Re: [liberationtech] "To Protect and Infect" - the edges of privacy-invading technology

2013-12-31 Thread coderman
On Tue, Dec 31, 2013 at 8:02 PM, Hannes Frederic Sowa wrote:
>...
> Most of the implants are installed without us knowing for sure whether the
> vendors knew about that, or am I missing something?

are you only considering this 30C3/catalog set of docs?

from venally complicit to conveniently compromised to blissfully ignorant,
compromise of hardware vendors goes back to CryptoAG and is as recent
as the BULLRUN leaks.  a bit too long and complicated a thread for
this list, i think...

> I also don't count RSA as a hardware vendor in this case, as the
> backdoored RNG was included in their bSafe suite, which is purely
> software.

sure, just another example of an in-scope target for a "compromise all
the things" approach.

my point was to highlight their response as particularly deceptive and
inexcusable when observing how the various parties not only respond,
but act, in response to these leaks. (e.g. Google deploying crypto
over their internal fibers is positive action.  sitting silent or
deflecting criticism is not confidence inspiring...)


best regards,
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.


[liberationtech] Commotion Wireless source code & downloads

2013-12-31 Thread Griffin Boyce

Hi all,

  Just wanted to shoot a couple of links to the source code for 
Commotion, since there seemed to be some confusion.  The project is kind 
of huge ^_^;;


Source for all packages on github: https://github.com/opentechinstitute

Pre-built router images: https://commotionwireless.net/download/routers
NOTE: the signing key for images is 0x55A525F8EFE57820BA2A40F7D3F54B1ED01D01F1


Base repo for routers: 
https://github.com/opentechinstitute/commotion-router
(as part of the build process, it pulls in numerous other repos, so be 
sure to check the make files if you want to hack on it)


Android apk: https://commotionwireless.net/download/android

Commotion Linux (developer release): 
https://github.com/opentechinstitute/commotion-linux-py


Documentation: https://commotionwireless.net/docs/cck
(It's also on github and we accept patches!) 
https://github.com/opentechinstitute/commotion-docs/


  This project is really important to all of us, so if there's a dead 
link or you find a bug, or you think usability could be improved in some 
way, or the documentation doesn't cover you -- LET US KNOW!  We're all 
really friendly and are always happy to accept patches or rewrite 
instructions if that's what's needed.


best,
Griffin Boyce

(Happy New Year!)
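The announcement above pins the image signing key by fingerprint. As an added example (not Commotion's own tooling), this POSIX shell script verifies a downloaded image against its detached signature with GnuPG and accepts it only if the fingerprint GnuPG reports on its VALIDSIG status line matches that key, so a valid signature from some other key in the keyring is rejected; the image and signature file names are assumptions, and the key must already be imported.

```shell
#!/bin/sh
# Verify a downloaded Commotion router image against its detached signature
# and pin the signer to the fingerprint announced on the list, so a valid
# signature from some *other* key is rejected rather than trusted.
# Added example, not part of the Commotion project; file names are assumed.

# Fingerprint given in the announcement (0x prefix is stripped before comparing).
EXPECTED_FPR="0x55A525F8EFE57820BA2A40F7D3F54B1ED01D01F1"

# Normalise a fingerprint: drop a leading 0x, drop whitespace, upper-case.
norm_fpr() {
    printf '%s\n' "$1" | sed -e 's/^0[xX]//' -e 's/[[:space:]]//g' | tr 'a-f' 'A-F'
}

# Read GnuPG --status-fd output on stdin and succeed only if it contains a
# VALIDSIG line whose signing-key fingerprint matches $1. VALIDSIG is only
# emitted for signatures that actually verify; GOODSIG alone carries just a
# short key ID, which is why the full fingerprint from VALIDSIG is compared.
check_validsig_status() {
    want=$(norm_fpr "$1")
    found=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                # Field 3 is the fingerprint of the key that made the signature.
                got=$(printf '%s\n' "$line" | awk '{print $3}')
                if [ "$(norm_fpr "$got")" = "$want" ]; then
                    found=0
                fi
                ;;
        esac
    done
    return $found
}

# Run gpg on the image and its detached signature, then check the pinned
# fingerprint. Usage: verify_image <image-file> <detached-signature-file>
verify_image() {
    image=$1
    sig=$2
    # --status-fd 1 puts machine-readable status lines on stdout; the human
    # readable output goes to stderr and is discarded here.
    if gpg --batch --status-fd 1 --verify "$sig" "$image" 2>/dev/null \
        | check_validsig_status "$EXPECTED_FPR"; then
        echo "OK: $image is signed by $EXPECTED_FPR"
        return 0
    fi
    echo "FAIL: $image is not signed by the expected key" >&2
    return 1
}

# Command-line entry point: ./verify-image.sh <image-file> <signature-file>
if [ "$#" -ge 2 ]; then
    verify_image "$1" "$2"
fi
```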


Re: [liberationtech] Commotion: 13 years in the making...

2013-12-31 Thread Griffin Boyce

Julian Oliver said:
> Great stuff! I've been following the project and look forward to
> trialing it.
>
> Reading your About page (not the FAQ), I feel it's a little misleading
> to say "Commotion is a free, open-source communication tool". Rather,
> it's a platform built atop (leveraging) a wide array of external,
> community-developed projects - from B.A.T.M.A.N/OpenMesh, OpenWrt to
> OpenBTS and more.
>
> Keep up the good work in 2014!


  Thanks!  ^_^  The project is free, and open-source, and used to 
communicate.  There are already communities who have deployed/used 
Commotion networks, a good example of which is Redhook WiFi.  The 
nomenclature is really tricky, because our work goes way beyond router 
firmware, so sometimes the project is easier to understand if we say 
software or tool, and focus on the ways it can be used.


  So no, I don't think it's misleading *at all* to call it a free, 
open-source, communications tool, because it is all of those things.  
Commotion leverages and builds upon the work of lots of great projects 
like Serval and OpenWRT, but I think that's a positive aspect of the 
project. :D


Happy New Year! (it's still 2013 here haha)
Griffin Boyce

(While I do work on the Commotion Wireless project, I *don't* speak on 
their behalf)



Re: [liberationtech] "To Protect and Infect" - the edges of privacy-invading technology

2013-12-31 Thread coderman
On Tue, Dec 31, 2013 at 10:04 AM, Hannes Frederic Sowa wrote:
> ...
> There is a very big difference, e.g., in how I (and a lot of other people too, I
> guess) will react to vendors whose debug interfaces were just hijacked
> by the NSA to install backdoors versus those where the vendors worked hand in
> hand with the NSA to do so deliberately.

agreed.  we've got some years to wait for a definitive full picture.
http://cryptome.org/2013/11/snowden-tally.htm - 932 pages (~1.6%) of
reported 58,000. NSA head claims 200,000 (~0.40% of that released)


> If such FUD is spread against vendors which, in my opinion, do actually have a
> valid interest in trying to stop those back doors, what do you think a
> lot of members of this community will do?

vendor responses are fairly self-evident.

bad: RSA
less-bad: Cisco
good/proactive: SilentCircle
etc...   we could get into details of what makes a good vendor
response vs. one that is clearly weasel-worded accountability
deflection; don't think this list is the place however.



> Until now I have seen no facts that make me distrust the major hardware vendors.

then you're not paying attention :)




> I don't want to see what the PR persons on those accused companies' twitter
> feeds will have to go through now. I guess lots of overreaction is happening
> now, which is not helpful at all.

corporate media sucks to a greater or lesser degree; i feel bad for anyone
who touches it.

glad it's not my problem!



best regards,


Re: [liberationtech] 13 years in the making...

2013-12-31 Thread Julian Oliver
..on Tue, Dec 31, 2013 at 03:02:28PM -0500, Sascha Meinrath wrote:
> Hi all,
> 
> Commotion v1.0 is out!  Helping spread safe, secure, ubiquitous wireless
> connectivity for all:  http://www.newamerica.org/node/99668
> 
> We've come such a helluva long way from our humble Y2K beginnings of a group
> of hackers meeting up in my living room... But, as Samuel Johnson once said,
> "Great works are performed not by strength but by perseverance" (that and an
> incredibly talented and dedicated team ;).
> 
> Now we just need to spread the word to all our Internet Freedom-loving peeps.

Great stuff! I've been following the project and look forward to trialing it.

Reading your About page (not the FAQ), I feel it's a little misleading to say
"Commotion is a free, open-source communication tool". Rather, it's a platform
built atop (leveraging) a wide array of external, community-developed projects -
from B.A.T.M.A.N/OpenMesh, OpenWrt to OpenBTS and more.

Keep up the good work in 2014!

-- 
Julian Oliver
PGP 36EED09D
http://julianoliver.com
http://criticalengineering.org


Re: [liberationtech] 13 years in the making...

2013-12-31 Thread Jonathan Corbet
On Tue, 31 Dec 2013 15:02:28 -0500, Sascha Meinrath wrote:

> Commotion v1.0 is out!  Helping spread safe, secure, ubiquitous wireless
> connectivity for all:  http://www.newamerica.org/node/99668

Gee, wouldn't it be nice if the announcement told us where we could *get*
this nifty stuff?  I got as far as https://commotionwireless.net/, but
then the "download" link gives me an error page...  Further digging leads
to https://commotionwireless.net/download, which is fine.  Source appears
to be at https://github.com/opentechinstitute.

Thanks,

jon


[liberationtech] 13 years in the making...

2013-12-31 Thread Sascha Meinrath
Hi all,

Commotion v1.0 is out!  Helping spread safe, secure, ubiquitous wireless
connectivity for all:  http://www.newamerica.org/node/99668

We've come such a helluva long way from our humble Y2K beginnings of a group of
hackers meeting up in my living room... But, as Samuel Johnson once said, "Great
works are performed not by strength but by perseverance" (that and an incredibly
talented and dedicated team ;).

Now we just need to spread the word to all our Internet Freedom-loving peeps.

Happy New Year!!!

--Sascha




Re: [liberationtech] "To Protect and Infect" - the edges of privacy-invading technology

2013-12-31 Thread Hannes Frederic Sowa
On Mon, Dec 30, 2013 at 10:19:21PM -0800, coderman wrote:
> On Mon, Dec 30, 2013 at 9:14 PM, Hannes Frederic Sowa wrote:
> > ...
> > Actually, somehow, I have a feeling of relief to see that major hardware
> > vendors don't seem to specifically work hand in hand with the NSA to
> > implement backdoors.
> 
> you're assuming this dump is exhaustive.  this is a very specifically
> themed/focused release of top end tactics and exploits (essentially
> weaponized platforms for targeted attacks). Jake says as much about
> what they're dropping, which while impressive, has still gone through
> the "best interest of public safety scrutinizing and censorship"
> rigmarole.
> 
> the indiscriminate, wholesale compromises are just getting started...
> these disclosures will have more impact: financially to the impacted
> vendors, effectively to IC as known vulnerable hardware and software
> is replaced, and to the public at large now exposed to even more
> essentially incomprehensible disclosures of vulnerability and
> compromise.

Sorry, no. It is absolutely important to be exhaustive and correct here.
Otherwise this whole thing could get out of hand and could get much worse.

There is a very big difference, e.g., in how I (and a lot of other people too, I
guess) will react to vendors whose debug interfaces were just hijacked
by the NSA to install backdoors versus those where the vendors worked hand in
hand with the NSA to do so deliberately. And we cannot just assume that
because it looks like the easiest way to deal with this for us now and
blame others! Also, if this talk does not specifically say that those
vendors were working with the NSA, it would have been important to make
clear that we don't know and we cannot judge them by the facts presented
now. A lot of people, who seem to be really loud, often get this wrong.

If such FUD is spread against vendors which, in my opinion, do actually have a
valid interest in trying to stop those back doors, what do you think a
lot of members of this community will do? Cut off communication with those vendors,
place them on their I-will-never-work-there lists? And I say that they will
still sell shitloads of trucks of hardware.

As a manager with no technical background at such an accused company,
what do you think they will do? Will they push things like secure boot
down our throats?  Will they make all the hardware much more closed
in fear this community does bad PR against them otherwise? Is that the
outcome we want?

At past Chaos Communication Congresses I really think those vendors would have
been cheered for having an open JTAG interface on a board. It seems times have
changed.

Until now I have seen no facts that make me distrust the major hardware vendors. I
already have a bad feeling about that but I need to still be reasonable
here, too. I cannot accuse those companies by the facts presented
until now. But essentially, it is important that this community does
work hand in hand with those vendors who are willing to and just got
exploited by the NSA, to not bring them to the wrong conclusions and
make tampering with the hardware harder, but instead make open source
BIOS and firmwares that users can build and verify themselves. Make
documentation more open, show them people do care about that. If secure
boot or other means get established, show the users how they can use
that for *their* own good, build up *their* own crypto chains etc. Make
firmware source code trackable via source repos, provide ways to rebuild
that code bit-by-bit. Provide repositories with changes, instead of
giant source code drops. Otherwise a new generation of NSA backdoors
will have it much easier to be really hidden in that hardware.

That may add additional costs for those companies. So show them it is worth
it!

> > I don't see that having a JTAG connector publicly
> > accessible on a RAID controller as a hint for that. The other disclosures
> > also point to my conclusion that the NSA is mostly working on their
> > own. Of course, not all of Snowden's documents are released yet and
> > hence my feeling could be deceiving.
> 
> this is just an example of how, when the NSA pursues "all means and
> methods in parallel, without restraint" seemingly innocuous oversights
> are intentionally leveraged and discouraged from remediation for use
> in tailored access (black bag / targeted) attacks.

Yeah, the NSA and NSA only. Until now I have no facts that anyone but
the NSA does so deliberately.

> > I thought it could be worse.
> 
> it is worse.

Let's not make it worse ourselves. ;)

I don't want to see what the PR persons on those accused companies' twitter
feeds will have to go through now. I guess lots of overreaction is happening
now, which is not helpful at all.

Greetings,

  Hannes


Re: [liberationtech] "To Protect and Infect" - the edges of privacy-invading technology

2013-12-31 Thread Hannes Frederic Sowa
On Tue, Dec 31, 2013 at 06:14:56AM +0100, Hannes Frederic Sowa wrote:
> On Mon, Dec 30, 2013 at 08:56:57PM -0500, grif...@cryptolab.net wrote:
> >   This talk is divided into two parts.  Morgan Marquis-Boire and Claudio 
> > Guarnieri talking about the militarization of the internet in part one, 
> > including both targeted and dragnet surveillance in deep-packet 
> > inspection.  (See also Citizen Labs' work on BlueCoat).  In part two, 
> > Jake Appelbaum talks about some of the most hardcore and cutting-edge 
> > NSA surveillance tactics and equipment.  (See also yesterday's Der 
> > Spiegel articles).
> > 
> > Part 1: http://www.youtube.com/watch?v=XZYo9TPyNko
> > 
> > Part 2: https://www.youtube.com/watch?v=b0w36GAyZIA
> 
> Actually, somehow, I have a feeling of relief to see that major hardware
> vendors don't seem to specifically work hand in hand with the NSA to
> implement backdoors. I don't see that having a JTAG connector publicly
> accessible on a RAID controller as a hint for that. The other disclosures
> also point to my conclusion that the NSA is mostly working on their
> own. Of course, not all of Snowden's documents are released yet and
> hence my feeling could be deceiving.

Also:

From the talk I got the impression that attacks on iPhones always seem
to work. The slide from Der Spiegel shows that this infection only works
via a close-access method and that a remote infection path would be available in the
future (the slide is from 2008, but we don't know if this actually exists
now):
http://www.spiegel.de/static/happ/netzwelt/2014/na/v1/pub/img/Handy/S3222_DROPOUTJEEP.jpg

I guess the slide got accidentally chopped off in the talk or am I missing
something?

The UDP+RC6 story does not make sense to me either (how could they know
about the encryption algorithm if they didn't dissect the actual bytes). I
also don't believe that the current state of TLS would help much in preventing
those redirection attacks.

Greetings,

  Hannes



Re: [liberationtech] "To Protect and Infect" - the edges of privacy-invading technology

2013-12-31 Thread Hannes Frederic Sowa
On Mon, Dec 30, 2013 at 08:56:57PM -0500, grif...@cryptolab.net wrote:
>   This talk is divided into two parts.  Morgan Marquis-Boire and Claudio 
> Guarnieri talking about the militarization of the internet in part one, 
> including both targeted and dragnet surveillance in deep-packet 
> inspection.  (See also Citizen Labs' work on BlueCoat).  In part two, 
> Jake Appelbaum talks about some of the most hardcore and cutting-edge 
> NSA surveillance tactics and equipment.  (See also yesterday's Der 
> Spiegel articles).
> 
> Part 1: http://www.youtube.com/watch?v=XZYo9TPyNko
> 
> Part 2: https://www.youtube.com/watch?v=b0w36GAyZIA

Actually, somehow, I have a feeling of relief to see that major hardware
vendors don't seem to specifically work hand in hand with the NSA to
implement backdoors. I don't see that having a JTAG connector publicly
accessible on a RAID controller as a hint for that. The other disclosures
also point to my conclusion that the NSA is mostly working on their
own. Of course, not all of Snowden's documents are released yet and
hence my feeling could be deceiving.

I thought it could be worse.

Bye,

  Hannes



Re: [liberationtech] Assange message to CCC sabotaged

2013-12-31 Thread Richard Brooks
Who knows.

On 12/31/2013 09:59 AM, andreas.ba...@nachtpult.de wrote:
> Felix von Leitner says that it's not like that, check his blog at
> blog.fefe.de :)
> -Original Message-
> From: Richard Brooks 
> Sender: liberationtech-boun...@lists.stanford.edu
> Date: Tue, 31 Dec 2013 09:54:56 
> To: liberationtech
> Reply-To: liberationtech 
> Subject: [liberationtech] Assange message to CCC sabotaged
> 
> The Sueddeutsche Zeitung seems to think his speech
> was disrupted as a type of feminist protest
> 
> http://sz.de/1.1853271
> 
> 


-- 
===
R. R. Brooks

Associate Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA

Tel.   864-656-0920
Fax.   864-656-5910
email: r...@acm.org
web:   http://www.clemson.edu/~rrb



Re: [liberationtech] Assange message to CCC sabotaged

2013-12-31 Thread andreas . bader
Felix von Leitner says that it's not like that, check his blog at blog.fefe.de :)
-Original Message-
From: Richard Brooks 
Sender: liberationtech-boun...@lists.stanford.edu
Date: Tue, 31 Dec 2013 09:54:56 
To: liberationtech
Reply-To: liberationtech 
Subject: [liberationtech] Assange message to CCC sabotaged

The Sueddeutsche Zeitung seems to think his speech
was disrupted as a type of feminist protest

http://sz.de/1.1853271




[liberationtech] Assange message to CCC sabotaged

2013-12-31 Thread Richard Brooks
The Sueddeutsche Zeitung seems to think his speech
was disrupted as a type of feminist protest

http://sz.de/1.1853271

