Re: [liberationtech] OTRon: Chrome extension for end-to-end FB chat encryption
On Tue, Jan 28, 2014 at 10:43 PM, Omar Rizwan omar.riz...@gmail.com wrote:

> Haven't spread it widely yet or made it easy to install, I'm looking for feedback both on how well it works (it needs some more testing and does have some functionality bugs -- you may be blocked from FB chat for a few minutes if it goes wrong!), how easy it is to use, and on the general approach.

Disclaimer: I haven't read the source, tried the extension or otherwise gotten to know about this tool other than reading the OP. The reason I'm writing anyway is that this is important to know generally.

Facebook records the text in text fields even before it is submitted [1]. Therefore, if this tool relies on Facebook's own text fields (or anything within the DOM, really), they can completely circumvent this OTR implementation.

The right way to do this would be to spawn something out of the reach of Facebook JS. That means spawning a separate chat window in the context of the extension, or using window.prompt in either context (the contents of a window.prompt cannot be read before the OK button is pressed).

JC

[1] http://www.slate.com/articles/technology/future_tense/2013/12/facebook_self_censorship_what_happens_to_the_posts_you_don_t_publish.html

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] OTRon: Chrome extension for end-to-end FB chat encryption
Yeah. To be precise, there isn't any evidence that they record the *text* of such aborted posts, but they certainly record the behavior, and they could easily record the text as well.

This extension injects an iframe on a different origin and does I/O in that (+ some anti-phishing tokens), so I think it should be safe against compromise by Facebook JS. Nadim has said that there's still a danger here, though, so I'll wait for him to detail that attack before pronouncing anything definitive.

On Wed, Jan 29, 2014 at 1:26 AM, Jens Christian Hillerup j...@hillerup.net wrote:

> Facebook records the text in text fields even before they're submitted [1]. Therefore, if this tool relies on Facebook's own text fields (or anything within the DOM, really), they can completely circumvent this OTR implementation.
>
> The right way to do this would be to spawn something out of the reach of Facebook JS. That means, spawning a separate chat window in the context of the extension, or use window.prompt in either context (the contents of a window.prompt cannot be read before the OK button is pressed).
> [...]
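The design Omar describes, a compose box hosted in an iframe on the extension's own origin with only ciphertext handed back to the page, as a minimal content script. This is an added example, not OTRon's code; it assumes a hypothetical extension page compose.html (listed in the manifest's web_accessible_resources) that encrypts what the user types and posts {type: 'otr-ciphertext', body} to its parent.

```javascript
// Added example (not OTRon's code): keep the plaintext compose box out of the
// site's DOM by hosting it in an iframe on the extension's origin, and accept
// only ciphertext back from that frame. "compose.html" is hypothetical.

// Origin of the extension's own pages, e.g. "chrome-extension://<id>".
function extensionOrigin(extensionId) {
  return `chrome-extension://${extensionId}`;
}

// Decide whether a message event carries a result from our own compose frame.
// A page script can also call postMessage on this window, and it can read any
// token placed in the iframe's src attribute, so the decision rests on the
// browser-enforced event.origin and event.source, plus the message shape.
function isTrustedMessage(event, expected) {
  if (event.origin !== expected.origin) return false;  // not from the extension origin
  if (event.source !== expected.source) return false;  // not from our iframe's window
  const d = event.data;
  return !!d && typeof d === 'object' &&
    d.type === 'otr-ciphertext' && typeof d.body === 'string';
}

// Insert the compose frame and wire up the receiver. Plaintext lives only
// inside the frame; the page DOM only ever sees ciphertext when we hand it to
// the site's own send path via onCiphertext.
function mountComposeFrame(doc, win, extensionId, onCiphertext) {
  const frame = doc.createElement('iframe');
  frame.src = `${extensionOrigin(extensionId)}/compose.html`;
  frame.style.cssText = 'width:100%;height:80px;border:0';
  doc.body.appendChild(frame);
  const expected = { origin: extensionOrigin(extensionId), source: frame.contentWindow };
  win.addEventListener('message', (event) => {
    if (isTrustedMessage(event, expected)) onCiphertext(event.data.body);
  });
  return frame;
}

// Only run the DOM part inside a real extension content script; the helpers
// above can be exercised outside a browser.
if (typeof document !== 'undefined' && typeof chrome !== 'undefined' && chrome.runtime) {
  mountComposeFrame(document, window, chrome.runtime.id, (ciphertext) => {
    // Hand the ciphertext to the site; this is the only text the page sees.
    console.log('ciphertext ready to send:', ciphertext);
  });
}
```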
Re: [liberationtech] blatant groveling: my book It's Complicated
Hey danah - congratulations! Looks like a major achievement and an important read. FWIW, I tweeted it.

Quick question: how relevant do you think this book would be for parents outside the US?

cheers,
Yishay

___
http://www.yishaymor.org
learning; design; technology; research

On 28 January 2014 20:12, danah boyd danah-t...@danah.org wrote:

> Friends & Colleagues -
>
> In less than a month, my new book - *It's Complicated: The Social Lives of Networked Teens* (see: http://www.danah.org/itscomplicated/ ) - will be published. This is the product of ten years worth of research into how social media has inflected American teen life. I'm writing today in the hopes that you might consider pre-ordering a copy (or two grin).
>
> This book (published by Yale University Press) is a cross trade/academic book. Pre-sales and first week sales significantly affect how a trade book is marketed and distributed. Even though this book is based on grounded data, I've written it to be publicly accessible in the hopes that parents, educators, journalists, and policy makers will read it and reconsider their attitude towards technology and teen practices. The book covers everything from addiction, bullying, and online safety to privacy, inequality, and the digital natives debate. I suspect that the chapter on privacy might be of particular interest to the folks on this list.
>
> If you have the financial wherewithal to buy a copy, I'd be super grateful. If you don't, I *totally* understand. Either way, I'd be super super super appreciative if you could help me get the word out about the book. I'm really hoping that this book will alter the public dialogue about teen use of social media.
>
> *You can pre-order it at:*
> - Amazon (Hardcover, Kindle, Audiobook): http://www.amazon.com/exec/obidos/ASIN/0300166311/apophenia-20
> - Powell's: http://www.powells.com/biblio/62-9780300166316-0
> - Yale University Press: http://yalepress.yale.edu/yupbooks/book.asp?isbn=9780300166316
>
> Fingers crossed that y'all will find it useful and interesting.
>
> {{hug}}
> danah
[liberationtech] *My* new book: DotCombat
Granted, it's not written yet, but I'm starting to feel like I'm the only one in this space who *hasn't* written a book, haha. Calling dibs on the title. ;-)

~Griffin

PS: Everyone's books (that I've read so far) have been awesome. It's just amusing that I wind up debating the nuances of censorship and circumvention with people who have book deals. :D
[liberationtech] Please submit work on media and protest to the CITASA pre-ASA Symposium | Mobilizing Ideas
From: Jennifer Earl jennifere...@email.arizona.edu

I am writing to invite you to submit a paper to the ASA pre-conference symposium, [New] Media Cultures. I know there is a lot of great work out there looking at political communication, social movements in the media and/or new media, and using media-based data. All of that work would be appropriate for this workshop and I hope you will consider submitting.

http://mobilizingideas.wordpress.com/2014/01/29/please-submit-work-on-media-and-protest-to-the-citasa-pre-asa-symposium/
Re: [liberationtech] *My* new book: DotCombat
On Jan 29, 2014, at 7:05 AM, Griffin Boyce grif...@cryptolab.net wrote:

> Granted, it's not written yet, but I'm starting to feel like I'm the only one in this space who *hasn't* written a book, haha. Calling dibs on the title. ;-)

See if you can get it to #1 on Amazon pre-orders! :-)

-Bill
Re: [liberationtech] Concerns with new Stanford University security mandate
On 01/26/2014 08:12 AM, Guido Witmond wrote:
> On 01/26/14 10:20, Tomer Altman wrote:
>> To Liberation Tech:
>>
>> Stanford is implementing a new security policy detailed here: http://ucomm.stanford.edu/computersecurity/
>>
>> I am personally very concerned about steps #2 and #3. BigFix is basically a back door managed by IBM that gives them and Stanford control over your device. The IDF tool effectively means that the Stanford administration can continuously search your personal laptop for any objectionable material.
>>
>> While there are some technical cases where one may be exempt from these new requirements, the way that it is being pushed out at Stanford is making people believe that they cannot use their cell phones or laptops on campus (i.e., connecting to the Internet, checking Stanford email, calendars, etc.) without agreeing to all of these requirements.
>>
>> I fully support Stanford improving security on their own computers and networks, but installing a backdoor and surveillance systems on personal laptops seems to cross a line for me. Especially in an institution devoted to open inquiry. Especially in light of the mass surveillance revelations this past year.
>>
>> I tried reaching out to the EFF, but did not receive any reply. I expressed my concern to the Stanford administration. They replied to a few of my emails, but it left me with more questions than answers.
>>
>> I am asking for advice from the community on whether this kind of encroachment has any precedents. I'm also curious to hear people's thoughts on this matter.
>>
>> Thank you in advance,
>> ~Tomer Altman
>
> Dear mr Altman,
>
> From the link:
>
> No more Windows XP: Good riddance.
>
> BigFix: the missing package manager for Windows. What every self respecting unix/linux/bsd/etc system already has. Good.

How is a centralized service that requires the user to download and install a binary from the web anything like apt? Don't get me wrong, nearly anything is better than just bare Windows.

But an honest, courageous approach would actually encourage the oddball student who runs Debian Wheezy or whatever else that is lightyears ahead of Windows in terms of security. Does this security mandate do that, or does it merely hope that the ideal of academic freedom will just get fed up and go find some other domain to bother?

-Jonathan
Re: [liberationtech] *My* new book: DotCombat
Bill Woodcock wrote:
> See if you can get it to #1 on Amazon pre-orders! :-)
>
> -Bill

The only real downside with taking pre-orders is that I might, eventually, have to write a book. ;-)

~Griffin
Re: [liberationtech] Concerns with new Stanford University security mandate
On 01/29/14 19:57, Jonathan Wilkes wrote:
> On 01/26/2014 08:12 AM, Guido Witmond wrote:
>> BigFix: the missing package manager for Windows. What every self respecting unix/linux/bsd/etc system already has. Good.
>
> How is a centralized service that requires the user to download and install a binary from the web anything like apt? Don't get me wrong, nearly anything is better than just bare Windows.
>
> But an honest, courageous approach would actually encourage the oddball student who runs Debian Wheezy or whatever else that is lightyears ahead of Windows in terms of security. Does this security mandate do that, or does it merely hope that the ideal of academic freedom will just get fed up and go find some other domain to bother?

I fully agree, being Microsoft free since 1999, myself. However, the apt package manager doesn't upgrade anything compiled into usr/local, hence the need for a scanner.

The important thing is that BigFix can report to the user of the PC, or to university sysadmins. What matters is how they deal with any findings. That's a classic case of "Who watches the watchers".

Quoting the Stanford policy:

> Other personally-owned devices used at home or on the wireless Stanford Guest Network are encouraged to follow these mandates, but not required to at this time.

"Other devices" stands for those not used at campus or at home for use with PII-information. Translated: Other (for non-work related) devices, used at home ... are not required ... at this time. That suggests that private devices are next. I stand corrected. It has a feeling of control for the sake of control.

My suggestions to mr Altman (from a private message):

Buy some time and use Linux/FreeBSD or Qubes-OS for your private computer use; their scanning programs are not available on these platforms yet. Use these only for personal use. Leave these computers at home.

Use a dumb phone to keep contact for family business, like picking up children after school, etc. It teaches the kids that when you are at work they can't expect an immediate reply if it is not an emergency.

Keep a strict separation between work and private life. Laptops are cheap. Use a separate, university controlled laptop at home for work-stuff, such as collaboration with researchers and so. Tell everyone that you maintain that separation and spread the word amongst colleagues.

It's hard, but I believe it's the only way to sanity.

Regards, Guido Witmond.
[liberationtech] LUKS Self-Destruct feature introduced in Kali Linux
This might be of interest to some on this list: http://www.kali.org/how-to/nuke-kali-linux-luks/

The LUKS encrypted partition self-destructs if a specific "nuke" password is used.

> Our main purpose for introducing this feature in Kali Linux is to simplify the process of securely traveling with confidential client information. While “LUKS Nuking” your drive will result in an inaccessible disk, it is possible to backup your keyslots beforehand and restore them after the fact. What this allows us to do is to “brick” our sensitive laptops before any travel, separate ourselves from the restoration keys (which we encrypt), and then “restore” them to the machines once back in a safe location. This way, if our hardware is lost or otherwise accessed midway through our travels, no one is able to restore the data on it, including ourselves.

This above description seems to me to be an extreme case of 2FA. Is it actually useful? By contrast, Guardian Project's ChatSecure has a simple self-destruct button and TrueCrypt allows for hidden volumes that can be accessed through a different password.

--
Pranesh Prakash
Policy Director, Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
---
Access to Knowledge Fellow, Information Society Project, Yale Law School
M: +1 520 314 7147 | W: http://yaleisp.org
PGP ID: 0x1D5C5F07 | Twitter: https://twitter.com/pranesh_prakash
Re: [liberationtech] blatant groveling: my book It's Complicated
The short answer is: it depends. Certain chapters will be more or less relevant. For example, the section on race and inequality is very American-centric but the discussion of digital natives and addiction is not. The issues of bullying and privacy are somewhere in-between.

Much to my surprise, one of the first requests for doing a translation is Mandarin and my hunch was that China is the place where this is least relevant. But maybe not?

On Jan 29, 2014, at 5:44 AM, Yishay Mor wrote:

> Hey danah - congratulations! Looks like a major achievement and an important read. FWIW, I tweeted it.
>
> Quick question: how relevant do you think this book would be for parents outside the US?
>
> cheers,
> Yishay
> [...]

--
My New Book: It's Complicated: The Social Lives of Networked Teens
Pre-Order it now! http://bit.ly/dmbItsComplicated (pretty please)

"taken out of context / i must seem so strange" -- ani
http://www.danah.org/ || @zephoria
Re: [liberationtech] Concerns with new Stanford University security mandate
On 01/29/2014 04:50 PM, Guido Witmond wrote:
> On 01/29/14 19:57, Jonathan Wilkes wrote:
>> How is a centralized service that requires the user to download and install a binary from the web anything like apt? Don't get me wrong, nearly anything is better than just bare Windows.
>> [...]
>
> I fully agree, being Microsoft free since 1999, myself. However, the apt-package manager doesn't upgrade anything compiled into usr/local, hence, the need for a scanner.

Hi Guido,

Before I write anything else: Is the BigFix client free software? Couldn't figure it out from a quick look at the website.

Thanks,
Jonathan
[liberationtech] Web development help with news site
Hi,

We are a small community news website. We are looking for web development assistance. We expect the work to require around 5-6 hours. We'll pay a flat rate of 100 dollars for everything.

Here's what we want:

We are re-launching our subscription-based news service soon. We'd like to set up e-commerce capabilities on our website (www.AmericaInArabic.net) for subscription purchases. We used several plugins and they work, except it all comes out unprofessional and rather clumsy. We'd like buyers/subscribers to be able to buy several subscriptions at once and put them in a cart. For example, subscription to Egypt news is charged differently from the rate for Saudi Arabia or news about Yemen, or Kuwait etc. But someone can buy any country-related news they like by adding them to a shopping cart before checking out. We'd like to do recurring billing every month for subscribers. Right now I set up the money side with PayPal, which we do not like much.

We also have some trouble with aligning both right-to-left and left-to-right text. We need some flexibility with that and to be able to run the site with two languages (English and Arabic).

We'd also like to streamline the site in general and make it look more professional and increase its security. We are open to other ideas to make the site look and function professionally.
[liberationtech] Fwd: Important-regarding data and device attestation
----- Forwarded Message -----
From: Tomer Altman taltm...@stanford.edu
To: Christine Scholberg chris.scholb...@stanford.edu
Cc: Jack Guo-Qing Zeng gqz...@stanford.edu, Michael Duff michael.d...@stanford.edu
Sent: Wednesday, January 29, 2014 7:55:57 PM
Subject: Re: Important-regarding data and device attestation

Hello Christine,

I am sorry that my name appears on your list, but there must be an error. I have completed my attestation. I have a Linux laptop and a mobile device not running a compatible operating system. I have sent emails to Dr. Jack Zeng and to Dr. Randy Livingston with questions, such as what is the definition of "Stanford business", and I am awaiting clarification (Michael Duff will be replying for Dr. Livingston). I have also applied for a variance, and am awaiting word on the results.

In the mean-time, there is no need to prod me to do anything further. I am awaiting an update from the appropriate authorities.

Thank you,
~Tomer Altman

----- Original Message -----
From: Christine Scholberg chris.scholb...@stanford.edu
To: Chris Scholberg chris.scholb...@stanford.edu
Sent: Wednesday, January 29, 2014 1:06:20 PM
Subject: Important-regarding data and device attestation

Hello,

I am receiving regular updates and your name appears on my list of those who are not fully compliant with mobile device attestation policies. I know these policies are onerous, but we have no choice and need to individually manage the security of devices used for Stanford business. Instructions have been provided to you several times, so I look forward to your name NOT being on the list I receive tomorrow.

Thank you,
Chris

Chris Scholberg
Director of Finance and Administration
Stanford Prevention Research Center
Stanford Center for Biomedical Informatics Research
HIP + BeWell
Stanford Center for Health Research on Women and Sex Differences in Medicine (WSDM)
Stanford University School of Medicine
Medical School Office Building
1265 Welch Road, Room X205
Stanford, CA 94305-5479
Stanford mail code 5479
650-498-4046

CONFIDENTIALITY NOTICE: Information contained in this message and any attachments is intended only for the addressee(s). If you believe that you have received this message in error, please notify the sender immediately by return electronic mail, and please delete it without any further review, disclosure, or copying.
Re: [liberationtech] Fwd: Important-regarding data and device attestation
Unbelievable panoptic paranoia! And coming from Stanford! Good thing my daughters went to Columbia and Brown, instead! ROFL

On Jan 29, 2014 9:57 PM, Tomer Altman taltm...@stanford.edu wrote:
> ----- Forwarded Message -----
> From: Tomer Altman taltm...@stanford.edu
> To: Christine Scholberg chris.scholb...@stanford.edu
> Subject: Re: Important-regarding data and device attestation
> [...]