Re: [liberationtech] Examples of integrated health delivery using ICTs

2013-09-18 Thread Jon Camfield 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Beyond these resources, there's a ton of activity in this space from
traditional development orgs:

RTI's "ICT4D" (tech for development) team has a ton of health projects:
http://www.rti.org/page.cfm?objectid=318AC349-9637-4176-A4967867C9E30EB2

IntraHealth: http://www.intrahealth.org/page/ehealth (disclaimer, I
used to sit on one of their advisory boards)

Jhpiego (affiliated with Johns Hopkins) also has a strong health+tech
team: http://www.jhpiego.org/en/content/what-we-do

Datadyne also does mobile + health data collection, using a
closed-source, but sustainable business-as-a-service model

Tostan does less (AFAIK) in tech/systems work, but has the strongest
community-led model I've come across.

You might also check out the members and work around the
mHealthAlliance: http://www.mhealthalliance.org

Cheers,
Jon

On Saturday, September 14, 2013 07:31 AM, Willow Brugh wrote:
> Aston University has some initiatives around this, as does Tiny
> Devices out of MIT (I think), but I don't know much beyond that.
> 
> Willow Brugh // willowbl00  schedule
> research , work 
> , or social 
> time with me
> 
> 
> On Fri, Sep 13, 2013 at 11:31 PM, Allen Gunn
> mailto:gun...@aspirationtech.org>>
> wrote:
> 
> OpenMRS.org is a great platform and very vibrant open source
> community focused on supporting healthcare delivery, primarily in
> Africa.
> 
> peace, gunner
> 
> On 09/13/2013 11:57 AM, Yosem Companys wrote:
>> From: *Atanu Garai* 
>> >>
> 
>> Dear All,
> 
>> __ __
> 
>> In last few years, several donors announced grants for ICT
>> projects to deliver integrated health services in underserved
>> communities. I am looking for examples of those projects
>> implemented or in the process of being implemented to examine the
>> project design, approach, and implementation methods. Shall be
>> thankful for any references to such projects.
> 
>> __ __
> 
>> Regards,
> 
>> Atanu
> 
> 
> 
> 
> 
> -- Liberationtech is public & archives are searchable on Google. 
> Violations of list guidelines will get you moderated: 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. 
> Unsubscribe, change to digest, or change password by emailing 
> moderator at compa...@stanford.edu .
> 
> 
> 
> 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSObWnAAoJEKmYlZ/5Jr+L3PkQAMVFsmXt2a5kUtUcSLLpNs4W
BZ+nZytjGVH7EesDIMCbwsfo29jRbzjFKlxOyEldRr6YPuJ0pG0M6fmm2NaHuHwJ
rf52QgL5GzJV7E9w4YzVpHnwsEnYZ0tAXmdzQBkxEG6edbF8EpqAd4SME6ZCpcHb
2YtsbSIPsiT6aNH2+nhSTcylMIijI3NWxrhzBH4VCedz42EJCuhT1zALaKYazeDF
Eg72HFsZ5QnwBo5f9x+EhflGygeP2+8o2OXyjG84fEaCcF8glNNHUw1gormyQ9T6
DTfpsvNghaRetccJSV3YunRnVajsxyhm0OvReHJlkzmllu6FSsETqhgGy2xdRf9x
/WJztGLuEEqUfhDs/l+cbJTwBEOsn3aSoVcf1ZOUGz4FFsNZwnVityNbgoIGXYHF
wffeJjlMQ6K6TRZUolLGUG4sGtDOa2ei1Aoc/APRqTZcnWtSp+AjpZvCawJH7jRW
y268QQfXBboaFjOdGOsgLPXNHtL7b76DmsUQOW+YAcX9UREhH2HhMU4QT7gB2/qJ
rGwlDZ2IY09jg/iUeW1FcEUgBoGCsmIg0CWxSSYT0dMjoZIfvVsZu9NEO3U3xfa7
V3ufZ+R0F24CE2z2uSrVNUv9kxdmDW9gd/SRdbuExQFXQy1XM7twJbBJtxdlRw5i
ALq4Fsyjt7u5fC9MBAvW
=bjkR
-END PGP SIGNATURE-
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Naive Question

2013-09-12 Thread Jon Camfield 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wednesday, September 11, 2013 05:52 PM, R. Jason Cronk wrote:
> Anything which potentially signaled your receipt of an NSL would
> be grounds for prosecution under the gag-order. This is what the
> prosecutor was alluding to when he signaled that Lavabit's shut
> down was tantamount to a violation because his shut down
> essentially communicated the fact that he was under a court order
> to do something which he couldn't talk about.

For large companies, I wonder how resignations would count in this?
Could an NSL require, say, the lead cryptographer of an org to /not/
resign?

> 
> Making your service secure such that you can't be forced to do this
> sort of thing (or such that it would be obvious, say open in
> reviewing your open source code) would be the only way to go.
> 
> *R. Jason Cronk, Esq., CIPP/US* /Privacy Engineering Consultant/,
> *Enterprivacy Consulting Group* 
> 
> * phone: (828) 4RJCESQ * twitter: @privacymaverick.com * blog:
> http://blog.privacymaverick.com
> 
> 
> 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSMcPsAAoJEKmYlZ/5Jr+LOFEQALGGllWT14o8PIUnWf5ZWZIU
vlJEDgU/fDHBV12SnLM51+dMUrKf50FpLRNFhxoiIJ5s+FXHBAkZfCLzLKfj2tcN
oJn9/Uzcx0+6yjNvC6QM/MBP3aHhYKwDSDjA1YAaIix0twYimQdl7iBjMWXPVS6+
ECc9KB3q+s/TwgWdG/Nh4L43gBaR0X3C1uooW1j9q0OizCSMTw8dlKUgdbiGAJ6i
zSOzL0swYeMjyqKce6+kVu6NrehQEbOxisM55AQ5CF8E5IyzWXeKZOqbnWyOhp/q
ivyGZPxchLBsSYLpMHEv+duuszwzGGr3dYHucACqzk8USTKMM9hQytfq8exxirfi
mqvKKFhaeD3jOeYUnzfW1y0FVAhn/kt2jOtEy16nnAoYWZiU3JVa7ABy5YsRuyOE
fxz8qOn+Qfrh9DXJYRs77xFobyfUjhC57IxDYjTWuHbY8/wh75t2ZhNOieq4wm8m
sneQ20fShOy5Qe53BjqADagf5PnmZf9GzYtMgfSP3rtvnw2ALvNHUxpYsgh4NnnJ
eKPiLFeKYQIbLvoHiA0a/K6LK+ZDf3Ioo2Qjz3FVEZFOCj17IA7clxjRU7fkkIxr
0qdnAvKWYCTbutEFzfwh+GSVNOrQZroOO5Pyy1O3j/2uMpzXIHhgNQNKSiN60gDl
dWN+O09ZuKBUqt/dKWgz
=nwpH
-END PGP SIGNATURE-
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Naive Question

2013-09-10 Thread Jon Camfield 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Monday, September 09, 2013 05:09 PM, Jonathan Wilkes wrote:
> On 09/09/2013 03:40 PM, Case Black wrote:
>> There's a more subtle variant to this idea...
[SNIP]
> In short I don't think there's a hack for this one, it just
> requires old fashioned activism and mobilization to reveal what
> these secret interpretations of the law actually are and try to
> work to get rid of them.  (Well, I guess greater decentralization
> and privacy-overlays are a good way to get around it but that's a
> long term thing AFAICT.)

A naive thought experiment add-on:

There has always been a huge trust factor in hosted services - do they
really not log?  What are their configuration files?  How can we build
transparency into how the servers are configured and what code they
are actually, currently running in a way that would reveal malicious
changes?  (Obviously, there's also a security challenge here, in that
you have to really be on top of your updates and on the watch for
intrusions with this level of transparency).

In the end, it still becomes a iterative process where whatever
transparency system is put up can still be subverted by a skilled
governmental adversary, but it'd still be nice to have more than a
company's word about their logging policies.

Jon
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSLzJHAAoJEKmYlZ/5Jr+Lf8cQAIEPpy8mQnAaTKXWVmJ0Qwc8
6w53cXTLJ8ECl2gYX9qAwhrzvPG2t8QZA/mRfMaPVV3mcvegcFiXMrZp6yoKH3LY
VDVy0WZKhjPGsIWtGzO1wq0eNFTEf0rb7Anoq5NUUHv6ZcxoLieEpO3cdTBXf4Vm
H09BunB4kWfqTiuVJOkxLRTKshbUZPmZSRG5Xc9fr3eJVFugKbH6d/lMGq6YLLCo
/XgSqy11ggFaRJ11CH/DyNgHxi6TN4x+euPtOOO/ruXd7wgtx9n4j2LbSLeZvHw+
6k/7e1EQxX/0uk+iY7TUIzzgyv94nenut0oP+jJybX6FqEXpZCNKeSMp3XcYqgPn
LiJe5zIiRAdz80NqI62TKRC7mjp6DjB0cFsXpDqXOymOqPrz6It5lMCZcDD4nyDM
UghAxB2gNxNZYidk8gEb9xUEqDd1pQC6kBJkOMf6xf6K1P/5bG4GbObr6EbtU6r6
//Bfe8LRJUVSCqjNGrQ9UhEHas51T/yJdqloYYK1YjjpX1P6eBq7Xd5wwU66j5Oi
y9/EMrBGnLQpz2z739m7ShjIsfY2Cc8ZtEtJ77ktJujrqmxAOTgwaEGhVjm1oSDI
qzcwLoaX59tjfrvstJEbIyPBvvKgPzBbjIYmaD8qlpw8SBe72isWeLW+Y//FWbku
URlsdK1JgvINHeoq4aW1
=llkI
-END PGP SIGNATURE-
-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Is Most Encryption Cracked?

2013-07-17 Thread Jon Camfield 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wednesday, July 17, 2013 01:54 PM, Collin Anderson wrote:
> Wait, forgive me Libtech for amusing myself at the cost of your 
> collective inboxes but, is it just me or is the security page on
> what purports to be a security tool empty?
> https://unsene.com/security.html


They're taking security-by-obscurity to new, "innovative" levels.
- -Jon

> 
> On Wed, Jul 17, 2013 at 1:50 PM, Collin Anderson 
> mailto:col...@averysmallbird.com>>
> wrote:
> 
>> So, AES-128 is what they're using?
> 
> Mo' money, mo' key length.
> 
> */What?s the difference between the free version and the premium 
> version?/*
> 
> /The free version provides 256-bit AES encryption and 2GB of free
> encrypted storage and allows sharing of files of up to 50MB. The
> premium version provides up to 1048-bit AES encryption and 50GB of
> encrypted storage and allows sharing of files of up to 40GB. Also,
> the key in the free version is pre-generated and stored on our
> servers, while with the premium version the user has the option to
> generate his own key and store it locally for even greater
> security.  Keep in mind there is no ?password recovery?, so you
> definitely won?t want to forget your passphrase!/
> 
> 
> 
> On Wed, Jul 17, 2013 at 1:38 PM,  > wrote:
> 
> On Wed, 17 Jul 2013 10:18:44 -0700 Collin Sullivan
> mailto:coll...@benetech.org>> wrote:
> 
>> http://unsene.com/blog/2013/06/15/is-most-encryption-broken/
> 
> haystack called and wants its media pitch back
> 
> They say AES is broken and yet, "Military-grade security protects
> your important private messages, photos and videos, everywhere.
> It's so strong that we can't export it to Cuba, Iran, Sudan, and
> North Korea."
> 
> So, AES-128 is what they're using? I believe you can only export 
> 64-bit or less keys without a license.
> 
> This entire thing is dripping in snakeoil.
> 
> -- Andrew http://tpo.is/contact pgp 0x6B4D6475 -- Too many emails?
> Unsubscribe, change to digest, or change password by emailing
> moderator at compa...@stanford.edu 
> or changing your settings at 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 
> 
> 
> 
> -- *Collin David Anderson* averysmallbird.com
>  | @cda | Washington, D.C.
> 
> 
> 
> 
> -- *Collin David Anderson* averysmallbird.com
>  | @cda | Washington, D.C.
> 
> 
> -- Too many emails? Unsubscribe, change to digest, or change
> password by emailing moderator at compa...@stanford.edu or changing
> your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJR5t4oAAoJEKmYlZ/5Jr+Lgl4P/3FtSh7MgWCxJzL+OeTmciUz
3kse8vkAqjRZQ0n3vm+p7tFZeW0Jk5HMSJ75/bMZiV/VQk2WYTllf5e9aOzResN7
FKuSmQTXWlNTym4zs5IQEa3dTa/054p4rWmPDOBgYjIOFuqoSAbJQxHY8Tv24xgW
W//ZNh327Iuo1B3yNmM0PumQcNpp/jFpu8WgJKfcYFc9DeoQ8Utj4HNKElC6OK0l
88qwb/lLilCOiwcNORvF3Aq/R4y8Hk9TlXCiYq4iENMJcYES1dp0QGzqrMkS5pDb
p+32Rt5pzaGShA6iX/VxTJ7K8V6Q21VoB9EYgSwsFVItzkUiCmXMCLt2Ay073a+G
UCq93LuRDsdkyM/NDo6eu//XgQjecZlo+72T5KE3kDsMz/WQWemJUmGeKtdP9NXX
vFrOGWOS8tKxWugcgIpHK+aEGlZXZsb/NIaIUgahO6DIQIVVVgPcTv89hX3wlC4g
wrE1eFJhPiVzp+hw++fuEo58Gvporm3eeEhWkGLk3FHUAPSCMeaeJ4bSIQL4Kp1C
ksG1be8QBN5ju+psZIFFsPBlEhdg7YkOfXhWMHi4FVTnYEBuK0LrEij9xUe9yIjr
CyEQbK0g7ytxd9F6PTKt5VLbNu+d7csChHND+LulDhmFUDN0c52nJtYbkh1TscTq
JXp8AJZFl44jsAUM23QN
=pARL
-END PGP SIGNATURE-
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Secure Android guide?

2013-07-15 Thread Jon Camfield 
Julian - this is an excellent and concise quickstart guide to Android
security -- have you considered posting it into
https://github.com/opensafermobile/materials ?  Those materials which
were posted on the http://safermobile.org/ site (which is now
offline), but they're beginning to show their age.

Jon

On Saturday, July 13, 2013 10:30 AM, Julian Oliver wrote:
> ..on Sat, Jul 13, 2013 at 03:13:41PM +0200, Jerzy Łogiewa wrote:
>> Hello!
>> 
>> If I want Android phone and have it be most secure, how to do it?
>> Is there some guide with steps?
>> 
>> Like this:
>> 
>> 1- Buy some handset such as X, Y 2- Re-flash to Z firmware 3-
>> Change P settings to J ... 4- Install OrBot, RedPhone, and so on
>> 
>> What is recommended here by experts?
>> 
>> PS: I am willing to have device ONLY for secure communications.
> 
> Disclaimer: while some journalists/people call me an expert I've
> never, ever named myself as such!
> 
> Firstly, smartphones are a huge risk if you're really concerned
> about your security. Nonetheless, here's a start:
> 
> You can install CyanogenMod - and not install the Google suite -
> for a pleasant and largely Google-free experience. To be safer,
> don't install a nightly build. Take out the SIM card. Flash
> CyanogenMod using the simple instructions for your device on their
> website. Encrypt the file-system once the device is installed. Set
> up a 6-or-more line swipe pattern without visual feedback (and keep
> your screen clean!). Disable developer mode and MTP browsing, until
> you need it. Connect the device to a wireless network you control.
> Install DroidWall (or similar open source firewall) and lock down
> any unknown and/or promiscuous processes (vastly less with
> CyanogenMod than Android). Don't use Google Play. Download and
> install OopenVPN client and tunnel to your favourite trusted 
> OpenVPN server. Put on OrBot and run the OrWeb Tor browser.  Edit
> your exit nodes to those that suit.  Install Firefox and requisite
> extensions that protect against cookie tracking etc. Use StartPage
> instead of Google as your default search engine.  Don't install any
> random games or other software. If you need something like a PDF
> reader, be sure it's open source and the APK you download checksums
> out (SHA256).
> 
> I've done the above, more or less, with my last two Android phones.
> My SIII is especially good to work with. I've audited it on the
> wire and I trust working with it so far. How you use it is another
> thing. If you rarely need to make calls over the cellular network
> then use Airplane Mode until you need to call - that'll get you off
> the grid where cell provider location tracking/logging is 
> concerned. Better still, don't use a SIM card at all and
> tunnel/ZRTP VoIP with something like RedPhone.
> 
> Cheers,
> 

--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] eternity USENET (Re: Internet blackout)

2013-06-28 Thread Jon Camfield 
On Friday, June 28, 2013 12:28 PM, Eleanor Saitta wrote:
> On 2013.06.28 04.21, Rich Kulawiec wrote:
>> On Fri, Jun 21, 2013 at 04:56:24PM +0100, Michael Rogers wrote:
>>> I agree - "no smartphones" is sound advice. "No phones" is
>>> even better. But the problem is, nobody follows that advice. So
>>> we have to be pragmatic.
> 
>> [snip insightful comments]
> 
>> I would like to agree with you -- and in part, I do.
> 
>> But I'll suggest that the yardstick for "pragmatic" has moved 
>> considerably during the last few weeks.
> 
> And yet, the yardstick for what users will accept hasn't moved
> more than a half inch.  Yes, we're going to get more people to try
> to use better tools now.  They'll still fail, because the tools
> still aren't designed for them and they still do actually have
> other jobs to do.
[snip]

> Did you know that there's a private bus line going in in San
> Francisco that you can't ride without an iPhone?  Now, what was
> that again about telling people to not carry phones?

Or the unspoken but equally massive database that our credit cards
generate about our location and detailed buying habits; but try living
any approximation of a normal life without one.

> I understand very well that giving people advice that is
> insufficient isn't acceptable.  However, giving people advice
> they're going to ignore wastes their time, destroys your ability to
> be an adviser on issues where they might take your advice, and
> doesn't result in any better outcomes.
> 
> We as the security community need to stop doing this and come up
> with a third option that understands that our users have multiple 
> priorities.  If we don't want to understand the world our users
> live in and their needs, we might as well all fuck off to a cave
> somewhere.
> 
> E.

Channeling Gunner for a moment, can we get a love bomb here?

I think the key is that it's time to *also* support the "average"
user.  We can't stop working to create systems that are as secure as
possible for the people who are directly targeted and whose lives are
at risk -- but we also cannot only support that very motivated individual.

If we can improve the baseline - making everyone more secure from a
variety of threats, we start winning at a much longer-term game; and
we make the extra mile that people on front line have to do to be even
more secure a bit less challenging.

This means tools have to be easier, and need to be usable at a basic
level without training.  Is the level of security they'll be at good
enough for {insert problematic context/country here} ? No, of course
not, but it's a hell of a lot better than an unpatched WinXP box with
out-of-date anti-virus and outlook express.

I feel like the ladder for security tools is missing rungs on the
bottom 2/3ds of it, and we're at an amazing (and frightening) point in
history to build those rungs in.

/end friday rant

Jon

> -- Too many emails? Unsubscribe, change to digest, or change
> password by emailing moderator at compa...@stanford.edu or changing
> your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 

--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Microsoft Accesses Skype Chats

2013-05-20 Thread Jon Camfield 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/18/2013 06:43 AM, Rich Kulawiec wrote:
> First: thanks for the followup/information/analysis.  Most
> helpful.

To follow up on what I'd mentioned as possible further things to test,
yes it does follow redirects (but sadly does not follow looped
redirects), and yes it follows things that the skype client has
determined are links (generally anything that starts with www..., not
just http...).

Interestingly, Firefox, on hitting my redirect-loop, bounced back and
forth for a bit before giving up, the MS scan only hit the URLs once.
 Is this because it's coded to detect loops, or is it only scanning
links once per some timeframe?

> Second:
[great walk-through of why this summary below is accurate snipped]
> 
> Bottom line: either Microsoft is telling the truth, in which case
> this was a hopelessly inept and ridiculously ineffective "malware
> scanning" exercise, or they're lying and just threw this fabricated
> story against the wall to see if it would stick.  My money's on the
> latter: I think they're evil, not stupid.

I agree -- not sure I'd go straight to "evil," but I find it too far
of a stretch for the current explanation to hold.


> ---rsk
> 

Jon


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRmnVNAAoJEKmYlZ/5Jr+LVQEP/3gC7SYXvRfT68Q2xLXqM7SH
ESilV8WUgi9dGmcGZqbjTNs20ZIUOGUeejnVCknIxIwYhs8rt7PV2E42g7YK0PAN
SI860P+HCkdDH6w2VefsvmA3yjM+baaNz8K/J0kf3ON30VptBmcmDyFDwLQ9M41L
mAr/P9quKEzt2RdShCZ59ctdxsQkFgc/Zy8Fmaxgd5IrFzgR2DdtJkU3lSHU+ttn
pRQ54LAPZJwKYa3UJMa1fDn4HoQ9SC0+qgYSapwG5JyBwvSjq5bwIGCwN1yg1/BC
QiaWnk6EfULHtPibT5iy8sQmiqvldnrYtHHTOCa/gUSTXZiNJVq5/w9VCiuGb1IK
AgIAtBRAjl0QDUHgE4r0I7Q6DbfHX6nqQEvCvyOGscyHfHYT6Qfq6gXMgeuYY0eR
IUVwJFtwQwnANhfQogc3NQTMFa7vU9whB52rzlvzF9bx2BgI528Eh3cRYyFqgCKg
RES+dyoIeJhoaTi9NpcJvmZBEY/vDsndLpabcy21TaXXk0Xv+2uion1rSq3PXXtV
tLjojrFqW0lnFbcTWrvCs4Aoxl22ynEFrycQwR+O4RhEk8Ph+ynZhB+Gddx2YSvx
0+VSeg/tAKrd5ep4a85ptkO3XcQSPTDGsu4sZ/qsvkhCBJcVwZuMEzKSjMt/pHEr
7THovA4a+Pf60tYp7GTZ
=knHg
-END PGP SIGNATURE-
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Microsoft Accesses Skype Chats

2013-05-17 Thread Jon Camfield 
On 05/17/2013 07:31 AM, Rich Kulawiec wrote:
> On Tue, May 14, 2013 at 09:14:19PM +0530, Pranesh Prakash wrote:
>> Heise Security is reporting that Microsoft accesses links sent over
>> Skype chat.[1]
> 
> Everyone who thinks that's the *only* thing that Microsoft is quietly
> doing behind everyone's back, raise your hand.
> 
> And incidentally, the proffered rationale for this doesn't fly, given
> that (a) they're only sending HEAD: actually scanning destination URLs
> for malware et.al. would require fetching the whole page and (b) they're
> only retrieving HTTPS URLs (per Heise) which is not what someone actually
> looking for malware would do.

Let me address (b) first - I want to clarify that there is HEAD scanning
on HTTP URLs, *not just HTTPS*.

This comes from the same IP, with a 2-3 hour delay from posting in skype
to seeing in the logs:

65.52.100.214 - - [15/May/2013:09:16:33 -0700] "HEAD /skype.html
HTTP/1.1" 200 320 "-" "-"

I'm doing some follow-up tests to see if it follows redirects, links
posted without http:// or https:// , links without www.* and so on.
This could inform the utility of (a) (I'm arguing as a devil's advocate
here).  Given that MS might have an existing catalog of malware sites
and/or a separate method for finding new ones; this HEAD scanning may be
looking for new, unknown redirects to known malware sites. (However,
this wouldn't find in-page redirects or javascript redirects/additions,
and a number of other "popular" malware/adspam distribution tools).

  Moreover (c) even if they classified
> a URL as malicious, let's say https://example.net/blah, the recipient
> of said URL is likely to access it via a data path outside their control,
> thus -- unless they blocked it *inside* Skype -- they have no way to
> prevent access to it and delivery of whatever malware payload awaits.

Skype does detect and activate links based on some regex-like system, so
it's remotely possible that this same process could have an overridden
link to a pass-through warning page/etc.

Also could be worth testing...

> 
> Source code is truth; all the rest is smoke and mirrors, hype and PR.
> If Microsoft had the *slightest* interest in telling y'all the truth,
> then they would have answered the group letter earlier this spring with
> code, not with glib prose crafted by a committee of talented spokesliars.
> 
> ---rsk
> 
> p.s. Heise's discovery is an existence proof that it's possible to
> intercept the contents.  Therefore we must presume that other entities
> besides Microsoft may have this capability -- doubly so given that some
> of those entities have not only the resources, but the motivation.

It's also possible that the skype client is reporting these urls
separately from the content of a chat as part of its link-verification
and activation.  As you say, without the source, it's not really knowable.

More interesting, the IP is listed by ARIN as being from Redmond, which
means that at the very least, the URLs pass through the US and could be
subject to warrants, NSLs, and so forth; which is somewhat at odds with
the Skype-data-is-in-Luxembourg text from
http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
:

"What is Microsoft and Skype’s position on CALEA?
The U.S. law, Communications Assistance for Law Enforcement Act, does
not apply to any of Microsoft’s services, including Skype, as Microsoft
is not a telecommunications carrier. Skype is an independent division
headquartered and operating under Luxembourg law."

J

--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Secure, inexpensive hosting of activist sites

2013-04-22 Thread Jon Camfield 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/18/2013 04:45 PM, Hisham wrote:
> Hi all,
> 
> Activists whose sites come under attack struggle to find cheap
> solutions to keep their websites safely guarded. Many of them are
> looking for secure, inexpensive hosting. I've come across many such
> cases, from Senegal, to Zambia to Egypt to Morocco. Some of them
> ask for temporary hosting to be able to stay online until they can
> stand on their feet again.
> 
> I'd be grateful if someone could help with this one. Are there
> secure and inexpensive solutions out there?
> 
> Best,
> 
> -- Hisham Almiraat

For the hosting side, you should also look at VirtualRoad; I've
recently been working with their team on a humanitarian site, and
they've been nothing but amazing.

For DDoS protection, there is also Deflect.ca - it's an open source
DDoS mitigation tool (any group can set a Deflect system up for a
family of sites using a collection of low-cost virtual servers), and
it is also providing this as a free service to qualifying sites
(independent media, human rights, and related).  The benefit of this
is that you can set it up before an attack; it adds a level of
security to your site, speeds it up, and you keep 100% control over
the site itself.

Jon

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRdUh0AAoJEKmYlZ/5Jr+LW0AQAIBLy/E2Q5+Hcm7JntRe7tIc
2pMe5FUYHuYN/IDGGfvlviltUjFbsKAaLzwAsOjoC6M80nS5HbsI5tqDtLhZfSxF
MqeOdsYppsEp5l/gr8GU4qwsOVWqYvDND50pgiDDh5oFlxaE8X0rQcueSPuYDc3F
TN6X/STG59mG8wJia4S+AA2IieNM87mmuYUNyKr4Lh9LQmrgwKqObhEn5oabOXwF
0/BQYXq6JEkCbBYEc1eUQK/1+5OtJAcEpopZHD3me9Pt4fT4N5ivclY1rNwpG3Qe
HgoeIadq3jRRiHdf2zzvnRjsjgvN+/xq/IwJohiLlFzPY7NwWV9n9zcAuWCrjgH1
y6Y1povBKe+ZQNHA/p1FqeVCoxL0TtW8ZCrtP5NKW/GiB/t8hxo0J+cvBxpcLoZv
mpg5GqHOh2ScCUd14mysS0XH8wzbMskHjrvubE7OMg1nNBow2BcutJreiDGqoYnQ
Tos/uOWgoINBeM7DSLzBCqBP0i3br6Zpjvo6Sf5aTH1IDOcTsHfp44SAENgL8YnN
c8+rh+uVPYeUtw1sqWq/Vud5eMqLZhITKAAUzzq1KZOz+KIZJIh/X9YV6RpPcbkr
/D9kxCwuYurF0vqOL2PwvZDRyDb+dGwLOCTTUIz11lGEkJAD5oq1Jsc+X7PYNqRE
sQduUaTf/HRnCBB8x8WL
=MaI7
-END PGP SIGNATURE-
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech