[liberationtech] JonDonym (was: Security Focused Live Linux Distros)

2013-09-13 Thread Fabian Keil
Eugen Leitl wrote:

> On Thu, Sep 12, 2013 at 05:08:10PM -0400, John Love wrote:
> > I'm researching security, privacy, and anonymity focused live Linux
> > environments like Liberté Linux, TAILS, JonDoNYM, and Whonix. There's
> 
> JonDoNYM is backdoored, and hence not playing in the same league.
>
> http://en.wikipedia.org/wiki/Java_Anon_Proxy
> 
> In July 2003, the German BKA[8][9] obtained a warrant to force the Dresden
> Mix operators to log access to a specific web address, which had been
> associated with child pornography. AN.ON then decided to introduce a
> crime detection function in the server software in order to make this
> possible.

I don't think so.

According to: http://anon.inf.tu-dresden.de/strafverfolgung/bericht_en.pdf
the backdoor was implemented after being politely asked by the
LKA Hessen without any legal obligation to do so.

The warrant came afterwards and apparently didn't even require the
mix operators to enable the already implemented backdoor (due to being
based on StPO §§ 100 g and h) but the operators decided to do it anyway.

Later on the logged data was handed over to the officials "under protest"
because it was more convenient than potentially getting equipment seized:

| To prevent further damage (through searching of institute rooms and
| confiscation of institute computers) to the TU Dresden and the project
| partners, the logged data was relinquished under protest to the officials.

Given that the court decision was already overruled in September,
it's unlikely that the seized computers would have been analysed in
time (that is, if they were actually seized in the first place).

Fabian
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] city-based citizen privacy groups?

2014-03-16 Thread Fabian Keil
Blibbet wrote:

> I'm trying to build a list of contacts to city-based privacy groups, to 
> see if a multi-city coalition would be helpful.
> 
> So far, I know about Seattle, Oakland, and Los Angeles:
[...]
> Does anyone know of any other groups, or any existing list of groups?

Just in case you are interested in cities outside the US as well,
here's a list of local AK Vorrat (German Working Group on Data Retention)
groups (note that some are inactive at the moment):
https://wiki.vorratsdatenspeicherung.de/Ortsgruppen

AK Vorrat's main focus is working against data retention laws,
but some local groups also organise Cryptoparties, camera walks,
etc.

Here in Cologne we are currently helping organise a protest march
against mass surveillance on 2014-04-12:
http://cologne.stopwatchingus.info/demo-12-april/en.html

Obviously you and the organisations you represent are all invited.
We can also use help from afar, please don't hesitate to contact me.

Fabian
-- 
AK Vorrat Köln-Bonn
http://www.ak-vorrat.org/koeln-bonn

Re: [liberationtech] One third IT managers think can Cloud compute with encrypted data

2014-05-06 Thread Fabian Keil
"Caspar Bowden (lists)" wrote:

> I downloaded Ponemon/Thales new survey of n=4275 IT managers (United 
> States, the United Kingdom, Germany, France, Australia, Japan, Brazil, 
> and Russia) a couple of days ago by registering here 
> , but they appear to have now pulled the report.
> 
> It is remarkable that one third of IT managers not only think that it is 
> possible to compute with encrypted data, but that they are doing so already.
> 
> Here's the relevant text (red is my emphasis) and screenshot with graphs
> 
> [If they don't understand this, what else don't they understand about 
> their organization's security?]
> 
> CB
> 
> *Who controls the encryption keys*

I don't doubt that (at least) one third of the questioned "IT managers"
don't understand their organisation's security, but without a definition
of "control" I'd assume that "Ponemon/Thales" were merely asking who
legally controls the encryption keys.

Otherwise one would also have to mention the people who wrote
the OS, the firmware, the application, people who provide software
and hardware updates, cleaning personnel, successful attackers etc.,
even when not looking at "cloud" environments.

Fabian


Re: [liberationtech] Google keeps the chat history even you enabled the OTR

2014-05-12 Thread Fabian Keil
carlo von lynX wrote:

> On Thu, May 08, 2014 at 08:15:04AM -0500, Anthony Papillion wrote:
> > The bottom line is that, bug or not, privacy conscious people need to
> > simply stay away from Google. And I don't mean just Google Search or
> > Chat. I mean /all/ of Google, Everything they offer.
> 
> AFAICT that's not enough. You need to make sure the cookies
> are grilled because every single googleapisomething using
> scripts, fonts etc from the google cdn may like to fingerprint
> you as you pick the stuff up. even if you grill the cookies
> your combination of browser, ip, screen resolution etc is
> enough. so either you filter google domains entirely, or you
> use tor combined with a cookie filter. btw, does anyone have
> suitable privoxy filters? i tried to write some radical
> reject-all-google-domains rules, but they don't work. not
> only are all browsers p0wned by google, even privoxy is..  ;-D

Please have a look at:
http://www.privoxy.org/user-manual/contact.html

From your description it's unclear to me what you did,
what you expected Privoxy to do and what Privoxy actually
did.

A definition of "p0wned by google" would be great, too.

Fabian


Re: [liberationtech] Launch of our free online digital security training courses

2017-03-29 Thread Fabian Keil
Security First wrote:

> In partnership with Advocacy Assembly, we are delighted to announce the
> launch of our free online digital security training courses.
> 
> The topics covered are:
> 
> -Phishing, Malware and Social Engineering
> 
> -Secure Communications
> 
> -Secure Passwords and Encryption of Data
> 
> -Staying Safe Online and Using Social Media
> 
> Each course should take about 20 minutes to complete and has lots of
> videos, quizzes and further resources for further learning. All courses
> are available in English, Farsi and Arabic.
> 
> Get them for free here:
> https://advocacyassembly.org/en/partners/securityfirst/

When I try to access that URL the request gets intercepted by a
Cloudflare message that tries (but fails) to trick my system into
executing proprietary and unsigned software from Google.

Is this part of the training?

Fabian