Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-16 Thread hellekin

On 01/15/2015 09:07 PM, Al Billings wrote:
> You said that I was a “compatriot of that service”
>
*** Oh, sorry, I thought you were a U.S. citizen.

==
hk

-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Videos for a GNU Internet

2015-01-16 Thread Cristina [efecto99]
On 16/01/15 at 21:11, carlo von lynX wrote:
> Since 31c3 has been very interesting in terms of
> politics and hacking, but not as much concerning
> technologies that are supposed to lead us out of
> the broken Internet, here are the missing videos
> from the #youbroketheinternet sessions, exploring
> the options for a GNU Internet built from scratch.

> 
> Enjoy, and keep your mind open for exciting new thinking.


Thanks a lot Carlo!!!

Cristina (99)
www.foike.org





[liberationtech] Videos for a GNU Internet

2015-01-16 Thread carlo von lynX
Since 31c3 has been very interesting in terms of
politics and hacking, but not as much concerning
technologies that are supposed to lead us out of
the broken Internet, here are the missing videos
from the #youbroketheinternet sessions, exploring
the options for a GNU Internet built from scratch.


Routing panel feat. I2P, cjdns, secushare and others:

http://cdn.media.ccc.de/congress/2013/workshops/30c3-WS-en-YBTI_Routing-Panel_I2P_GNUnet_Tor_secushare.webm

Sybil-attack resistant mesh routing using GNUnet:

http://cdn.media.ccc.de/congress/2013/workshops/30c3-WS-en-YBTI_Mesh-Bart_Polot-GNUnet_Wireless_Mesh_DHT.webm

cjdns, Hyperboria and Project Meshnet:

http://cdn.media.ccc.de/congress/2013/workshops/30c3-WS-en-YBTI_Mesh-Caleb_J_Delisle-cjdns-Hyperboria.webm

Mesh networking panel feat. Freifunk, cjdns and GNUnet:

http://cdn.media.ccc.de/congress/2013/workshops/30c3-WS-en-YBTI_Mesh_Routing-Panel-cjdns_freifunk_GNUnet_net2o.webm

NaCl, a Networking and Cryptography library:

http://cdn.media.ccc.de/congress/2013/workshops/30c3-WS-en-YBTI_OS-Bernstein_Lange_Schwabe-NaCl_and_TweetNaCl.webm

"We'll make ourselves a GNU one" - YBTI project presentation
in German at Easterhegg 2014:

http://cdn.media.ccc.de/events/eh2014/webm/eh14-5808-de-Well_make_ourselves_a_GNU_one_webm.webm
in English at ThinkTwice 2014:
https://www.youtube.com/watch?v=iGxjN-lfr_Y

Enjoy, and keep your mind open for exciting new thinking.


-- 
http://youbroketheinternet.org
 ircs://psyced.org/youbroketheinternet


Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-16 Thread Leif Ryge
On Fri, Jan 16, 2015 at 02:12:38PM -0800, Al Billings wrote:
> 
> > On Jan 16, 2015, at 2:07 PM, Leif Ryge  wrote:
> > 
> > 
> > I did see two answers earlier, Iceland and Switzerland. There are many
> > other countries besides those two where it also seems very unlikely that
> > companies would be subjected to the sort of legal orders that we now know
> > US companies routinely receive. That obviously doesn't mean that TAO or
> > GCHQ's equivalent won't try to compromise them without their knowledge, but
> > that approach is obviously much riskier and less reliable than the legal
> > means used in the US.
> 
> What makes you think Iceland and Switzerland don’t have security and
> intelligence services that could have legal orders issued or that
> occasionally cooperate internationally with other organizations? Is it simply
> because Wikileaks managed to be in Iceland for quite a while?
> 
> Al

Secret orders requiring technology companies to help spy on their customers are
unheard of in many countries, and something that would cause significant
public outrage were they found to exist, but they're something we've known
about in the US for at least a decade (long before Snowden or Wikileaks).

I'm sure similar orders exist in places where we don't know about them, but
given the possibility of leaks that each secret order entails I maintain that
it seems unlikely it's happening on a large scale in places like Iceland.

But, given that we can't prove that negative, it is obviously necessary to
remove single-points-of-failure in our software distribution systems.
Deterministic builds (with independent signers of each build in many legal
jurisdictions) and recording releases in public append-only logs (with notaries
in many different legal jurisdictions) are the two ways that I know how to
solve this problem. Either is good, and doing both would be better.

Hopefully in a few years everything will work that way. Probably the NSA will
try to sabotage some standards along the way, but I'm optimistic that they'll
fail. However, until that reality exists, where we don't need to rely on
("trust") single entities to authenticate our software updates, I think
preferring to rely on 3rd parties in non-US countries is hardly unreasonable.

~leif

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-16 Thread Al Billings

> On Jan 16, 2015, at 2:07 PM, Leif Ryge  wrote:
> 
> 
> I did see two answers earlier, Iceland and Switzerland. There are many other
> countries besides those two where it also seems very unlikely that companies
> would be subjected to the sort of legal orders that we now know US companies
> routinely receive. That obviously doesn't mean that TAO or GCHQ's equivalent
> won't try to compromise them without their knowledge, but that approach is
> obviously much riskier and less reliable than the legal means used in the
> US.

What makes you think Iceland and Switzerland don’t have security and 
intelligence services that could have legal orders issued or that occasionally 
cooperate internationally with other organizations? Is it simply because 
Wikileaks managed to be in Iceland for quite a while?

Al

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-16 Thread Leif Ryge
On Fri, Jan 16, 2015 at 01:37:12PM -0800, Al Billings wrote:
> 
> > On Jan 16, 2015, at 12:18 PM, carlo von lynX 
> > wrote:
> > 
> > Al, you may want to deviate the discussion towards the 10.000th debate
> > about proprietary vs free software, but the topic here is the impossibility
> > for a U.S. company to deliver what it promises.
> 
> And I asked, and got no answer, as to which nation a company could be in and
> not be just as potentially compromised. I’m still waiting for a substantive
> answer.
> 
> Al

I did see two answers earlier, Iceland and Switzerland. There are many other
countries besides those two where it also seems very unlikely that companies
would be subjected to the sort of legal orders that we now know US companies
routinely receive. That obviously doesn't mean that TAO or GCHQ's equivalent
won't try to compromise them without their knowledge, but that approach is
obviously much riskier and less reliable than the legal means used in the US.

As to the proprietary software issue, while I personally recommend using only
free software, at least one of the solutions to the problem of targeted
malicious software updates applies equally well to both: record hashes of all
released binaries in a decentralized append-only log so that users can at least
be reasonably sure that they're running the same thing as everyone else. (There
are several efforts underway in this direction.)

~leif
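
The check Leif describes here and in his other reply (hashes of released binaries in a public append-only log, vouched for by notaries in several jurisdictions), sketched as an added example that is not from the thread or from any project it mentions. It uses RFC 6962-style Merkle hashing; the notary names, release bytes and `check_update` helper are constructed for illustration, notary statements are compared unsigned, and consistency proofs between successive log heads are left out.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    # Domain-separated leaf hash (0x00 prefix), as in RFC 6962.
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # Domain-separated interior node hash (0x01 prefix).
    return hashlib.sha256(b"\x01" + left + right).digest()

def split_point(n: int) -> int:
    """Largest power of two strictly smaller than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(entries):
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = split_point(len(entries))
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))

def inclusion_proof(entries, index):
    """Sibling hashes from the leaf at `index` up to the root."""
    if len(entries) <= 1:
        return []
    k = split_point(len(entries))
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_root(entries[:k])]

def verify_inclusion(entry, index, tree_size, proof, root):
    """Recompute the root from one entry and its audit path."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if (fn & 1) or fn == sn:
            r = node_hash(p, r)
            while fn and (fn & 1) == 0:
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

def check_update(binary, index, tree_size, proof, claimed_root, notary_heads, quorum):
    """Client-side policy (hypothetical helper): install a binary only if its
    hash is in the log under `claimed_root` AND at least `quorum` independent
    notaries report that same (tree_size, root) as the log head."""
    entry = hashlib.sha256(binary).digest()
    if not verify_inclusion(entry, index, tree_size, proof, claimed_root):
        return False, "binary hash is not in the log under the claimed root"
    witnesses = sorted(name for name, head in notary_heads.items()
                       if head == (tree_size, claimed_root))
    if len(witnesses) < quorum:
        return False, "only %d notary(ies) vouch for this log head" % len(witnesses)
    return True, "logged and witnessed by " + ", ".join(witnesses)

def demo():
    # Constructed sample data: three releases and three notaries.
    binaries = [b"app-1.0 build", b"app-1.1 build", b"app-1.2 build"]
    log = [hashlib.sha256(b).digest() for b in binaries]
    head = (len(log), merkle_root(log))
    notaries = {"notary-IS": head, "notary-CH": head, "notary-DE": head}
    proof = inclusion_proof(log, 2)

    # 1. The release everyone else got: logged and witnessed.
    honest = check_update(binaries[2], 2, 3, proof, head[1], notaries, quorum=2)

    # 2. A binary served to one user only, never logged: inclusion fails.
    tampered = b"app-1.2 build (tampered)"
    unlogged = check_update(tampered, 2, 3, proof, head[1], notaries, quorum=2)

    # 3. A forked log shown to that user, vouched for by a single notary:
    #    the proof verifies, but the quorum across jurisdictions does not.
    fork = log[:2] + [hashlib.sha256(tampered).digest()]
    fork_head = (len(fork), merkle_root(fork))
    split_view = dict(notaries)
    split_view["notary-DE"] = fork_head
    forked = check_update(tampered, 2, 3, inclusion_proof(fork, 2),
                          fork_head[1], split_view, quorum=2)
    return honest, unlogged, forked

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Case 3 is why the notaries need to be independent: a single coerced party can produce a valid-looking proof, but not agreement from the others.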

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-16 Thread Al Billings

> On Jan 16, 2015, at 12:18 PM, carlo von lynX  
> wrote:
> 
> You may find it funny, but apparently employees at Google want to
> believe PRISM can't possibly have happened. Anything that serves as
> an excuse to legitimize staying in that company, earning all that money.

I also see a fundamental hostility here by some list members to people that 
work in Silicon Valley. I’m curious as to what they think acceptable employment 
is? Only certain free software companies?

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-16 Thread Al Billings

> On Jan 16, 2015, at 12:18 PM, carlo von lynX  
> wrote:
> 
> Al, you may want to deviate the discussion towards the 10.000th
> debate about proprietary vs free software, but the topic here is
> the impossibility for a U.S. company to deliver what it promises.

And I asked, and got no answer, as to which nation a company could be in and 
not be just as potentially compromised. I’m still waiting for a substantive 
answer.

Al

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-16 Thread carlo von lynX
Al, you may want to deviate the discussion towards the 10.000th
debate about proprietary vs free software, but the topic here is
the impossibility for a U.S. company to deliver what it promises.

Should the U.S. develop an interest in regaining international
trust, they would need to remove several inappropriate laws plus
improve the separation of powers. The U.S. is one of the world's
oldest democracies and it shows, centuries of special interest
politics have convoluted it - most Americans I meet tell me it 
actually isn't a democracy. I don't like hearing that. And I don't
like the influence it is exercising on younger democracies. And 
New York City will never go back to being as cool as it was in
the 80s.

On Fri, Jan 16, 2015 at 01:52:57PM -0600, Cypher wrote:
> I was under the impression that the government couldn't make you
> actively lie to someone. For example, if I have a message on my page
> that says "we do not collect any user data" and the government makes
> me collect data on an existing user, that's acceptable. But they could
> not stop me from changing that sign and force me to lie. I'd assume
> that would be the case with WhatsApp. Once the visuals are surfaced,
> each new encrypted connection would be forcing the service to actively
> tell a lie, which, as I understand it, isn't legal. Of course, IINAL
> so I don't know.

I remember reading or hearing that upon reception of an NSL you are
not supposed to bat an eye and change anything about the way you
interact with the public. Also, your legal theory doesn't match up
with what was said in Caspar Bowden's presentation. It's also not at
all obvious, that the NSA would openly confront the leadership of a
company. If there is any suitable technology administrator, they can
require her to cooperate without anyone else in the company knowing -
this is in fact very advantageous for the NSA, since they can consult
their own data bases for suitable people: not very strong ethically,
possibly with documented sins the NSA can blackmail them with.

And then there's also the option of accessing the infrastructure the
company is using, for instance by controlling the hosts that run any
rented VPS systems - but that is unlikely the scenario in the case
of Whatsapp. That's more the type of approach they need to use with
servers located outside the U.S.

That is why the theories the Google employees are exchanging among
each other are humbug. Of course the NSA can have a backdoor in order
to consult Google data bases and make it look like random Gmail traffic.
You may find it funny, but apparently employees at Google want to
believe PRISM can't possibly have happened. Anything that serves as
an excuse to legitimize staying in that company, earning all that money.

I haven't said anything new, just reflecting what I picked up since
those dramatic days in June.

-- 
http://youbroketheinternet.org
 ircs://psyced.org/youbroketheinternet


Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-16 Thread Cypher
On 01/15/2015 11:29 AM, carlo von lynX wrote:
> On Thu, Jan 15, 2015 at 08:49:31AM -0800, Steve Weis wrote:
>> Note you said "users will never know" if e2e is being used, but
>> as Moxie says "we'll be surfacing this into the UI" of upgraded
>> clients.
> 
> There is a systemic legal problem by which neither Facebook, nor 
> Whatsapp, nor Textsecure nor Moxie are in a position to guarantee 
> that whatever is surfaced into the UI actually means what it says.

I was under the impression that the government couldn't make you
actively lie to someone. For example, if I have a message on my page
that says "we do not collect any user data" and the government makes
me collect data on an existing user, that's acceptable. But they could
not stop me from changing that sign and force me to lie. I'd assume
that would be the case with WhatsApp. Once the visuals are surfaced,
each new encrypted connection would be forcing the service to actively
tell a lie, which, as I understand it, isn't legal. Of course, IINAL
so I don't know.




Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-16 Thread Al Billings

> On Jan 16, 2015, at 10:43 AM, carlo von lynX  
> wrote:
> 
> so will you return on topic or do you want to
> produce the impression the Whatsapp issue is about proprietary
> software in general, which it isn't?

The Whatsapp “issue” was addressed at least 15 messages ago.

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-16 Thread carlo von lynX
Except for the totally unacceptable way you are speaking of a
human being here, you aren't saying anything which is incompatible
with what I said... so will you return on topic or do you want to
produce the impression the Whatsapp issue is about proprietary
software in general, which it isn't?


On Fri, Jan 16, 2015 at 10:19:22AM -0800, Al Billings wrote:
> The problem is that I am a practical person who lives in the real world. 
> Telling people “Throw away all of your Apple/Microsoft word processing and 
> often software. Throw away all of your games. Throw away all of the software 
> you bought because you can’t trust any of these.” is going to be met with 
> being ignored or marginalized and with utter derision. There is a reason 
> Stallman is seen as a crazy wing nut and it isn’t just because he eats his 
> own toe jam.
> 
> Yes, there are people that will only run open source software. Then there is 
> the other 99.999% of the human race. *Those* are the people that need to be 
> helped.

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-16 Thread Al Billings

> On Jan 16, 2015, at 2:07 AM, Rich Kulawiec  wrote:
> 
>  Open source is not merely ideal, open source
> is MANDATORY.  It is not sufficient, of course, but it is necessary.
> All closed-source software not only may be, but *must be* immediately
> dismissed as unsuitable for use, with prejudice, as it and anyone pushing
> it are both unworthy of any further discussion.  (Except, perhaps, as
> examples of fraud.)

The problem is that I am a practical person who lives in the real world. 
Telling people “Throw away all of your Apple/Microsoft word processing and 
often software. Throw away all of your games. Throw away all of the software 
you bought because you can’t trust any of these.” is going to be met with being 
ignored or marginalized and with utter derision. There is a reason Stallman is 
seen as a crazy wing nut and it isn’t just because he eats his own toe jam.

Yes, there are people that will only run open source software. Then there is 
the other 99.999% of the human race. *Those* are the people that need to be 
helped.

Al

Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'

2015-01-16 Thread Collin Anderson
I think that's reasonable, not only due to the potential for interception
or blocking of the messages, but also because these usually have a shorter
lifespan, which should provide some added protection against the phishing
of 2FA codes.

On Fri, Jan 16, 2015 at 12:54 PM, S.Aliakbar Mousavi  wrote:

> I think regardless of its sender, since the authority can read the SMS it
> would be better to ask users inside the country to use the app rather than
> a mobile phone number.
>
> On 16 January 2015 at 12:44, Amin Sabeti  wrote:
>
>> Google has sent its codes via SMS with Iranian number since 6 months ago.
>>
>> On 16 January 2015 at 17:39, Collin Anderson 
>> wrote:
>>
>>>
>>> On Fri, Jan 16, 2015 at 12:10 PM, elham gheytanchi <
>>> elhamu...@hotmail.com> wrote:
>>>
>>>> I think it means the codes are generated by the state agencies.
>>>>
>>>
>>> They are not, the international companies would contract with an SMS
>>> gateway to send codes. That SMS gateway should be more or less a dumb
>>> pipe that transmits whatever it is sent by the provider. It so happens that
>>> now the pipe is closer to the user but the source stays the same. The SMS
>>> gateway and telecommunications companies can certainly surveil or modify
>>> the content (the latter wouldn't be useful for 2FA), but it should not
>>> generate the codes.
>>>
>>>
>>> --
>>> *Collin David Anderson*
>>> averysmallbird.com | @cda | Washington, D.C.
>>>
> --
> S.Aliakbar Mousavi



-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.

Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'

2015-01-16 Thread S.Aliakbar Mousavi
I think regardless of its sender, since the authority can read the SMS it
would be better to ask users inside the country to use the app rather than
a mobile phone number.

On 16 January 2015 at 12:44, Amin Sabeti  wrote:

> Google has sent its codes via SMS with Iranian number since 6 months ago.
>
> On 16 January 2015 at 17:39, Collin Anderson 
> wrote:
>
>>
>> On Fri, Jan 16, 2015 at 12:10 PM, elham gheytanchi wrote:
>>
>>> I think it means the codes are generated by the state agencies.
>>>
>>
>> They are not, the international companies would contract with an SMS
>> gateway to send codes. That SMS gateway should be more or less a dumb
>> pipe that transmits whatever it is sent by the provider. It so happens that
>> now the pipe is closer to the user but the source stays the same. The SMS
>> gateway and telecommunications companies can certainly surveil or modify
>> the content (the latter wouldn't be useful for 2FA), but it should not
>> generate the codes.
>>
>>
>> --
>> *Collin David Anderson*
>> averysmallbird.com | @cda | Washington, D.C.
>>



-- 
S.Aliakbar Mousavi

Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'

2015-01-16 Thread Amin Sabeti
Google has sent its codes via SMS with Iranian number since 6 months ago.

On 16 January 2015 at 17:39, Collin Anderson 
wrote:

>
> On Fri, Jan 16, 2015 at 12:10 PM, elham gheytanchi 
> wrote:
>
>> I think it means the codes are generated by the state agencies.
>>
>
> They are not, the international companies would contract with an SMS
> gateway to send codes. That SMS gateway should be more or less a dumb
> pipe that transmits whatever it is sent by the provider. It so happens that
> now the pipe is closer to the user but the source stays the same. The SMS
> gateway and telecommunications companies can certainly surveil or modify
> the content (the latter wouldn't be useful for 2FA), but it should not
> generate the codes.
>
>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.
>

Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'

2015-01-16 Thread Collin Anderson
On Fri, Jan 16, 2015 at 12:10 PM, elham gheytanchi 
wrote:

> I think it means the codes are generated by the state agencies.
>

They are not, the international companies would contract with an SMS
gateway to send codes. That SMS gateway should be more or less a dumb
pipe that transmits whatever it is sent by the provider. It so happens that
now the pipe is closer to the user but the source stays the same. The SMS
gateway and telecommunications companies can certainly surveil or modify
the content (the latter wouldn't be useful for 2FA), but it should not
generate the codes.


-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.

[liberationtech] Invite to Iran Cyber Dialogue 2015

2015-01-16 Thread Sophie ASL19
Hello Libtech,

Writing to invite you to *Iran Cyber Dialogue (ICD)*, an annual conference
on ICT development, internet policy, and diplomacy organized by us, ASL19.

The theme this year is: *Iran, Internet, Opportunities and Challenges* and
the Dialogue will be held in *Valencia, Spain on March 5-6*, as part of
Circumvention Tech Festival.

Registration can be found here.
Please also feel free to contact me, Sophie at sop...@asl19.org, if you
have any questions.

The Iran Cyber Dialogue has been effective in galvanizing a global
community working towards improved access to information and freedom of
expression in Iran.

We would be happy to have Libtech folks join us in Valencia.

Many thanks,

Sophie Lowe
ASL19

IRAN CYBER DIALOGUE

IRAN, INTERNET, OPPORTUNITIES AND CHALLENGES

March 5-6, 2015, Valencia, Spain
AGENDA

DAY 1: Thursday, March 5, 2015 (Public)


   - Panel: Iran and the West: International security, internet policy and
     diplomacy.
   - Panel: Technology as Catalyst: Will the evolving tech ecosystem support
     better online access to information?
   - Panel: Building Effective Responses to Opportunities and Challenges: Given
     the opportunities and challenges in Iran’s tech ecosystem, how can we
     formulate effective responses?
   - Live Product Launches and Product Demos
   - Private Agenda Hacking for Day 2’s Hands-on Sessions facilitated


DAY 2: Friday, March 6, 2015 (Pre-Registered Only)

A full-day of workshops and panels, attended only by pre-registered
guests. Approximately 10-11 hands-on outcome-driven sessions. By attending,
all participants agree to abide by the Chatham House Rule. Here’s a tentative
list of sessions, with more to come!

   - Circumvention and Censorship Issues / Tools
   - Best practices from Other Regions
   - Privacy and Surveillance Issues / Tools
   - Monitoring Information Controls Online
   - Mobile Penetration: Opportunities and Risks
   - ICT for Economic Development, Startups, Entrepreneurship
   - Diplomacy, Sanctions and Its Impact on Technology
   - Funding for Digital Rights
   - Security for Journalists and Activists

-- 

Sophie Lowe
sop...@asl19.org

Development & Communications Manager
ASL19

PGP: 8F46 CAD8 CE3E ABA9 6F95 BB7C FA26 FE32 51DA BC06

Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'

2015-01-16 Thread elham gheytanchi
I think it means the codes are generated by the state agencies.

From: col...@averysmallbird.com
Date: Fri, 16 Jan 2015 11:23:12 -0500
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] Receiving phone verification and 2-Step 
Verification codes through a 'number inside Iran'


On Fri, Jan 16, 2015 at 10:42 AM, Nariman Gharib  wrote:
> I want to know anybody here know is it a big deal or not and how we can solve
> this issue?

Their SMS partner probably now has a relationship with a local
telecommunications services company. I'm not sure it's anymore dangerous than
if the messages were from an international number since it's all equally
accessible to interception, which is not to say there isn't concerns in that
regards. I should hope those codes wouldn't be generated by a service
accessible by Iranian authorities.

-- 
Collin David Anderson
averysmallbird.com | @cda | Washington, D.C.



Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'

2015-01-16 Thread Collin Anderson
On Fri, Jan 16, 2015 at 10:42 AM, Nariman Gharib wrote:

> I want to know if anybody here knows whether it is a big deal or not and
> how we can solve this issue?
>

Their SMS partner probably now has a relationship with a local
telecommunications services company. I'm not sure it's any more dangerous
than if the messages were from an international number since it's all
equally accessible to interception, which is not to say there aren't
concerns in that regard. I should hope those codes wouldn't be generated
by a service accessible by Iranian authorities.


-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.

[liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'

2015-01-16 Thread Nariman Gharib
Hi Libtech,

Many users in Iran are reporting that, since 2-3 months ago, when they are
trying to activate an application through text messages (Telegram,
WhatsApp, Skype...) or receiving 2-step verification for Google or
Facebook, they receive it through a number inside Iran and sometimes
through mobile USSD.

I want to know if anybody here knows whether it is a big deal or not and
how we can solve this issue?

Many Thanks
@Listentous
N

-- 
PGP: 0xa53963936999cbb6

Re: [liberationtech] Brace for the Quantified Society

2015-01-16 Thread Alfonso De Gregorio
Dear Rafal,

On Tue, Jan 13, 2015 at 9:15 PM, Rafal Rohozinski
 wrote:
...
> What is the Quantified Society? Quite simply, it is the unblinking,
> unrelenting and uncensored exposure to systems and devices designed to
> monitor and measure every aspect of human existence. In some ways it is like
> Bentham’s Panopticon wherein we eagerly volunteer our information in return
> for access to (near) total awareness. It thrives on our smart phones, smart
> scales, GoPros and Fitbits. It digests the digital shadow of our loved ones
> on social media. It follows our teens and their online tribes. We tolerate
> the quantification of ourselves for very human reasons: vanity, a sense of
> belonging, and convenience.

With the gross domestic product (GDP) per capita based on purchasing
power parity (PPP) steadily increasing year-on-year [WorldBank],
citizens are more and more motivated to satisfy --- and have the
ability to pursue --- those needs that are positioned higher in
Maslow's hierarchy [Maslow1, Maslow2]. That is to say that vanity
(understood as a need for attention [NBL]), belongingness, and
convenience are working as incentives in the global zettabyte economy.

Hence, as we transition from the surveillance state to the Quantified
Society, we are compelled to reconsider our role in it --- again.
Jonathan Zittrain famously remarked that whenever we are observable,
we are not the customer, we are the product [Zittrain]. But all of
this assumes a passive role. Whenever we purposely expose ourselves,
we are no longer the product, we are also quantification apparatchiks
and investors. As apparatchiks we hold our quantum of liability bag.
As investors we have our interests at stake.

> A quantum shift in technological change is underway that makes the debate on
> metadata surveillance look antiquated. The breathtaking fusion of the cloud,
> big data, genomics, robotics, artificial intelligence and wearables is
> changing the rules of the game. Consider that within five years the human
> race will collectively generate more than 40 zettabytes of data a day. To
> get your head around this figure try counting every grain of sand in the
> world and then multiply them seventyfold. We are moving from the
> surveillance state to the Quantified Society.

We are moving from the surveillance state to the Quantified Society
and the data are moving along with us. Dan Geer summarized the trend
better than I could have hoped to do it [Geer]:

"""
As you well know, more and more data is collected and more and more
of that data is in play.  The general, round-numbers dynamic of
this trend are these: Moore's Law continues to give us two orders
of magnitude in compute power per dollar per decade while storage
grows at three orders of magnitude and bandwidth at four.  These
are top-down economic drivers and they relentlessly warp what is
the economically optimum computing model.  The trend is clear; the
future is increasingly dense with stored data but, paradoxically,
despite the massive growth of data volume, that data becomes more
mobile with time.
"""

As mobility of data is crucial for global surveillance, I am reminded
of Zuboff's Laws of the digital age.

If interested to discuss this topic at greater length, then please be in touch.

With thanks as ever,

-- Alfonso @secYOUre

References:

[Geer] Geer Jr. D. E., (2013), Trends in Cyber Security, NRO,
http://geer.tinho.net/geer.nro.6xi13.txt

[Maslow1] Maslow, A.H. (1943). A theory of human motivation.
Psychological Review 50 (4) 370–96. Retrieved from
http://psychclassics.yorku.ca/Maslow/motivation.htm

[Maslow2] http://en.wikipedia.org/wiki/Maslow%27s_hierarchy_of_needs

[NBL] Netemeyer, R. G., Burton, S., and Lichtenstein, D. R. (1995).
Trait aspects of vanity: Measurement and relevance to consumer
behavior. Journal of Consumer Research, Vol. 21, March: 612-626.

[WorldBank] GDP per capita, PPP (current international $), The World
Bank Group (2015),
http://data.worldbank.org/indicator/NY.GDP.PCAP.PP.CD/countries?display=graph

[Zittrain] Zittrain, J. (2011) Meme patrol: “When something online is
free, you’re not the customer, you’re the product.”
http://blogs.law.harvard.edu/futureoftheinternet/2012/03/21/meme-patrol-when-something-online-is-free-youre-not-the-customer-youre-the-product/

[liberationtech] Technology is changing the nature of conflict

2015-01-16 Thread Nathan Andrew Fain
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Starting with a Wikipedia edit from 2008 from within the US military
that hinted at the British/US intelligence conspiracy Snowden would
expose with certainty in 2013, the article attempts to look at the
changes happening to the ethos of War and Soldiery.

https://medium.com/@cyphunk/the-nature-of-conflict-is-changing-f9ef39709cab

Thoughts and discussion most welcome.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlS5FycACgkQveagdEkPM4D/egCfcdYK9bfUNOTbnDJ9XCA03ALh
EQ0An3V1B2UkLU9JJ56l7KIQum7geNzR
=QhBx
-END PGP SIGNATURE-


[liberationtech] Technology is changing the nature of conflict

2015-01-16 Thread Nathan Andrew Fain
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Starting with a Wikipedia edit from 2008 from within the US military
that hinted at the British/US intelligence conspiracy Snowden would
expose with certainty in 2013, the article attempts to look at the
changes happening to the ethos of War and Soldiery.

https://medium.com/@cyphunk/the-nature-of-conflict-is-changing-f9ef39709cab

More interesting than the US administration prosecuting
more whistleblowers than all administrations before it
combined is that there "are" more whistleblowers than
ever before


Thoughts and discussion most welcome.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlS5F9MACgkQveagdEkPM4C/fgCeKNQjq+CCm5fKYIlayqV8W+ie
wVYAoN0Y7Y7aVCQmaa67EurhowdmBTZC
=e5Db
-END PGP SIGNATURE-


Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

2015-01-16 Thread Rich Kulawiec
On Thu, Jan 15, 2015 at 02:46:56PM -0800, Al Billings wrote:
> > I thought software freedom and access to the source code was considered
> > a requirement for considering a system secure.
> 
> According to whom? I think open source (I’ll leave aside whether “open 
> source” is “free software”) is ideal but it is not the only thing worth 
> discussing. Otherwise, we wouldn’t be discussing most mobile applications.

According to me, among others.  Open source is not merely ideal, open source
is MANDATORY.  It is not sufficient, of course, but it is necessary.
All closed-source software not only may be, but *must be* immediately
dismissed as unsuitable for use, with prejudice, as it and anyone pushing
it are both unworthy of any further discussion.  (Except, perhaps, as
examples of fraud.)

Please read:


https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007499.html

Yes, this does mean that most mobile applications are (at best)
worthless crap.  Some of them, no doubt, have been backdoored deliberately.
(Why not?  It's just good business. [1])  Others likely have gaping security
and privacy holes that will remain largely undiscovered *except* for those
with access to the source code, which I hope everyone here realizes
probably includes any intelligence agency that can trouble itself
to make the effort to acquire it.  (It would be extremely naive and
appallingly stupid to suggest otherwise.)  Of course, their resources,
while quite large, are still finite so I'm sure not everything attracts
their attention: but certainly anything usable/popular enough to matter
will be swept up in due course and subjected to analysis.  Such analysis
may be shared (as we've seen) and may lead to active attempts to exploit
the application, which will, given the available expertise, probably succeed.

---rsk

[1] Just like this is good business:


http://www.propublica.org/article/zombie-cookie-the-tracking-cookie-that-you-cant-kill


[liberationtech] Crypto Party: Phnom Penh, Cambodia, 17 January

2015-01-16 Thread Rick Valenzuela
Hi all -- 

I'm generally a lurker/reader of the mailing list, but I'd like to invite you 
to an event tomorrow in Phnom Penh. Our foreign correspondents club here will 
be hosting a Crypto Party. The target audience is journalists, though we've had 
interest already from rights workers and business people, and we expect most 
attendees will have little knowledge of security issues and practices. We'll 
start with a slideshow presentation and workshop, and the rest of the afternoon 
will be there as a drop-in center. We're also encouraging key-signing.

Below is the message that was sent out to our mailing list. 


** Crypto Party: a secure communications workshop **



** Saturday, January 17, 2-7pm ** ** Meta House, 37 Sothearos Boulevard ** 


Did you know that every intelligence agency in the world can read your e-mail 
and track your online activities in realtime? The Overseas Press Club of 
Cambodia and Meta House will arrange a crypto party this Saturday. We will cover 
communications security, physical security, operations security and information 
system security from a journalistic perspective.

Drop by our workshop to learn how to communicate securely via e-mail and 
instant messaging, how to survive border checkpoints and how to keep 
confidential information and sources protected. We will provide guidance to 
help you get through the many pitfalls of modern communication methods.

We live in a digital era where every step is monitored and analyzed. If you are 
a journalist, rights worker or just overly cautious and interested in the 
topics we will cover, we welcome your attendance. The event is free of charge 
and open to the public.

SCHEDULE:
14:15 Introductory talks
14:45 Technical demonstrations and examples
15:00 Hands-on workshop (and drop-in)

Hope to see you there, and please pass this on to anyone who may be interested!

For more information, please contact Rick Valenzuela, OPCC president, at 
r...@rickv.com or +855 (0)92 470 702.


-- 
Rick Valenzuela
Videojournalist :: Photojournalist
Phnom Penh, Cambodia
+855 92 470 702 :: r...@rickv.com
GnuPG ID: 0xD5644029