Re: [liberationtech] Has LinkedIn launched a borderline Denial of Service attack against Tor?
It appears to be caused by a known DoS bug in the Tor Browser Bundle that was patched 4 months ago:

https://trac.torproject.org/projects/tor/ticket/10905
https://trac.torproject.org/projects/tor/ticket/9901

Given the method of triggering the bug (when no Content-Type header is specified and more than 512 bytes of content are sent), it seems unlikely that LinkedIn was intentionally DoSing Tor Browser Bundle users; that's simply how they chose to configure their web server, for all clients, not just those using the Tor Browser Bundle.

Mustafa

On 30/06/14 14:04, s.g.dav...@lse.ac.uk wrote:
> Hello all,
>
> For some time now I've been concerned about the inability of many Tor users to access LinkedIn, and more importantly, the fact that attempting to use LinkedIn results in a fatal freeze. It seems to me that something isn't right here, so I've written a short piece on it. I'd be grateful for any thoughts you have.
>
> http://www.privacysurgeon.org/blog/incision/has-linkedin-launched-a-borderline-denial-of-service-attack-against-tor/
>
> Best wishes
> Simon
>
> Simon Davies
> Associate Director, LSE Enterprise, The London School of Economics
> Founder, Privacy International
> privacysurgeon.org
> s.g.dav...@lse.ac.uk

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
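As an added example (not code from the thread, from the Tor Project or from LinkedIn), the following Python script checks whether a raw HTTP response has the two properties the reply above identifies as the trigger: no Content-Type header and a body of more than 512 bytes. The function names and the sample responses are my own constructions, and a complete, non-chunked HTTP/1.x response held in memory is assumed.

```python
# Added example: detect the response shape described in the thread
# (no Content-Type header and a body longer than 512 bytes).
# Not code from the thread, Tor or LinkedIn; names and samples are constructed.

SNIFF_THRESHOLD = 512  # body size quoted in the thread


def parse_response(raw: bytes):
    """Split a complete, non-chunked HTTP/1.x response into
    (status_line, headers, body). Header names are lower-cased so that
    lookups are case-insensitive, as HTTP requires."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end-of-headers marker")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    # Honour Content-Length when present so trailing bytes are not counted as body.
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return status_line, headers, body


def matches_trigger(raw: bytes, threshold: int = SNIFF_THRESHOLD) -> bool:
    """True when the response has no Content-Type header and more than
    `threshold` body bytes, i.e. the shape the thread says froze the browser."""
    _, headers, body = parse_response(raw)
    return "content-type" not in headers and len(body) > threshold


def _build(headers: dict, body: bytes) -> bytes:
    """Assemble a constructed sample response (not captured from any real server)."""
    lines = ["HTTP/1.1 200 OK"] + [f"{k}: {v}" for k, v in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


# Constructed samples.
LONG_BODY = b"<html><body>" + b"x" * 600 + b"</body></html>"
SHORT_BODY = b"<html>ok</html>"

SAMPLE_TYPED_LONG = _build({"Content-Type": "text/html; charset=utf-8"}, LONG_BODY)
SAMPLE_UNTYPED_SHORT = _build({}, SHORT_BODY)
SAMPLE_UNTYPED_LONG = _build({}, LONG_BODY)

if __name__ == "__main__":
    for name, sample in [("typed/long", SAMPLE_TYPED_LONG),
                         ("untyped/short", SAMPLE_UNTYPED_SHORT),
                         ("untyped/long", SAMPLE_UNTYPED_LONG)]:
        print(f"{name:14s} trigger={matches_trigger(sample)}")
```

To check a live server, capture headers and body together (for example with `curl -si URL`) and pass the bytes to `matches_trigger`; only the untyped response with a body over the threshold is reported, and a body of exactly 512 bytes is not.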
[liberationtech] About Confide
So yesterday a very user-friendly mobile application called Confide was released that claims to be your off-the-record messenger[1]. It has been getting a ton of press attention recently and has raised $1.9m in seed funding[2]. It claims that "with end-to-end encryption and disappearing messages, Confide is bringing off-the-record conversations online."

What do people think of this?

It is obviously a joke and a no-go to be used as something to be relied on for encrypted communications, given that there is literally no information about the encryption used and it's closed source and can't be verified.

However, the interesting thing about this is that it seems to be more focused around preventing the client itself from archiving chat messages rather than the server. For example, it boasts screenshot protection (Snapchat style?), and the FAQ states more specifically: "we think common use cases will include: Job referrals, HR issues, deal discussions, and even some good-natured office gossip"[3].

Nevertheless, the unverifiable claims it makes about encryption are worrying, and what's more worrying is a future of multi-million dollar funded weak-sauce encryption applications that give a false sense of security, that feed on an actual desire by users for privacy following the NSA leaks, and that are more successful at attracting users than open source alternatives that are verifiably secure, thanks to the vast amount of resources they have in marketing.

Confide has raised $1.9 million in seed funding from WGI Group, Google Ventures, First Round Capital, SV Angel, Lerer Ventures, CrunchFund, Lakestar, Marker, David Tisch’s BoxGroup, Yelp CEO and co-founder Jeremy Stoppelman, Entourage creator Doug Ellin, and Access Hollywood host Billy Bush.[4]

[1] https://getconfide.com/
[2] http://techcrunch.com/2014/02/04/confide-1-9m/
[3] https://getconfide.com/faq
[4] http://techcrunch.com/2014/04/24/confide-android/
Re: [liberationtech] About Confide
On 26/04/14 22:18, Shava Nerad wrote:
> Anyone who is lauding the verifiability of open source security software had best show that their code has been regularly and thoroughly audited. It will be very easy for closed source alternatives -- snake oil or legit -- for some time to point to heartbleed as a fatal flaw of hubris in the argument that open sourcing is a panacea to the trust issue.
>
> It shook me. Two years, undisclosed? What a waste.
>
> We really don't have a single solution that fits in one statement that a consumer or naive investor is likely to understand. So, there is going to be education required, more than before.

"If you believe a single long-standing vulnerability invalidates the security advantages of open-source, you should really learn what a fallacy is." (joepie91)

> In all kinds of communities. I am not sure we have really assessed this yet. Can we assume that people who audit our code are going to disclose -- or sell the brokerable flaws? How many eyes are there on your code, and how many are likely to share their findings with you?
>
> This is turning into an arms race. And open source is also open to exploitation, if we do not have enough eyes on our side, enough resources. This is an important issue to examine at this point for every project, wouldn't you think?

I think those are fair points. Taking a wild guess: the people who aren't willing to share vulnerabilities could be more highly motivated because they're paid to do so (intelligence agencies, exploit production companies). People who are willing to share vulnerabilities may not be likewise directly rewarded for doing so or as motivated, unless there is a bug bounty or it is a paid audit.

However, is the "not enough eyes on our side" problem really exclusive to open source software? Vulnerabilities in closed source software are still found all the time through black-box testing. Many of them go unreported.
> Shava Nerad
> shav...@gmail.com
>
> On Apr 26, 2014 3:51 PM, Mustafa Al-Bassam m...@musalbas.com wrote:
>> So yesterday a very user-friendly mobile application called Confide was released that claims to be your off-the-record messenger[1]. It has been getting a ton of press attention recently and has raised $1.9m in seed funding[2]. It claims that "with end-to-end encryption and disappearing messages, Confide is bringing off-the-record conversations online."
>>
>> What do people think of this?
>>
>> It is obviously a joke and a no-go to be used as something to be relied on for encrypted communications, given that there is literally no information about the encryption used and it's closed source and can't be verified.
>>
>> However, the interesting thing about this is that it seems to be more focused around preventing the client itself from archiving chat messages rather than the server. For example, it boasts screenshot protection (Snapchat style?), and the FAQ states more specifically: "we think common use cases will include: Job referrals, HR issues, deal discussions, and even some good-natured office gossip"[3].
>>
>> Nevertheless, the unverifiable claims it makes about encryption are worrying, and what's more worrying is a future of multi-million dollar funded weak-sauce encryption applications that give a false sense of security, that feed on an actual desire by users for privacy following the NSA leaks, and that are more successful at attracting users than open source alternatives that are verifiably secure, thanks to the vast amount of resources they have in marketing.
>>
>> Confide has raised $1.9 million in seed funding from WGI Group, Google Ventures, First Round Capital, SV Angel, Lerer Ventures, CrunchFund, Lakestar, Marker, David Tisch’s BoxGroup, Yelp CEO and co-founder Jeremy Stoppelman, Entourage creator Doug Ellin, and Access Hollywood host Billy Bush.[4]
>>
>> [1] https://getconfide.com/
>> [2] http://techcrunch.com/2014/02/04/confide-1-9m/
>> [3] https://getconfide.com/faq
>> [4] http://techcrunch.com/2014/04/24/confide-android/
Re: [liberationtech] Another loss for the Internet
On 19/02/14 20:56, Mitar wrote:
> This change effectively allows a website to prevent bookmarklets from working. In essence, content providers can prevent users from executing their own bookmarklets and changing how a website behaves. It requires users to use extensions and not simple scripts.

Interestingly, Mozilla Firefox has since 2009 allowed websites which implement Content Security Policy (CSP) to prevent users from executing their own bookmarklets, albeit by mistake!
https://blog.mozilla.org/security/2009/06/19/shutting-down-xss-with-content-security-policy/#comment-105895

Before a bug fix, even Firebug was subject to CSP:
http://code.google.com/p/fbug/issues/detail?id=6291

Facebook have also implemented something similar (not using CSP) for WebKit browsers (namely Google Chrome). They are using the browser's console API to prevent JavaScript execution in the developer console.
https://stackoverflow.com/questions/21692646/how-does-facebook-disable-browsers-integrated-developer-tools

On 19/02/14 23:39, Gregory Maxwell wrote:
> There are other ways of dealing with fringe liabilities, go insure against it— for example. Shackling the users' control of their own devices and their own experience on the internet shouldn't be an acceptable solution.

The 5th principle of the Mozilla manifesto is "Individuals must have the ability to shape the Internet and their own experiences on the Internet." It will be interesting to see what may happen if web specifications which contradict the principle are approved. I speculate that it may be argued that the principle is still upheld, as CSP can trivially be disabled in the config.
https://www.mozilla.org/en-US/about/manifesto/

--
musalbas
https://twitter.com/musalbas
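As an added example, and not code from the thread, from Mozilla or from Facebook, the following Python parser reads a Content-Security-Policy header value and reports whether it leaves inline script allowed. A bookmarklet is a javascript: URL, and the Firefox behaviour discussed above treated that as inline script, so the same answer says whether such a Firefox would have blocked the user's bookmarklets on that site. It assumes CSP 1.0 rules (inline script is permitted only by the 'unsafe-inline' keyword, script-src falls back to default-src when absent, and a repeated directive is ignored after its first occurrence), which goes a little beyond the single case the thread mentions; the function names and sample policies are constructed.

```python
# Added example: decide from a CSP header value whether inline script, and
# hence (under the Firefox behaviour discussed in the thread) a javascript:
# bookmarklet, is allowed. Not code from the thread, Mozilla or Facebook;
# CSP 1.0 semantics are assumed and the sample policies are constructed.

from typing import Dict, List, Optional


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse 'directive source source; directive ...' into a dict.
    Directive names are case-insensitive; a repeated directive is
    ignored after its first occurrence, as the CSP spec requires."""
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in directives:
            continue  # later duplicates are ignored by browsers
        directives[name] = tokens[1:]
    return directives


def effective_script_sources(directives: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs scripts; if it is absent default-src applies;
    if both are absent there is no script restriction at all (None)."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def allows_inline_script(policy: str) -> bool:
    """True when the policy does not restrict inline script: either no
    applicable directive exists or 'unsafe-inline' is listed."""
    sources = effective_script_sources(parse_csp(policy))
    if sources is None:
        return True
    return any(s.lower() == "'unsafe-inline'" for s in sources)


def bookmarklets_blocked(policy: str) -> bool:
    """Under the Firefox behaviour described in the thread a javascript: URL
    counts as inline script, so bookmarklets are blocked exactly when it is."""
    return not allows_inline_script(policy)


# Constructed sample policies (not taken from any real site).
POLICIES = {
    "strict":         "default-src 'self'; script-src 'self' https://cdn.example.com",
    "inline-allowed": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "default-only":   "default-src 'self'",
    "default-inline": "default-src 'self' 'unsafe-inline'",
    "no-script-rule": "img-src 'self'; style-src 'self'",
}

if __name__ == "__main__":
    for label, policy in POLICIES.items():
        print(f"{label:15s} bookmarklets_blocked={bookmarklets_blocked(policy)}")
```

To try it on a real site, copy the value of its Content-Security-Policy response header into `bookmarklets_blocked`; note that a policy with only `img-src` or `style-src` directives places no restriction on script, while a bare `default-src 'self'` does.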
Re: [liberationtech] Another loss for the Internet
Hi!

On 20/02/14 02:03, Mitar wrote:
> Hi!
>
> On Wed, Feb 19, 2014 at 5:24 PM, Mustafa Al-Bassam m...@musalbas.com wrote:
>> Before a bug fix, even Firebug was subject to CSP:
>> http://code.google.com/p/fbug/issues/detail?id=6291
>
> Which bug fix? This is still unfixed in Firefox:
> https://mail.google.com/mail/u/0/#label/00/1444bef5825ee4d0

I can't open that link as it seems to be a private Gmail link(?), but according to http://code.google.com/p/fbug/issues/detail?id=6291#c68 it was fixed.
Re: [liberationtech] New EFF Lawsuit: American Sues Ethiopian Government for Spyware Infection
This is great. Would also like to add that yesterday a criminal complaint was filed in the UK for a similar situation:
https://www.privacyinternational.org/press-releases/privacy-international-seeking-investigation-into-computer-spying-on-refugee-in-uk

Mustafa

On 18/02/14 18:16, Nate Cardozo wrote:
> Hi LibTech,
>
> Today, we sued the Ethiopian Government for its use of the malware described in last year's Citizen Lab report. Thanks to Citizen Lab for their amazing work. Details below.
>
> Best,
> Nate
>
> --
> Nate Cardozo
> Staff Attorney
> Electronic Frontier Foundation
> 815 Eddy Street
> San Francisco, CA 94109
> n...@eff.org | 415.436.9333 x146
> Help EFF defend our rights in the digital world: https://www.eff.org/donate
>
> https://www.eff.org/press/releases/american-sues-ethiopian-government-spyware-infection
>
> February 18, 2014
>
> American Sues Ethiopian Government for Spyware Infection
> Months of Electronic Espionage Put American Citizen and Family at Risk
>
> Washington, D.C. - An American citizen living in Maryland sued the Ethiopian government today for infecting his computer with secret spyware, wiretapping his private Skype calls, and monitoring his entire family's every use of the computer for a period of months. The Electronic Frontier Foundation (EFF) is representing the plaintiff in this case, who has asked the court to allow him to use the pseudonym Mr. Kidane – which he uses within the Ethiopian community – in order to protect the safety and wellbeing of his family both in the United States and in Ethiopia.
>
> "We have clear evidence of a foreign government secretly infiltrating an American's computer in America, listening to his calls, and obtaining access to a wide swath of his private life," said EFF Staff Attorney Nate Cardozo. "The current Ethiopian government has a well-documented history of human rights violations against anyone it sees as political opponents. Here, it wiretapped a United States citizen on United States soil in an apparent attempt to obtain information about members of the Ethiopian diaspora who have been critical of their former government. U.S. laws protect Americans from this type of unauthorized electronic spying, regardless of who is responsible."
>
> A forensic examination of Mr. Kidane's computer showed that the device had been infected when he opened a Microsoft Word document that contained hidden malware. The document had been an attachment to an email message sent by agents of the Ethiopian government and forwarded to Mr. Kidane. The spyware contained in the attachment was a program called FinSpy, a suite of surveillance software marketed exclusively to governments by the Gamma Group of Companies. In the several months FinSpy was on Mr. Kidane's computer, it recorded a vast array of activities conducted by users of the machine. Traces of the spyware inadvertently left on his computer show that information – including recordings of dozens of Skype phone calls – was surreptitiously sent to a secret control server located in Ethiopia and controlled by the Ethiopian government.
>
> The infection appears to be part of a systematic program by the Ethiopian government to spy on perceived political opponents in the Ethiopian diaspora around the world. Reports from human rights agencies and news outlets have detailed Ethiopia's campaign of international espionage, aimed at jailing opposition and undermining dissent. But Ethiopia is not alone. CitizenLab – a group of researchers based at the University of Toronto, Canada – has found evidence that governments around the world use FinSpy and other technologies to spy on human rights and democracy advocates across the globe.
>
> "The problem of governments violating the privacy of their political opponents through digital surveillance is not isolated – it's already big and growing bigger," said EFF Legal Director Cindy Cohn. "Yet despite the international intrigue and genuine danger involved in this lawsuit, at bottom it's a straightforward case. An American citizen was wiretapped at his home in Maryland, and he's asking for his day in court under longstanding American laws."
>
> In the complaint filed in U.S. District Court in Washington, D.C., today, Mr. Kidane asks for a jury trial as well as damages for violations of the U.S. Wiretap Act and state privacy law. The Ethiopian Embassy in Washington received a courtesy copy of the lawsuit, and the District Court will formally serve the Ethiopian Foreign Ministry in Addis Ababa with copies of the papers in both English and Amharic.
>
> Richard M. Martinez, Mahesha P. Subbaraman, and Samuel L. Walling of Robins, Kaplan, Miller & Ciresi L.L.P. are assisting EFF as co-counsel on this case.
>
> For the full complaint in Kidane v. Ethiopia:
> https://www.eff.org/document/complaint-32
>
> For more on this case:
> https://www.eff.org/cases/kidane-v-ethiopia
>
> Contacts:
> Nate Cardozo
> Staff Attorney
> Electronic Frontier