Re: [liberationtech] OTRon: Chrome extension for end-to-end FB chat encryption

2014-01-29 Thread Jens Christian Hillerup
On Tue, Jan 28, 2014 at 10:43 PM, Omar Rizwan omar.riz...@gmail.com wrote:

 Haven't spread it widely yet or made it easy to install, I'm looking
 for feedback both on how well it works (it needs some more testing and
 does have some functionality bugs -- you may be blocked from FB chat
 for a few minutes if it goes wrong!), how easy it is to use, and on
 the general approach.


Disclaimer: I haven't read the source, tried the extension or otherwise
gotten to know about this tool other than reading OP.

The reason I'm writing anyway is that this is important to know generally.
Facebook records the text in text fields even before they're submitted [1].
Therefore, if this tool relies on Facebook's own text fields (or anything
within the DOM, really), they can completely circumvent this OTR
implementation. The right way to do this would be to spawn something out of
the reach of Facebook JS. That means, spawning a separate chat window in
the context of the extension, or using window.prompt in either context (the
contents of a window.prompt cannot be read before the OK button is pressed).

JC

[1]
http://www.slate.com/articles/technology/future_tense/2013/12/facebook_self_censorship_what_happens_to_the_posts_you_don_t_publish.html
-- 
Liberationtech is public  archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

[liberationtech] Fwd: A hacker's guide to Amsterdam

2013-07-19 Thread Jens Christian Hillerup
-- Forwarded message --
From: Jens Christian Hillerup j...@hillerup.net
Date: Jul 19, 2013 11:12 AM
Subject: A hacker's guide to Amsterdam
To: Hackerspaces General Discussion List disc...@lists.hackerspaces.org
Cc:

... So I'll be coming to Amsterdam on the 27th of July, following the
UbiCrypt summer school on reverse engineering in Germany (anyone going?
let's hook up!) I plan on showing up at the OHM site a few days in advance
to help with the build-up etc, but that still leaves me with two or three
days in A'dam.

I'm looking for suggestions for things to see that might be of interest for
hackers -- small or large, well-known or obscure. I've not been in
Amsterdam for ten years, so my knowledge of the city is close to nil.
Technical stuff, DIY stuff, urban exploration stuff, graffiti stuff and
hackerspaces is my deal. If anyone has suggestions (or even a place to
crash), I'm all ears!

Thanks,
JC
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] DecryptoCat

2013-07-04 Thread Jens Christian Hillerup
On Thu, Jul 4, 2013 at 11:36 AM, KheOps khe...@ceops.eu wrote:

 Just came accross this:
 http://tobtu.com/decryptocat.php


Eep!

It seems like the saying "given enough eyeballs, all bugs are shallow" has
become obsolete, huh? Peer review is an integral part of developing secure
cryptography implementations, but unfortunately this fundamentally clashes
with the hacker mantra of "just do it". It's a shame that this project did
not get this kind of attention until after people started relying on
it---that could have saved a lot of people from a lot of shouting in any
case.

So what do we do about this? Opening the source code as an argument for
security no longer suffices. How can we raise money for rigid and
independent quality assurance of software that in this case is designed to
potentially save lives? And how can we make sure that this money flows
into the fund and out to the QAers on a regular basis?

I don't know, sadly, but I'd love to discuss it.

JC

[liberationtech] AdLeaks - a whistleblowing platform

2013-06-23 Thread Jens Christian Hillerup
We designed the AdLeaks system to work with partners who embed AdLeaks ads
or AdLeaks bugs into their web pages. Our ads contain code that encrypts an
empty message with the AdLeaks public key and sends the ciphertext back to
AdLeaks. This happens on all users' web browsers. A whistleblower's browser
substitutes the ciphertext with encrypted parts of a disclosure. The
protocol ensures that an adversary who can eavesdrop on the network
communication cannot distinguish between the transmissions of regular
browsers and those of whistleblowers' browsers. AdLeaks ads are
authenticated so that a whistleblower's browser can tell them apart from
other code. Consequently, whistleblowers never have to navigate to any
particular site to communicate with AdLeaks once our ads are sufficiently
widespread.

http://www.adleaks.org/how.html

Re: [liberationtech] AdLeaks - a whistleblowing platform

2013-06-23 Thread Jens Christian Hillerup
Quickly noting that I'm not affiliated with AdLeaks, just passing on the
information.

On Sun, Jun 23, 2013 at 1:56 PM, Andrea St and...@gmail.com wrote:

 it sounds different from globaleaks project. Am I right?


Yes. GlobaLeaks seeks to establish an open-source version of the submission
system of Wikileaks such that anyone and everyone can make their own leaks
site. The core development team of GlobaLeaks is also on this list, so I'll
let them describe it further.

This project, on the other hand, cleverly uses how every internet user is
exposed to ads on a daily basis. The people designing some web page with
ads (say a news site) can then choose to make it sort-of AdLeaks-boosted.
For a regular visitor to the news site, their browser will encrypt a block
of red herring data (no content of interest), but if a whistleblower
comes by they have the chance to encrypt not red herring but the content
that they want to leak. The thing is that an adversary that is able to
monitor the traffic to the news site will not be able to distinguish
between leaks and noise, since it won't have the decryption key. In short:
having *all* visitors to the site encrypt and submit *something* is the
novelty in this approach.

JC
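As an added illustration (not AdLeaks' own code) of the framing idea in the quoted description above and in this reply: every browser submits a frame of the same fixed size, a regular visitor's frame carries nothing, a whistleblower's carries one chunk of the disclosure, and only the collector can tell which is which. Encryption of each frame to the AdLeaks public key is assumed to happen outside this snippet, and FRAME_SIZE is a constructed value.

```python
"""Constant-size submission frames in the style of the AdLeaks design.

Constructed example, not AdLeaks' code. Every frame is exactly FRAME_SIZE
bytes: a red-herring frame (regular visitor) and a chunk frame (whistleblower)
have the same length and the same layout, so nothing about size or structure
leaks which one a browser sent. The frame is the plaintext that the ad's code
would then encrypt to the AdLeaks public key (not implemented here); the
constant size is what keeps the ciphertexts indistinguishable by length.
"""
import os
import struct
from typing import Optional, Tuple

FRAME_SIZE = 64                 # constructed value: size of every submission
HEADER = struct.Struct("!BHH")  # flag, chunk index, payload length
PAYLOAD_MAX = FRAME_SIZE - HEADER.size

FLAG_EMPTY = 0   # red herring: regular visitor, nothing to say
FLAG_CHUNK = 1   # one chunk of a disclosure


def make_frame(payload: bytes = b"", index: int = 0) -> bytes:
    """Build one constant-size frame; an empty payload gives a red herring."""
    if len(payload) > PAYLOAD_MAX:
        raise ValueError("payload does not fit in one frame")
    flag = FLAG_CHUNK if payload else FLAG_EMPTY
    body = HEADER.pack(flag, index, len(payload)) + payload
    # Random tail so that an empty frame is not a predictable all-zero block.
    return body + os.urandom(FRAME_SIZE - len(body))


def parse_frame(frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Collector side: (index, payload) for a chunk, None for a red herring."""
    if len(frame) != FRAME_SIZE:
        raise ValueError("malformed frame")
    flag, index, length = HEADER.unpack_from(frame)
    if flag == FLAG_EMPTY:
        return None
    return index, frame[HEADER.size:HEADER.size + length]


def split_disclosure(data: bytes) -> list:
    """Whistleblower side: one chunk frame per ad impression."""
    chunks = [data[i:i + PAYLOAD_MAX] for i in range(0, len(data), PAYLOAD_MAX)]
    return [make_frame(chunk, i) for i, chunk in enumerate(chunks)]


def reassemble(frames) -> bytes:
    """Drop red herrings and put the chunks back in index order."""
    parts = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is not None:
            parts[parsed[0]] = parsed[1]
    return b"".join(parts[i] for i in sorted(parts))


def same_shape(frames) -> bool:
    """What a network observer can check: all frames have one length."""
    return len({len(f) for f in frames}) == 1
```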

Re: [liberationtech] Secure and Cheap Provider in Sweden or Iceland?

2013-06-14 Thread Jens Christian Hillerup
On Thu, Jun 13, 2013 at 8:51 PM, Lorenzo Franceschi Bicchierai 
lorenzo...@gmail.com wrote:

 In lieu of the recent NSA leaks, I'm going to transfer my website to a new
 provider in either Sweden or Iceland (because well, you never know).
 Griffin Boyce suggested I use moln.is, do you guys have any other
 suggestion? Any other kind of advice?


I've heard good stuff about greenqloud.com. Not only are they in Iceland,
but they seem to have a pretty good environmental observance, if you value
that.

JC

Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Jens Christian Hillerup
On Fri, Jun 7, 2013 at 9:23 AM, Nadim Kobeissi na...@nadim.cc wrote:

 STOP PROMOTING THE INTERNET


Stop promoting 'murica. And help me test and develop my project
escapetools that is meant for taking out your data from services like
GMail and saving them in a way that can be used in infrastructure
cooperatives like fripost.org.

http://github.com/jchillerup/escapetools

JC

PS: This email was (sadly) brought to you all by GMail.

Re: [liberationtech] Secure, inexpensive hosting of activist sites

2013-04-21 Thread Jens Christian Hillerup
On Thu, Apr 18, 2013 at 10:45 PM, Hisham almiraatb...@gmail.com wrote:

 Activists whose sites come under attack struggle to find cheap solutions
 to keep their websites safely guarded. Many of them are looking for
 secure, inexpensive hosting. I've come across many such cases, from
 Senegal, to Zambia to Egypt to Morocco. Some of them ask for temporary hosting
 to be able to stay online until they can stand on their feet again.

 I'd be grateful if someone could help with this one. Are there secure and
 inexpensive solutions out there?


There's also NearlyFreeSpeech.net if you're OK with US companies. They are
cheap. They do charge for traffic, though, but stack it with CloudFlare as
Nadim pointed out and you're good, even in case of DDoS.

JC

Re: [liberationtech] SUBSCRIPTION

2013-04-02 Thread Jens Christian Hillerup
On Tue, Apr 2, 2013 at 7:30 PM, Mark Gleicher mgle...@gmail.com wrote:

 HELP. I would like to know how I would unsubscribe.


Hi Mark,

Please follow the instructions at the end of this mail (and all other mails
on this list).

Best,
JC
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Fwd: You are awesome, Treat yourself to a love one

2013-03-31 Thread Jens Christian Hillerup
On Sun, Mar 31, 2013 at 11:21 AM, Andreas Bader andreas.ba...@nachtpult.de wrote:

 How could that happen??
 This email address has existed for only a week or two and is only used for
 trusted contacts and the Libtech/Drones lists!


The liberationtech archives are publicly available.
https://mailman.stanford.edu/pipermail/liberationtech/

JC

Re: [liberationtech] Efficient digital one-way communication

2013-03-04 Thread Jens Christian Hillerup
On Mon, Mar 4, 2013 at 4:40 PM, Michael Rogers mich...@briarproject.org wrote:
 Last year I spent some time playing with audio encoding of data for
 transmission over handheld radios. The state of the art here is dialup
 modems - on a good day they can get 56,000 bits per second over a
 channel designed for voice, but that requires advanced modulation and
 error correction techniques. The radio hams have packet radio (AX.25
 and APRS) running at 1,200-9,600 bps over long distances using simple
 modulation and no error correction. Some early home computers used
 audio cassettes for storage (300-1,200 bps, CUTS or Kansas City Standard).

Nice information, thanks. Would it be wrong to assume larger data
rates to be attainable on an FM link than over the telephone line?
For music etc. FM has far superior sound quality in any case.

 If you want to support purely one-way communication (no acks), you'll
 need to forward error correct the data. Hamming codes and parity
 checks are simple to implement but they'll eat a lot of your
 bandwidth; Reed-Solomon codes are more bandwidth-efficient but also
 more complex.

Yes, I thought of that too in September. Luckily I've taken courses in
abstract algebra and error-correcting codes at my university; I think
I'd be able to write a working RS implementation from my theory books.

Another thing I didn't tell in my first mail is that I've been wanting
to design a protocol for metadata, too, since it doesn't really make
sense to decode and save half files anyway. It would also make it
possible to send the file names and file sizes beforehand so the
receiver can know how much of the file s/he has already received.

And yes, I want this to be truly one-way -- no acks. The idea is that
I want the receiving end to need as little hardware as possible: one
FM radio and one computer with a sound card (and this software). The
sender obviously has access to an FM transmitter (or whatever becomes
the sound carrier). This modulation algorithm should not provide
authenticity of the sender, instead cryptographic signing of the data
should happen at higher levels of the stack.

 Some Java code for modulation, framing and error correction is here if
 you're interested:

 http://briar.git.sf.net/git/gitweb.cgi?p=briar/sandpit;a=tree;f=src/net/sf/briar/sandpit/modem
 http://briar.git.sf.net/git/gitweb.cgi?p=briar/sandpit;a=tree;f=src/net/sf/briar/sandpit/fec

Thanks a lot! I'll have a look at it soon.

JC


Re: [liberationtech] Efficient digital one-way communication

2013-03-04 Thread Jens Christian Hillerup
Whoops, we're drifting off-list. I've included the relevant parts (and
committed a stereo fix to the main repo that fixes the bug from my
second mail).

On Mon, Mar 4, 2013 at 6:46 PM, Kurtiss Hare kurt...@gmail.com wrote:
 Also, couldn't having a large frequency span be challenging to carry
 over FM? I should probably grok
 http://en.wikipedia.org/wiki/Frequency_modulation before discussing
 that detail further.

 My naive model of the idea here is to consider the number of audibly
 distinct (and computationally discernible) instruments capable of delivery
 through FM. For a given note, each one has a distinct overtone series which
 lends it a unique timbre. Depending on the sophistication of your decoder, I
 would think the number of euphonic sounding configurations to be quite high.

Well, instruments get their timbre from the *weighting* of the
overtones, not their existence or non-existence. I'm concerned that if
we go into the game of actually weighting these overtones (rather than
just choosing whether they should be there or not), decoding becomes
too difficult. We're already spanning three octaves as it is, so
they'd definitely need to have less amplitude than the fundamentals.
I'll do some experiments when I get the time...

JC


Re: [liberationtech] Efficient digital one-way communication

2013-03-04 Thread Jens Christian Hillerup
On Mon, Mar 4, 2013 at 7:26 PM, Don Marti dma...@zgp.org wrote:
 begin Jens Christian Hillerup quotation of Mon, Mar 04, 2013 at 06:53:05PM +0100:

 Whoops, we're drifting off-list. I've included the relevant parts (and
 committed a stereo fix to the main repo that fixes the bug from my
 second mail).

 DTMF uses two pitches at a time -
   http://en.wikipedia.org/wiki/Dual-tone_multi-frequency_signaling

 Chords might be a way to get more information in.

Yes, and then I can scrap the stereo encoding again. I'd rather have
it optional than required. And I agree, it would make more sense to
pick eight notes and use them as a bitmap. We'd face the same problems
as we did before with the harmonies, but that problem does not get any
bigger or smaller so I don't see the point in not implementing it.

Idea: parity information in the overtones? Not applicable if we go
with Reed-Solomon codes, though.

JC


[liberationtech] Efficient digital one-way communication

2013-03-03 Thread Jens Christian Hillerup
Hi,

One thing I've been thinking a lot about recently is how to make
digital one-way communication feasible for activists, sort of sending
digital information to the broad public. I believe that FM is a good
medium for this because the transmitters are cheap and everybody has a
radio. Hook up the radio to your sound card, and demodulate the audio
back into data, and there you go.

I did a quick hack back in September, called modulera [1]. The idea is
to exploit how pentatonic polyphony always sounds good, regardless of
the notes picked (as long as they're within the scale). The way it
works is that it takes three octaves of some pentatonic scale (in this
case F# major), and silence. This gives 16 different notes. Split up a
byte into two nibbles and you get your two tones. I realize this
approach has a way too low bitrate, but I like the aesthetic in having
the modulated data also be easy on the ears. For any real use, this
would likely need to be scrapped to increase bitrate. Feel free to try
the script, though! I've included the output of the script modulating
itself.

I basically just wanted to throw it out here. Does anybody have
experience in modulating data? Has this kind of digital one-way
communication been done in an activist setting before? Does it make
sense to kick off a project aimed at creating an easily usable system
capable of modulating and demodulating data at modest bitrates
(15KB/s)?

JC

[1] https://github.com/jchillerup/modulera


Re: [liberationtech] Efficient digital one-way communication

2013-03-03 Thread Jens Christian Hillerup
On Sun, Mar 3, 2013 at 3:25 PM, Jens Christian Hillerup
j...@hillerup.net wrote:
 I did a quick hack back in September, called modulera [1]. The idea is
 to exploit how pentatonic polyphony always sounds good, regardless of
 the notes picked (as long as they're within the scale). The way it
 works is that it takes three octaves of some pentatonic scale (in this
 case F# major), and silence. This gives 16 different notes. Split up a
 byte into two nibbles and you get your two tones.

Oh, and before anyone notices, there is currently no way of telling
the ordering of the nibbles at demodulation time. Also 0xAA = 0xA0 =
0x0A. As I said, this is (for now) just a toy; there are certainly
things that need to be addressed.

JC
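An added reconstruction (not the modulera repository's code) of the tone mapping described in the original post and of the nibble-ordering ambiguity noted in this follow-up, with the eight-note bitmap from the DTMF/chords exchange above for comparison. It goes a step beyond the thread by counting how many of the 256 byte values are uniquely decodable; the starting octave (F#4) is an assumption.

```python
"""Reconstruction of the modulera symbol mapping discussed in the thread.

Constructed example, not the modulera repository's code. Symbols 1..15 are the
F# major pentatonic scale over three octaves, symbol 0 is silence. A byte is
split into two nibbles and each nibble becomes one tone, played at the same
time. Two simultaneous tones form an unordered chord, and a repeated tone is
just one tone, so the demodulator only sees a *set* of notes; that is why
0xAA, 0xA0 and 0x0A cannot be told apart.
"""
from collections import defaultdict
from typing import List, Optional

A4 = 440.0
PENTATONIC = (0, 2, 4, 7, 9)   # major pentatonic, semitones above the root
ROOT_FROM_A4 = -3              # assumed: lowest root is F#4, 3 semitones below A4


def note_frequency(symbol: int) -> Optional[float]:
    """Map a 4-bit symbol to a tone frequency in Hz; 0 is silence."""
    if not 0 <= symbol <= 15:
        raise ValueError("symbol must be a nibble")
    if symbol == 0:
        return None
    octave, degree = divmod(symbol - 1, len(PENTATONIC))
    semitones = ROOT_FROM_A4 + 12 * octave + PENTATONIC[degree]
    return A4 * 2 ** (semitones / 12)


def encode_byte(value: int) -> frozenset:
    """What a listener hears for one byte: the set of sounding tones."""
    hi, lo = value >> 4, value & 0x0F
    return frozenset(s for s in (hi, lo) if s != 0)


def decode_candidates(chord: frozenset) -> List[int]:
    """All byte values that produce the given chord (length 1 = unambiguous)."""
    return [b for b in range(256) if encode_byte(b) == chord]


def count_unambiguous() -> int:
    """How many of the 256 byte values survive a round trip uniquely."""
    groups = defaultdict(list)
    for b in range(256):
        groups[encode_byte(b)].append(b)
    return sum(1 for members in groups.values() if len(members) == 1)


def encode_byte_bitmap(value: int) -> frozenset:
    """Alternative raised in the thread: eight fixed notes, one per bit.

    Each subset of the eight notes is a distinct chord, so the mapping is
    injective and needs no ordering information at all.
    """
    return frozenset(bit for bit in range(8) if value >> bit & 1)
```

Note that the thread's point about nibble ordering is worse than it looks: with the two-tone scheme only 0x00 (pure silence) decodes uniquely, every other byte shares its chord with at least one other value.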


Re: [liberationtech] // The 'Kill Packet' - feedback wanted //

2013-02-25 Thread Jens Christian Hillerup
On Mon, Feb 25, 2013 at 7:37 PM, Julian Oliver jul...@julianoliver.com wrote:
 Consider the case one has volatile data on a remote machine that needs to be
 removed as fast and as discreetly as possible. The last thing you want to be
 doing is whipping out the laptop and logging in via SSH, an SFTP browser etc
 and manually deleting that data. Rather, it would be more convenient to just
 hit a single button on your phone or click a single icon that sends a network
 packet to the server, triggering a script that proceeds to delete your data
 and/or back it up to another trusted server.


I think this project is roughly what you're looking for:

https://github.com/qnrq/panic_bcast

JC
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] // The 'Kill Packet' - feedback wanted //

2013-02-25 Thread Jens Christian Hillerup
On Mon, Feb 25, 2013 at 8:11 PM, Julian Oliver jul...@julianoliver.com wrote:
 Very nice! I would see this as a companion project as it doesn't quite do the
 same thing - it's whole disk focused rather than on deletion of directories
 themselves (which could be followed with a reboot cycle and killing the
 journal on EXT3/4).

I agree it's not exactly what you requested, but it is rather easily patchable:

https://github.com/qnrq/panic_bcast/blob/master/panic_bcast.py#L79-L84

At least you have the communications thing written for you.

JC


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Jens Christian Hillerup
On Thu, Feb 7, 2013 at 11:41 AM, Andreas Bader noergelpi...@hotmail.de wrote:
 Notionally there is no unbreakable encryption.
 Practically there is an unbreakable encryption (AES, SHA-3); our
 standards are more than adequate.
 The risk with encryptions is more the possibility of a hardware hack.
 Or a bad guy beating the shit out of you with a 5 Dollar Wrench until
 you tell him the password.
 In real life no one will use a super computer to break our hardcore
 encrypted harddrives.

I think Nadim was being sarcastic. I'm also eager to see what comes
from this. I too think it's rather odd that these supposedly
respectable cryptographers are so blatantly ignoring Kerckhoffs's
principle.

Quickly skimmed the article; it seems that you have to trust them to
*actually* encrypt your stuff on your phone before storing it on their
servers. As with so many others, it'd behoove them to put their code
where their mouths are; I don't mind them making money off of this,
but at least they should stop leveraging their big names in the
industry to get a lot of media attention around them selling
snake-oil.

JC


Re: [liberationtech] Cryptography super-group creates unbreakable encryption

2013-02-07 Thread Jens Christian Hillerup
On Thu, Feb 7, 2013 at 5:34 PM, scarp sc...@tormail.org wrote:
 Jens Christian Hillerup:
 Hear-hear. They don't need to open-source their software to
 convince me, as long as they are open about their protocol at
 least.

 And what if there's a second set of decryption master keys? You're
 willing to trust them because they say "We're famous guys, we won't do
 anything bad, and plus we hate naughty governments."

No, I think we agree. I meant by protocol that it'd be possible for me
to create a client for the service from scratch (maybe even the server
part, too, but not strictly needed), i.e. I get to choose the
encryption key(s), etc. Sorry for the misunderstanding.

JC