbors-connections: Create a
dedicated connection on your EMPP-Chat-Server for friends only with a
password.
(4) Added pop-up windows per 1:1-friend-chat (doubleclick on a friend to
open it).
(5) Allow neighbors to be defined such that (non-ssl)-plaintext connections
are prohibited (HTTPS-Only-Connections, Default: enabled - For that reason,
please remove neighbors.db. in case you overtake your ".spoton"-datapath).
(6) Introduced threaded peers: Go parallel with your processes!
(7) Added Magnet-Uri Scheme for e*IRC/Buzz-Chat Channels as kind of
Bookmarks for your echoed IRC-like-Chatrooms!

Re: [liberationtech] [cryptography] Fwd: GB Secure Messenger V 06 released

2013-10-24 Thread grarpamp
On Thu, Oct 24, 2013 at 5:50 PM, R.R. D.  wrote:
> fwd fyi
> -- Forwarded message --
> Subject: GoldBug Secure Messenger V 06 released
> http://goldbug.sf.net

Forwarded eh? From who, or where? ... 'mikeweber', 'berndhs'?
Public mailing list, forum, website, bugtracker, IRC?
You keep spamming this software at us and never have anything
to actually *say*. Care to meet up at a con, give a little presentation,
sign some keys? Have any design whitepapers for the libraries?
I can respect the silent anon developer thing (hi satoshi ;), but it doesn't
work for a *lot* of people. Are you asking for a design or code review?
Some testing/UI feedback? Help us out here, what's the deal?
I'm sure folks would help. But as others have said, lots of questions,
few answers.

Also, please quit sending me invites to things.
Cute puppy and nice echo music video though (complete with
SeaLand imagery).

But hey, if it attracts more people who end up watching this
video as linked from your site, it's all good.
https://www.youtube.com/watch?v=0U37hl0n9mY


[liberationtech] ACLU amicus brief in the Lavabit appeal

2013-10-24 Thread d.nix
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


http://legaltimes.typepad.com/files/aclu-lavabit.pdf

- --
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.20 (MingW32)

-END PGP SIGNATURE-


Re: [liberationtech] ACLU amicus brief in the Lavabit appeal

2013-10-24 Thread James S. Tyre
EFF's amicus:

https://www.eff.org/files/2013/10/24/lavabitamics.pdf

--
James S. Tyre
Law Offices of James S. Tyre
10736 Jefferson Blvd., #512
Culver City, CA 90230-4969
310-839-4114/310-839-4602(fax)
jst...@jstyre.com
Special Counsel, Electronic Frontier Foundation
https://www.eff.org


> -Original Message-
> From: liberationtech-boun...@lists.stanford.edu [mailto:liberationtech-
> boun...@lists.stanford.edu] On Behalf Of d.nix
> Sent: Thursday, October 24, 2013 9:33 PM
> To: liberationtech; cypherpu...@cpunks.org
> Subject: [liberationtech] ACLU amicus brief in the Lavabit appeal
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> 
> http://legaltimes.typepad.com/files/aclu-lavabit.pdf
> 
> - --
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.20 (MingW32)
> 
> -END PGP SIGNATURE-
