Re: [liberationtech] Time validation for 2-step verification codes

2014-08-27 Thread Nadim Kobeissi
The two-step verification used by Google is based on the TOTP protocol [1]
which is the open standard for this sort of thing.

To answer your questions Amin:

1. Tokens last 60 seconds according to the TOTP standard.
2. Your journalist friends would be very well-advised to use an app [2]
instead of SMS codes. By using an authenticator app, they will be able to
obtain codes without using SMS, even with their phone completely
disconnected from any network.

[1] http://tools.ietf.org/html/rfc6238
[2] https://support.google.com/accounts/answer/1066447?hl=en



On Wed, Aug 27, 2014 at 11:29 AM, Amin Sabeti  wrote:

> Hi,
>
> Recently, a bunch of Iranian journalists/ activists have been targeted by
> Iranian hackers.
>
> Some of them said their 2-step verification was active during the attack,
> but the hacker could reuse the code that was sent by Google via SMS and
> passed 2-step verification!
>
> I was wondering if some folks here know the validation time for the
> 2-step verification code that users receive through SMS, not the app.
>
> Cheers,
>
> Amin
>
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> compa...@stanford.edu.
>

Re: [liberationtech] Matasano Crypto Challenges

2014-08-12 Thread Nadim Kobeissi
These challenges are really great. Another source of similar training is  
Stanford University's online cryptography classes, taught (for free!) by  
Dan Boneh.


Boneh's classes include practical assignments that are almost identical to  
the CryptoPals challenges, but it's still worth doing both the challenges  
and the classes since the classes also cover a lot of theory/math  
background.


You can sign up here for Cryptography I:
https://www.coursera.org/course/crypto

Cryptography II is about to start in a month or so:
https://www.coursera.org/course/crypto2

NK

On Mon, 11 Aug 2014 20:49:44 -0400, Steve Weis  wrote:


> Matasano Security posted 6 sets of their crypto challenges online, which
> may be of interest to anyone trying to learn more about implementing and
> breaking crypto:
> http://cryptopals.com/
>
> The challenges start with basics and move through a variety of attacks.
> They've provided solutions implemented in 10 different programming
> languages.



--
NK



[liberationtech] gazaDeaths.com

2014-07-15 Thread Nadim Kobeissi
Dear LiberationTech,
I wanted to share with you GazaDeaths.com, a website for keeping track of 
statistics and names of Palestinian casualties from the current Israeli 
offensive on Gaza.

http://gazadeaths.com/

The website will update automatically with information from Al Jazeera and the 
Gaza Health Ministry. The code is available on GitHub:
https://github.com/kaepora/gazaDeaths/

Regards,
NK



Re: [liberationtech] Cryptocat: Call for Translators. Please Participate!

2013-08-21 Thread Nadim Kobeissi
Thanks so much for your help, everyone.

We just added two additional sentences that need translating.
https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/

NK

On 2013-08-20, at 1:38 PM, Buddhadeb Halder  wrote:

> I will do Bengali.
> 
> On Tuesday, August 20, 2013, Neil Blazevic  wrote:
> > What would be the process to add other languages? I could potentially round 
> > up some Swahili translators one day.
> > Neil
> >
> > Sent from a mobile device
> >
> > On 20 Aug 2013 14:42, "Nadim Kobeissi"  wrote:
> >>
> >> Dear Libtech,
> >>
> >> Echoing Commotion's recent call for translators on this list:
> >>
> >> Cryptocat is adding cool new features (and modifying some existing ones) 
> >> over the upcoming weeks, all of which necessitate the translation of 
> >> various new words and sentences for the user interface. Currently, 
> >> Cryptocat is available in almost 40 languages, and maintaining these 
> >> translations would be impossible without the participation of language 
> >> speakers from around the world.
> >>
> >> You can very easily contribute to Cryptocat translations here:
> >> https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/
> >>
> >> Just pick a language and fill it up to 100%! If you know people who can 
> >> help, I urge you to please forward this email to them.
> >>
> >> The following languages are priority. Any language not on this list is 
> >> considered not necessary to fully translate at the moment.
> >> Catalan
> >> Arabic
> >> Chinese (Hong Kong)
> >> Chinese (China)
> >> Urdu
> >> Tibetan
> >> Russian
> >> Estonian
> >> Czech
> >> German
> >> Danish
> >> Spanish
> >> Basque
> >> Greek
> >> Farsi
> >> French
> >> Japanese
> >> Hebrew
> >> Bengali
> >> Italian
> >> Khmer
> >> Korean
> >> Latvian
> >> Dutch
> >> Norwegian
> >> Polish
> >> Portuguese
> >> Bulgarian
> >> Swedish
> >> Turkish
> >> Vietnamese
> >> Uighur
> >>
> >> Thanks very much, and please don't forget to pass this around to people 
> >> who may know these languages and be able to translate from English.
> >>
> >> NK
> >>
> >> --
> >> Liberationtech is a public list whose archives are searchable on Google. 
> >> Violations of list guidelines will get you moderated: 
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
> >> change to digest, or change password by emailing moderator at 
> >> compa...@stanford.edu.


[liberationtech] Cryptocat: Call for Translators. Please Participate!

2013-08-20 Thread Nadim Kobeissi
Dear Libtech,

Echoing Commotion's recent call for translators on this list:

Cryptocat is adding cool new features (and modifying some existing ones) over 
the upcoming weeks, all of which necessitate the translation of various new 
words and sentences for the user interface. Currently, Cryptocat is available 
in almost 40 languages, and maintaining these translations would be impossible 
without the participation of language speakers from around the world.

You can very easily contribute to Cryptocat translations here:
https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/

Just pick a language and fill it up to 100%! If you know people who can help, I 
urge you to please forward this email to them.

The following languages are priority. Any language not on this list is 
considered not necessary to fully translate at the moment.
Catalan
Arabic
Chinese (Hong Kong)
Chinese (China)
Urdu
Tibetan
Russian
Estonian
Czech
German
Danish
Spanish
Basque
Greek
Farsi
French
Japanese
Hebrew
Bengali
Italian
Khmer
Korean
Latvian
Dutch
Norwegian
Polish
Portuguese
Bulgarian
Swedish
Turkish
Vietnamese
Uighur

Thanks very much, and please don't forget to pass this around to people who may 
know these languages and be able to translate from English.

NK

Re: [liberationtech] Cryptocat Hackathon, NYC, August 17-18!

2013-08-17 Thread Nadim Kobeissi
Just a last friendly reminder for those planning to attend today/this weekend! 
:-)

We're just about to start!

Schedule:
https://blog.crypto.cat/2013/08/cryptocat-hackathon-august-17-18-new-york-city/

NK

On 2013-08-10, at 11:33 AM, Nadim Kobeissi  wrote:

> Hi everyone,
> I just wanted to share the happy news that the Cryptocat Hackathon has a 
> sign-up rate composed of more than 35% women so far. This is really awesome.
> 
> Having more women participating in such events may help bridge the gender gap 
> in the tech scene. I'm glad that for some reason Cryptocat is attractive to 
> both genders. I think it has something to do with the focus on accessibility 
> and the fact that cats are appealing to everyone, no matter your gender! :3
> 
> Let's hope for a 50% women sign-up rate next time!
> 
> https://twitter.com/cryptocatapp/status/366219529577168898
> 
> NK
> 
> On 2013-08-07, at 11:36 PM, Kyle Maxwell  wrote:
> 
>> https://github.com/cryptocat/cryptocat naturally! :D
>> 
>> On Wed, Aug 7, 2013 at 3:09 PM, Anthony Papillion
>>  wrote:
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA512
>>> 
>>> On 08/07/2013 12:10 PM, Nadim Kobeissi wrote:
>>>> (Moving on from my very, very expensively made point?)
>>>> 
>>>> Dear Libtech,
>>>> 
>>>> Cryptocat, in collaboration with OpenITP, will be hosting the very
>>>> first Cryptocat Hackathon weekend in New York City, on the weekend
>>>> of the 17th and 18th of August 2013! We're going to have a coding
>>>> track as well as a *special track for journalists*, so please
>>>> spread the word!
>>>> 
>>>> https://blog.crypto.cat/2013/08/cryptocat-hackathon-august-17-18-new-york-city/
>>>> 
>>>> Join us on August 17-18 for the Cryptocat Hackathon and help
>>>> empower people worldwide by improving useful tools and discussing
>>>> the future of making privacy accessible. This two day event will
>>>> take place at the OpenITP offices, located on 199 Lafayette Street,
>>>> Suite 3b, New York City.
>>>> 
>>>> Tweet: https://twitter.com/cryptocatapp/status/36515529735183974
>>> 
>>> This is exciting, Nadim. I'm nowhere near NYC but would be interested
>>> in contributing code if the time arose. I apologize for doing
>>> absolutely no research on this at all before asking (again, time) but
>>> where can I grab the latest CryptoCat source?
>>> 
>>> Thanks!
>>> Anthony
>>> 
>>> 
>>> 
>>> -BEGIN PGP SIGNATURE-
>>> 
>>> iQIcBAEBCgAGBQJSAqleAAoJEAKK33RTsEsVjhAQAITJLjOwwHbVAHGdLRdvVELG
>>> wkSDD8wdfeIk2x9k2slAIIpB8T8DYZk6jC3z/McKC4BbQNqZ4nbi5CaABDJDJIyb
>>> eoJiNASgQLnPWk9lh3WbkArJhDZLM4dtF59DbVTLo/OiNn6rwgC4tWlcMWifNMCU
>>> 57N/FdVVjc3VpTTpbewr4+XqfGlA7QB2G+oG/khvHhtK9tyzbul2PIQtIrdeSgQI
>>> JqRUtHf9z3cyzg4Z/ohQgeTWHbLD+UDF5Vqi6pzFv00C745SkL0EjBpADzbiGayg
>>> swKJleXxQYRTxJmdo/s/U52w1p/H1wEsAeeM6qOIz3zIOHg0xiU0Ufjy32JB0iDL
>>> wJDrzm4BML56sWS3DdJY+7/ZdPcj2KanOWNo4KWFbcsbYYFgeWPrOhASt/QMDyOD
>>> C/IUYKGqiv0HfqT4RUOxJV1ZqreXaYtTg6dxgY7I55rAlKDUcoJ/dtZULgwBspDV
>>> FgGAyWRCIEDT+cmZOJbvgrTYRH2bKZT59XiAcp+g4d7KtRKvX0GijHcscNqbPFRL
>>> iC3vuAIqlwzP94zXey9HTRjzf18NZmQ0py5C6Y2TDXIoZosHLUd+3JQ8EpoidE/B
>>> UW80ymdMrFl0n39vaD8XihsjbLFQyN1Ei+4wtHvRIvNJa60fOg3LR8lz+AMQ4B6r
>>> IfMVjMR/a3KU09wYjSpZ
>>> =AtB1
>>> -END PGP SIGNATURE-
>>> --
>>> Liberationtech list is public and archives are searchable on Google. Too 
>>> many emails? Unsubscribe, change to digest, or change password by emailing 
>>> moderator at compa...@stanford.edu or changing your settings at 
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> 
>> 
>> 
>> -- 
>> @kylemaxwell
> 


Re: [liberationtech] Google confirms critical Android crypto flaw

2013-08-15 Thread Nadim Kobeissi

On 2013-08-15, at 6:14 AM, Nathan of Guardian wrote:

> On 08/15/2013 12:07 AM, Nadim Kobeissi wrote:
> > Hot on the heels of last week's Bitcoin wallet for Android heist,
> > Google has confirmed that this was due to a critical crypto flaw in
> > Android, which could affect security in thousands of apps according
> > to Ars Technica:
> 
> The only silver lining from their post was that HTTP/SSL connections
> were not affected, so this only really affects apps that are
> generating keys at the Java layer, which include apps like Android
> Privacy Guard (APG) and our own Gibberbot.

I was in fact wondering about Gibberbot when I heard about this bug. Glad 
you're releasing a fix soon.

It would be cool if you could write a blog post detailing how the bug affected 
Gibberbot; it would definitely be an interesting read as to how such a bug can 
affect encrypted IM apps.

Cryptocat had its own RNG fiasco recently as well, which was documented in this 
excellent blog post by Sophos Labs:
http://nakedsecurity.sophos.com/2013/07/09/anatomy-of-a-pseudorandom-number-generator-visualising-cryptocats-buggy-prng/

> 
> Gibberbot v12 alpha (now renamed Chat Secure) is available with the
> fix, and we'll be pushing a public beta extremely soon to Google Play.

I approve of the name change! ChatSecure sounds so much better.

See you this weekend, Nathan!

NK

> 
> +n
> 


[liberationtech] Google confirms critical Android crypto flaw

2013-08-14 Thread Nadim Kobeissi
Hey Libtech,
Hot on the heels of last week's Bitcoin wallet for Android heist, Google has 
confirmed that this was due to a critical crypto flaw in Android, which could 
affect security in thousands of apps according to Ars Technica:

"Google developers have confirmed a cryptographic vulnerability in the Android 
operating system that researchers say could generate serious security glitches 
on hundreds of thousands of end user apps, many of them used to make Bitcoin 
transactions.

[…]

"We have now determined that applications which use the Java Cryptography 
Architecture (JCA) for key generation, signing, or random number generation may 
not receive cryptographically strong values on Android devices due to improper 
initialization of the underlying PRNG," he wrote. "Applications that directly 
invoke the system-provided OpenSSL PRNG without explicit initialization on 
Android are also affected."

http://arstechnica.com/security/2013/08/google-confirms-critical-android-crypto-flaw-used-in-5700-bitcoin-heist/

NK

[liberationtech] Dalai Lama's Website Hacked, Now Serving Malware

2013-08-14 Thread Nadim Kobeissi
Hey Libtech,
The Dalai Lama's Chinese website has been hacked and is now serving malware to 
visitors in China:

"Hackers have attacked Dalai Lama's Chinese-language website, installing an 
unidentified piece of malware which could have compromised visitors' computers, 
a spokesperson said.
The brief attack targeted the Tibet.net, which is the official site of the 
Tibetan government-in-exile, providing information about the parliament, 
cabinet, administrative departments and public offices.
“We are a prominent target for attacks by Chinese hackers,” Tashi Phuntsok, a 
spokesperson for the exiled government based in the northern Indian town of 
Dharamshala, told AFP news agency."

http://www.aljazeera.com/news/asia/2013/08/20138141115513658.html

NK

[liberationtech] Snowden: Unencrypted Journalist-Source Communications "Unforgivably Reckless"

2013-08-13 Thread Nadim Kobeissi
Hey LibTech,

In a recently published interview with the New York Times, Edward Snowden 
called unencrypted communications between journalists and sources "unforgivably 
reckless":

"I was surprised to realize that there were people in news organizations who 
didn’t recognize any unencrypted message sent over the Internet is being 
delivered to every intelligence service in the world. In the wake of this 
year’s disclosures, it should be clear that unencrypted journalist-source 
communication is unforgivably reckless."

http://www.nytimes.com/2013/08/18/magazine/snowden-maass-transcript.html

I hope sending this along will be useful for journalists on this list as well 
as for those who need extra material to help them convince their journalist 
friends to adopt privacy-preserving practices. As usual, I'll take the 
opportunity to again vouch for the need for accessible, easy to use encryption, 
like what Guardian Project, Whisper Systems and Cryptocat are working on.

NK

Re: [liberationtech] Can JavaScript cryptography be trusted? (was: In defense of client-side encryption)

2013-08-13 Thread Nadim Kobeissi
Quickly adding my blog post on the matter to this thread. Would love to hear 
discussion regarding it:

http://log.nadim.cc/?p=33

NK

On 2013-08-13, at 1:58 AM, Tony Arcieri  wrote:

> On Mon, Aug 12, 2013 at 3:07 PM, Ali-Reza Anghaie wrote:
> > I'm sorry but aren't we spending a lot of time conflating code
> > quality, secure coding practices, software distribution, .. with
> > ~JavaScript in a browser~?
> 
> I think the title of the thread has a lot to do with that. Fixed! ;)
> 
> -- 
> Tony Arcieri


Re: [liberationtech] Hayden on 'Internet Freedom' as State Dept. Money Laundering Against US Security Interests

2013-08-12 Thread Nadim Kobeissi

On 2013-08-12, at 8:53 PM, Collin Anderson  wrote:

> Libtech,
> 
> A friend passed along little noticed comments by Gen. Hayden in June, which I 
> would suggest are the most direct elaboration on the differences between the 
> American security apparatus and piracy development efforts. The actual 
> interview is long, but there is one statement in particular that would serve 
> everyone to read and share wherein Hayden speaks openly on the intelligence 
> services trying to crack anonymity and criticizes Clinton for supporting such 
> projects.
> 
> Rough Transcript:
> 
> "We need to pull the rest of American thinking into this in a relevant way.  
> Secretary Clinton gave two speeches on cyber stuff while she was secretary.  
> And if you're you know you think of the world as security and liberty she 
> broke left literally both times in both of her speeches she came down on on 
> cyber freedom.  Society at the same time cyber communities out there are 
> trying to crack the nut on anonymity on the net because you realize that's 
> the root of many many dangers out there as cyber communities just chugging 
> away at that. The secretary of state is laundering money through NGOs to 
> populate software throughout the Arab world to prevent the people in the Arab 
> street from being tracked by their government.  Alright so on the one hand 
> we're fighting anonymity on the other hand we're chucking products out there 
> to protect anonymity on the net."

I really appreciate the honesty here in Gen. Hayden's statement.

I wish I had seen this earlier this year when I was writing my term paper for 
graduation. I was trying to argue that Internet freedom had effectively become 
a foreign policy warring venue for the United States after Clinton's Freedom to 
Connect speech in February 2011, which was probably the first speech of the 
"two speeches on cyber stuff" that Hayden refers to. The speech itself was 
likely engendered by things like spikes of Tor usage in Tunisia and Egypt 
during the Spring (and the speed with which it followed those spikes is quite a 
testament to the quickness of the think tanks advising Clinton's speechwriters!)

What's also interesting is the (perhaps unintentional) distinction between 
which governments you're trying to protect people from. You're populating the 
software to Arab citizens to prevent specifically their government from 
tracking them. This presumably includes other governments that the U.S. wants 
to encourage revolutions in, such as Iran, and disenfranchised groups such as 
Tibetans.

Here's the thing: you ultimately have two types of software that the U.S. is 
interested in funding:

Software Type A: Software that protects useful dissidents and anyone else from 
all governments (to an extent), including the U.S. government.
Software Type B: Software that protects useful dissidents in certain countries 
from their own governments (that the U.S. wants overthrown because they are 
very inconvenient to its foreign affairs, like maybe Iran under Ahmadinejad), 
but that the U.S. government itself can crack.

The scary thing here is that the U.S. would, from a realist standpoint, be more 
interested in funding type B software than type A software, since type B 
software would satisfy both its domestic and foreign goals, while type A would 
only satisfy its foreign goals, leaving General Hayden angry and frustrated 
with all the money that's being, from his perspective, laundered in order to 
create a contradictory, troublesome situation. Maybe we should be thinking 
about this!

Personally, I certainly wouldn't call it money laundering, though. A lot of 
good has come from this NGO funding.

NK


> 
> Video: http://youtu.be/9lizGN981Rw
> Link: http://b.averysmallbird.com/entries/hayden-comments
> 
> Cordially,
> Collin
> -- 
> Collin David Anderson
> averysmallbird.com | @cda | Washington, D.C.


Re: [liberationtech] In defense of client-side encryption

2013-08-11 Thread Nadim Kobeissi

On 2013-08-11, at 10:36 PM, danimoth  wrote:

> On 11/08/13 at 01:10pm, Francisco Ruiz wrote:
>> Twice again, privacy has taken a hit across the land. Lavabit and Silent
>> Mail are gone, and to quote Phil Zimmermann, “the writing is on the wall”
>> for any other encrypted email provider located in US territory. This is
>> sure to be repeated for servers located in Europe and other countries. Is
>> this the end of encrypted email?
> 
> [cut]
> 
> IMHO you are making big statements, taking a lot of risks, and putting a
> lot of people's lives on your back, as we're not playing here. Are you
> sure your shoulders are big enough?
> 
> First, it is in JavaScript. Whoever needs cryptography SHOULD NOT use
> JavaScript. Google can help you ([1] for example, [2] if
> you are coming from a 48h non-stop no-sleep marathon).
> 
> Second, someone posted about your random number generator, and you
> ignored it. But this is a minor problem, as all things are in
> JavaScript.
> 
> Third, you use JavaScript. But, wait, I need to sleep. Please stop
> spamming an insecure-by-design product.

I think it's a bit short-sighted to criticize encryption because of the 
programming language it's implemented in. JavaScript encryption doesn't have 
problems because of the programming language, but because of the APIs, 
environment and mechanisms surrounding the language.

I've investigated many of the challenges surrounding proper implementation in 
those contexts, and have written a blog post to this effect. I would be 
interested in hearing some feedback! http://log.nadim.cc/?p=33

NK

> 
> Last thing: People, please, use PGP instead of these circus things.
> 
> 
> [1] http://www.matasano.com/articles/javascript-cryptography/
> [2] https://www.google.it/search?q=why%20is%20bad%20crypto%20javascript
> 


Re: [liberationtech] Cryptocat Hackathon, NYC, August 17-18!

2013-08-10 Thread Nadim Kobeissi
Hi everyone,
I just wanted to share the happy news that the Cryptocat Hackathon has a 
sign-up rate composed of more than 35% women so far. This is really awesome.

Having more women participating in such events may help bridge the gender gap 
in the tech scene. I'm glad that for some reason Cryptocat is attractive to 
both genders. I think it has something to do with the focus on accessibility 
and the fact that cats are appealing to everyone, no matter your gender! :3

Let's hope for a 50% women sign-up rate next time!

https://twitter.com/cryptocatapp/status/366219529577168898

NK

On 2013-08-07, at 11:36 PM, Kyle Maxwell  wrote:

> https://github.com/cryptocat/cryptocat naturally! :D
> 
> On Wed, Aug 7, 2013 at 3:09 PM, Anthony Papillion
>  wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA512
>> 
>> On 08/07/2013 12:10 PM, Nadim Kobeissi wrote:
>>> (Moving on from my very, very expensively made point?)
>>> 
>>> Dear Libtech,
>>> 
>>> Cryptocat, in collaboration with OpenITP, will be hosting the very
>>> first Cryptocat Hackathon weekend in New York City, on the weekend
>>> of the 17th and 18th of August 2013! We're going to have a coding
>>> track as well as a *special track for journalists*, so please
>>> spread the word!
>>> 
>>> https://blog.crypto.cat/2013/08/cryptocat-hackathon-august-17-18-new-york-city/
>>> 
>>> Join us on August 17-18 for the Cryptocat Hackathon and help
>>> empower people worldwide by improving useful tools and discussing
>>> the future of making privacy accessible. This two day event will
>>> take place at the OpenITP offices, located on 199 Lafayette Street,
>>> Suite 3b, New York City.
>>> 
>>> Tweet: https://twitter.com/cryptocatapp/status/36515529735183974
>> 
>> This is exciting, Nadim. I'm nowhere near NYC but would be interested
>> in contributing code if the time arose. I apologize for doing
>> absolutely no research on this at all before asking (again, time) but
>> where can I grab the latest CryptoCat source?
>> 
>> Thanks!
>> Anthony
>> 
>> 
>> 
>> -BEGIN PGP SIGNATURE-
>> 
>> iQIcBAEBCgAGBQJSAqleAAoJEAKK33RTsEsVjhAQAITJLjOwwHbVAHGdLRdvVELG
>> wkSDD8wdfeIk2x9k2slAIIpB8T8DYZk6jC3z/McKC4BbQNqZ4nbi5CaABDJDJIyb
>> eoJiNASgQLnPWk9lh3WbkArJhDZLM4dtF59DbVTLo/OiNn6rwgC4tWlcMWifNMCU
>> 57N/FdVVjc3VpTTpbewr4+XqfGlA7QB2G+oG/khvHhtK9tyzbul2PIQtIrdeSgQI
>> JqRUtHf9z3cyzg4Z/ohQgeTWHbLD+UDF5Vqi6pzFv00C745SkL0EjBpADzbiGayg
>> swKJleXxQYRTxJmdo/s/U52w1p/H1wEsAeeM6qOIz3zIOHg0xiU0Ufjy32JB0iDL
>> wJDrzm4BML56sWS3DdJY+7/ZdPcj2KanOWNo4KWFbcsbYYFgeWPrOhASt/QMDyOD
>> C/IUYKGqiv0HfqT4RUOxJV1ZqreXaYtTg6dxgY7I55rAlKDUcoJ/dtZULgwBspDV
>> FgGAyWRCIEDT+cmZOJbvgrTYRH2bKZT59XiAcp+g4d7KtRKvX0GijHcscNqbPFRL
>> iC3vuAIqlwzP94zXey9HTRjzf18NZmQ0py5C6Y2TDXIoZosHLUd+3JQ8EpoidE/B
>> UW80ymdMrFl0n39vaD8XihsjbLFQyN1Ei+4wtHvRIvNJa60fOg3LR8lz+AMQ4B6r
>> IfMVjMR/a3KU09wYjSpZ
>> =AtB1
>> -END PGP SIGNATURE-
> 
> 
> 
> -- 
> @kylemaxwell


Re: [liberationtech] Bill Gates on Project Loon vs malaria

2013-08-10 Thread Nadim Kobeissi
I actually agree with Bill Gates here. If I had his money, I would make sure 
people have clean water, toilets and condoms before even starting to consider 
working on Internet access.

Sure, his comments are "below the belt" as Andrés says below, but this is only 
because he is unfairly attacking a noble, unrelated project. But the question 
he raises is: if you have unlimited money and want to tackle what you perceive 
as a human rights necessity, what do you go for?

From my perspective of the world, the Internet should be on the bottom of this 
list. Sure, it should *be* on the list, but people who think that it's a 
priority really need to examine the kind of awful problems that the world has 
right now. No water, no food, no shelter, no hygiene, no toilets, no education, 
no condoms, no medication… all of those things need to be solved before we 
start worrying about the lack of Internet.

Michael Glassman notes (also earlier in this thread):
"Famine is not caused by lack of food but by lack of knowledge about access and 
location to food - something I believe is much more easily overcome through 
Internet access perhaps."

It doesn't just work like that, I don't think. You don't just open Internet 
access and fund Internet centres and expect knowledge problems to work 
themselves out. Basic necessities need to be fulfilled first, and in that 
scenario, that deeply includes education. And in order to focus on education, 
you're going to need less malaria and more shelter, toilets and hygiene… I hope 
I'm making my point clearly here.

This is a super interesting issue! I guess I'm going to stick to the 
conservative side here, though. The Internet is the current human rights issue 
for developed regions of the Middle East and North Africa (and deservedly 
so!!), but in some other parts of the world, we're just not there yet. There 
are more basic problems to solve, and this is only a testament to how harsh the 
world can be.

NK



On 2013-08-09, at 7:25 PM, Kyle Maxwell  wrote:

> http://www.theguardian.com/technology/2013/aug/09/bill-gates-google-project-loon
> 
> ===
> 
> Bill Gates criticises Google's Project Loon initiative
> 
> Former Microsoft chief says low-income countries need more than just
> internet access
> 
> ===
> 
> Google's Project Loon initiative wants to provide internet access for
> the developing world from a network of balloons floating in the
> stratosphere. Former Microsoft boss Bill Gates isn't keen on the idea.
> 
> "When you're dying of malaria , I suppose you'll look up and see that
> balloon, and I'm not sure how it'll help you. When a kid gets
> diarrhoea, no, there's no website that relieves that," Gates told
> Business Week, in an interview about the work of the Bill & Melinda
> Gates Foundation.
> 
> "Certainly I'm a huge believer in the digital revolution. And
> connecting up primary-healthcare centres, connecting up schools, those
> are good things. But no, those are not, for the really low-income
> countries, unless you directly say we're going to do something about
> malaria."
> 
> Gates also questioned Google's commitment to projects in developing
> countries through its Google.org arm and related initiatives.
> 
> "Google started out saying they were going to do a broad set of
> things. They hired Larry Brilliant, and they got fantastic publicity,"
> said Gates. "And then they shut it all down. Now they're just doing
> their core thing. Fine. But the actors who just do their core thing
> are not going to uplift the poor."
> 
> Project Loon was announced in June as Google launched a pilot scheme
> with 30 balloons above New Zealand, providing internet access through
> receivers on the ground.
> 
> "We believe that it might actually be possible to build a ring of
> balloons, flying around the globe on the stratospheric winds, that
> provides Internet access to the earth below," explained project lead
> Mike Cassidy at the time, suggesting speeds could eventually match
> today's 3G networks.
> 
> "As a result, we hope balloons could become an option for connecting
> rural, remote, and under-served areas, and for helping with
> communications after natural disasters. The idea may sound a bit crazy
> – and that's part of the reason we're calling it Project Loon – but
> there's solid science behind it."
> 
> Google has worked with organisations trying to tackle healthcare in
> developing countries through its Google for Nonprofits initiative,
> with case studies on its website for Direct Relief International ,
> Unicef and Charity: Water outlining some of its efforts.
> 
> Meanwhile, Google.org's webpage for its Crisis Response activities
> makes prominent use of a photo of someone using their mobile phone in
> the aftermath of a disaster in Haiti, supplied by the Bill & Melinda
> Gates Foundation.
> 
> Gates' views on malaria are heartfelt, though. It's described as a
> "top priority" for the Foundation , which has so far committed nearly
> $2bn (£1.3bn) in grants tow

Re: [liberationtech] From Snowden's email provider. NSL??? (Recipe for Secure Audio, Video, Chat, File Transfer)

2013-08-09 Thread Nadim Kobeissi

On 2013-08-09, at 1:55 PM, Fabio Pietrosanti (naif)  
wrote:

> Il 8/9/13 10:59 AM, Julien Rabier ha scritto:
>> Le 09 août - 11:48, Nadim Kobeissi a écrit :
>>> On 2013-08-09, at 11:31 AM, Ali-Reza Anghaie  wrote:
>>> 
>>>> On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
>>>>> For what it's worth, and even though I think it's pretty unlikely that 
>>>>> Cryptocat will receive such an order,
>>>> *snip*
>>>> 
>>>> You're right but that should provide little comfort - when they come
>>>> after the non-business platform libtech to cypherpunk services - they
>>>> don't use legal orders. It gets much worse. -Ali
>>> Well at least now they know how to shut Cryptocat down :P
>>> 
>>> NK
>> One good way to reduce the impact of such an order would be to call for moar
>> cryptocat instances. Decentralize, spread datalove, <3
>> 
>> https://github.com/cryptocat/cryptocat/wiki/Server-Deployment-Instructions
>> I think I'm going to try to deploy a cryptocat server in the next days and
>> see how it goes.
> You should consider testing CryptoCat with OpenFire XMPP Server.

Here, you get issue 404 :-)
https://github.com/cryptocat/cryptocat/issues/404

NK

> 
> This is because with OpenFire + Chrome you can also do end-to-end
> encrypted WebRTC Audio/Video call.
> 
> So the right Recipe is:
> - OpenFire as XMPP server http://www.igniterealtime.org/projects/openfire/
> - CryptoCat as a Chat+Filetransfer client (for Chrome Plugin)
> - Chrome as a Secure Audio/Video client with WebRTC
> 
> Everything can be set up by a Poweruser with no specific ninja Linux skills.
> 
> If someone wants to make this recipe work, I think that the world
> would appreciate an
> 
> "easy to be setup, independently run, audio, video, file transfer, chat
> infrastructure accessible with a web browser" .
> 
> 
> -- 
> Fabio Pietrosanti (naif)
> HERMES - Center for Transparency and Digital Human Rights
> http://logioshermes.org - http://globaleaks.org - http://tor2web.org
> 


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Nadim Kobeissi

On 2013-08-09, at 1:24 PM, Nick  wrote:

> On Fri, Aug 09, 2013 at 11:26:21AM +0300, Nadim Kobeissi wrote:
>> On 2013-08-08, at 11:53 PM, Mike Perry  wrote:
>>> It is profoundly encouraging to see that people of such courage and
>>> integrity as the Lavabit staff exist, and are willing to put everything
>>> on the line to stand up against this madness.
>> 
>> +1.
>> For what it's worth, and even though I think it's pretty unlikely that 
>> Cryptocat will receive such an order, I've posted a pledge on our Twitter 
>> feed:
>> https://twitter.com/cryptocatapp/status/365733575351480321
> 
> Would implementing some sort of build assurance thing like Tor have
> done recently help here? So if the government said "please put a
> back door for us", you could legitimately say "sorry, not possible
> without people noticing". That's an even better option than
> "crypto.cat is now closed, you may like to complain to the US
> government about that."

Yup, Cryptocat has had build assurance for quite some time. "Sorry, not 
possible to backdoor without people noticing" is still a valid line of defence 
and has been one for a while.

But I guess it was still worth it to tweet that in the event that even that 
line of defence is somehow circumvented, in the (unlikely, I know) circumstance 
that we get some sort of legal order that's definitely beyond our capacity to 
swerve around, then yeah, Cryptocat would rather cease development. It's just a 
simple extra assurance.

NK

> 
> Note that I haven't yet had a chance to read about the verified build
> stuff in any detail, and I'm not sure how easy it would be to verify
> such a build against what's on one of the browser extension / addon
> stores. So maybe I'm talking nonsense ;)



Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Nadim Kobeissi

On 2013-08-09, at 11:59 AM, Julien Rabier  wrote:

> Le 09 août - 11:48, Nadim Kobeissi a écrit :
>> 
>> On 2013-08-09, at 11:31 AM, Ali-Reza Anghaie  wrote:
>> 
>>> On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
>>>> For what it's worth, and even though I think it's pretty unlikely that 
>>>> Cryptocat will receive such an order,
>>> *snip*
>>> 
>>> You're right but that should provide little comfort - when they come
>>> after the non-business platform libtech to cypherpunk services - they
>>> don't use legal orders. It gets much worse. -Ali
>> 
>> Well at least now they know how to shut Cryptocat down :P
>> 
>> NK
> 
> One good way to reduce the impact of such an order would be to call for moar
> cryptocat instances. Decentralize, spread datalove, <3
> 
> https://github.com/cryptocat/cryptocat/wiki/Server-Deployment-Instructions
> I think I'm going to try to deploy a cryptocat server in the next days and
> see how it goes.

+1! Awesome!

Also, weren't NSLs ruled unconstitutional recently?

NK

> 
> taziden



Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Nadim Kobeissi

On 2013-08-09, at 11:31 AM, Ali-Reza Anghaie  wrote:

> On Fri, Aug 9, 2013 at 4:26 AM, Nadim Kobeissi  wrote:
>> For what it's worth, and even though I think it's pretty unlikely that 
>> Cryptocat will receive such an order,
> *snip*
> 
> You're right but that should provide little comfort - when they come
> after the non-business platform libtech to cypherpunk services - they
> don't use legal orders. It gets much worse. -Ali

Well at least now they know how to shut Cryptocat down :P

NK




Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Nadim Kobeissi

On 2013-08-08, at 11:53 PM, Mike Perry  wrote:

> It is profoundly encouraging to see that people of such courage and
> integrity as the Lavabit staff exist, and are willing to put everything
> on the line to stand up against this madness.

+1.
For what it's worth, and even though I think it's pretty unlikely that 
Cryptocat will receive such an order, I've posted a pledge on our Twitter feed:
https://twitter.com/cryptocatapp/status/365733575351480321

NK

> 
> David Johnson:
>> https://lavabit.com/
>> 
>> My Fellow Users,
>> I have been forced to make a difficult decision: to become complicit in
>> crimes against the American people or walk away from nearly ten years of
>> hard work by shutting down Lavabit. After significant soul searching, I
>> have decided to suspend operations. I wish that I could legally share with
>> you the events that led to my decision. I cannot. I feel you deserve to
>> know what’s going on--the first amendment is supposed to guarantee me the
>> freedom to speak out in situations like this. Unfortunately, Congress has
>> passed laws that say otherwise. As things currently stand, I cannot share
>> my experiences over the last six weeks, even though I have twice made the
>> appropriate requests.
>> What’s going to happen now? We’ve already started preparing the paperwork
>> needed to continue to fight for the Constitution in the Fourth Circuit
>> Court of Appeals. A favorable decision would allow me resurrect Lavabit as
>> an American company.
>> This experience has taught me one very important lesson: without
>> congressional action or a strong judicial precedent, I would _strongly_
>> recommend against anyone trusting their private data to a company with
>> physical ties to the United States.
>> Sincerely,
>> Ladar Levison
>> Owner and Operator, Lavabit LLC
>> Defending the constitution is expensive! Help us by donating to the Lavabit
>> Legal Defense Fund
>> here
>> .
> 
> 
> 
> -- 
> Mike Perry



Re: [liberationtech] New CryptoCat bug

2013-08-08 Thread Nadim Kobeissi

On 2013-08-08, at 12:25 PM, Jillian C. York  wrote:

> Dear LibTech, 
> 
> I would like to express my concern that the CatFacts function of CryptoCat is 
> not operating. This is a Very Important Function to ensure the physical, 
> mental and spiritual health of cryptocat users and I am deeply, deeply 
> concerned about its inoperability. 

Jillian,
My sincerest excuses regarding this. Cryptocat claims full responsibility for 
this issue. There was indeed a bug that would limit the number of cat facts 
displayed per Cryptocat session to a maximum of 2 (two) cat facts. This has 
already been fixed and is awaiting release in the next version:
https://github.com/cryptocat/cryptocat/commit/83af5be7bb575187a404bb56e11f14a1ba866d9f

In the meantime, Cryptocat will be deploying a Cat Care Package in order to 
alleviate the shortage of cat media that Cryptocat users may be facing. The Cat 
Care Package may be accessed here:
https://www.youtube.com/watch?v=lAIGb1lfpBw

We are currently in the process of writing a meow-dvisory to address the 
situation. It may take us a mew moments, but I am purr-sonally confident that 
we will do everything paw-ssible to prevent this situation from cat-apulting 
into something worse.

Thanks very much for your patience and understanding.

NK

> 
> Perhaps some time at the upcoming hackathon should be spent improving this 
> function.
> 
> Thanks, 
> Jillian
> 
> 
> -- 
> Note: I am slowly extricating myself from Gmail. Please change your address 
> books to: jilliancy...@riseup.net or jill...@eff.org.
> 
> US: +1-857-891-4244 | NL: +31-657086088
> site:  jilliancyork.com | twitter: @jilliancyork 
> 
> "We must not be afraid of dreaming the seemingly impossible if we want the 
> seemingly impossible to become a reality" - Vaclav Havel


[liberationtech] Cryptocat Hackathon, NYC, August 17-18!

2013-08-07 Thread Nadim Kobeissi
(Moving on from my very, very expensively made point…)

Dear Libtech,

Cryptocat, in collaboration with OpenITP, will be hosting the very first 
Cryptocat Hackathon weekend in New York City, on the weekend of the 17th and 
18th of August 2013! We're going to have a coding track as well as a special 
track for journalists, so please spread the word!

https://blog.crypto.cat/2013/08/cryptocat-hackathon-august-17-18-new-york-city/

Join us on August 17-18 for the Cryptocat Hackathon and help empower people 
worldwide by improving useful tools and discussing the future of making privacy 
accessible. This two day event will take place at the OpenITP offices, located 
on 199 Lafayette Street, Suite 3b, New York City.

Tweet: https://twitter.com/cryptocatapp/status/365155297351839746

Tracks

The Cryptocat Hackathon will feature two tracks to accommodate the diversity of 
the attendees:

Coding Track with Nadim

Join Nadim in discussing the future of Cryptocat and contributing towards our 
efforts for the next year. Multi-Party OTR, encrypted video chat using WebRTC, 
and more exciting topics await your helping hands!

Journalist Security Track with Carol

Join Carol in a hands-on workshop for journalists on how to protect your 
digital security and privacy in your working environment. Carol Waters is a 
Program Officer with Internews’ Internet Initiatives, and focuses on digital 
and information security issues.

See you there!

NK

Re: [liberationtech] going back to Nadim's original question

2013-08-07 Thread Nadim Kobeissi
On 2013-08-07, at 3:22 PM, Shava Nerad  wrote:

> Forgive me, but I'd like to ask a question here.
> Tor is a tool that is undeniably, directly marketed toward activists in 
> high-risk environments. Tor's presentations at conferences centre around how 
> Tor obtains increased usage in Arab Spring countries that matches the 
> timeline of revolutionary action. It's incredibly direct. Tor's own 
> spokespeople encourage people in Iran, Egypt and so on to use Tor and only 
> Tor as the most secure tool for activist anonymity, and privacy.
> Now, we find out that the FBI has been sitting on an exploit since an unknown 
> amount of time that can compromise the Tor Browser Bundle, which is currently 
> the main way to download Tor and the only way to download Tor for the average 
> end-user, and is deploying it en-masse to the visitors of what seems to be 
> around half of all Tor hidden services, which have also been compromised
> I've gotten quite some flak from certain people at Tor for supposedly 
> marketing Cryptocat to activists, which is not something I do, but that the 
> media did last year. We know for a fact that Tor does in fact market to 
> activists. And yet, I have a feeling that the flak towards Tor, for something 
> this incredibly huge, will be quite small, on this mailing list and on other 
> discussion forums, especially compared to the kind of vitriol Cryptocat 
> receives.
> I would like an explanation as to why this is the case.
> NK
> 
> Forgive me but I would like to answer a question here.
> 
> The reason, since you ask, Nadim, is that it is because you are a contentious 
> person who attacks people relentlessly who you feel are rivals, whether they 
> are Tor or Silent Circle, or anyone else in the landscape.  You go after them 
> to wear them down, with some attitude that you are some crusader for good, 
> when in reality, you are just going after people to wear them out with the 
> same points over and over again because you want to be seen as better than 
> they are.  It seems to be about ego and stamina.  

Sorry, Libtech, I have no idea why this was sent to the list and not to me 
individually.

Shava,
The amount of sheer, unfiltered anger and hatred in your email is really messed 
up. But I'll answer it.

Let me first clarify that I absolutely do not see Tor or Silent Circle as a 
rival. Tor is anonymity software. Silent Circle is encrypted phone call 
software for mobile phones. I make encrypted web chat software, which is 
completely unrelated to Tor and only quite distantly related to Silent Circle. 
It makes absolutely no sense for me to see those two as competitors.

With that clarified, I'll answer your email, even though I don't think it 
belongs on this list, but should have been sent to me privately.

Yes, I was relentless with Jacob. The reason I did this was simply to try and 
show him what it feels like to be treated like this when you have a security 
vulnerability. This is exactly how Jacob treats every project around him when 
they're in a bad situation, when he's in a good mood. When he's in a bad mood, 
he is incredibly abusive.

I did not mean to attack Tor. But I sent critical responses to Jacob's emails. 
I did this because the guy needs to learn a lesson about what it feels like to 
be treated like this. Jacob has a problem. For years, I have been abused in 
private and in public by Jacob regarding my work on Cryptocat, in ways that are 
so underhanded that if I described them on this list, you would not even 
believe me. He does this to *many projects*. You obviously have no idea what 
I'm talking about, or you wouldn't have sent this email. But many do, and they 
understand. I think Tor needs to very urgently stop legitimizing someone like 
him.

Tor reacted responsibly. Jacob reacted the way he usually does, except with an 
additional small dash of professionalism due to the pressure. I wanted to use 
this opportunity to give Jacob a taste of his own medicine with the hope that 
he will understand what it feels like for him to treat anyone in a weak 
situation the way he does. Notice that I stopped sending emails when he did in 
fact politely concede to my concerns, and I didn't even go a tenth as far as 
he has done with me and other projects.

> 
> Vitriol is what you produce, Nadim, and so it is what you invite when 
> something erupts in your own vicinity.  That's karma.  Look what you are 
> laying in terms of land mines for when something comes up for your own stuff? 
>  Think about it.  You are being relentless, and  you are taking time away 
> from emergency response from people who are strapped for time right now.  
> It's not sane.

You're saying that it's normal for people to expect "land mines" when 
"something comes up with [their] own stuff". Well, this is exactly what 
happened here. I've been abused professionally and personally by Jacob for 
years. I privately, politely, correctly complained to Tor but was snubbed off 
quite unceremo

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Nadim Kobeissi

On 2013-08-07, at 1:05 PM, Jacob Appelbaum  wrote:

> Nadim Kobeissi:
>> 
>> On 2013-08-07, at 12:58 PM, Jacob Appelbaum  wrote:
>> 
>>> Nadim Kobeissi:
>>>> 
>>>> On 2013-08-07, at 12:44 PM, Jacob Appelbaum  wrote:
>>>> 
>>>>> Bbrewer:
>>>>>> "We're understaffed, so we tend to pick the few things we might
>>>>>> accomplish and writing such advisory emails is weird unless there is an
>>>>>> exceptional event. Firefox bugs and corresponding updates are not
>>>>>> exceptional events. :("
>>>>>> 
>>>>>> Pardon me,
>>>>>> But it does seem that this one was.
>>>>>> 
>>>>>> No?
>>>>> 
>>>>> Yeah, this was such a case - a month ago, we didn't know it was such a
>>>>> case - no one did, not even Mozilla.
>>>> 
>>>> That's funny — didn't Mozilla issue a security advisory for it a month 
>>>> ago? That would imply that they actually did know that it was such a case.
>>>> 
>>> 
>>> The exploit is the exceptional event. Roger just covered this with
>>> exceptional clarity.
>>> 
>>> Al - did Mozilla know it was being exploited in the wild, a month ago?
>>> Was there a known difference at the time between this bug and say, the
>>> others which were fixed in the ESR17 release cycle?
>> 
>> Does an exploit need to exist in the wild and be discovered first in order 
>> to warrant a security advisory? I didn't know this!
>> 
> 
> The advisory was about a bug being exploited in the wild, so, yes. That
> was covered well in Roger's last email.

I'm aware, I did read his email. I was just under the impression that you 
publish advisories about *vulnerabilities*, not about *exploits*. But perhaps 
you're teaching me (and the rest of the community) something new here! ;-)

> 
> I'd encourage you to read Roger's email (again, or for the first time).
> Specifically the part where we encouraged users to upgrade, notified
> every browser user that there was a security update and so on.

That's pretty great, but it doesn't count as an advisory, no matter how hard 
you seem to want it to.
THIS is an advisory: 
https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html

NK

> 
> All the best,
> Jacob


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Nadim Kobeissi

On 2013-08-07, at 12:58 PM, Jacob Appelbaum  wrote:

> Nadim Kobeissi:
>> 
>> On 2013-08-07, at 12:44 PM, Jacob Appelbaum  wrote:
>> 
>>> Bbrewer:
>>>> "We're understaffed, so we tend to pick the few things we might
>>>> accomplish and writing such advisory emails is weird unless there is an
>>>> exceptional event. Firefox bugs and corresponding updates are not
>>>> exceptional events. :("
>>>> 
>>>> Pardon me,
>>>> But it does seem that this one was.
>>>> 
>>>> No?
>>> 
>>> Yeah, this was such a case - a month ago, we didn't know it was such a
>>> case - no one did, not even Mozilla.
>> 
>> That's funny — didn't Mozilla issue a security advisory for it a month ago? 
>> That would imply that they actually did know that it was such a case.
>> 
> 
> The exploit is the exceptional event. Roger just covered this with
> exceptional clarity.
> 
> Al - did Mozilla know it was being exploited in the wild, a month ago?
> Was there a known difference at the time between this bug and say, the
> others which were fixed in the ESR17 release cycle?

Does an exploit need to exist in the wild and be discovered first in order to 
warrant a security advisory? I didn't know this!

NK

> 
> All the best,
> Jacob
> 


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Nadim Kobeissi

On 2013-08-07, at 12:44 PM, Jacob Appelbaum  wrote:

> Bbrewer:
>> "We're understaffed, so we tend to pick the few things we might
>> accomplish and writing such advisory emails is weird unless there is an
>> exceptional event. Firefox bugs and corresponding updates are not
>> exceptional events. :("
>> 
>> Pardon me,
>> But it does seem that this one was.
>> 
>> No?
> 
> Yeah, this was such a case - a month ago, we didn't know it was such a
> case - no one did, not even Mozilla.

That's funny — didn't Mozilla issue a security advisory for it a month ago? 
That would imply that they actually did know that it was such a case.

NK

> 
> All the best,
> Jacob
> 


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Nadim Kobeissi

On 2013-08-06, at 4:49 PM, Jacob Appelbaum  wrote:

> Nadim Kobeissi:
>> On 2013-08-06, at 1:23 PM, Jacob Appelbaum 
>> wrote:
>> 
>>> Nadim Kobeissi:
>>>> 
>>>> On 2013-08-06, at 12:55 PM, Jacob Appelbaum
>>>>  wrote:
>>>> 
>>>>> Nadim Kobeissi:
>>>>>> 
>>>>>> On 2013-08-06, at 11:46 AM, Al Billings
>>>>>>  wrote:
>>>>>> 
>>>>>>> Nadim you seem confused by how this works. Tor doesn't need
>>>>>>> to issue advisories for Firefox issues. We, at Mozilla,
>>>>>>> already issue them. Perhaps they can link to them clearly
>>>>>>> but if you want to know about security issues Mozilla fixes
>>>>>>> in Firefox, you're best served by reading Mozilla
>>>>>>> advisories. There's not much point in duplicating them on a
>>>>>>> second site. Tor would be better served by writing
>>>>>>> advisories for its own, unique, security fixes.
>>>>>> 
>>>>>> Tor doesn't need to issue advisories for Firefox issues. Tor 
>>>>>> needs to issue advisories for Tor Browser issues, and not
>>>>>> five weeks later when s**t hits the fan. I really don't think
>>>>>> one can reasonably disagree with the above statement. Tor
>>>>>> Browser is a Firefox fork.
>>>>> 
>>>>> Should we issue a single advisory for each possible security
>>>>> issue that Firefox has already noted in their change log? Each
>>>>> confirmed security issue? Should we ask for a second CVE to
>>>>> cover each CVE they receive?
>>>> 
>>>> What's the alternative, Jake?
>>> 
>>> That was a list of choices and you didn't choose one. Please choose
>>> one or more - though not all of them make sense when put together.
>>> It was a question and well, your answer isn't much of an answer.
>> 
>> Yes, to be absolutely clear, I think Tor should issue advisories for
>> confirmed security issues in Tor Browser, since Tor Browser is a fork
>> of Firefox and is independently maintained. This is exactly what Tor
>> did this time, except next time you shouldn't wait five weeks for the
>> situation to explode.
>> 
> 
> This is where the confusion comes into play, I think. Please note the
> advisory we released this week:
> 
> 
> https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html
> 
> We specifically address the one thing we *know* that is being exploited
> and we note that there are other issues, though we don't go into depth
> as upgrading is the only path forward.
> 
> Now note the Mozilla security issues for the Firefox ESR releases:
> 
>  https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
> 
> You're on the one hand saying that we did the right thing and on the
> other, you're saying that we should issue an advisory for *confirmed*
> security issues. Mozilla confirmed a handful. Doesn't that imply that
> our advisory should have covered every thing Firefox fixed between
> versions? And if so, should we note everything, even if it doesn't
> *appear* to be a security issue? Just in case?
> 
> Now on the one hand, you're saying we waited five weeks - when in fact
> we didn't, we released an advisory within a day of discovering that TBB
> was being targeted, which is different from Firefox generally I might
> add. We did also note with the release of 3.0alpha2 that it included
> security and stability fixes as we often do when we bump Firefox.
> 
> So clearly between "hey, upgrade" and "exploit discovered" there is a
> middle ground. I'm confused by the middle ground you have chosen. It
> doesn't seem that we should wait until exploits are in the wild to note
> the security features of new releases (which we didn't, but we didn't
> issue an advisory for every Firefox issue), and yet, if an exploit is
> discovered, we should post an advisory that specifically addresses what
> we know about it, no?
> 
>>> 
>>>> Wait until the NSA exploits an innumerable amount of Tor users
>>>> and then quickly write an advisory for a bug that was quietly
>>>> fixed without a warning from Tor five weeks but still exploited?
>>> 
>>> This is not accurate. We heard about attempts at exploitation and
>>> within ~24hrs we released an advisory - we had already re

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Nadim Kobeissi
On 2013-08-06, at 1:23 PM, Jacob Appelbaum  wrote:

> Nadim Kobeissi:
>> 
>> On 2013-08-06, at 12:55 PM, Jacob Appelbaum 
>> wrote:
>> 
>>> Nadim Kobeissi:
>>>> 
>>>> On 2013-08-06, at 11:46 AM, Al Billings  
>>>> wrote:
>>>> 
>>>>> Nadim you seem confused by how this works. Tor doesn't need to 
>>>>> issue advisories for Firefox issues. We, at Mozilla, already
>>>>> issue them. Perhaps they can link to them clearly but if you
>>>>> want to know about security issues Mozilla fixes in Firefox,
>>>>> you're best served by reading Mozilla advisories. There's not
>>>>> much point in duplicating them on a second site. Tor would be
>>>>> better served by writing advisories for its own, unique,
>>>>> security fixes.
>>>> 
>>>> Tor doesn't need to issue advisories for Firefox issues. Tor
>>>> needs to issue advisories for Tor Browser issues, and not five
>>>> weeks later when s**t hits the fan. I really don't think one can
>>>> reasonably disagree with the above statement. Tor Browser is a
>>>> Firefox fork.
>>> 
>>> Should we issue a single advisory for each possible security issue
>>> that Firefox has already noted in their change log? Each confirmed
>>> security issue? Should we ask for a second CVE to cover each CVE
>>> they receive?
>> 
>> What's the alternative, Jake? 
> 
> That was a list of choices and you didn't choose one. Please choose one
> or more - though not all of them make sense when put together. It was a
> question and well, your answer isn't much of an answer.

Yes, to be absolutely clear, I think Tor should issue advisories for confirmed 
security issues in Tor Browser, since Tor Browser is a fork of Firefox and is 
independently maintained. This is exactly what Tor did this time, except next 
time you shouldn't wait five weeks for the situation to explode.

> 
>> Wait until the NSA exploits an
>> innumerable amount of Tor users and then quickly write an advisory
>> for a bug that was quietly fixed without a warning from Tor five
>> weeks but still exploited?
> 
> This is not accurate. We heard about attempts at exploitation and within
> ~24hrs we released an advisory - we had already released fixed code a
> ~month before exploitation was found in the wild. Please do not mix up
> the time-line. To restate:
> 
> 
> 2.3.25-10 (released June 26 2013)
> 2.4.15-alpha-1 (released June 26 2013)
> 2.4.15-beta-1 (released July 8 2013)
> 3.0alpha2 (released June 30 2013)
> 
> 
> The exploit was found in the wild on last weekend, I learned about it on
> or around August 4th. Please note that our patched versions were
> released nearly a month before this was found in the wild. There is no
> reason to support the conclusion that we "silently" fixed anything in
> response to an exploit. Please consider that your statement is entirely
> unsupported by evidence, Nadim.

I could be mistaken. Where's the advisory that was issued the day after, that 
mentions that a critical Tor Browser vulnerability was fixed?

> 
>> Because that is exactly what happened this
>> time. Tor can just go on doing this again and again, or yes, you
>> could issue advisories. You are maintaining your own browser called
>> Tor Browser. Stop shifting blame onto Firefox. You're the guy who
>> told me to never shift blame when you have a security vulnerability
>> in the software you yourself are shipping. Practice what you preach.
>> 
> 
> Your assessment of this situation is incorrect.
> 
> We regularly release updates that include updates to included code and
> often, we make note of the fact that the upstream code has security
> fixes included. There is no blame shifting, only a question of how to
> best share that information in a way that users will understand. I have
> asked repeatedly for examples and for details of how to improve things -
> you seem only interested in slinging mud. Perhaps this isn't the most
> useful way forward?

How am I only interested in slinging mud?! How are you even allowed to adopt a 
tone like this while doing your job as an advocate for Tor? I'm simply trying 
to advocate for Tor not waiting five weeks before releasing an advisory next 
time! Comments like this are really just not acceptable, Jake.

NK

> 
>> I sound harsh, sure, but at least I'm being productive and not
>> freaking out about my ego.
> 
> I don't think you are being productive at this point in the
> conversation. You are correct and 

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Nadim Kobeissi
I just hope people on LibTech read the kind of emails like the one Jacob just 
wrote and see why I really think this guy has no place doing outreach at all. 
Jesus.

NK

On 2013-08-06, at 1:23 PM, Jacob Appelbaum  wrote:

> Nadim Kobeissi:
>> 
>> On 2013-08-06, at 12:55 PM, Jacob Appelbaum 
>> wrote:
>> 
>>> Nadim Kobeissi:
>>>> 
>>>> On 2013-08-06, at 11:46 AM, Al Billings  
>>>> wrote:
>>>> 
>>>>> Nadim you seem confused by how this works. Tor doesn't need to 
>>>>> issue advisories for Firefox issues. We, at Mozilla, already
>>>>> issue them. Perhaps they can link to them clearly but if you
>>>>> want to know about security issues Mozilla fixes in Firefox,
>>>>> you're best served by reading Mozilla advisories. There's not
>>>>> much point in duplicating them on a second site. Tor would be
>>>>> better served by writing advisories for its own, unique,
>>>>> security fixes.
>>>> 
>>>> Tor doesn't need to issue advisories for Firefox issues. Tor
>>>> needs to issue advisories for Tor Browser issues, and not five
>>>> weeks later when s**t hits the fan. I really don't think one can
>>>> reasonably disagree with the above statement. Tor Browser is a
>>>> Firefox fork.
>>> 
>>> Should we issue a single advisory for each possible security issue
>>> that Firefox has already noted in their change log? Each confirmed
>>> security issue? Should we ask for a second CVE to cover each CVE
>>> they receive?
>> 
>> What's the alternative, Jake? 
> 
> That was a list of choices and you didn't choose one. Please choose one
> or more - though not all of them make sense when put together. It was a
> question and well, your answer isn't much of an answer.
> 
>> Wait until the NSA exploits an
>> innumerable amount of Tor users and then quickly write an advisory
>> for a bug that was quietly fixed without a warning from Tor five
>> weeks but still exploited?
> 
> This is not accurate. We heard about attempts at exploitation and within
> ~24hrs we released an advisory - we had already released fixed code a
> ~month before exploitation was found in the wild. Please do not mix up
> the time-line. To restate:
> 
> 
> 2.3.25-10 (released June 26 2013)
> 2.4.15-alpha-1 (released June 26 2013)
> 2.4.15-beta-1 (released July 8 2013)
> 3.0alpha2 (released June 30 2013)
> 
> 
> The exploit was found in the wild on last weekend, I learned about it on
> or around August 4th. Please note that our patched versions were
> released nearly a month before this was found in the wild. There is no
> reason to support the conclusion that we "silently" fixed anything in
> response to an exploit. Please consider that your statement is entirely
> unsupported by evidence, Nadim.
> 
>> Because that is exactly what happened this
>> time. Tor can just go on doing this again and again, or yes, you
>> could issue advisories. You are maintaining your own browser called
>> Tor Browser. Stop shifting blame onto Firefox. You're the guy who
>> told me to never shift blame when you have a security vulnerability
>> in the software you yourself are shipping. Practice what you preach.
>> 
> 
> Your assessment of this situation is incorrect.
> 
> We regularly release updates that include updates to included code and
> often, we make note of the fact that the upstream code has security
> fixes included. There is no blame shifting, only a question of how to
> best share that information in a way that users will understand. I have
> asked repeatedly for examples and for details of how to improve things -
> you seem only interested in slinging mud. Perhaps this isn't the most
> useful way forward?
> 
>> I sound harsh, sure, but at least I'm being productive and not
>> freaking out about my ego.
> 
> I don't think you are being productive at this point in the
> conversation. You are correct and I agree with you - you are harsh -
> I'll extend this commentary: it reflects poorly on you(r ego) and very
> little is gained by such behavior.
> 
> All the best,
> Jacob

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Nadim Kobeissi

On 2013-08-06, at 12:55 PM, Jacob Appelbaum  wrote:

> Nadim Kobeissi:
>> 
>> On 2013-08-06, at 11:46 AM, Al Billings 
>> wrote:
>> 
>>> Nadim you seem confused by how this works. Tor doesn't need to
>>> issue advisories for Firefox issues. We, at Mozilla, already issue
>>> them. Perhaps they can link to them clearly but if you want to know
>>> about security issues Mozilla fixes in Firefox, you're best served
>>> by reading Mozilla advisories. There's not much point in
>>> duplicating them on a second site. Tor would be better served by
>>> writing advisories for its own, unique, security fixes.
>> 
>> Tor doesn't need to issue advisories for Firefox issues. Tor needs to
>> issue advisories for Tor Browser issues, and not five weeks later
>> when s**t hits the fan. I really don't think one can reasonably
>> disagree with the above statement. Tor Browser is a Firefox fork.
> 
> Should we issue a single advisory for each possible security issue that
> Firefox has already noted in their change log? Each confirmed security
> issue? Should we ask for a second CVE to cover each CVE they receive?

What's the alternative, Jake? Wait until the NSA exploits an innumerable amount 
of Tor users and then quickly write an advisory for a bug that was quietly 
fixed without a warning from Tor five weeks but still exploited? Because that 
is exactly what happened this time. Tor can just go on doing this again and 
again, or yes, you could issue advisories. You are maintaining your own browser 
called Tor Browser. Stop shifting blame onto Firefox. You're the guy who told 
me to never shift blame when you have a security vulnerability in the software 
you yourself are shipping. Practice what you preach.

I sound harsh, sure, but at least I'm being productive and not freaking out 
about my ego.

NK

> 
> Your point is unclear in practice. Please do spell it out and if
> possible, please demonstrate how you do so in your own projects?
> 
> All the best,
> Jacob

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Nadim Kobeissi

On 2013-08-06, at 11:46 AM, Al Billings  wrote:

> Nadim you seem confused by how this works. Tor doesn't need to issue 
> advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps 
> they can link to them clearly but if you want to know about security issues 
> Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. 
> There's not much point in duplicating them on a second site. Tor would be 
> better served by writing advisories for its own, unique, security fixes.

Tor doesn't need to issue advisories for Firefox issues. Tor needs to issue 
advisories for Tor Browser issues, and not five weeks later when s**t hits the 
fan. I really don't think one can reasonably disagree with the above statement. 
Tor Browser is a Firefox fork.

NK

> 
> Al
> 
> -- 
> Al Billings
> http://makehacklearn.org
> 
> On Tuesday, August 6, 2013 at 1:28 AM, Nadim Kobeissi wrote:
> 
>> 
>> On 2013-08-06, at 3:19 AM, Jacob Appelbaum  wrote:
>> 
>>> Griffin Boyce:
>>>> Al,
>>>> 
>>>> We may have to disagree as to the way forward. I hate to be
>>>> contentious, but it seems unlikely that Tor applied a patch without
>>>> reading firefox's changelog. Two days ago I presented a talk which
>>>> emphasized how useful Tor is -- and I stand by that. Tor is still the
>>>> best option for maintaining one's anonymity.
>>> 
>>> Hi Griffin,
>>> 
>>> Do you plan to release security advisories for all updates to the Linux
>>> kernel, GNU user space utilities and other dependencies in the commotion
>>> router firmware?
>> 
>> How is this, in any way, shape or form, relevant? Are you seriously opening 
>> up Commotion's bug handling in order to sort of justify this Tor situation?
>> 
>> Tor had forked Firefox into its own browser, which is called Tor Browser. 
>> Mozilla issued an advisory for Firefox the day the bug was discovered, about 
>> five weeks ago. Tor should have issued a similar advisory for Tor Browser 
>> and consequently the Tor Browser Bundle, especially considering that the Tor 
>> Browser Bundle is by far *the* most visible way for end-users to download 
>> and use Tor these days.
>> 
>>> 
>>> I suppose no but perhaps I'm mistaken? Has anyone done so with new
>>> commotion releases? I don't see[0][1] such notes, am I missing something?
>>> 
>>> It seems impractical to note every change from downstream projects.
>>> 
>>> Clearly you seem to disagree but I do wonder where you draw the line?
>>> 
>>> Do your projects have some example where we might see the line in
>>> action, so to speak?
>>> 
>>> As far as I can tell, we issued a security advisory within twenty-four
>>> hours.
>> 
>> Actually, Tor issued a security advisory for Tor Browser a full 39 days 
>> after Mozilla did for Firefox.
>> 
>>> We spent more than a full day of multiple people's time working
>>> non-stop to understand the scope, the impact and the outcomes of this
>>> issue. We were already working on this task when you and another decided
>>> to jump up and down to let us know that we were failures by any other
>>> name. I'd say thanks but that isn't the word that comes to mind…
>> 
>> "I'd say thanks but that isn't the word that comes to mind…"
>> Dude, you're supposed to be Tor's outreach guy! Come on!
>> 
>>> 
>>> The Tor Project does not triage every single Mozilla Firefox bug. We do
>>> try to understand which bugs are security critical. We do aim to track
>>> and put our energy into ensuring our browser uses the latest ESR
>>> releases. This generally includes lots of code fixes, security as well
>>> as other kinds of fixes, though we may not always fully understand every
>>> issue - we tend to trust Mozilla's lead on this topic. TBB requires lots
>>> of effort to forward port our privacy preserving patches as they are not
>>> in the mainline Mozilla repositories. We did this as we always do with
>>> TBB releases and we released patched versions of the software before we
>>> ever even learned of the exploit discovered this weekend that targets
>>> old, unpatched users:
>>> 
>>> 2.3.25-10 (released June 26 2013)
>>> 2.4.15-alpha-1 (released June 26 2013)
>>> 2.4.15-beta-1 (released July 8 2013)
>>> 3.0alpha2 (released June 30 2013)
>>> 
>>> By a general count, it was aro

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Nadim Kobeissi

On 2013-08-06, at 3:19 AM, Jacob Appelbaum  wrote:

> Griffin Boyce:
>> Al,
>> 
>> We may have to disagree as to the way forward. I hate to be
>> contentious, but it seems unlikely that Tor applied a patch without
>> reading firefox's changelog. Two days ago I presented a talk which
>> emphasized how useful Tor is -- and I stand by that. Tor is still the
>> best option for maintaining one's anonymity.
>> 
> 
> Hi Griffin,
> 
> Do you plan to release security advisories for all updates to the Linux
> kernel, GNU user space utilities and other dependencies in the commotion
> router firmware?

How is this, in any way, shape or form, relevant? Are you seriously opening up 
Commotion's bug handling in order to sort of justify this Tor situation?

Tor had forked Firefox into its own browser, which is called Tor Browser. 
Mozilla issued an advisory for Firefox the day the bug was discovered, about 
five weeks ago. Tor should have issued a similar advisory for Tor Browser and 
consequently the Tor Browser Bundle, especially considering that the Tor 
Browser Bundle is by far *the* most visible way for end-users to download and 
use Tor these days.

> 
> I suppose no but perhaps I'm mistaken? Has anyone done so with new
> commotion releases? I don't see[0][1] such notes, am I missing something?
> 
> It seems impractical to note every change from downstream projects.
> 
> Clearly you seem to disagree but I do wonder where you draw the line?
> 
> Do your projects have some example where we might see the line in
> action, so to speak?
> 
> As far as I can tell, we issued a security advisory within twenty-four
> hours.

Actually, Tor issued a security advisory for Tor Browser a full 39 days after 
Mozilla did for Firefox.

> We spent more than a full day of multiple people's time working
> non-stop to understand the scope, the impact and the outcomes of this
> issue. We were already working on this task when you and another decided
> to jump up and down to let us know that we were failures by any other
> name. I'd say thanks but that isn't the word that comes to mind…

"I'd say thanks but that isn't the word that comes to mind…"
Dude, you're supposed to be Tor's outreach guy! Come on!

> 
> The Tor Project does not triage every single Mozilla Firefox bug. We do
> try to understand which bugs are security critical. We do aim to track
> and put our energy into ensuring our browser uses the latest ESR
> releases. This generally includes lots of code fixes, security as well
> as other kinds of fixes, though we may not always fully understand every
> issue - we tend to trust Mozilla's lead on this topic. TBB requires lots
> of effort to forward port our privacy preserving patches as they are not
> in the mainline Mozilla repositories. We did this as we always do with
> TBB releases and we released patched versions of the software before we
> ever even learned of the exploit discovered this weekend that targets
> old, unpatched users:
> 
> 2.3.25-10 (released June 26 2013)
> 2.4.15-alpha-1 (released June 26 2013)
> 2.4.15-beta-1 (released July 8 2013)
> 3.0alpha2 (released June 30 2013)
> 
> By a general count, it was around a month ago that we released patched
> versions. We normally just note that we've bumped the included projects
> to their latest stable versions - though in the case of our latest
> alpha, we specifically said[2]:
> 
> "In addition to providing important security updates to Firefox and Tor,
> these release binaries should now be exactly reproducible from the
> source code by anyone."
> 
> Do you think that we should include that text with every single release?
> ie: "This update provides important security updates to Firefox and Tor"
> or something along those lines? Shall we just put that in every single
> release note? Is that really helpful?

Actually, isn't that exactly what you've said I should do with my own project, 
Cryptocat, numerous times? It's actually really illuminating that you in fact 
are committing the exact same outreach and mitigation blunders that you keep 
criticizing other projects for.

> 
> If you have a suggestion for how we might improve, I'm open to hearing
> it - though as far as I am able to tell - there isn't much to be done
> except to say "security update" next to "firefox update" in our normal
> release notes. That isn't very helpful as nearly every Firefox update in
> ESR is a security or stability related release.
> 
> Please do feel free to suggest something constructive - if we have room
> for improvement, we're happy to make it!

I think your entire email is not constructive. Roger's email with the actual 
advisory was awesome. Maybe he should represent Tor on this list from now on.

NK

> 
> All the best,
> Jacob
> 
> [0] https://commotionwireless.net/download/openwrt
> [1]
> https://commotionwireless.net/blog/new-commotion-release-dr1-ready-testing
> [2] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Nadim Kobeissi

On 2013-08-05, at 6:38 PM, Roger Dingledine  wrote:

> On Mon, Aug 05, 2013 at 04:54:00AM -0400, Roger Dingledine wrote:
>> Specifically, it would appear that the TBB updates we put out on
>> June 26 addressed this vulnerability:
> 
> https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html
> has some more details now.
> 
> Or see
> https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable
> if you prefer blog posts. :)

Awesome! :-)
This is one of those situations that, frustratingly, could have been dealt with 
better, but Roger and co. deliver in the end, as is tradition.

Tor remains an awesome project. The FBI is the likely perpetrator of the 
exploit and this should really wake up the privacy community.

NK

> 
> --Roger
> 

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Nadim Kobeissi

On 2013-08-05, at 4:19 PM, liberationt...@lewman.us wrote:

> On Mon, 5 Aug 2013 10:15:20 +0200
> Nadim Kobeissi  wrote:
> 
>> Now, we find out that the FBI has been sitting on an exploit for an
>> unknown amount of time that can compromise the Tor Browser Bundle,
>> which is currently the main way to download Tor and the only way to
>> download Tor for the average end-user, and is deploying it en masse
>> to the visitors of what seems to be around half of all Tor hidden
>> services, which have also been compromised.
> 
> Please cite first person sources on this. It's not clear the FBI did
> anything or is involved at all. There is a reddit thread implying this,
> but no statement (as of yet) from the FBI or anyone claiming
> responsibility for the javascript injection.

As Andy Isaacson said:
"The press is treating it as a likelihood.  That's no proof, of course,
but the narrative is internally consistent and most alternatives seem
quite unlikely. http://www.wired.com/threatlevel/2013/08/freedom-hosting/"

> 
> Second, it's not clear this exploit or malware has actually compromised
> current versions of Tor Browser (as released on June 26, 2013). Please
> show a working exploit against the current TBBs.

With my own project, we fixed a critical vulnerability months before it was 
publicized, and we still treated the situation as critical during publication 
due to the fact that there may have been users who may have already been 
compromised or who may not have updated. I feel that your response ignores 
those possibilities and is defensive to a fault.

Since the bug this malware exploits was fixed in a previous version of the Tor 
Browser, why was no advisory issued? What if this exploit had been known, and 
used, for a whole year by malicious parties?

> 
> Third, please show data that "half of all Tor hidden services" have
> been compromised. We don't have this data because we don't track hidden
> services. If you do, please share your metrics.

Honestly your email feels really unproductive.

NK

> 
> -- 
> Andrew
> http://tpo.is/contact
> pgp 0x6B4D6475

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Nadim Kobeissi

On 2013-08-05, at 11:41 AM, Nadim Kobeissi  wrote:

> 
> On 2013-08-05, at 11:04 AM, Michael Owen  wrote:
> 
>> On Mon, Aug 5, 2013 at 9:46 AM, Nadim Kobeissi  wrote:
>>> 
>>> 
>>> Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser 
>>> security advisory in that case.
>> 
>> I'm not sure how long the Tor bundle goes without actively complaining
>> to the user about things being out of date. Out of curiosity I
>> reloaded a 48-day old beta of 3.0 last night, and it immediately
>> complained that it was out of date and should be upgraded to the
>> latest version.
> 
> Yeah, Tor's update notifications are definitely legit. I'm just wondering why 
> there wasn't an actual advisory. I mean, all this time there seems to have 
> been a .js file that could compromise any Tor users accessing a website which 
> loads it.

Clarification: Tor Browser users, not vanilla Tor users, obviously. 

NK

> 
> NK
> 
>> 
>> Mike

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Nadim Kobeissi

On 2013-08-05, at 11:04 AM, Michael Owen  wrote:

> On Mon, Aug 5, 2013 at 9:46 AM, Nadim Kobeissi  wrote:
>> 
>> 
>> Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser 
>> security advisory in that case.
> 
> I'm not sure how long the Tor bundle goes without actively complaining
> to the user about things being out of date. Out of curiosity I
> reloaded a 48-day old beta of 3.0 last night, and it immediately
> complained that it was out of date and should be upgraded to the
> latest version.

Yeah, Tor's update notifications are definitely legit. I'm just wondering why 
there wasn't an actual advisory. I mean, all this time there seems to have been 
a .js file that could compromise any Tor users accessing a website which loads 
it.

NK

> 
> Mike

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Nadim Kobeissi

On 2013-08-05, at 10:46 AM, Georg Koppen  wrote:

> On 05.08.2013 10:15, Nadim Kobeissi wrote:
>> Now, we find out that the FBI has been sitting on an exploit for an 
>> unknown amount of time that can compromise the Tor Browser Bundle
> 
> is that really so? See:
> https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
> first comment.

Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser 
security advisory in that case.

NK

> 
> Georg
> 

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Nadim Kobeissi
Forgive me, but I'd like to ask a question here.

Tor is a tool that is undeniably, directly marketed toward activists in 
high-risk environments. Tor's presentations at conferences centre around how 
Tor obtains increased usage in Arab Spring countries that matches the timeline 
of revolutionary action. It's incredibly direct. Tor's own spokespeople 
encourage people in Iran, Egypt and so on to use Tor and only Tor as the most 
secure tool for activist anonymity, and privacy.

Now, we find out that the FBI has been sitting on an exploit for an unknown 
amount of time that can compromise the Tor Browser Bundle, which is currently 
the main way to download Tor and the only way to download Tor for the average 
end-user, and is deploying it en masse to the visitors of what seems to be 
around half of all Tor hidden services, which have also been compromised.

I've gotten quite some flak from certain people at Tor for supposedly marketing 
Cryptocat to activists, which is not something I do, but that the media did 
last year. We know for a fact that Tor does in fact market to activists. And 
yet, I have a feeling that the flak towards Tor, for something this incredibly 
huge, will be quite small, on this mailing list and on other discussion forums, 
especially compared to the kind of vitriol Cryptocat receives.

I would like an explanation as to why this is the case.

NK

On 2013-08-04, at 10:56 PM, Griffin Boyce  wrote:

> There are really two separate issues here, and I just want to separate them 
> briefly.
> 
> 1) Tormail and other sites were hosting malicious JS code that attempts to 
> break Firefox 17.
> 
> 2) Freedom Hosting was shut off after its host was arrested.
> 
>   I will say from personal experience that most hidden services are 
> *extremely* permeable. Not because Tor sucks, but because people making them 
> aren't very good webmasters. They don't upgrade/patch the software running 
> their websites, and that leads to big hacks. Freedom Hosting was itself taken 
> down on at least three occasions due to poor maintenance.
> 
>   It's also not particularly difficult to script up a scanner that tests 
> hidden services for vulnerabilities, then launches malicious code. This has 
> happened again and again. But this cannot really be Tor's fault any more than 
> it's Apache's fault. People who host hidden services must maintain their code 
> just like other websites.
> 
>   If a hidden service webhost is imperfectly set up, it's possible to upload 
> a malicious file and broadcast the IP address of the server. (Again, this 
> relies on various configuration issues and 0day, but similar has happened to 
> Freedom Hosting before).
> 
>   What does everyone else think about this?
> 
> best,
> Griffin
> 
> PS: it seems a little too ambitious to set up your own anonymity network 
> without having a solid team of scientists and cryptographers
> 
> On Sun, Aug 4, 2013 at 9:20 PM, Rich Jones  wrote:
> 1) Freedom Hosting owner arrested and TorMail appears to be distributing FBI 
> malware specifically targeting the Tor Browser Bundle.
> 
> Deets: 
> https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste
> 
> 
> 2) I'm considering using Docker/Flynn to build an anonymous PaaS. Anybody 
> want to help with the sketches?
> 
> Deets: https://github.com/Miserlou/OnionCloud
> 
> R
> 
> 
> 
> 
> -- 
> Just another hacker in the City of Spies.
> #Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de
> 
> My posts, while frequently amusing, are not representative of the thoughts of 
> my employer.

[liberationtech] My Cryptocat talk 24 hours after the latest vulnerability

2013-07-23 Thread Nadim Kobeissi
Libtech,
I urge everyone interested in the latest "Decryptocat" issue to watch the talk 
and 70-minute (!) Q&A that followed it. I gave this talk the day right after 
the bug.

The talk and the Q&A sessions really serve to explain my position on the 
project and I think they will clarify a lot of questions and misunderstandings. 
If you plan to evaluate Cryptocat, watch them!

Talk: http://www.youtube.com/watch?v=9wccHkrOg0k
Q&A: http://www.youtube.com/watch?v=fku_MmNvZa8

NK
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-11 Thread Nadim Kobeissi

On 2013-07-11, at 4:32 PM, Andy Isaacson  wrote:

> On Thu, Jul 11, 2013 at 12:23:25PM -0700, Mitar wrote:
>> BTW. Even Tor has centralized directory servers.
> 
> It's incredibly misleading to imply that the Tor DA design provides a
> similar threat to a server-hosted-crypto proprietary privacy app.  (I'm
> not accusing you of intentionally misleading, but the claim that you're
> repeating is misleading.)
> 
> The Tor DAs are run by multiple individuals in diverse legal
> jurisdictions, and their sole purpose is to make a publicly checkable
> attestation of public facts.  The implementation run by the DAs is open
> source and has been developed in public according to a public design for
> a decade, in accordance with Kerckhoffs's Principle.

I agree with your post generally, but I must beg your pardon and address 
something a bit off-topic:
A year ago, two DAs were subject to a DDoS. This prevented people from 
connecting to the Tor network very substantially. The network was largely 
inaccessible for a few hours. If DDoSing two computers can do this, you have a 
problem. Let's not downplay the fact that directory servers are indeed 
centralized and fragile. Having six servers spread across multiple IP address 
spaces doesn't exactly solve this problem.

NK

> 
> A non-open-source privacy app developed by a single company has a
> corporate nexus of control, a single jurisdiction to get a secret
> warrant in, and a single codebase and update server/signing-key to
> compromise giving 'the keys to the castle'.
> 
> Even if an attacker were to secretly compromise all of the Tor DAs and
> publish a malicious consensus, the break is only to anonymity, not to
> message privacy.  (Granted, anonymity is a major selling point for Tor
> and that break would be a major problem, but it's still not as severe a
> break as the messaging app compromise.)
> 
>> And it does not
>> really matter if the code there is open source or not, because you
>> anyway cannot know if they are really running some particular code
>> there or not.
> 
> Being closed source doesn't fix this problem, so how is that a useful
> response to the advice "never trust a closed source privacy app"?
> 
> Seatbelts don't help when your car flies off a cliff.  It's still a good
> idea to wear your seatbelt, for the 99% of crashes where they do help.
> 
> Having open review of the design and implementation of your privacy app
> isn't enough to solve all of the potential compromises.  But it's still
> a good idea to have open review which will help address a vast number of
> vulnerabilities.
> 
> -andy


Re: [liberationtech] DecryptoCat

2013-07-11 Thread Nadim Kobeissi

On 2013-07-11, at 2:08 PM, Maxim Kammerer  wrote:

> On Thu, Jul 11, 2013 at 9:04 PM, Jonathan Wilkes  wrote:
>> I think the upshot of that is to steer whatever funds Cryptocat has
>> toward the form of peer review that did work, which is the bug
>> hunt (as well as look into other forms of peer review that would
>> be more effective).
> 
> The problem with bug hunting is that, in virtually all cases, the
> reward for an exploitable bug is orders of magnitude lower than what
> can be fetched on the open market. So it is not a replacement for a
> thorough review by experts.

There was a recent article on this:
http://threatpost.com/researchers-find-bug-bounty-programs-pay-economic-rewards/101243

NK

> 
> --
> Maxim Kammerer
> Liberté Linux: http://dee.su/liberte


[liberationtech] How Microsoft handed the NSA access to encrypted messages

2013-07-11 Thread Nadim Kobeissi
A brand new scoop by Glenn Greenwald:
http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data

"Microsoft has collaborated closely with US intelligence services to allow 
users' communications to be intercepted, including helping the National 
Security Agency to circumvent the company's own encryption, according to 
top-secret documents obtained by the Guardian.

The files provided by Edward Snowden illustrate the scale of co-operation 
between Silicon Valley and the intelligence agencies over the last three years. 
They also shed new light on the workings of the top-secret Prism program, which 
was disclosed by the Guardian and the Washington Post last month.

The documents show that:

• Microsoft helped the NSA to circumvent its encryption to address concerns 
that the agency would be unable to intercept web chats on the new Outlook.com 
portal;

• The agency already had pre-encryption stage access to email on Outlook.com, 
including Hotmail;

• The company worked with the FBI this year to allow the NSA easier access via 
Prism to its cloud storage service SkyDrive, which now has more than 250 
million users worldwide;

• Microsoft also worked with the FBI's Data Intercept Unit to "understand" 
potential issues with a feature in Outlook.com that allows users to create 
email aliases;

• Skype, which was bought by Microsoft in October 2011, worked with 
intelligence agencies last year to allow Prism to collect video of 
conversations as well as audio;

• Material collected through Prism is routinely shared with the FBI and CIA, 
with one NSA document describing the program as a "team sport"."

More at the link:
http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data

NK




Re: [liberationtech] DecryptoCat

2013-07-11 Thread Nadim Kobeissi

On 2013-07-11, at 12:38 PM, Maxim Kammerer  wrote:

> On Tue, Jul 9, 2013 at 4:57 PM, Jacob Appelbaum  wrote:
>> While I think Maxim is viewed as exceedingly harsh in how he writes, I
>> think that your response is really the wrong way to deal with him. We
>> should consider that his cultural background is different and that as
>> far as I understand it, he isn't a native English speaker. Between the
>> two things, perhaps we might just ask him to be nicer?
> 
> I am often harsh because I dislike circlejerks. Activists are too
> often completely unable to employ critical thinking when the result of
> that thinking would go contrary to their ideology — even more so when
> said activists lack scientific/technical education. E.g., recall that
> case last year where legal activists on this list finally succeeded in
> (or at least supported, not sure) enhancing export controls of
> software [1]. I was as annoyed as you, but I wasn't surprised. This is
> what these people do: claim they support some idea (e.g., freedom to
> write software), but easily do something to the contrary when the
> result is not aligned with their ideology. There is no critical
> thinking involved — nothing in their life accustomed these people to
> the need to think critically.
> 
> Anyway, back to the topic. I don't care much about Cryptocat, simply
> because I don't care much about web programming. I don't think I
> participated in a discussion about Cryptocat previously. I did
> converse with Nadim when he was going to do something stupid in the
> project once, but got tired quickly when he found it hard to grasp
> simple CS concepts. So he fixed the problem, and I stopped caring,
> fine. But in this thread, I pointed out something very simple:
> Cryptocat paid for professional peer review (audit, whatever you call
> it), and it didn't work. Then, people start to lecture me for some
> reason, as if I have any reason to listen to that chatter. Did
> Cryptocat contact Veracode for a response? I mean, they spent CIA
> money on that, no? Or was that money spent just to be able to write a
> rosy blog post? E.g., I thought about hiring their audit services as
> well before — is that a bad idea? Is the value in such an audit only
> in being able to convince people who don't understand anything about
> programming? So, say, clueless people got happy due to an audit, and
> Cryptocat people were forced to fix a bug due to someone finding and
> widely publishing it — I can understand that. So, where are the
> answers to these questions? Why am I reading useless apologies and
> expressions of support instead?

Wow.

NK

> 
> [1] 
> https://mailman.stanford.edu/pipermail/liberationtech/2012-September/004854.html
> 
> --
> Maxim Kammerer
> Liberté Linux: http://dee.su/liberte


Re: [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-10 Thread Nadim Kobeissi
Hemlis have posted the answer to whether they will open source their app:

"Will it be Open Source?
We have all intentions of opening up the source as much as possible for 
scrutiny and help! What we really want people to understand however, is that 
Open Source in itself does not guarantee any privacy or safety. It sure helps 
with transparency, but technology by itself is not enough. The fundamental 
benefits of Heml.is will be the app together with our backend infrastructure, 
which is what really makes the system interesting and secure." — 
https://heml.is/

I'm sort of infamous by now for the fusses I make regarding the importance of 
open-sourcing security software. I'm pretty sure people are tired of me so I'm 
going to be quiet. But it's clear to me that Hemlis's answer is not the right 
answer.

NK

On 2013-07-10, at 10:29 AM, Albert López  wrote:

> 
> Hello Wasabee,
> 
> I've used TextSecure but I found that it's like sending encrypted SMS, 
> therefore you have the consequent cost associated with it. I don't know 
> if Heml.is will be a kind of secure WhatsApp or if it will have the same 
> approach as TextSecure.
> 
> Correct me if I'm wrong with the SMS stuff. It was what I thought once I 
> received my bill.
> 
> 
> 
> 
> gpg --keyserver pgp.mit.edu --search-keys EEE5A447
> http://pgp.mit.edu:11371/pks/lookup?search=0xEEE5A447&op=vindex
> 
> 
> 
> Date: Wed, 10 Jul 2013 14:31:53 +0100
> From: wasabe...@gmail.com
> To: liberationtech@lists.stanford.edu
> Subject: Re: [liberationtech] Heml.is - "The Beautiful & Secure Messenger"
> 
> https://whispersystems.org/ already has an open-source secure messaging, 
> voice and more.
> Has anyone reviewed their code?
> Does anyone use it?
> Why not build on top of it?
> 
> 
> On 10/07/13 14:07, Nick wrote:
> no one said it would be closed source. That's people's guess. Like, your guess, 
> I guess.
> 
> According to their twitter account, the answer is "maybe":
> 
> https://twitter.com/HemlisMessenger/statuses/354927721337470976
> 
> 
> Peter Sunde (one of the people behind it) said "eventually", but
> in my experience promises like that tend to be broken:
> 
> https://twitter.com/brokep/status/354608029242626048
> 
> 
> 
> and the feature 'unlocking' aspect of the project - to be indication of a
> proprietary code base.
> 
> Frankly I can't see how they could get the "feature unlock" funding
> stuff to work well if it's proper open source. As I'd expect people
> to fork it to remove such antifeatures. It's a pity, as several new
> funding models have been successful recently which are compatible with
> free software, but this doesn't look to be one of them.


Re: [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-09 Thread Nadim Kobeissi
This looks awesome! The more alternatives the better.

NK

On 2013-07-09, at 12:52 PM, Julian Oliver  wrote:

> 
> Surprised to see Peter Sunde, Leif Högberg & Linus Olsson push out their private 
> messaging for Android and iOS as closed-source unlock-ware:
> 
> https://heml.is/
> 
> (Warning: Self-ingratiating video. Fun-guy team shots)
> 
> Cheers,
> 
> -- 
> Julian Oliver
> PGP B6E9FD9A
> http://julianoliver.com
> http://criticalengineering.org


Re: [liberationtech] DecryptoCat

2013-07-09 Thread Nadim Kobeissi

On 2013-07-09, at 10:29 AM, Jacob Appelbaum  wrote:

> Patrick Mylund Nielsen:
>> On Tue, Jul 9, 2013 at 9:22 AM, Eugen Leitl  wrote:
>> 
>>> On Tue, Jul 09, 2013 at 09:12:21AM -0400, Patrick Mylund Nielsen wrote:
>>>> If it's so easy, go ahead and produce a more secure alternative that
>>>> people
>>> 
>>> You mean something like http://dee.su/ ?
>>> 
>>> And http://dee.su/cables ?
>>> 
>>> 
>> No, I mean an alternative to Cryptocat (i.e. an OTR client with multiparty
>> communication) that is more secure, and as easy to use.
>> 
> 
> While Cryptocat has OTR - the multi-party communication is not the OTR
> protocol.
> 
> Cables is as easy to use as email. Generally it is used with an email
> client.
> 
> If you boot liberte - there is little to no configuration beyond
> establishing communication and verifying that you've done so correctly.
> Once that is done, you do not need to do it again - a key defense
> against active attackers. As I understand things this critical step
> (verification and persistence, or merely verification in a usable
> manner) cannot be done in CryptoCat at the moment. Active attackers will
> win against everyone without verification. The last bug ensured that
> *passive* attackers won against everyone on the main server and they
> would also win against everyone not using forward secret TLS modes. As I
> understand, we do not have numbers on how many users are using the less
> secure TLS modes.
> 
> Please read this page:
> 
>  https://www.ssllabs.com/ssltest/analyze.html?d=crypto.cat
> 
> On three computers near me, I see it using non-forward secret modes
> today - SSL_RSA_WITH_RC4_128_SHA - this isn't good news.

Hi Jacob,
You've said a lot about Cryptocat's SSL configuration — can you recommend a 
better configuration that is similarly compatible?

Thanks,
NK

> 
> This also means that if CryptoCat's security may be reduced to SSL, it
> is now possible to reduce that to plaintext by forcing disclosure of the
> current website's key. This may happen legally or it may happen through
> exploitation. I'm not sure why CryptoCat doesn't just exclusively offer
> everything with forward secret modes, and encourage everyone else to
> upgrade their browser when they use a less secure mode? I suggested this
> to Nadim on another mailing list, I'm not sure if he is working on this
> already? Perhaps so? I hope so...
> 
> In any case, "more secure than CryptoCat" is not a high bar during the
> time of this bug. Any CA could have subverted the very little security
> provided the web browser trust model. Also the security provided by
> non-forward secret TLS connections is a really serious problem.
> 
> If you mean "as easy to use" as a plugin in a browser and that it can be
> as secure as just chatting over HTTPS protected servers without any
> other security, I think that the requirement is not proportional.
> 
> Usability is absolutely critical - but we're not looking to build usable
> software without any security - if we were, we'd all be using Facetime,
> Skype, GChat and so on, without any complaints.
> 
> All the best,
> Jacob
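
Nadim asks for a configuration that is similarly compatible; the property Jacob is pointing at is visible in the name of the negotiated suite. In SSL_RSA_WITH_RC4_128_SHA the key exchange is static RSA: the client encrypts the pre-master secret to the server's long-term RSA key, so recorded traffic can be decrypted by anyone who later obtains that key, whereas ECDHE and DHE suites agree a fresh key per session. The following is an added example, not code from the thread or from Cryptocat, that classifies suite names in both the IANA style that SSL Labs reports and the OpenSSL style used in server cipher lists, flags RC4 and other weak ciphers, and orders a candidate list so that forward-secret suites come first. The suite names used as samples are constructed.

```python
"""Classify TLS cipher suite names by key exchange and flag weak ciphers.

Added example, not code from the thread or from Cryptocat. The suite names
used as samples are constructed; they follow the two naming styles in use:
IANA/RFC names such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (what the SSL
Labs report shows) and OpenSSL names such as ECDHE-RSA-AES128-GCM-SHA256
(what a server's cipher list contains).
"""
import re

# Key exchanges that use an ephemeral (Diffie-Hellman) agreement: the session
# key is never encrypted under the server's long-term RSA key, so recording
# traffic and later obtaining that key does not decrypt the session.
EPHEMERAL_KEX = {"ECDHE", "DHE", "EDH"}

# OpenSSL-style prefixes that name a key exchange; any other leading token
# (AES128, RC4, DES, ...) means static RSA key exchange.
OPENSSL_KEX_PREFIXES = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH", "PSK", "SRP"}

# Tokens that mark a suite as weak regardless of key exchange: RC4, null or
# export-grade encryption, and anonymous (unauthenticated) key exchange.
WEAK_TOKENS = {"RC4", "NULL", "EXPORT", "EXP", "ANON", "ADH", "AECDH"}


def tokens(name):
    """Split a suite name on '_' or '-' and upper-case it so both styles compare alike."""
    return re.split(r"[-_]", name.strip().upper())


def key_exchange(name):
    """Return the key-exchange token of a suite name (RSA, DHE, ECDHE, ...)."""
    t = tokens(name)
    if t[0] in ("TLS", "SSL"):        # IANA style: TLS_<kex>_<auth>_WITH_...
        return t[1]
    if t[0] in OPENSSL_KEX_PREFIXES:  # OpenSSL style with an explicit kex prefix
        return t[0]
    return "RSA"                      # OpenSSL style without prefix = static RSA


def forward_secret(name):
    """True when the suite's key exchange is ephemeral DH/ECDH."""
    return key_exchange(name) in EPHEMERAL_KEX


def weak_cipher(name):
    """True for RC4, NULL, export, anonymous, or single-DES suites."""
    t = tokens(name)
    if WEAK_TOKENS & set(t):
        return True
    # Single DES shows up as a bare DES token; triple DES is 3DES (IANA) or
    # DES-CBC3 (OpenSSL), neither of which is flagged here.
    return "DES" in t and "CBC3" not in t


def audit(name):
    """Summarise one suite the way a reviewer wants to see it."""
    return {
        "suite": name,
        "kex": key_exchange(name),
        "forward_secret": forward_secret(name),
        "weak_cipher": weak_cipher(name),
    }


def preferred_order(suites):
    """Drop weak suites and put forward-secret ones first, keeping the given
    order otherwise. Returns (kept, dropped)."""
    kept = [s for s in suites if not weak_cipher(s)]
    kept.sort(key=lambda s: not forward_secret(s))  # stable sort: PFS first
    dropped = [s for s in suites if weak_cipher(s)]
    return kept, dropped


if __name__ == "__main__":
    # The suite Jacob reports seeing negotiated, plus a constructed server list.
    print(audit("SSL_RSA_WITH_RC4_128_SHA"))
    kept, dropped = preferred_order(
        ["AES128-SHA", "RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA"]
    )
    print("cipher list:", ":".join(kept))
    print("dropped:", dropped)
```

What a name check cannot tell you is compatibility, which is the part of the question that matters for a chat client reached from many browsers: the reordered list still has to be tested against the browsers in use, and the server must be configured to honour its own preference order (SSLHonorCipherOrder in Apache) rather than the client's, or a client that lists RC4 first will still get RC4.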


Re: [liberationtech] DecryptoCat

2013-07-08 Thread Nadim Kobeissi

On 2013-07-09, at 12:34 AM, Jonathan Wilkes  wrote:

> On 07/08/2013 07:07 AM, Nadim Kobeissi wrote:
>> On 2013-07-08, at 3:34 AM, Tom Ritter  wrote:
>> 
>>> On 7 July 2013 17:20, Maxim Kammerer  wrote:
>>>> This thread started off with discussion of peer review, so I have
>>>> shown that even expensive, well-qualified peer review (and I am sure
>>>> that Veracode people are qualified) didn't help in this case.
>>> As one of the people on this list who does paid security audits, I
>>> both want to, and feel obligated to, weigh in on the topic.  I don't
>>> work for Veracode, I have done audits for projects in the LibTech
>>> space, I have not done one for Cryptocat.  I would like to, and given
>>> enough free time might get around to it,
>> Just a quick note out of your awesome email:
>> If you don't have enough free time, let me help you make some. I am able to 
>> fund further auditing. Round up a team and get in touch!
> 
> Are you still offering a bounty for finding security bugs?  Because that seems 
> to be the system under which a critical bug was revealed, and subsequently 
> fixed.

Absolutely: 
https://crypto.cat/bughunt/

NK

> 
> -Jonathan
> 
>> 
>> I sincerely appreciate the perspective in the rest of your email.
>> 
>> NK
>> 
>>> but like _everyone_ in this
>>> space, doing something publicly and putting your name on it means
>>> holding yourself to a certain standard, and that standard requires
>>> time - a lot of time (on the order of 60-100 hours).
>>> 
>>> 
>>> A good security audit will give you two things.
>>> 
>>> Firstly it will give you bugs.  These bugs are usually constrained to
>>> issues that are security vulnerabilities (but not always depending on
>>> the issue/the auditor/the time available).  We find these bugs through
>>> meticulous testing and reading source code (see the 60-100 hours),
>>> through checklists to make sure we don't omit anything (see
>>> https://github.com/iSECPartners/LibTech-Auditing-Cheatsheet for a
>>> Creative Commons version of mine), and through experience and hunches.
>>> Usually an audit is time boxed so we don't literally read every line
>>> - the 60-100 hours would balloon up considerably if it were the case.
>>> 
>>> We read a lot of code, we see and find a lot of bugs.  The best
>>> auditors are always reading about new bug classes and exploitation
>>> vectors so we can recognise these bugs when they are in new projects.
>>> The Cryptocat bug, using a random string (or decimal digits) instead
>>> of bytes - I've seen before, as most people in my company have.
>>> (Usually it's in the form of using a hexadecimal string instead of
>>> converting the hexadecimal into bytes.)
>>> 
>>> I know Cryptocat has been audited by humans in this fashion before,
>>> I've read their report, and it found good bugs.  Of course, no auditor
>>> is perfect - we never find every single bug that's in an application
>>> and we can never say something is 'safe'.  Which is why we give you
>>> the second thing:
>>> 
>>> We give recommendations for making your codebase better.  In older,
>>> more mature codebases this usually takes the form of recommendations
>>> like "Everywhere you do file handling is wrong, and you need to
>>> centralize it, fix it in the centralized version, and make sure
>>> everyone uses that going forward."  Those are the straightforward
>>> ones.  Sometimes they're more defensive, like "You really like to use
>>> the php system() function for doing stuff like removing files from the
>>> filesystem and chmodding.  You do really meticulous character
>>> escaping, so we couldn't get command execution - but nonetheless, you
>>> should really use the unlink() and chmod() functions, so you can be
>>> sure a bug never makes its way in."
>>> 
>>> Now those are pretty obvious examples.  In a project where the
>>> developers are making every effort they can to lock things down, where
>>> they're making every effort to do things 'right' - if we still can't
>>> provide examples, we're not doing a very good job.
>>> 
>>> There are a lot of defense in depth measures that can be applied to
>>> web applications.  Request preprocessors can look for global IDs, and
>>> assert that the current session can access that objec
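
Tom describes the bug class above as using a random string (decimal digits, or a hex string) where random bytes were intended. The cost is easy to quantify: a byte that can only take one of 10 ASCII digit values carries log2(10), about 3.32 bits, and a hex character carries 4, so a 32-character key looks like 256 bits of key material but carries 106 or 128. The following is an added example, not code from Cryptocat or from the thread, that reproduces both flawed generator patterns beside the correct one and adds the check a reviewer or test suite could run on generated keys. The sample keys are constructed.

```python
"""Effective entropy of a key that is a text string rather than raw bytes.

Added example, not code from Cryptocat or from the thread. It shows the
class of mistake described in the thread (a string of decimal digits, or a
hex string, used where random bytes were intended) and a check that catches
it. SAMPLE_DIGIT_KEY and SAMPLE_HEX_KEY are constructed values.
"""
import math
import secrets

DIGITS = frozenset(b"0123456789")
HEX = frozenset(b"0123456789abcdefABCDEF")

# Constructed samples: 32 ASCII characters each, i.e. 32 bytes on the wire.
SAMPLE_DIGIT_KEY = b"31415926535897932384626433832795"
SAMPLE_HEX_KEY = b"0123456789abcdef0123456789abcdef"


def entropy_bits(alphabet_size, length):
    """Entropy of `length` independent uniform symbols from an alphabet of the given size."""
    return length * math.log2(alphabet_size)


def key_from_random_bytes(n):
    """Correct: n bytes from the OS CSPRNG, 8 bits of entropy per byte."""
    return secrets.token_bytes(n)


def key_from_decimal_digits(n):
    """Flawed: n random decimal digits, ASCII-encoded and used as an n-byte key.
    Each byte takes only 10 of 256 values, so about 3.32 bits per byte."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n)).encode("ascii")


def key_from_hex_string(n):
    """Flawed: n hex characters used as an n-byte key instead of being decoded.
    Each byte takes 16 values, so 4 bits per byte: half of what the length suggests."""
    return secrets.token_hex((n + 1) // 2)[:n].encode("ascii")


def hex_text_to_key(hex_text):
    """Correct handling of hex-encoded key material: decode it to raw bytes."""
    return bytes.fromhex(hex_text)


def entropy_upper_bound_bits(key):
    """Upper bound on the entropy of `key`, inferred from the alphabet its bytes
    are drawn from. A genuine random byte string almost never stays inside the
    ASCII digit or hex alphabets, so landing in one of those branches is a red flag."""
    if all(b in DIGITS for b in key):
        return entropy_bits(10, len(key))
    if all(b in HEX for b in key):
        return entropy_bits(16, len(key))
    return entropy_bits(256, len(key))


def key_is_suspicious(key, required_bits=128):
    """True when the key cannot carry the security level its consumer assumes."""
    return entropy_upper_bound_bits(key) < required_bits


if __name__ == "__main__":
    for label, key in [
        ("random bytes", key_from_random_bytes(32)),
        ("decimal digits", key_from_decimal_digits(32)),
        ("hex string", key_from_hex_string(32)),
        ("hex decoded", hex_text_to_key(key_from_hex_string(32).decode())),
    ]:
        print(f"{label:15s} len={len(key):2d} bytes  <= {entropy_upper_bound_bits(key):6.1f} bits  "
              f"suspicious(256)={key_is_suspicious(key, 256)}")
```

The last row of the demonstration is the instructive one: decoding the 32-character hex string gives a 16-byte key with the same 128 bits, which is all it ever had, so the fix is not the decode alone but generating 64 hex characters (or, better, 32 raw bytes) in the first place. The check's false-positive rate is not a practical concern: a real 32-byte random key stays inside the 22-character hex alphabet with probability (22/256)^32.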

[liberationtech] Anatomy of a Cryptocat bug

2013-07-08 Thread Nadim Kobeissi
Check out this very well-written "post-mortem" of a related bug that was fixed 
recently in Cryptocat:
http://nakedsecurity.sophos.com/2013/07/09/anatomy-of-a-pseudorandom-number-generator-visualising-cryptocats-buggy-prng/

NK


Re: [liberationtech] DecryptoCat

2013-07-08 Thread Nadim Kobeissi

On 2013-07-08, at 2:48 PM, Reed Black  wrote:

> On Mon, Jul 8, 2013 at 11:00 AM, David Goulet  wrote:
>> 
>> Furthermore, looking at those lines of code, there are simply NO comments at all,
>> nothing to help peer review, to explain why this or that is done that way and
>> nothing linked to any design document. It is in my opinion VERY important that
>> developers design their system/subsystem beforehand *especially* a crypto design
>> in a public document. And, if it has to change, the design should be peer
>> reviewed before even making one line of code.
>> 
>> So, on the technical critical issue, CryptoCat responded well and quickly, but the
>> point here is that there is a problem in terms of how development is done and
>> how *little* maintainable the code is.
> 
> I think there is a bigger problem in the commit messages. Looking at
> the history, many are "tweak" "guehh" "update" "FIX THE BUG" and some
> of those are tied to large many-purpose Swiss Army Knife commits.
> 
> Without descriptive commit messages and single-purpose commits,
> community review is highly unlikely. It takes an order of magnitude
> more effort for a reviewer to suss out the intent of a code change.
> The reviewer is also much less likely to ask about suspicious side
> effects if he's starting with infinite possibility of intent on first
> encountering the code. Few volunteers will make a routine effort.
> 
> 
> Remember when someone tried slipping this into the Linux kernel?
> 
> + if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
> + retval = -EINVAL;
> 
> Ask if something that subtle would have been spotted so quickly if it were
> one of many Swiss Army Knife "guehh" commits.

I'm sure "guehh" and so on are either exceptions or relate to very irrelevant 
commits.
If they're not, then we definitely have a commit documentation problem!

NK

> 
> 
> I think any project that relies on community review for security needs
> to first stop and ask what would make community review likely. At the
> least, that's some venue for review discussion where the developers
> are reading, single-function commits, and descriptive commit messages.
> Does anyone know if there's something like a "best practices" page to
> point to for maintaining a healthy reviewer community?
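
The kernel hunk Reed quotes is the classic case: a single `=` inside a condition, wrapped in an extra pair of parentheses so that it reads like a comparison, and its effect (assigning 0 to `current->uid`) is only visible to a reviewer who knows what `=` does in a C condition. The following is an added example, not from the thread or from any project, of the mechanical review check that would have pulled that line out of a large multi-purpose commit: it extracts the balanced condition of every `if`/`while` in a C source and flags any lone `=` in it. The C lines it runs over are constructed for illustration; the first two are the quoted hunk.

```python
"""Flag assignments inside if/while conditions in C source.

Added example, not code from the thread or from any project. The sample
source below is constructed; its first two lines are the hunk quoted in the
thread. The check is a review aid, not a proof of intent: line 5 is the
legitimate C idiom of assigning inside a condition, and is reported for the
reviewer to wave through.
"""
import re

# Start of an if/while condition; the balanced parentheses are found by hand
# because a regex cannot match nesting.
CONDITION_START = re.compile(r"\b(if|while)\s*\(")

# A lone '=': not part of ==, !=, <=, >=, nor of a compound assignment such as
# |=, &=, +=, -=, *=, /=, %=, ^=.
LONE_ASSIGN = re.compile(r"(?<![=!<>+\-*/%&|^])=(?!=)")


def conditions_in(line):
    """Return the text inside the parentheses of each if/while on the line."""
    found = []
    for m in CONDITION_START.finditer(line):
        start = m.end() - 1          # index of the opening parenthesis
        depth = 0
        for i in range(start, len(line)):
            c = line[i]
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth == 0:
                    found.append(line[start + 1:i])
                    break
    return found


def flag_assignments_in_conditions(source):
    """Return [(line_number, condition)] for every condition containing a lone '='."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for cond in conditions_in(line):
            if LONE_ASSIGN.search(cond):
                hits.append((lineno, cond.strip()))
    return hits


# Constructed sample; lines 1-2 are the quoted kernel hunk (diff '+' prefix kept).
SAMPLE_C = """\
+ if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
+ retval = -EINVAL;
if (current->uid == 0)
    return -EPERM;
while ((c = getc(fp)) != EOF)
    count++;
if (flags >= 0 && mask != 0)
    ok = 1;
"""

if __name__ == "__main__":
    for lineno, cond in flag_assignments_in_conditions(SAMPLE_C):
        print(f"line {lineno}: assignment in condition: {cond}")
```

The compiler is not a substitute here: gcc's -Wparentheses warns about an assignment used as a truth value, but the extra parentheses around `(current->uid = 0)` are exactly the idiom that tells it the assignment is intentional and silences the warning. That is why a reviewer-side pass like this one, run over single-purpose commits with commit messages that say what changed, is the control Reed is arguing for.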


Re: [liberationtech] DecryptoCat

2013-07-08 Thread Nadim Kobeissi

On 2013-07-08, at 2:00 PM, David Goulet  wrote:

> Hi everyone,
> 
> Very good post Tom! :)
> 
> I would like to point out something here, no bashing, but rather possible
> improvements from my point of view. As Tom stated, basically if you don't do
> code, you'll have no bugs so in other words there will always be bugs!
> 
> Now, what's troubling me with this disclosure is probably a lack of experience
> of the maintainers especially in open source software. There are 19 commits
> between Jul 9, 2011 and Jun 3, 2013 (see second table of the decryptocat post)
> which basically change the keying scheme in production. There are 6 of those
> only in October 2011! In terms of peer review, it is just not possible to
> follow such a pace especially with so little testing upstream.
> 
> Furthermore, looking at those lines of code, there are simply NO comments at
> all, nothing to help peer review, to explain why this or that is done that way
> and nothing linked to any design document. It is in my opinion VERY important
> that developers design their system/subsystem beforehand *especially* a crypto
> design in a public document. And, if it has to change, the design should be
> peer reviewed before even making one line of code.
> 
> So, on the technical critical issue, CryptoCat responded well and quickly, but
> the point here is that there is a problem in terms of how development is done
> and how *little* the maintainability of the code is.

Hold your horses. There is an *Absurd* amount of difference between Cryptocat 
in October 2011 and today. You simply cannot compare the two codebases. They 
are completely different as Cryptocat was rewritten completely from scratch 
twice since 2011.

The current codebase is, even if I do say so myself, modestly maintainable and 
well-documented. But really, bringing up the October 2011 codebase is really 
beside the point.

I appreciate the rest of your post. Thanks for your input, David.

NK

> 
> Those guys (CryptoCat) are learning and getting experience to run such a
> security critical open source project over the year and this episode should
> be a good wake up call to understand what went wrong and how to improve the
> situation. Shit happens, now it's up to them to address this work flow issue
> and the community should help them like Tom did with that post!
> 
> Else, I'm pretty sure we are going to see more and more of those bugs over the
> year if the upstream code is treated like a development branch and is not
> documented explaining the why of things to facilitate peer review and
> maintainability.
> 
> My two cents!
> 
> Cheers!
> David
> 
> Tom Ritter:
>> On 7 July 2013 17:20, Maxim Kammerer  wrote:
>>> This thread started off with discussion of peer review, so I have
>>> shown that even expensive, well-qualified peer review (and I am sure
>>> that Veracode people are qualified) didn't help in this case.
>> 
>> As one of the people on this list who does paid security audits, I
>> both want to, and feel obligated to, weigh in on the topic.  I don't
>> work for Veracode, I have done audits for projects in the LibTech
>> space, I have not done one for Cryptocat.  I would like to, and given
>> enough free time might get around to it, but like _everyone_ in this
>> space, doing something publicly and putting your name on it means
>> holding yourself to a certain standard, and that standard requires
>> time - a lot of time (on the order of 60-100 hours).
>> 
>> 
>> A good security audit will give you two things.
>> 
>> Firstly it will give you bugs.  These bugs are usually constrained to
>> issues that are security vulnerabilities (but not always depending on
>> the issue/the auditor/the time available).  We find these bugs through
>> meticulous testing and reading source code (see the 60-100 hours),
>> through checklists to make sure we don't omit anything (see
>> https://github.com/iSECPartners/LibTech-Auditing-Cheatsheet for a
>> Creative Commons version of mine), and through experience and hunches.
>> Usually an audit is time boxed so we don't literally read every line
>> - the 60-100 hours would balloon up considerably if it were the case.
>> 
>> We read a lot of code, we see and find a lot of bugs.  The best
>> auditors are always reading about new bug classes and exploitation
>> vectors so we can recognise these bugs when they are in new projects.
>> The Cryptocat bug, using a random string (or decimal digits) instead
>> of bytes - I've seen before, as most people in my company have.
>> (Usually it's in the form of using a hexadecimal string instead of
>> converting the hexadecimal into bytes.)
>> 
>> I know Cryptocat has been audited by humans in this fashion before,
>> I've read their report, and it found good bugs.  Of course, no auditor
>> is perfect - we never find every single bug that's in an application
>> and we can never say something is 'safe'.  Which is why we give you
>> the second thing:
>> 
>> We give recommendations for making y

Re: [liberationtech] DecryptoCat

2013-07-08 Thread Nadim Kobeissi

On 2013-07-08, at 3:34 AM, Tom Ritter  wrote:

> On 7 July 2013 17:20, Maxim Kammerer  wrote:
>> This thread started off with discussion of peer review, so I have
>> shown that even expensive, well-qualified peer review (and I am sure
>> that Veracode people are qualified) didn't help in this case.
> 
> As one of the people on this list who does paid security audits, I
> both want to, and feel obligated to, weigh in on the topic.  I don't
> work for Veracode, I have done audits for projects in the LibTech
> space, I have not done one for Cryptocat.  I would like to, and given
> enough free time might get around to it,

Just a quick note out of your awesome email:
If you don't have enough free time, let me help you make some. I am able to 
fund further auditing. Round up a team and get in touch!

I sincerely appreciate the perspective in the rest of your email.

NK

> but like _everyone_ in this
> space, doing something publicly and putting your name on it means
> holding yourself to a certain standard, and that standard requires
> time - a lot of time (on the order of 60-100 hours).
> 
> 
> A good security audit will give you two things.
> 
> Firstly it will give you bugs.  These bugs are usually constrained to
> issues that are security vulnerabilities (but not always depending on
> the issue/the auditor/the time available).  We find these bugs through
> meticulous testing and reading source code (see the 60-100 hours),
> through checklists to make sure we don't omit anything (see
> https://github.com/iSECPartners/LibTech-Auditing-Cheatsheet for a
> Creative Commons version of mine), and through experience and hunches.
> Usually an audit is time boxed so we don't literally read every line
> - the 60-100 hours would balloon up considerably if it were the case.
> 
> We read a lot of code, we see and find a lot of bugs.  The best
> auditors are always reading about new bug classes and exploitation
> vectors so we can recognise these bugs when they are in new projects.
> The Cryptocat bug, using a random string (or decimal digits) instead
> of bytes - I've seen before, as most people in my company have.
> (Usually it's in the form of using a hexadecimal string instead of
> converting the hexadecimal into bytes.)
> 
> I know Cryptocat has been audited by humans in this fashion before,
> I've read their report, and it found good bugs.  Of course, no auditor
> is perfect - we never find every single bug that's in an application
> and we can never say something is 'safe'.  Which is why we give you
> the second thing:
> 
> We give recommendations for making your codebase better.  In older,
> more mature codebases this usually takes the form of recommendations
> like "Everywhere you do file handling is wrong, and you need to
> centralize it, fix it in the centralized version, and make sure
> everyone uses that going forward."  Those are the straightforward
> ones.  Sometimes they're more defensive, like "You really like to use
> the php system() function for doing stuff like removing files from the
> filesystem and chmodding.  You do really meticulous character
> escaping, so we couldn't get command execution - but nonetheless, you
> should really use the unlink() and chmod() functions, so you can be
> sure a bug never makes its way in."
> 
> Now those are pretty obvious examples.  In a project where the
> developers are making every effort they can to lock things down, where
> they're making every effort to do things 'right' - if we still can't
> provide examples, we're not doing a very good job.
> 
> There are a lot of defense in depth measures that can be applied to
> web applications.  Request preprocessors can look for global IDs, and
> assert that the current session can access that object (in *addition*
> to the page-level checks on object access).  Database query logging
> can assert that all queries that go into particular tables use a
> certain column in the WHERE clause.  I can go on and on.  A good
> source of these is an ex-coworker's talk "Effective approaches to web
> application security"
> http://www.slideshare.net/zanelackey/effective-approaches-to-web-application-security
> (honestly, Etsy is driving the industry forward with their techniques
> for proactive web app security.)
> 
> Defense in depth lends itself very easily to 'classically' exploitable
> conditions around things like Cross Site Scripting, Direct Object
> Reference, Command Injection, Code Execution.  Weak RNG and
> fundamental protocol flaws are much harder to talk about in terms of
> defense in depth.
> 
> So, not to avoid the hard problem, let's take this particular bug.  What
> I would say is MOAR ABSTRACTION.  Now, I'm not actually a fan of
> abstraction, I hate seeing a ton of one-line functions, but in this
> case, to prevent a bug like this from happening again, I would
> structure the code like this (taking into account I'm really bad at
> naming things):
> 
> //rng.ext
> ///This class is a CSPRNG that outputs a stream of r

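One of the defense-in-depth measures Tom Ritter lists above is a query-log assertion: every statement that touches a per-user table must pin the expected column in its WHERE clause. The block below is an added example written for this page, not code from Cryptocat or from the Etsy talk he links. The table names, the `owner_id` column, the function names and the sample log lines are all constructed for illustration, and it assumes Node.js.

```javascript
// Added example, not from any project on this page: a query-log assertion of
// the kind Tom Ritter describes. Runs on Node.js; table and column names and
// the log lines below are constructed for illustration.

// Tables whose rows belong to one user, and the column every SELECT/UPDATE/
// DELETE against them must constrain in its WHERE clause. (Hypothetical.)
const SCOPED_TABLES = {
  messages: 'owner_id',
  conversations: 'owner_id',
};

// Which table does a single-table SELECT/UPDATE/DELETE statement target?
// Deliberately small: this is a log-time sanity check, not a SQL parser, so
// anything it cannot classify is reported rather than silently passed.
function targetTable(sql) {
  const m = /^\s*(?:SELECT\s+[\s\S]+?\s+FROM|UPDATE|DELETE\s+FROM)\s+`?(\w+)`?/i.exec(sql);
  return m ? m[1].toLowerCase() : null;
}

// Returns { ok, table, reason }. A statement is ok when it does not target a
// scoped table, or when its WHERE clause contains "<column> =".
function checkQuery(sql) {
  const table = targetTable(sql);
  if (table === null) return { ok: false, table: null, reason: 'unparsed statement' };
  const column = SCOPED_TABLES[table];
  if (!column) return { ok: true, table, reason: 'table is not user-scoped' };
  const where = /\bWHERE\b([\s\S]*?)(?:\bORDER\s+BY\b|\bGROUP\s+BY\b|\bLIMIT\b|;|$)/i.exec(sql);
  if (!where) return { ok: false, table, reason: `no WHERE clause on ${table}` };
  const pins = new RegExp(`\\b${column}\\s*=`, 'i');
  if (!pins.test(where[1])) {
    return { ok: false, table, reason: `WHERE on ${table} does not constrain ${column}` };
  }
  return { ok: true, table, reason: 'scoped' };
}

// Run the check over a log and return the offending entries with their line
// numbers, for an alert in production or a failing test in CI.
function auditQueryLog(lines) {
  const findings = [];
  lines.forEach((sql, i) => {
    const r = checkQuery(sql);
    if (!r.ok) findings.push({ line: i + 1, sql, table: r.table, reason: r.reason });
  });
  return findings;
}

// Constructed sample log: what an application's query logger might record.
// Lines 2, 3 and 5 reach a user-scoped table without pinning owner_id.
const SAMPLE_LOG = [
  "SELECT id, body FROM messages WHERE owner_id = 42 AND id = 7",
  "UPDATE conversations SET title = 'renamed' WHERE id = 9",
  "DELETE FROM messages WHERE id = 12",
  "SELECT name FROM public_rooms WHERE id = 3",
  "SELECT body FROM messages ORDER BY id LIMIT 20",
];

for (const f of auditQueryLog(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.reason}\n    ${f.sql}`);
}
```

The check fails closed: a statement the tiny grammar cannot classify is reported, not waved through, so extending it (joins, `IN (...)`, OR-ed conditions) is a matter of adding recognised shapes rather than of chasing silent misses. It sits beside, not instead of, the per-page authorisation checks; its value is that it catches the one handler someone forgot.
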
Re: [liberationtech] DecryptoCat

2013-07-08 Thread Nadim Kobeissi

On 2013-07-08, at 12:13 PM, Ralph Holz  wrote:

> Hi Tom,
> 
>> If you think this bug could never happen to you or your favorite pet
>> project; if you think there's nothing you can learn from this incident
>> - you haven't thought hard enough about ways it could have been
>> prevented, and thus how you can prevent bugs in your own codebase.
> 
> Amen to that.
> 
> Thanks for the write-up; it was my feeling, too, that too many people
> have been uttering very sharp criticism in this particular case, and
> that wasn't helping anyone.
> 
> There are projects that don't get nearly as much coverage but have a
> very poor security record. I personally know programmers with a hell of
> a global reputation whose code contained bugs found by peers. We should
> keep things in perspective.

Thanks a lot for this kind call for perspective.

The fact remains that we messed up. But I'm sticking to the project and I am 
certain that we will mess up less and less, and evolve. It took exemplary 
projects like Tor and PGP ten+ years to reach the reputable status they're in 
today (where, mind you, critical bugs still happen!) — it may take us even 
longer. But the goals are too important to give up. We're in a situation where 
accessibility has failed to evolve precisely because you're largely barred from 
taking risks. A license to take risks isn't a license to keep messing up, but 
it's still necessary to investigate real problems to which we haven't been able 
to find solutions as a community so far.

If a bug like this happens again in the future, I will follow the same 
procedure of complete transparency and hold myself fully accountable for it. 
All the same, I am redoubling my efforts to bring in more cryptographers and 
auditors to Cryptocat — this is what I just spent my weekend in Germany doing.

But quite frankly, for now, I really think I need a small vacation. :-p

NK

> 
> Ralph
> 
> -- 
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF



Re: [liberationtech] DecryptoCat

2013-07-07 Thread Nadim Kobeissi

On 2013-07-07, at 2:25 PM, CodesInChaos  wrote:

> > So introductory-level programming course mistakes are right out.
> 
> In my experience it's quite often a really simple mistake that gets you,
> even when you're an experienced programmer. I'm quite afraid of simple
> off-by-one bugs, places which I didn't fix in copy&paste, basic logic mistakes
> etc. IMO Nadim's main mistake wasn't the actual bug, mistakes like that can
> happen to anybody, but it was designing a really weird API that invites
> mistakes. Nobody sane returns decimal digits from a cryptographic PRNG.

That's not what the CSPRNG does exactly, but we routed it through an 
all-purpose function that wields it to present types of data on demand, be it 
random ASCII lowercase, random ASCII uppercase, random digits, random bytes. 
And then I messed up and asked it to produce random digits instead of random 
bytes and BOOM — security disaster, end of the world etc.

For the record, I feel deeply ashamed about this blunder. But I can't give up 
this project simply because bugs like this are bound to pop up for any project 
with this kind of goals and ambition, and our goals are, in my view, deeply 
necessary.

NK

> 
> For example a really basic cryptography mistake is reusing a nonce in
> AES-CTR. Still it happens to people experienced in both coding and
> cryptography. For example Tarsnap had such a vulnerability for several
> versions, despite a competent developer.
> http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html
> 
> In my own programs I'm really careful about nonces and randomness, but still 
> I wouldn't be surprised if a trivial bug slipped through in that area.
> Writing tests which detect such mistakes is really hard.



Re: [liberationtech] DecryptoCat

2013-07-04 Thread Nadim Kobeissi
Hello everyone,
I urge you to read our response at the Cryptocat Development Blog, which 
strongly clarifies the situation:

https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/

Thank you,
NK

On 2013-07-04, at 12:18 PM, Jens Christian Hillerup  wrote:

> On Thu, Jul 4, 2013 at 11:36 AM, KheOps  wrote:
> Just came across this:
> http://tobtu.com/decryptocat.php
> 
> Eep!
> 
> It seems like the saying "given enough eyeballs, all bugs are shallow" has 
> become obsolete, huh? Peer review is an integral part to developing secure 
> cryptography implementations, but unfortunately this fundamentally clashes 
> with the hacker mantra of "just do it". It's a shame that this project did 
> not get this kind of attention until after people started relying on 
> it---that could have saved a lot of people from a lot of shouting in any case.
> 
> So what do we do about this? Opening the source code as an argument for 
> security no longer suffices. How can we raise money for rigid and independent 
> quality assurance of software that in this case is designed to potentially 
> save lives? And how can we make sure that this money flows into the fund 
> and out to the QAers on a regular basis?
> 
> I don't know, sadly, but I'd love to discuss it.
> 
> JC



Re: [liberationtech] Terry Winograd and Evgeny Morozov

2013-07-02 Thread Nadim Kobeissi

On 2013-07-02, at 3:06 PM, "Glassman, Michael"  wrote:

> I think I really disagree with this.  I find Morozov's arguments 
> philosophically thin and part of what Stephen Pepper referred to as mindless 
> skepticism.  The fact that he is attempting to communicate to a more general 
> public makes this worse not better.  He feeds I believe in many ways to fit 
> into those with predilections to fear the Internet and its possibilities, 
> ridiculing ideas instead of just letting them fall on their own.  Fads 
> generally don't last while great ideas do.  One of the troubles is that in 
> the beginning we really don't know which is which.  Is it really up to 
> somebody such as Morozov to bestow on himself this ability?  It wouldn't be 
> so bad if it was just him but he is being treated as some type of folk hero 
> simply for saying we must see the Internet as limited capabilities.  It is in 
> my opinion a mindless skepticism that is in some ways dangerous.

> 
> Let me take an example from the article.  Morozov ridicules a 24 year old guy 
> who is trying to develop an app to help with obesity.  Well, why?  There is a 
> good chance it won't work, just as there is a good chance the most well 
> thought out initiatives won't work (the ones Morozov approves of).  But it 
> just may work, or lead to something that does work, so why cut off this 
> person's desire and energy with misplaced skepticism and ridicule?  Maybe it 
> won't solve obesity for everybody.  Maybe it will help with ten people.  
> Maybe it will help me.  The point is I don't know, you don't know and Morozov 
> certainly does not know.  Allow the energy to flourish.  Have any of you ever 
> read the history of Douglas Engelbart's Augmentation Research Center?  How 
> Morozov would have been allowed to ridicule that of course.  And would there 
> be less of a chance of me writing this message on the Internet to a list of 
> people if he had?

This. Evgeny Morozov mostly built his career on the practice of being skeptical 
about anything and everything, and then expressing his scepticism in the most 
provocative and attention-earning manner possible. If he lasts as more than a 
fad, it'll be another example of an issue within this community. Even his 
Twitter bio is "There are idiots, look around."

There are a lot of people who equate someone who regularly and rudely dismisses 
issues, technologies and discussions as someone who is intelligent and 
experienced. And some people just take advantage of this.

NK

> 
> From a philosophical standpoint, what the hell is solutionism?  First, at 
> least from my reading of Foucault it has nothing to do with problematizing (I 
> think a cursory reading of the History of Madness suggests this).  But it 
> also runs directly against Pragmatic philosophy and the work of some of the 
> greatest American philosophers as John Dewey.  The whole point of a 
> progressive approach is the idea that humans are constantly searching for 
> solutions to problems.  Nobody though gets to determine what is a problem.
> 
> I agree that there can be healthy critiques of the Internet.  I think Manuel 
> Castells offers one.  There are I'm certain others.  But mindless skepticism, 
> no that as I said is dangerous.
> 
> Michael
> From: liberationtech-boun...@lists.stanford.edu 
> [liberationtech-boun...@lists.stanford.edu] on behalf of Yosem Companys 
> [compa...@stanford.edu]
> Sent: Tuesday, July 02, 2013 2:08 PM
> To: liberationtech
> Subject: Re: [liberationtech] Terry Winograd and Evgeny Morozov
> 
> Evgeny's critique of Silicon Valley intellectual fads is indeed worthwhile.  
> What's surprising is that he is one of the only journalists to make this 
> critique, considering the large number of people who have said similar things 
> before him, which makes Evgeny's voice even more important.  What is new in 
> Evgeny's work is his desire to communicate these arguments to the larger 
> public and to advance the public interest.  
> 
> Sociologists and historians of science and technology -- along with the field 
> known as science, technology and society studies -- have critiqued the 
> Internet since at least the 1980's, with a larger critique about science and 
> technology since at least the 1950's and 1960's.  
> 
> Meanwhile, most journalists from the 1980's until recently have seemed more 
> interested in promulgating the claims of Silicon Valley, which had a 
> financial interest in their promulgation, than in communicating the problems 
> associated with the Internet, which social scholars spent so much time 
> documenting among themselves.  This is not an indictment of journalism.  
> There were, among other reasons, institutional pressures during this period 
> for journalists to use press-release templates. Moreover, finding out what 
> academics do as a non-academic is a long, arduous process.
> 
> For academics, the problem here, of course, is that their incentive is 
> focused on publishing articles 

Re: [liberationtech] Open Solicitation for Concept Notes: Open Technology Fund

2013-07-02 Thread Nadim Kobeissi

On 2013-07-02, at 3:07 PM, Griffin Boyce  wrote:

> Nadim Kobeissi  wrote: 
> Frederick did not call OTF a tool of US oppression, but a tool for aiding 
> U.S. foreign policy. I am very pleased that my project is supported by the 
> excellent people at OTF, but let us not kid ourselves and say that U.S. 
> foreign policy has nothing to do with anything. Even if foreign policy 
> considerations are involved, though, they are not necessarily negative or in 
> any way counter to the goals of developing liberation technology. But they 
> simply affect our landscape.
> 
> NK
> 
>   Well, sure.  And I would go so far as to say that various biases within the 
> US government have a serious negative impact when it comes to funding for 
> important projects.  Much of the non-profit grant funding in the US trickles 
> down from the government in some fashion.  (This is true well outside libtech 
> and the leakosphere).  But even if OTF is impacted by these biases, I don't 
> believe that the projects they fund are.  Which was my point.  I know almost 
> nothing about RFA's *other* projects.  But I disagree with FN's statement 
> that they are somehow "propping up US foreign policy."

Yes, that's pretty much it. I'm not sure I would go so far as to say that OTF 
is completely independent from U.S. foreign policy considerations, but their 
support of Cryptocat hasn't affected any of its decisions. With their funding 
or without it, we would be writing the exact same code for the exact same 
purpose (just probably a *lot* more slowly, and without the needed funding to 
hire code auditors).

I assume that the same is true for Tor, GlobaLeaks, RedPhone, and other OTF 
projects.

NK

> 
>   Just my $0.02.
> 
> ~Griffin
> 
> -- 
> Just another hacker in the City of Spies.
> #Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de
> 
> My posts, while frequently amusing, are not representative of the thoughts of 
> my employer.



Re: [liberationtech] Open Solicitation for Concept Notes: Open Technology Fund

2013-07-02 Thread Nadim Kobeissi

On 2013-07-02, at 1:17 PM, Griffin Boyce  wrote:

> Frederick FN Noronha फ्रेड्रिक नोरोन्या *فريدريك نورونيا 
>  wrote:
> For what? Propping up US foreign policy? FN
> 
>   That's an interesting statement, and I'm not sure it's really reflected in 
> the types of projects that OTF funds[1].  GlobaLeaks doesn't really seem like 
> a tool of US oppression or what-have-you.  Neither does Cryptocat, Commotion, 
> Whisper Systems, or any of the others.

Frederick did not call OTF a tool of US oppression, but a tool for aiding U.S. 
foreign policy. I am very pleased that my project is supported by the excellent 
people at OTF, but let us not kid ourselves and say that U.S. foreign policy 
has nothing to do with anything. Even if foreign policy considerations are 
involved, though, they are not necessarily negative or in any way counter to 
the goals of developing liberation technology. But they simply affect our 
landscape.

NK

> 
>   Though it's worth noting, in the interests of full disclosure, that I work 
> on two of those projects. Caveat lector.
> 
> ~Griffin
> [1] https://www.opentechfund.org/projects
> -- 
> Just another hacker in the City of Spies.
> #Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de
> 
> My posts, while frequently amusing, are not representative of the thoughts of 
> my employer.


Re: [liberationtech] Silent Circle experiences rapid growth in wake of NSA surveillance scandal

2013-07-01 Thread Nadim Kobeissi
Silent Circle's response to critical security vulnerabilities has been 
*extremely* bad. They recently quietly fixed numerous critical vulnerabilities 
that could lead to a full compromise, without informing their users or 
submitting an advisory in any way.

Pointing to the vulnerable code on their GitHub led to both myself and Arturo 
(from GlobaLeaks) being censored.

More information: 
https://github.com/SilentCircle/silent-phone-base/issues/5#issuecomment-20232374

NK

On 2013-07-01, at 2:35 PM, Yosem Companys  wrote:

> http://gcn.com/blogs/cybereye/2013/06/agencies-sudden-interest-encrypted-comm.aspx
> 
> Agencies showing sudden interest in encrypted comm
> 
> Silent Circle, the company that provides end-to-end BYOD encryption,
> has introduced a Web-based management console to support large
> deployments of crypto licenses. It was developed largely in response
> to government demand for a tool to manage enterprisewide licensing,
> said CEO Mike Janke.
> 
> Government was always a primary market for Silent Circle, but the
> speed of adoption has caught the company by surprise.
> 
> “We had no idea that government customers would need a thousand
> subscriptions,” said Janke, a former Navy SEAL. “We didn’t see any of
> this coming. We envisioned 10 special ops guys, reporters in Sudan or
> some individuals around the world.”
> 
> Silent Circle’s secure voice, text, mail and video communications have
> gone in less than a year from being a point-to-point solution to an
> enterprise tool. There has been strong adoption in the financial
> industry and with oil companies, but “most of it was from [the Defense
> Department] and other government agencies,” Janke said.
> 
> The company has benefited from current events, particularly recent
> revelations about the National Security Agency’s surveillance of
> Internet and telephone communications. Growth, already a strong 100
> percent month-over-month, rocketed to 420 percent in the last
> two-and-a-half weeks. Agencies that were buying 50 subscriptions now
> are buying hundreds as concerns grow not only about government
> snooping, but also of government leaking.
> 
> Encrypted communications is not new. What Silent Circle has done is
> make it practical for bring-your-own-device environments by harnessing
> the computing power of smart phones for crypto key management, cutting
> the middle man out of the security equation. Keys remain in the hands
> of the end users rather than a server, eliminating the need for trust
> in a third party.
> 
> Secure peer-to-peer connections with Silent Circle Android and iOS
> apps use the Zimmermann Real Time Transport Protocol, a crypto key
> agreement protocol for voice over IP that uses the Diffie-Hellman key
> exchange and the Secure Real Time Transport Protocol. Encryption is
> done with NSA Suite B cryptography, a public interoperable set of
> crypto tools that include the Advanced Encryption Standard, Secure
> Hash Algorithm 2 and elliptic curve digital signature and key
> agreement algorithms. The company operates its own network with SIP
> servers and codecs, but all encryption and security remain on endpoint
> devices.
> 
> Just 35 percent of the company’s business is in North America, with
> the rest of it off-shore in countries where security has long been a
> bigger issue than here. “We look at things in a bit of a bubble here
> compared to the rest of the world,” Janke said. People in Europe and
> Asia not only have to worry about NSA snooping, but also about their
> own intelligence agencies.
> 
> Although it is available in time to take advantage of the post-PRISM
> boom in secure communications, the new console was in the works well
> before the NSA leaks. “It took five months for our team to create
> this,” Janke said, primarily because of the security required for the
> portal. The console is a business management tool only and has nothing
> to do with encryption. It does not hold or manage keys and does not
> have access to message content. “It in no way, shape or form touches
> the technology.”
> 
> Despite the unexpected growth, Janke said Silent Circle is holding to
> its course for releasing new products this year, several of which,
> requested by government customers, now are in beta. These include
> encrypted file transfer from desktops, secure video conference calling
> and encrypted voice mail.
> 
> Posted by William Jackson on Jun 28, 2013 at 9:41 AM



[liberationtech] Multiple vulnerabilities in Silent Circle

2013-06-27 Thread Nadim Kobeissi
Thanks to Arturo Filastò for pointing this out:
https://github.com/SilentCircle/silent-phone-base/issues/5

Many remotely executable overflows in the ZRTP library used by Silent Circle.

NK


Re: [liberationtech] DuckDuckGo vs Startpage [was: Help test Tor Browser]

2013-06-24 Thread Nadim Kobeissi

On 2013-06-24, at 8:20 PM, Mike Perry  wrote:

> Nadim Kobeissi:
>> I'd just like to add that I'm a DuckDuckGo user myself and that I can
>> definitely vouch for the service.
> 
> I've had a number of people tell me that they vouch for DuckDuckGo. What
> does this even mean? Nobody seems to be capable of rationally explaining
> it.
> 
> Have you inspected their datacenter/server security? Have you audited
> their logging mechanisms?

Oh! I see my statement has been applied to a different context than the one I 
originally intended. I simply meant that I vouch for DuckDuckGo as a great 
service with good policies. I was not commenting with regards to their server 
security or logging mechanisms. In fact, how could I? I don't suppose it's easy 
or even possible to, at whim, audit the datacenter of any big search engine. 
Such an endeavour would require facilitation from the DuckDuckGo team. Auditing 
a search engine is not like auditing a git repository.

NK

> 
> Does DuckDuckGo even have an https channel to Bing on the back end?
> 
> 
> Note that I don't vouch for StartPage. I merely think that StartPage
> provides superior search results to DDG.
> 
> In fact, I wish both companies the best of luck business-wise, and I'm
> happy to have both of them at the two top positions in TBB's omnibox.
> 
> This is because right now, there are only two ways to get https web
> search results over Tor. Microsoft allows Tor, but has officially
> refused to support https directly for Bing. Google regularly bans Tor
> nodes entirely, often without the possibility of even entering a Captcha
> or using a valid Gmail account (both of which are non-starters for a
> default engine of course, but would be better than status quo).
> 
> Every time Tor tries to start a conversation with either Google or
> Microsoft on these two topics, they both give us a litany of excuses as
> to why fixing the situation is a "hard problem", even after we present
> potential cost-effective engineering solutions to both problems.
> 
> For this reason, the loss of either DDG or Startpage would scare the
> shit out of me, but right now, neither one has done enough for Tor to
> warrant the default search position**, and since StartPage tends to
> index more of the deep web faster, it is my opinion we should stick with
> them as the top position, and have DDG in second.
> 
> 
> ** Sure, DuckDuckGo runs a hidden service, and also one of the slowest
> Tor relays on the network (rate limited to 50KB/sec or less), but it is
> quite debatable as to if either of these things are actually helpful to
> Tor. In fact, such a slow Tor relay probably harms Tor performance more
> than helps (in the rare event that you actually happen to select it).
> 
> 
> -- 
> Mike Perry



Re: [liberationtech] Help test the new Tor Browser!

2013-06-24 Thread Nadim Kobeissi
I'd just like to add that I'm a DuckDuckGo user myself and that I can 
definitely vouch for the service.

NK


On 2013-06-24, at 6:50 PM, Mike Perry  wrote:

> Jacob Appelbaum:
>> Jillian C. York:
>>> +1
>>> 
>>> 
>>> On Mon, Jun 24, 2013 at 2:38 PM, Cooper Quintin
>>> wrote:
>>> 
>>>> Start page also allows you to generate a url that has certain settings,
>>>> for example this one (
>>>> https://startpage.com/do/mypage.pl?prf=c2a9ee9b20d61e980b6f6cce7026bc91
>>>> ) has safe search turned off and no caching for video and image search
>>>> results turned on.  It could be useful to put something like this in Tor
>>>> Browser to avoid search filtering.
>> 
>> It would be great if this was the default home page. I'd certainly be
>> happier with that as the default search engine.
> 
> I don't have anything against porn, and do I strongly believe we should
> make it easy for people to search for whatever they want (hence right
> now, I like the idea of adding a "Startpage (unfiltered)" omnibox item
> rather than changing the default), but I am not sure that I like the
> idea of exposing people to porn who are not looking for it. I worry that
> changing the default *might* do this.
> 
> 
> Two things could tip the scales in my mind either way about the default:
> 
> 1. Can anyone provide concrete examples where the image and/or video
> filters of Startpage/Google (I think Startpage just uses Google's
> filters) have inadvertently censored material that is not porn, and this
> error has persisted uncorrected for a significant period of time?
> 
> I think it is important to weigh this against people being provided with
> porn results if they are not actually looking for porn -- which is an
> important issue of consent, IMO. I am sure there are many Muslim users
> of TBB who do not want to see porn at all, and merely want free access
> to information. The possibility of subjecting those people to porn
> potentially against their will weighs on me a bit..
> 
> 
> 2. The converse is that making people in the Islamic world who *are*
> looking for porn potentially signal this via their omnibox choice isn't
> a great option either, since that choice can leak to disk. I don't think
> it is fair to allow these people to potentially subject themselves to
> government persecution via this choice. :/
> 
> 
> I am open to suggestions on how to balance these concerns.
> 
> 
> 
> -- 
> Mike Perry



Re: [liberationtech] Call for Participants @ Noisy Square - Putting the Resistance back in OHM

2013-06-24 Thread Nadim Kobeissi

On 2013-06-24, at 6:23 PM, Griffin Boyce  wrote:

>   Not only am I going to be presenting three talks at OHM, I will be 
> presenting talks that are (in many ways) totally dead conversations in the 
> US.  
> 
>   It's interesting how much of the debate centers around the presence of 
> police at OHM, as if American hacker cons didn't have the head of the NSA 
> presenting keynotes. Or congratulating a child for doing things an adult 
> could be prosecuted for.  I find it really hard to pass judgement on OHM 
> organizers when our own ecosystem is so unbelievably toxic.

Hear hear, Griffin.
Also, Micah made some good points.

Adding on what Griffin and Micah have said, I think OHM is an opportunity for 
those discussions to happen between legitimate people at a legitimate and 
exciting event. I myself am presenting a talk and a workshop at OHM and 
NoisySquare.

If you want to focus your ire on something, go take a look at how DEFCON and 
BlackHat are inviting NSA Director Keith Alexander to give the keynote!

NK

> 
>   I guess it's different when the cops are Dutch.
> 
> ~Griffin
> 
> -- 
> Just another hacker in the City of Spies.
> #Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de
> 
> My posts, while frequently amusing, are not representative of the thoughts of 
> my employer.



Re: [liberationtech] Help test the new Tor Browser!

2013-06-24 Thread Nadim Kobeissi

On 2013-06-24, at 3:43 PM, Jacob Appelbaum  wrote:

> Brian Conley:
>> Thanks Dragana,
>> 
>> But wouldn't that mean there is no new browser bundle for recent macs as
>> only 32 is specified at Jacob's link?
> 
> Hi Brian,
> 
> So a few things - one is that if you go into "About this mac" you should
> see a system profiler link or a "details" button of some sort. This
> should allow you to see the details of the hardware. You may also find
> this system profiler application by searching with spotlight, I think it
> is in /Applications/Utilities/ - or something similar.
> 
> Next up - if you have a 64bit mac, I think you can run 32bit mac os x
> programs without any issues at all. Thus if you download the
> TorBrowserBundle-3.0-alpha-1-osx32_en-US.zip file and verify it:
> 
> 
> https://people.torproject.org/~mikeperry/tbb-3.0alpha1-builds/official/TorBrowserBundle-3.0-alpha-1-osx32_en-US.zip

Yup, works on my 64-bit Mac just fine. Should work for you too, Brian.

NK

> 
> Verify it by checking the signature of the hash list and then ensure
> that the hash for your TorBrowserBundle-3.0-alpha-1-osx32_en-US.zip file
> matches:
> 
> https://people.torproject.org/~mikeperry/tbb-3.0alpha1-builds/official/sha256sum.txt.asc
> https://people.torproject.org/~mikeperry/tbb-3.0alpha1-builds/official/sha256sum.txt
> 
> In the case of the OS X build for the English speaking audience, you
> should see a sha256sum of:
> 
> c141e2db01a395bdd480357b1b808691f2a61f4d12e9039806fe0ac538d2e38d
> TorBrowserBundle-3.0-alpha-1-osx32_en-US.zip
> 
> If you download it to your downloads file, I believe on OS X you can see
> the hash by opening Terminal.app, change to the Downloads directory and
> then run the sha256sum command or the openssl command to verify the hash:
> 
>  cd ~/Downloads
>  sha256sum TorBrowserBundle-3.0-alpha-1-osx32_en-US.zip
> 
> Or if that doesn't work, I believe you can just type the following:
> 
>  openssl dgst -sha256
> ~/Downloads/TorBrowserBundle-3.0-alpha-1-osx32_en-US.zip
> 
> The output should look like this:
> 
> SHA256(/Users/x/Downloads/TorBrowserBundle-3.0-alpha-1-osx32_en-US.zip)=
> c141e2db01a395bdd480357b1b808691f2a61f4d12e9039806fe0ac538d2e38d
> 
> Once you have verified that these match the expected value, open the
> .zip file:
> 
>   open ~/Downloads/TorBrowserBundle-3.0-alpha-1-osx32_en-US.zip
> 
> Extract the TBB folder into /Applications/ for example.
> 
> Now run it with the Finder as you would any other application.
> 
> All the best,
> Jacob
> 
> P.S.
> 
> Please upgrade your Mac OS X version; I would not suggest running
> anything less than 10.8.x if I had a desire to stay safe. Apple tends to
> treat older OS X versions differently than the most current version of
> the OS.
> 
>> 
>> Brian
>> On Jun 24, 2013 3:18 PM, "Dragana Kaurin"  wrote:
>> 
>>> On 06/24/2013 02:53 PM, Brian Conley wrote:
>>> 
>>> Hi Jacob,
>>> 
>>> This is great news, do you know when the new version available for
>>> download on torproject.org?
>>> 
>>> Also, I'm not sure how I know whether I'm running 32 or 64 bit OSX 10.6,
>>> since it doesn't tell me in the "About this Mac."
>>> 
>>> 
>>> What kind of processor do you have? Intel Core 2 Duo, Intel Quad-Core
>>> Xeon, or Intel Core i5 and i7 are all 64-bit.
>>> 
>>> 
>>> While I can certainly figure that out, I'm not sure how many users will
>>> be able to solve this issue, much less be aware it is an issue (I only
>>> recently (2 years back?) realized it exists on Windows, much less Mac). Any
>>> thoughts about this, besides trial and error?
>>> 
>>> B
>>> 
>>> 
>>> On Tue, Jun 18, 2013 at 5:24 AM, Masayuki Hatta  wrote:
>>> 
>>>> Hi,
>>>> 
>>>> Now the new TBB works nicely for me, and I love it.  One regret is UI
>>>> messages are not translated into Japanese...actually, the messages seem to
>>>> be already translated (
>>>> https://www.transifex.com/projects/p/torproject/language/ja/), but
>>>> somehow they don't show up (messages in the installer are translated, btw).
>>>> Is there anything I can help with?
>>>> 
>>>> Best regards,
>>>> MH
>>>> 
>>>> 
>>>> 2013/6/17 Jacob Appelbaum 
>>>> 
>>>>> Hi,
>>>>> 
>>>>> I'm really excited to say that Tor Browser has had some really important
>>>>> changes. Mike Perry has really outdone himself - from deterministic
>>>>> builds that allow us to verify that he is honest to actually having
>>>>> serious usability improvements. I really mean it - the new TBB is
>>>>> actually awesome. It is blazing fast, it no longer has the sometimes
>>>>> confusing Vidalia UI, it is now fast to start, it now has a really nice
>>>>> splash screen, it has a setup wizard - you name it - nearly everything
>>>>> that people found difficult has been removed, replaced or improved.
>>>>> Hooray for Mike Perry and all that helped him!
>>>>> 
>>>>> Here is Mike's email:
>>>>> 
>>>>> https://lists.torproject.org/pipermail/tor-talk/2013-June/028440.html
>>>>> 
>>>>> Here is the place to download it:
>>>>> 
>>>>> https://people.torproject.org/~mikeper
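The verification steps Jacob describes above (check the signature on the hash list, then compare the file's digest with the listed one), as an added shell script that is not from the thread or from the Tor Project: it uses whichever SHA-256 tool the machine has, as the post's sha256sum/openssl alternatives do, and the sample file and listing it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Tor Project.
# Verifies a download the way the post describes: check the signature on the
# sha256sum.txt listing, then compare the file's SHA-256 digest with the entry
# recorded for it. Function and variable names are this example's own.

# SHA-256 hex digest of a file, using whichever tool the machine has
# (GNU sha256sum, BSD/macOS shasum, or openssl as in the post).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Expected digest for a file name from a sha256sum.txt listing, whose lines
# look like "<hex digest>  <file name>" (sha256sum may prefix the name with
# "*" for binary mode). Prints nothing when the name is not listed.
expected_digest() {
    # $1 = listing path, $2 = file name exactly as recorded in the listing
    awk -v name="$2" '$2 == name || $2 == ("*" name) { print $1; exit }' "$1"
}

# Check the OpenPGP signature on the listing before trusting its digests.
# $1 = detached signature (sha256sum.txt.asc), $2 = the listing it signs.
# Returns 0 only on a good signature from a key already in the keyring;
# in practice, also pin the expected signing key's fingerprint.
verify_listing_signature() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify $1" >&2
        return 1
    fi
    gpg --verify "$1" "$2" >/dev/null 2>&1
}

# Compare a downloaded file with its listed digest.
# $1 = listing path, $2 = downloaded file path.
# Returns 0 on a match, 1 on a mismatch, 2 when the file is not listed.
verify_download() {
    name=$(basename "$2")
    want=$(expected_digest "$1" "$name")
    if [ -z "$want" ]; then
        echo "$name: not listed in $1" >&2
        return 2
    fi
    got=$(sha256_of "$2")
    if [ "$got" = "$want" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH (expected $want, got $got)" >&2
    return 1
}

# Constructed sample: a 3-byte "download" whose SHA-256 is the well-known
# digest of "abc", listed under a made-up bundle name. Returns 0 when the
# intact file verifies AND a tampered copy is rejected, 1 otherwise.
demo_constructed_sample() {
    dir=$(mktemp -d)
    status=0
    printf 'abc' > "$dir/sample-bundle.zip"
    printf '%s  %s\n' \
        ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
        sample-bundle.zip > "$dir/sha256sum.txt"
    if ! verify_download "$dir/sha256sum.txt" "$dir/sample-bundle.zip"; then
        status=1
    fi
    printf 'abd' > "$dir/sample-bundle.zip"   # simulate a tampered download
    if verify_download "$dir/sha256sum.txt" "$dir/sample-bundle.zip" 2>/dev/null; then
        echo "tampered file passed verification" >&2
        status=1
    fi
    rm -rf "$dir"
    return $status
}
```

For a real download, run verify_listing_signature on sha256sum.txt.asc and sha256sum.txt first and only then verify_download with the listing and the downloaded .zip.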

[liberationtech] Cryptocat: Adopting Accessibility and Ease of Use as Security Properties

2013-06-24 Thread Nadim Kobeissi
Today, with Cryptocat nearing 65,000 regular users, the Cryptocat project 
releases “Cryptocat: Adopting Accessibility and Ease of Use as Security 
Properties,” a working draft which brings together the past year of Cryptocat 
research and development.

We document the challenges we have faced, both cryptographic and social, and 
the decisions we’ve taken in order to attempt to bring encrypted communications 
to the masses.

Paper: http://arxiv.org/abs/1306.5156

Give it a read, and please share it with people who might be interested. 
Feedback and discussion are welcome.

Excerpt from the introduction follows.

———

Cryptocat is a Free and Open Source Software (FL/OSS) browser extension that 
makes use of web technologies in order to provide easy to use, accessible, 
encrypted instant messaging to the general public. We aim to investigate how to 
best leverage the accessibility and portability offered by web technologies in 
order to allow encrypted instant messaging an opportunity to better permeate on 
a social level. We have found that encrypted communications, while in many 
cases technically well-implemented, suffer from a lack of usage due to their 
being unappealing and inaccessible to the “average end-user”.

Our position is that accessibility and ease of use must be treated as security 
properties. Even if a cryptographic system is technically highly qualified, 
securing user privacy is not achieved without addressing the problem of 
accessibility. Our goal is to investigate the feasibility of implementing 
cryptographic systems in highly accessible mediums, and to address the 
technical and social challenges of making encrypted instant messaging 
accessible and portable.

NK


Re: [liberationtech] Brazilian Activists automatically being banned from Facebook

2013-06-22 Thread Nadim Kobeissi

On 2013-06-22, at 7:58 PM, André Costa  wrote:

> Hello guys 
> 
> Just to let you all know, we have found it possibly was a well-organized 
> deceit. Apparently someone has spammed many messages with words related to 
> the military, and then started to spread a rumor that there was a 
> surveillance scheme going on. Since the combination of those words had 
> already been reported as spam, all messages started to be automatically 
> blocked. 

That sounds credible to me.

> 
> Some fears and rumours about the possibility of an attempt against democracy 
> in Brazil have been circulating here lately, and those dreads are generally 
> projected upon the military. Someone probably took advantage of this 
> situation to spread  misinformation and more fear.

The best thing to do is to adopt a wise security posture and focus more on 
keeping your own communicative safety and ignoring rumours and bait :-)

NK

> 
> Thanks to everyone who tried to help.
> André
> 
> Sorry for the confusion. This is not the only case of the infowar that's 
> happening here, since journalists from independent media outlets received 
> attacks on their webpages lately.
> 2013/6/22 André Costa 
> Hello guys
> 
> I cannot say exactly what's going on in Brazil, but we have just revealed 
> what seems to be the tip of a surveillance strategy related to the military. 
> We have found that, when you send the message "Meu amigo general disse que a 
> Força Nacional tá mega bem equipada, pra qualquer emergência."   on the chat, 
> this content is automatically reported as abusive and the account is 
> automatically suspended. 
> 
> For those who do not understand Portuguese, this sentence would translate as 
> "My General-of-the-army friend said that the National Security Forces are 
> very well equipped, for the case of any emergence". At least five friends 
> needed to reconfirm their account, whereas I have not been able to come back.
> 
> I suspect that this system of automatically banning probably works outside 
> Brazil as well, so you may try it yourselves, but take care, because it may 
> not let you get your accounts back. 
> 
> Could you try to put some light on this? Any idea of what it may be?
> 
> Thank you very much for any help
> Andre
> 
> 



Re: [liberationtech] Brazilian Activists automatically being banned from Facebook

2013-06-22 Thread Nadim Kobeissi
Hello Andre,
For what it's worth, I tried sending this message on my Facebook (I am in 
Canada) and nothing happened. So the blocking, if factual, is probably limited 
to a certain number of accounts.

From personal experience, I don't recall hearing about this sort of thing 
happening in the past. Facebook Chat anti-abuse is usually triggered by URLs, 
not by regular messages, as far as I know.

NK

On 2013-06-22, at 4:54 PM, André Costa  wrote:

> Hello guys
> 
> I cannot say exactly what's going on in Brazil, but we have just revealed 
> what seems to be the tip of a surveillance strategy related to the military. 
> We have found that, when you send the message "Meu amigo general disse que a 
> Força Nacional tá mega bem equipada, pra qualquer emergência."   on the chat, 
> this content is automatically reported as abusive and the account is 
> automatically suspended. 
> 
> For those who do not understand Portuguese, this sentence would translate as 
> "My General-of-the-army friend said that the National Security Forces are 
> very well equipped, for the case of any emergence". At least five friends 
> needed to reconfirm their account, whereas I have not been able to come back.
> 
> I suspect that this system of automatically banning probably works outside 
> Brazil as well, so you may try it yourselves, but take care, because it may 
> not let you get your accounts back. 
> 
> Could you try to put some light on this? Any idea of what it may be?
> 
> Thank you very much for any help
> Andre



Re: [liberationtech] Any thoughts on this?

2013-06-22 Thread Nadim Kobeissi
Yeah, this is completely nuts. You're sending the service's owner(s) your 
password and plaintext in the clear. The person(s) operating this service 
get(s) all the passwords, all the plaintext, and even which IP address is 
sending/receiving plain texts at what time with each password. It's terrifying.

For what it's worth, I've tweeted at the author asking him to take it down. He 
seems to be just a well-meaning guy:
https://twitter.com/kaepora/status/348530356317741056

NK

On 2013-06-22, at 2:45 PM, Julian Oliver  wrote:

> ..on Sat, Jun 22, 2013 at 09:15:45AM -0700, Yosem Companys wrote:
>> From: Dewald Pretorius, owner of SocialOomph.com
>> 
>> The alarming revelations of the extent to which our privacy is being
>> invaded by governments have inspired me to create a free encryption service
>> that is for everyone. It is gratis, it's extremely easy to use, and it's
>> anonymous (no need to sign up).
>> 
>> https://www.encryptfree.com
>> 
>> Essentially, you use the free service to encrypt the text you want to
>> protect, paste the encrypted version into an email, tweet, Facebook post,
>> Google+ post, etc., and give the decryption password to the intended
>> recipient. The recipient uses the site to decrypt the text using the
>> password you chose (only someone who knows the password can decrypt the
>> text).
> 
> It's done server-side and so the owner of that service is in the sweet spot,
> getting everyone's text in the clear. Whether he actually does delete the text
> as he says begs far too much trust. Who says he wouldn't sell out if offered a
> ton of money for a back door? I certainly wouldn't use it for anything remotely
> important. 
> 
> PGP/GNUPG is a better way to go, done locally on the user's machine. PGP Desktop
> clients can be used for encrypting text, independently of email. 
> 
> Here's one for OS X:
> 
>https://gpgtools.org/
> 
> Windows:
> 
>http://gpg4win.org/
> 
> Us GNU/Linux users can just use the command line or a GUI like:
> 
>http://utils.kde.org/projects/kgpg/
>http://projects.gnome.org/seahorse/
> 
> Cheers,
> 
> -- 
> Julian Oliver
> http://julianoliver.com
> http://criticalengineering.org



Re: [liberationtech] to encrypt or not to encrypt?

2013-06-21 Thread Nadim Kobeissi

On 2013-06-21, at 12:57 PM, Joseph Lorenzo Hall  wrote:

> 
> 
> On Fri Jun 21 12:51:11 2013, phryk wrote:
>> On Fri, 21 Jun 2013 11:55:57 -0400
>> Nadim Kobeissi  wrote:
>> 
>>> The solution to this is to make encryption more and more widely used.
>>> By increasing the number of people with access to encryption
>>> technology for their communications, we dilute this threat.
>> 
>> My thought exactly, just encrypt ALL THE THINGS and let those people
>> deal with humungous amounts of data, most of which will be completely
>> useless even if decrypted.
> 
> What about the theory that by encrypting all the things we are feeding 
> some massively large NSA cryptanalysis project that uses different 
> flavors of ciphertext to find weaknesses? Very conspiracy theorist-y, 
> but I've heard a few people say that maybe we shouldn't "donate" 
> unnecessary ciphertext to such a project. :/

Just to me personally, this really doesn't sound credible at all. The NSA 
doesn't need people to generate ciphertext. Ciphertext generation is 
inexpensive.

NK

> 
> best, Joe
> 
> --
> Joseph Lorenzo Hall
> Senior Staff Technologist
> Center for Democracy & Technology
> 1634 I ST NW STE 1100
> Washington DC 20006-4011
> (p) 202-407-8825
> (f) 202-637-0968
> j...@cdt.org
> PGP: https://josephhall.org/gpg-key
> fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8
> 
> 
> 



[liberationtech] PRISM Op-ed for NewInt

2013-06-21 Thread Nadim Kobeissi
I wanted to share this small piece I wrote for The New Internationalist on 
PRISM:
http://newint.org/blog/2013/06/21/prism-surveillance-nsa-software/

Feedback welcome! :-)


___


Thursday 6 June, the day the PRISM story broke, was a good day to be a 
cryptographer. The sudden prospect of mass, unwarranted surveillance delivered 
an electric shock to thousands who were now looking for ways to protect their 
privacy online. At Cryptocat, we saw nearly 5,000 new individuals starting to 
use our free encrypted chat software. Other privacy and encryption services saw 
a rise of as much as 3,000 per cent in new users.

People increasingly want to believe that technology has the answers, and the 
PRISM scandal only made this want more desperate. While giving a recent 
interview to Al Jazeera, I was met with a combative interviewer who insisted 
that I, as a privacy software developer, focus on how privacy software can 
fight PRISM. But the mass surveillance the world is facing at the hands of the 
NSA (US National Security Agency) is not something that can be treated with the 
help of a handful of open software projects. Like all epidemics, the solution 
lies with preventing it before the outbreak, and not relying on nimble, 
narrowly-targeted medicine after the disaster has occurred. This prevention can 
only be at the hands of political, legal, and civil discourse.

Just as it is tempting for privacy-seekers to believe that the solution against 
PRISM is as easy as downloading an app, it is also tempting for privacy 
technologists to ride on the wave of new demand for privacy. But this is not a 
technological problem — it’s a social, political issue that stems from the 
permission given to intelligence apparatuses to rise above the law. It’s a 
fallaciously upheld threat to a healthy international democratic mindset.

When I say that this surveillance is an international problem, I do so under 
the premise that we increasingly belong in a world where our workforce has been 
raised with the internet having the monopoly over the proliferation of culture 
and communication. It is in this world that we are seeing the NSA asking 
lawmakers to give immunity to private entities should they inadvertently break 
the law in order to satisfy the NSA’s surveillance requests, effectively and 
literally putting surveillance above the law. The NSA, which has also long 
argued using a so-called distinction between domestic and foreign surveillance, 
has seen this distinction completely lose its legitimacy in front of the 
revelations surrounding the PRISM program. In today’s strongly globalized 
world, this surveillance, free from discernment, affects everyone, be they 
American, Canadian or Egyptian. The centralization of Internet capital within 
the US aids this: it means that your private data is fair game when you use the 
services of any of the companies established there, such as Facebook, Google or 
Skype, no matter your location.

These secret programs enjoy strong co-operation from Silicon Valley. Skype, 
which in 2008 boasted that its strong privacy architecture prevents it from 
handing data to law enforcement, formed the secretive Project Chess program in 
2009 which was tasked with doing just that. Apple, which still holds that it 
maintains customer privacy at all costs, has been implicated in more than one 
government surveillance and law enforcement request program. It is only now, 
post-PRISM, and years after these programs have been enacted, that we see these 
revelations discussed in the Guardian, Washington Post, New York Times and 
other big press. But privacy technologists and encryption software developers 
have long known that this kind of surveillance is likely to exist.

The argument for national security does not have to come accompanied with the 
violation of the privacy rights of the entire global community. It doesn’t have 
to come with the undermining of democratic and legislative values. But this is 
exactly what is happening: surveillance interests have been allowed to operate 
above the law and the spirit of democratic discourse. The resulting problems 
are far too serious to be addressed with the use of privacy tools and software, 
which can at most act as shims. The problem is rather more human, political and 
ultimately historical.


NK


Re: [liberationtech] to encrypt or not to encrypt?

2013-06-21 Thread Nadim Kobeissi
The solution to this is to make encryption more and more widely used. By 
increasing the number of people with access to encryption technology for their 
communications, we dilute this threat.

NK

On 2013-06-21, at 11:52 AM, Michael Rogers  wrote:

> It's unfortunate that Ars Technica has chosen that angle, since I
> believe it misrepresents the situation: if you use encryption, the NSA
> may indeed retain your encrypted traffic, but won't be able to read
> it. If you don't use encryption, the NSA will be able to read your
> traffic, and will retain it if it contains anything interesting, or if
> you're not an American. So encryption is still a net gain for privacy.
> 
> Blending in is a red herring in my opinion - metadata (which isn't
> subject to the restrictions discussed in the Ars Technica article)
> reveals who talks to whom and when. That's sufficient to identify
> persons of interest, regardless of whether they use encryption. Any
> activist or journalist should assume they're already a person of
> interest, thanks to their job and the people they talk to. Not to be
> subject to surveillance would be something of a professional
> embarrassment. ;-) So forget about blending in. Assume you're subject
> to surveillance, and think about what steps you're going to take in
> response.
> 
> Cheers,
> Michael
> 
> On 21/06/13 16:41, dan mcquillan wrote:
> > a few people who came to our university cryptoparty asked whether 
> > they're just going to draw attention to themselves by encrypting
> > email.
> > 
> > the latest leaks seems to give a firm 'yes', as the NSA
> > specifically keeps encrypted comms indefinitely.
> > 
> > sample news item:
> > http://www.techdirt.com/articles/20130620/15390323549/nsa-has-convinced-fisa-court-that-if-your-data-is-encrypted-you-might-be-terrorist-so-itll-hang-onto-your-data.shtml
> > 
> > how would list members answer the question 'to encrypt or not to
> > encrypt'?
> > 
> > cheers dan
> > 
> > 
> > 
> > 
> 
> 


Re: [liberationtech] Help test the new Tor Browser!

2013-06-17 Thread Nadim Kobeissi
This is a really awesome improvement. I tried the new Tor Browser yesterday (OS 
X) and loved it. Did not encounter any problems.

Really glad to see such drastic usability improvements for Tor.

NK

On 2013-06-17, at 9:45 AM, Jacob Appelbaum  wrote:

> Hi,
> 
> I'm really excited to say that Tor Browser has had some really important
> changes. Mike Perry has really outdone himself - from deterministic
> builds that allow us to verify that he is honest to actually having
> serious usability improvements. I really mean it - the new TBB is
> actually awesome. It is blazing fast, it no longer has the sometimes
> confusing Vidalia UI, it is now fast to start, it now has a really nice
> splash screen, it has a setup wizard - you name it - nearly everything
> that people found difficult has been removed, replaced or improved.
> Hooray for Mike Perry and all that helped him!
> 
> Here is Mike's email:
> 
> https://lists.torproject.org/pipermail/tor-talk/2013-June/028440.html
> 
> Here is the place to download it:
> 
> https://people.torproject.org/~mikeperry/tbb-3.0alpha1-builds/official/
> 
> Please test it and please please tell us how we might improve it!
> 
> All the best,
> Jacob


[liberationtech] Spy stoppers: meet the companies benefiting from the PRISM privacy scare

2013-06-12 Thread Nadim Kobeissi
"The world is still reeling from the leaked details of the NSA's PRISM program, 
reported to give the government's top spies access to personal user data 
collected by Google, Apple, Microsoft, and other services. But while the 
mainstream is fighting over the precise nature of PRISM, the world of 
cryptography is feeling strangely validated"

http://www.theverge.com/2013/6/12/4422480/is-prism-good-news-for-cryptographers

NK


Re: [liberationtech] Guardian reporter delayed e-mailing NSA source because crypto is a pain

2013-06-12 Thread Nadim Kobeissi
On 2013-06-12, at 6:20 AM, Eugen Leitl  wrote:

> On Wed, Jun 12, 2013 at 06:15:30AM -0400, Sheila Parks wrote:
>> Why not use "her" instead of "his"?
>> 
>> Using "his" in 2013 is, indeed,  misogyny
> 
> List moderator, please control this before it completely goes out of hand.

+1

NK

> 
> People are trying to get work done here, and this is not helping.


[liberationtech] Guardian reporter delayed e-mailing NSA source because crypto is a pain

2013-06-11 Thread Nadim Kobeissi
This story really solidifies why I believe that we need to make privacy 
technologies accessible to journalists, instead of simply focusing on the other 
way around.

Glenn Greenwald had to substantially delay his communications with Edward 
Snowden due to how inaccessible a lot of privacy and encryption software is to 
use.

Our main and primary goal at Cryptocat has been to focus on making encrypted 
communications accessible, easier to use and fun and attractive. We've always 
believed that accessibility is a security feature, and this idea is at the core 
of our project.

http://arstechnica.com/security/2013/06/guardian-reporter-delayed-e-mailing-nsa-source-because-crypto-is-a-pain/

NK


Re: [liberationtech] Cryptocat: Translation Volunteers Needed

2013-06-11 Thread Nadim Kobeissi
I would sincerely like to apologize to the LibTech community for this 
incredibly embarrassing episode.

NK

On 2013-06-11, at 6:56 PM, Catherine Roy  wrote:

> On 11/06/2013 5:54 PM, Andy Isaacson wrote:
>> The amount of work you're demanding (and yes, your first public post did 
>> come across as, arguably, demanding; and you doubled down when Nadim pushed 
>> back)
> 
> I suggest you read my first email again. I did not "demand" anything. I asked 
> why Opera was not supported. If someone had bothered to give me the reasons 
> that you offered in your message instead of a) ignoring me, b) insulting me 
> off-list, c) claiming that n% of users (roughly over 200 million) was not 
> worth the trouble and/or d) telling me to just contribute code (as if 
> everyone can just do that in the real world), this discussion would likely 
> have gone very differently.
> 
> I feel that this discussion has become quite off-topic and much too personal 
> so I will not be commenting again on this subject. I am however available for 
> discussions off-line, provided that they are respectful and constructive.
> 
> Best regards,
> 
> 
> Catherine
> 
> -- 
> Catherine Roy
> http://www.catherine-roy.net
> 


Re: [liberationtech] Cryptocat: Translation Volunteers Needed

2013-06-11 Thread Nadim Kobeissi

On 2013-06-11, at 7:31 AM, Eugen Leitl  wrote:

> On Mon, Jun 10, 2013 at 08:21:40PM -0400, Catherine Roy wrote:
>> On 10/06/2013 7:37 PM, Travis McCrea wrote:
>>> Opera is being released now on Webkit, though I am sure you will still have 
>>> legacy opera users... I think you could put this issue a little further 
>>> down on your list.
>> 
>> I guess using Cryptocat will also be further down my list.
> 
> You will find that proprietary systems will receive less (frequently
> none) support. This is due to difficulties developing for proprietary
> systems, but also due to effective impossibility to verify
> security of proprietary systems. So open source is at a distinct
> advantage here.
> 
> For an end user interested in secure communication it is always a
> good idea to pick the most supported platform. In case of browsers,
> that will be Firefox and Chromium (not Chrome), in that order of 
> precedence.
> 
> In general, browsers have giant vulnerability surfaces, and should
> not be used for anything serious. A little security is a dangerous thing.

This has been getting a lot better very quickly, to a point where I'm 
optimistic about the future. Specifically I'm very excited about the situation 
with Chrome OS on Chromebooks. Chrome OS is currently (I believe) one of the 
most secure operating systems out there that still manages to be very highly 
functional and usable. That's why we make sure Cryptocat is specifically 
compatible and usable on it.

I would trust Cryptocat on a Chromebook more than Pidgin-OTR on 
Windows/Mac/Linux any day of the week. (Of course this is only my preference, 
but Pidgin-OTR's sheer number of un-patched 0days and lack of auditing is still 
a real issue.)

NK



Re: [liberationtech] Cryptocat: Translation Volunteers Needed

2013-06-11 Thread Nadim Kobeissi
On 2013-06-10, at 8:21 PM, Catherine Roy  wrote:

> On 10/06/2013 6:18 PM, Nadim Kobeissi wrote:
>> Catherine,
>> Opera is not "shut out". It's simply difficult to develop for Opera due to 
>> its limited browser extension API. Your email made it sound as if Cryptocat 
>> had something against the Opera browser.
> 
> My email is simply stating that Opera is shut out. How else should I 
> interpret this message: "Cryptocat is not available for your browser".
> 
> See screenshot: http://www.flickr.com/photos/zazie/9010759541/
> 
> I sent you a message off-list to inquire about this and received no response.
> 
> 
>> We have a ticket open for Opera compatibility in our code base. If you'd 
>> like to, you can contribute to Cryptocat for Opera development here:
>> https://github.com/cryptocat/cryptocat/issues/190
> 
> I am not a developer. Must we all be developers to have a significant 
> influence on these types of issues?

No, you can also repeatedly send me blandly demanding emails and then take the 
issue to the public when I don't answer immediately, and expect me to change 
Cryptocat's development roadmap to accommodate for you and the 1% that use a 
browser with a highly limited third-party development API.

Seriously, you're really frustrating.

NK

> 
> Best regards,
> 
> 
> Catherine
> 
> -- 
> Catherine Roy
> http://www.catherine-roy.net
> 
> 
> 
>> 
>> NK
>> 
>> On 2013-06-10, at 6:10 PM, Catherine Roy  wrote:
>> 
>>> Congrats. But, as I asked in a private email to which I got no response, 
>>> is there any reason why Opera is shut out?
>>> 
>>> Best,
>>> 
>>> 
>>> Catherine
>>> 
>>> -- 
>>> Catherine Roy
>>> http://www.catherine-roy.net
>>> 
> 


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread Nadim Kobeissi
On 2013-06-10, at 6:26 PM, Yosem Companys  wrote:

> The distinction between direct or indirect access is semantic, not 
> substantive, and likely irrelevant to most Americans.  What Americans want to 
> know is whether there is access to their personal data, and I would bet focus 
> groups would show that's the key takeaway of this incident.

Hear hear. And not just Americans want to know this — due to the fact that most 
Big Data is centred in the US, these secret programs affect the privacy of 
world citizens as well, just as much, and in the same way, as they affect 
Americans.

NK

> 
> As I said, a recent NY Times article spoke specifically of the embedding of 
> NSA employees at US tech firms via firms' corporate legal departments, and we 
> know how it happened at AT&T, with the employee getting carte blanche to do 
> whatever he wanted at the firm and take as much data as he wanted with no 
> questions asked.  
> 
> On Mon, Jun 10, 2013 at 3:09 PM, Jacob Appelbaum  wrote:
> x z:
> > @Jacob, I agree with your points regarding American exceptionalism.
> > @Eugen, to prepare for the worst scenario is one thing, to advocate some
> > shady rumor as fact is another.
> > @Rich, those are good movie scripts :-). But it does not work for 9 firms,
> > and hundreds of execs all with diverse values and objectives.
> > @Nadim, when you say "we all always 'knew' this was happening", I don't
> > know what "this" refers to. Is it NSA surveillance, or is it the "direct
> > access" bit?
> >
> > To me, the crucial point is the "*direct access*", and also Guardian's
> > claim of these firms "willingly participating" in PRISM. I argued that
> > "direct access" is untrue in my previous email, but none of your replies
> > (except Rich's) are relevant to my arguments.
> 
> What would you call a FISA API for government agents to query a system
> and return data on a target? Would you call that direct access or an
> indirect access? If Google runs the FISA API server, does that make it
> more or less direct than if the FISA API server is a blackbox run by the
> NSA?
> 
> >
> > The "direct access" bit is what made this story sensational. Without this
> > bit, the story would be much less juicy but more true. In the long run,
> > truth gives more power than lies. Washington Post has backed down to
> > reality, for which I applaud their judgment. Guardian has not, and keeps on
> > defending their misinformation and bad reporting, for which I resent deeply.
> >
> 
> You don't know the truth and you seem to think you do. The story that is
> important is that Google makes one claim, while the NSA slide makes
> another. Note that the law doesn't allow Google to even tell the press
> the whole truth.
> 
> > If Snowden and Greenwald do not mislead the world on 'direct access" and
> > just report it rationally, I'd applaud their courage. Now I think Snowden
> > is not more than a self-aggrandizing douche.
> >
> 
> I'm sorry, did you watch his video interview? On what grounds do you
> call him a self-aggrandizing douche exactly?
> 
> > I hope internet freedom can advance with accurate awareness, not by public
> > paranoia.
> 
> You take issue with a very weird semantic bit of the larger story. How
> does such semantic nitpicking, where you don't actually even know the
> facts behind your speculations, help advance any cause, anywhere?
> 
> All the best,
> Jacob


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-10 Thread Nadim Kobeissi

On 2013-06-10, at 6:09 PM, Jacob Appelbaum  wrote:

> x z:
>> @Jacob, I agree with your points regarding American exceptionalism.
>> @Eugen, to prepare for the worst scenario is one thing, to advocate some
>> shady rumor as fact is another.
>> @Rich, those are good movie scripts :-). But it does not work for 9 firms,
>> and hundreds of execs all with diverse values and objectives.
>> @Nadim, when you say "we all always 'knew' this was happening", I don't
>> know what "this" refers to. Is it NSA surveillance, or is it the "direct
>> access" bit?
>> 
>> To me, the crucial point is the "*direct access*", and also Guardian's
>> claim of these firms "willingly participating" in PRISM. I argued that
>> "direct access" is untrue in my previous email, but none of your replies
>> (except Rich's) are relevant to my arguments.
> 
> What would you call a FISA API for government agents to query a system
> and return data on a target? Would you call that direct access or an
> indirect access? If Google runs the FISA API server, does that make it
> more or less direct than if the FISA API server is a blackbox run by the
> NSA?
> 
>> 
>> The "direct access" bit is what made this story sensational. Without this
>> bit, the story would be much less juicy but more true. In the long run,
>> truth gives more power than lies. Washington Post has backed down to
>> reality, for which I applaud their judgment. Guardian has not, and keeps on
>> defending their misinformation and bad reporting, for which I resent deeply.
>> 
> 
> You don't know the truth and you seem to think you do. The story that is
> important is that Google makes one claim, while the NSA slide makes
> another. Note that the law doesn't allow Google to even tell the press
> the whole truth.
> 
>> If Snowden and Greenwald do not mislead the world on 'direct access" and
>> just report it rationally, I'd applaud their courage. Now I think Snowden
>> is not more than a self-aggrandizing douche.
>> 
> 
> I'm sorry, did you watch his video interview? On what grounds do you
> call him a self-aggrandizing douche exactly?

I can't believe I was actually feeling bad for this guy yesterday. Dismissing 
one of the greatest whistleblowers of the century as a "self-aggrandizing douche" 
is just beyond words. Maybe we're being trolled.

NK

> 
>> I hope internet freedom can advance with accurate awareness, not by public
>> paranoia.
> 
> You take issue with a very weird semantic bit of the larger story. How
> does such semantic nitpicking, where you don't actually even know the
> facts behind your speculations, help advance any cause, anywhere?
> 
> All the best,
> Jacob


Re: [liberationtech] Cryptocat: Translation Volunteers Needed

2013-06-10 Thread Nadim Kobeissi
Catherine,
Opera is not "shut out". It's simply difficult to develop for Opera due to its 
limited browser extension API. Your email made it sound as if Cryptocat had 
something against the Opera browser.

We have a ticket open for Opera compatibility in our code base. If you'd like 
to, you can contribute to Cryptocat for Opera development here:
https://github.com/cryptocat/cryptocat/issues/190

NK

On 2013-06-10, at 6:10 PM, Catherine Roy  wrote:

> Congrats. But, as I asked in a private email to which I got no response, is 
> there any reason why Opera is shut out?
> 
> Best,
> 
> 
> Catherine
> 
> -- 
> Catherine Roy
> http://www.catherine-roy.net
> 
> 
> 
> On 2013-06-10 17:44, Nadim Kobeissi wrote:
>> Thanks so much to everyone who helped! The translations are now all up to 
>> date.
>> 
>> I'd like to extend special thanks to Dragana Kaurin from OpenITP. OpenITP is 
>> launching a localization management platform soon, too, so I hope working 
>> with them will make this stuff easier in the future. :-)
>> 
>> NK
>> 
>> 
>> On 2013-05-24, at 10:23 PM, Buddhadeb Halder  wrote:
>> 
>>> Hi Nadim,
>>> I have done with the Bengali translation.
>>> Thanks,
>>> Buddha
>>> 
>>> 
>>> 
>>> On Fri, May 24, 2013 at 6:36 PM, Nadim Kobeissi  wrote:
>>> Hi everyone,
>>> An entire Cryptocat translation is less than 300 words.
>>> 
>>> You can view translations here. There is an easy-to-use interface that can 
>>> help you input your translations:
>>> https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/
>>> 
>>> Priority lies with the following languages. The rest is good to go:
>>> • Czech
>>> • Estonian
>>> • Urdu
>>> • Tibetan
>>> • Khmer
>>> • Uighur
>>> • Chinese (Hong Kong)
>>> • Bengali
>>> • Latvian
>>> 
>>> Thanks again to everyone who already helped! :-)
>>> 
>>> 
>>> 
>>> NK
>>> 
>>> 
>>> On Fri, May 24, 2013 at 6:53 AM, Moritz Bartl  wrote:
>>> On 24.05.2013 11:09, Sjoerd de Vries wrote:
>>>> About how much is needed to translate. Are you talking about 1.000 words
>>>> or more about 1.000.000 words. If it isn't too much I'm willing to help
>>>> you translate to Dutch
>>> Nadim should have made this more clear: All translations and texts are
>>> readily available. Anyone can add or refine translations of sentences.
>>> There's no need to send anything else, everything is at the following link:
>>> 
>>> https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/
>>> 
>>> To work on a translation, just create a Transifex account and add
>>> yourself to the translation team.
>>> 
>>> --
>>> Moritz Bartl
>>> https://www.torservers.net/


Re: [liberationtech] Cryptocat: Translation Volunteers Needed

2013-06-10 Thread Nadim Kobeissi
Thanks so much to everyone who helped! The translations are now all up to date.

I'd like to extend special thanks to Dragana Kaurin from OpenITP. OpenITP is 
launching a localization management platform soon, too, so I hope working with 
them will make this stuff easier in the future. :-)

NK


On 2013-05-24, at 10:23 PM, Buddhadeb Halder  wrote:

> Hi Nadim,
> I have done with the Bengali translation.
> Thanks,
> Buddha
> 
> 
> 
> On Fri, May 24, 2013 at 6:36 PM, Nadim Kobeissi  wrote:
> Hi everyone,
> An entire Cryptocat translation is less than 300 words.
> 
> You can view translations here. There is an easy-to-use interface that can 
> help you input your translations:
> https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/
> 
> Priority lies with the following languages. The rest is good to go:
>   • Czech
>   • Estonian
>   • Urdu
>   • Tibetan
>   • Khmer
>   • Uighur
>   • Chinese (Hong Kong)
>   • Bengali
>   • Latvian
> 
> Thanks again to everyone who already helped! :-)
> 
> 
> 
> NK
> 
> 
> On Fri, May 24, 2013 at 6:53 AM, Moritz Bartl  wrote:
> On 24.05.2013 11:09, Sjoerd de Vries wrote:
> > About how much is needed to translate. Are you talking about 1.000 words
> > or more about 1.000.000 words. If it isn't too much I'm willing to help
> > you translate to Dutch
> 
> Nadim should have made this more clear: All translations and texts are
> readily available. Anyone can add or refine translations of sentences.
> There's no need to send anything else, everything is at the following link:
> 
> https://www.transifex.com/projects/p/Cryptocat/resource/cryptocat/
> 
> To work on a translation, just create a Transifex account and add
> yourself to the translation team.
> 
> --
> Moritz Bartl
> https://www.torservers.net/


[liberationtech] Canadian phone and Internet surveillance program revealed

2013-06-10 Thread Nadim Kobeissi
Some news in Canada similar to the NSA revelations in the US:

Defence Minister Peter MacKay approved a secret electronic eavesdropping 
program that scours global telephone records and Internet data trails – 
including those of Canadians – for patterns of suspicious activity.

Mr. MacKay signed a ministerial directive formally renewing the government’s 
“metadata” surveillance program on Nov. 21, 2011, according to records obtained 
by The Globe and Mail. The program had been placed on a lengthy hiatus, 
according to the documents, after a federal watchdog agency raised concerns 
that it could lead to warrantless surveillance of Canadians.

http://www.theglobeandmail.com/news/national/data-collection-program-got-green-light-from-mackay-in-2011/article12444909/

NK


Re: [liberationtech] NSA whistleblower revealed

2013-06-09 Thread Nadim Kobeissi

On 2013-06-09, at 8:40 PM, Raven Jiang CX  wrote:

> He did work in the intelligence community so maybe he has a better idea than 
> us. My guess is that asylum in Iceland is ideal if everything worked out, but 
> he doesn't think it is strong enough to resist U.S. pressure.
> 
> Hong Kong is stable and modern, so he is less likely to be killed or 
> kidnapped by local criminals on CIA payroll, and at the same time the Chinese 
> government is less likely to cooperate with the U.S. than most other stable 
> governments around the world.
> 
> It's definitely a risky choice, but it's not like there are really any safe 
> ones. I think the gamble boils down to whether China sees more value in 
> trading him off for some other diplomatic concession or keep him safe as a 
> constant reminder of U.S. hypocrisy.

Very intelligent analysis there as to why he picked Hong Kong.

NK

> 
> 
> 
> 
> On 9 June 2013 17:17, Matt Johnson  wrote:
> Snowden says he wants asylum in Iceland. Why not go there directly?
> 
> Going to Hong Kong makes him vulnerable to accusations of working for the PRC.
> 
> None of that makes sense to me, but what do I know. I will watch, and learn.
> 
> --
> Matt
> 
> On Sun, Jun 9, 2013 at 3:52 PM, Raven Jiang CX  wrote:
> > There is a strong resistance against Chinese strong-arming in Hong Kong,
> > plus I am not sure that it is actually in the interest of the Chinese
> > government to help the US do anything about this. I think you can make a
> > case for why it's a better choice, though it is definitely debatable.
> >
> >
> > On 9 June 2013 15:10, Sheila Parks  wrote:
> >>
> >> I agree with what you say about Hong Kong
> >>
> >> He does say he would like to end up in Iceland
> >>
> >> Wonder why he did not go there in the first place
> >>
> >> Such an immensely brave and honest person
> >>
> >> Sheila
> >>
> >>
> >> At 06:04 PM 6/9/2013, you wrote:
> >>>
> >>> On 06/09/2013 04:43 PM, Matt Johnson wrote:
> >>> > I have to say going to Hong Kong for free speech and safety seems like
> >>> > a very odd choice to me. What was he thinking?
> >>>
> >>> Actually, and I think this is pointed out in either the video or an
> >>> article somewhere, Hong Kong doesn't generally suffer the speech
> >>> restrictions mainland China does. Sure, they aren't completely free but
> >>> protests and unpopular political speech happen quite frequently and are
> >>> generally well tolerated by the government.
> >>>
> >>> Still, I have to wonder why he didn't go somewhere like Iceland. To me,
> >>> that would have been a no-brainer.
> >>>
> >>> Anthony
> >>>
> >>>
> >>>
> >>> --
> >>> Anthony Papillion
> >>> Phone:   1.918.533.9699
> >>> SIP: sip:cajuntec...@iptel.org
> >>> iNum:+883510008360912
> >>> XMPP:cypherpun...@jit.si
> >>>
> >>> www.cajuntechie.org
> >>
> >>
> >> Sheila Parks, Ed.D.
> >> Founder
> >> Center for Hand-Counted Paper Ballots
> >> Watertown, MA  02472
> >> 617 744 6020
> >> DEMOCRACY IN OUR HANDS
> >> www.handcountedpaperballots.org
> >> she...@handcountedpaperballots.org
> >>
> >
> >
> >


Re: [liberationtech] NSA whistleblower revealed

2013-06-09 Thread Nadim Kobeissi
Check out this screenshot of the front page of the New York Times right now. 
Unbelievable:

https://twitter.com/kaepora/status/343888967554457600

NK

On 2013-06-09, at 8:17 PM, Matt Johnson  wrote:

> Snowden says he wants asylum in Iceland. Why not go there directly?
> 
> Going to Hong Kong makes him vulnerable to accusations of working for the PRC.
> 
> None of that makes sense to me, but what do I know. I will watch, and learn.
> 
> --
> Matt
> 
> On Sun, Jun 9, 2013 at 3:52 PM, Raven Jiang CX  wrote:
>> There is a strong resistance against Chinese strong-arming in Hong Kong,
>> plus I am not sure that it is actually in the interest of the Chinese
>> government to help the US do anything about this. I think you can make a
>> case for why it's a better choice, though it is definitely debatable.
>> 
>> 
>> On 9 June 2013 15:10, Sheila Parks  wrote:
>>> 
>>> I agree with what you say about Hong Kong
>>> 
>>> He does say he would like to end up in Iceland
>>> 
>>> Wonder why he did not go there in the first place
>>> 
>>> Such an immensely brave and honest person
>>> 
>>> Sheila
>>> 
>>> 
>>> At 06:04 PM 6/9/2013, you wrote:
 
>>>> On 06/09/2013 04:43 PM, Matt Johnson wrote:
>>>>> I have to say going to Hong Kong for free speech and safety seems like
>>>>> a very odd choice to me. What was he thinking?
>>>> 
>>>> Actually, and I think this is pointed out in either the video or an
>>>> article somewhere, Hong Kong doesn't generally suffer the speech
>>>> restrictions mainland China does. Sure, they aren't completely free but
>>>> protests and unpopular political speech happen quite frequently and are
>>>> generally well tolerated by the government.
>>>> 
>>>> Still, I have to wonder why he didn't go somewhere like Iceland. To me,
>>>> that would have been a no-brainer.
>>>> 
>>>> Anthony
>>>> 
>>>> 
>>>> 
>>>> --
>>>> Anthony Papillion
>>>> Phone:   1.918.533.9699
>>>> SIP: sip:cajuntec...@iptel.org
>>>> iNum:+883510008360912
>>>> XMPP:cypherpun...@jit.si
>>>> 
>>>> www.cajuntechie.org
>>> 
>>> 
>>> Sheila Parks, Ed.D.
>>> Founder
>>> Center for Hand-Counted Paper Ballots
>>> Watertown, MA  02472
>>> 617 744 6020
>>> DEMOCRACY IN OUR HANDS
>>> www.handcountedpaperballots.org
>>> she...@handcountedpaperballots.org
>>> 
>> 
>> 
>> 
>> --
>> Too many emails? Unsubscribe, change to digest, or change password by
>> emailing moderator at compa...@stanford.edu or changing your settings at
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> --
> Too many emails? Unsubscribe, change to digest, or change password by 
> emailing moderator at compa...@stanford.edu or changing your settings at 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech

--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] NSA whistleblower revealed

2013-06-09 Thread Nadim Kobeissi
Wow.

NK

On 2013-06-09, at 5:14 PM, Kate Krauss  wrote:

> "I had been looking for leaders, but I realised that leadership is about 
> being the first to act." - Edward Snowden
> 
> This is the moment to show this person big public support. And keep showing 
> it.
> 
> Katie Krauss
> AIDS Policy Project
> www.AIDSPolicyProject.org
> 
> Why AIDS Activists (and You) Should Care about the NSA
> (a short blog post based on Griffin's post here)
> 
> On Sun, Jun 9, 2013 at 3:44 PM, James S. Tyre  wrote:
> >
> > "His allegiance to internet freedom is reflected in the stickers on his 
> > laptop: "I support Online Rights: Electronic
> > Frontier Foundation," reads one. Another hails the online organisation 
> > offering anonymity, the Tor Project."
> >
> > Heh.
> >
> > --
> > James S. Tyre
> > Law Offices of James S. Tyre
> > 10736 Jefferson Blvd., #512
> > Culver City, CA 90230-4969
> > 310-839-4114/310-839-4602(fax)
> > jst...@jstyre.com
> > Policy Fellow, Electronic Frontier Foundation
> > https://www.eff.org
> >
> >
> > > -Original Message-
> > > From: liberationtech-boun...@lists.stanford.edu [mailto:liberationtech-
> > > boun...@lists.stanford.edu] On Behalf Of Yosem Companys
> > > Sent: Sunday, June 09, 2013 12:31 PM
> > > To: Liberation Technologies
> > > Subject: [liberationtech] NSA whistleblower revealed
> > >
> > > Edward Snowden: the whistleblower behind revelations of NSA surveillance
> > > http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance
> > >
> > > The individual responsible for one of the most significant leaks in US 
> > > political history
> > > is Edward Snowden, a 29-year-old former technical assistant for the CIA 
> > > and current
> > > employee of the defence contractor Booz Allen Hamilton. Snowden has been 
> > > working at the
> > > National Security Agency for the last four years as an employee of 
> > > various outside
> > > contractors, including Booz Allen and Dell.
> > >
> > > The Guardian, after several days of interviews, is revealing his identity 
> > > at his request.
> > > From the moment he decided to disclose numerous top-secret documents to 
> > > the public, he was
> > > determined not to opt for the protection of anonymity. "I have no 
> > > intention of hiding who
> > > I am because I know I have done nothing wrong," he said.


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-09 Thread Nadim Kobeissi
It seems Europe isn't safe either from data mining, due to overreach:
http://www.zdnet.com/blog/igeneration/google-admits-patriot-act-requests-handed-over-european-data-to-u-s-authorities/12191

NK

On 2013-06-09, at 1:22 PM, Jacob Appelbaum  wrote:

> Nadim Kobeissi:
>> 
>> On 2013-06-09, at 1:02 PM, Jacob Appelbaum 
>> wrote:
>> 
>>> Nadim Kobeissi:
>>>> Jake, I don't agree with x z (and rather agree with you), but
>>>> I'm really tired of just how aggressive and rude you always are
>>>> on Libtech. And it doesn't appear to just be towards me. I'm not
>>>> the only person who feels like this.
>>>> 
>>>> Even if you're right, tone your ego knob down already. Be nice. I
>>>> can barely read through threads anymore. Thank you.
>>> 
>>> Dear Nadim,
>>> 
>>> I'm sorry that you felt that I was aggressive and rude. It wasn't
>>> my intention. Nor do I think that my last email had anything to do
>>> with my ego.
>>> 
>>> I was defending Glenn's reputation and his findings - which seem 
>>> absolutely solid from where I'm standing.
>> 
>> What a nice thing to say! Thank you! :-) I think Glenn Greenwald is a
>> wonderful journalist who really revealed a hugely meaningful story.
>> Maybe not the story of the decade overall, but perhaps the story of
>> the decade when it comes to computer and information security and
>> privacy.
>> 
>> The thing is, I agree with you almost all the time. But you alienate
>> me (and I think others too) because of the ruthlessness in which you
>> express yourself. Even well-known members of a community do not
>> obtain a license to talk down to others.
>> 
> 
> I'm sorry that you think I am ruthless. I feel that I actually have
> quite a lot of compassion and I regularly express it. I do not generally
> feel pity - to feel pity, generally one must place oneself above others
> - which isn't useful or productive.
> 
>> I think it's super nice of you to be this considerate and I think
>> this is a solid contribution to improving the mood of this list. I
>> hope "x z" also appreciates this clarification! Hurray for Jake!
>> 
> 
> Do you suppose you might reply to the points that I made?
> 
> You asserted that I was aggressive and rude. I contested it. Did you
> decide that my previous emails were not so, after clarification, or what?
> 
> All the best,
> Jake


Re: [liberationtech] PRISM: NSA/FBI Internet data mining project

2013-06-09 Thread Nadim Kobeissi
A new slide has just been leaked from the PRISM powerpoint. It's very 
interesting, check it out:
http://www.theverge.com/2013/6/8/4410358/leaked-slide-from-prism-presentation-supports-directly-collecting-data

NK

On 2013-06-07, at 4:01 PM, Kyle Maxwell  wrote:

> FWIW, Google has issued a similar blanket (and kinda funny) denial.
> 
> http://googleblog.blogspot.com/2013/06/what.html
> 
> On Fri, Jun 7, 2013 at 2:20 PM, Andy Isaacson  wrote:
>> Apologies for replying out of thread and the wide CC list.
>> 
>> On Fri, Jun 07, 2013 at 06:41:32PM +0200, Eugen Leitl wrote:
>>> - Forwarded message from Matthew Petach  -
>>> 
>>> Date: Fri, 7 Jun 2013 09:32:53 -0700
>>> From: Matthew Petach 
>>> Cc: NANOG 
>>> Subject: Re: PRISM: NSA/FBI Internet data mining project
>>> 
>>> Speaking just for myself, and if you quote me on this
>>> as speaking on anyone else's behalf, you're a complete
>>> fool, if the government was able to build infrastructure
>>> that could listen to all the traffic from a major provider
>>> for a fraction of what it costs them to handle that traffic
>>> in the first place, I'd be truly amazed--and I'd probably
>>> wonder why the company didn't outsource their infrastructure
>>> to the government, if they can build and run it so much
>>> more cheaply than the commercial providers.  ;P
>>> 7 companies were listed; if we assume the
>>> burden was split roughly evenly between them, that's
>>> 20M/7, about $2.85M per company per year to tap in,
>>> or about $238,000/month per company listed, to
>>> supposedly snoop on hundreds of gigs per second
>>> of data.  Two ways to handle it: tap in, and funnel
>>> copies of all traffic back to distant monitoring posts,
>>> or have local servers digesting and filtering, just
>>> extracting the few nuggets they want, and sending
>>> just those back.
>> 
>> That's not what PRISM is claimed to do, in the WaPo/Gu slide deck.  The
>> deck claims that PRISM provides a way for an analyst at NSA to request
>> access to a specific target (gmail account, Skype account, Y! messenger,
>> etc) and get a dump of data in that account, plus realtime access to the
>> activity on the account.  The volume is quoted to be on the order of
>> 10k-100k requests annually.  The implication is that data production
>> is nearly immediate (measured in minutes or hours at most), not enough
>> time for a rubber-stamp FISA warrant, implying a fully automated system.
>> 
>> At these volumes we're talking one, or a few, boxes at each provider;
>> plus the necessary backdoors in the provider's storage systems (easy,
>> since the provider already has those backdoors in place for their own
>> maintenance/legal/abuse systems); and trusted personnel on staff at the
>> providers to build and maintain the systems.  Add a VPN link back to
>> Fort Meade and you're done.
>> 
>> That's obviously a much easier system (compared to your 200 GBps
>> sniffer) to build at the $2M/yr budget, and given that $2M is just the
>> government's part -- the company engineering time to do it is accounted
>> separately -- it seems like a reasonable ballpark for an efficient
>> government project.  (There are plenty such, and the existence of
>> inefficient government projects doesn't change that fact.)
>> 
>> It's even possible that executive/legal at the providers actually aren't
>> aware that their systems are compromised in this manner.  NatSec claims
>> will open many doors, especially with alumni of the DoD who have
>> reentered the civilian workforce:
>> https://financialcryptography.com/mt/archives/001431.html
>> 
>> -andy


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-09 Thread Nadim Kobeissi

On 2013-06-09, at 1:02 PM, Jacob Appelbaum  wrote:

> Nadim Kobeissi:
>> Jake, I don't agree with x z (and rather agree with you), but I'm
>> really tired of just how aggressive and rude you always are on
>> Libtech. And it doesn't appear to just be towards me. I'm not the
>> only person who feels like this.
>> 
>> Even if you're right, tone your ego knob down already. Be nice. I can
>> barely read through threads anymore. Thank you.
> 
> Dear Nadim,
> 
> I'm sorry that you felt that I was aggressive and rude. It wasn't my
> intention. Nor do I think that my last email had anything to do with my ego.
> 
> I was defending Glenn's reputation and his findings - which seem
> absolutely solid from where I'm standing.

What a nice thing to say! Thank you! :-)
I think Glenn Greenwald is a wonderful journalist who really revealed a hugely 
meaningful story. Maybe not the story of the decade overall, but perhaps the 
story of the decade when it comes to computer and information security and 
privacy.

The thing is, I agree with you almost all the time. But you alienate me (and I 
think others too) because of the ruthlessness in which you express yourself. 
Even well-known members of a community do not obtain a license to talk down to 
others.

I think it's super nice of you to be this considerate and I think this is a 
solid contribution to improving the mood of this list. I hope "x z" also 
appreciates this clarification! Hurray for Jake!

NK

> 
> All the best,
> Jake


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-09 Thread Nadim Kobeissi

On 2013-06-09, at 11:49 AM, Katrin Verclas  wrote:

> +1000 on Nadim's comment who is not always that civil either.

It's absolutely right that I also sometimes can get riled up or passionate. But 
the key word there is "sometimes".  Some on this list are just almost *always* 
like that, like it's an acceptable form of behaviour. It's not — it's bullying 
and oppression. It's stepping on people's throats. And it has to stop.

The amount of abuse I took as a new professional in information security a 
year+ ago was so intense that I had to start seeing a shrink. Many of the 
people behind that abuse are on this list. Some need to understand the limits 
between productive discourse and debate and what, quite frankly, amounts to 
nothing more than wagging your genitals at others.

I am neither white nor from a privileged background. I actually immigrated to 
Canada due to my family losing its livelihood thanks to Israeli bombings. And 
yet even though I've been through a lot, even I still find the abuse and 
disrespect propagated by some in this community to be hard to handle, even when 
it's directed at others.

When I sent my first email complaining about this, I got many encouragements in 
private from people who didn't speak out in public because they were afraid of 
having "their throats jumped" upon. I wish they would join me in making their 
concerns public. Why do I always have to be the one to say what's on everyone's 
mind?

This list isn't about shaming stupidity. It's about educating stupidity. It's 
not about teaching people the "guts" they need to be "up to the task of 
liberating". No one here has the authority to teach strangers about what they 
can and can't handle. Stop being so arrogant, egotistical, apathetic and 
near-sighted. It's about damn time this list, and this community, started being 
professional and respectful.

I'm sick and tired! Those who continue being abusive bullies should be called 
out. I understand a lot of them still contribute a lot of valuable information 
and debate (and I admire them for it,) but we need to separate the two facets.

NK

> If you notice who speaks on this list- it's geeky men. And not just speak but 
> flame at times and engage in silly meta discussions best filtered out. 
> 
> The discourse on this list, in general, does not encourage truly thoughtful 
> discussion nor does it invite diverse voices. That might be lost on people 
> like RK but it's not lost on the many "others" here who are not speaking.  
> Liberation isn't just for and by the few white men spouting off here more 
> often than not. Might be worth keeping in mind when posting. 
> 
> On Jun 9, 2013, at 10:08, Rich Kulawiec  wrote:
> 
>> On Sun, Jun 09, 2013 at 09:45:31AM -0400, Nadim Kobeissi wrote:
>>> I don't agree with x z (and rather agree with you), but I'm really tired of 
>>> just how aggressive and rude you always are on Libtech. 
>> 
>> First: you've got to be kidding.  I've never seen a single message on
>> this list that goes past about 2 on a 10 scale.  (Not that I'd mind
>> seeing things that go higher: I really do enjoy quality flamage.)
>> 
>> Second: stupidity, in all forms, fully deserves to be slapped down --
>> hard.  I expect that if I say something stupid here (and if I haven't
>> already, eventually I will) that I'll get hammered for it.  Good.
>> I should be.  Because I would rather endure the pummelling and the
>> possible embarrassment than persist in being wrong.  (Or worse,
>> making someone else be wrong too because they think I'm right when
>> I'm most certainly not.)
>> 
>> Third: anyone who can't handle the exceedingly gentle discussions here
>> (which are, generally speaking, held between people who are *all on the
>> same side*, at least in a philosophical sense), is really, really not
>> up to the task of "liberating" anything.  Because doing so will require
>> going up against people who will do far more than just type a few mildly
>> caustic words in an email message from time to time.
>> 
>> Jacob's contributions here are among the most cogent and useful.  I don't
>> care how "aggressive" and "rude" he is (and I don't think he is at all,
>> by the way), I care if he's right -- and he has an excellent track record
>> of being so.
>> 
>> ---rsk


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-09 Thread Nadim Kobeissi
On 2013-06-09, at 10:08 AM, Rich Kulawiec  wrote:

> On Sun, Jun 09, 2013 at 09:45:31AM -0400, Nadim Kobeissi wrote:
>> I don't agree with x z (and rather agree with you), but I'm really tired of 
>> just how aggressive and rude you always are on Libtech. 
> 
> First: you've got to be kidding.  I've never seen a single message on
> this list that goes past about 2 on a 10 scale.  (Not that I'd mind
> seeing things that go higher: I really do enjoy quality flamage.)
> 
> Second: stupidity, in all forms, fully deserves to be slapped down --

This is where I stop reading.

NK

> hard.  I expect that if I say something stupid here (and if I haven't
> already, eventually I will) that I'll get hammered for it.  Good.
> I should be.  Because I would rather endure the pummelling and the
> possible embarrassment than persist in being wrong.  (Or worse,
> making someone else be wrong too because they think I'm right when
> I'm most certainly not.)
> 
> Third: anyone who can't handle the exceedingly gentle discussions here
> (which are, generally speaking, held between people who are *all on the
> same side*, at least in a philosophical sense), is really, really not
> up to the task of "liberating" anything.  Because doing so will require
> going up against people who will do far more than just type a few mildly
> caustic words in an email message from time to time.
> 
> Jacob's contributions here are among the most cogent and useful.  I don't
> care how "aggressive" and "rude" he is (and I don't think he is at all,
> by the way), I care if he's right -- and he has an excellent track record
> of being so.
> 
> ---rsk


Re: [liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

2013-06-09 Thread Nadim Kobeissi
Jake,
I don't agree with x z (and rather agree with you), but I'm really tired of 
just how aggressive and rude you always are on Libtech. And it doesn't appear 
to just be towards me. I'm not the only person who feels like this.

Even if you're right, tone your ego knob down already. Be nice. I can barely 
read through threads anymore. Thank you.

NK

On 2013-06-09, at 9:15 AM, Jacob Appelbaum  wrote:

> x z:
>> 2013/6/8 Jacob Appelbaum 
>> 
>>> Oh man, Glenn Greenwald is my hero and a hero to us all.
>> 
>> 
>> Do you still believe Glenn's reporting that NSA has "direct access to
>> servers of firms including Google, Apple and Facebook"? 
> 
> 
> Yeah, I think it is clearly a FISA interface or API of some kind. Either
> that or it is pwnage of the server. Probably one or the other in some cases.
> 
>> In my view, he
>> misled the world intentionally (the few prism training slides published did
>> not seem to claim this). Glenn is at best a wacky journalist without common
>> sense.
> 
> He just broke the story of the decade, good to know your views on him.
> 
>> 
>> His reporting on the Verizon case was good, but I think his credibility
>> bankrupted after the PRISM one.
> 
> We disagree, obviously. You'll see soon enough and when you're eating
> crow, I'm sure we'll have another discussion.
> 
>> 
>>> Everyone on
>>> this list who was looking for 'some evidence' about global surveillance
>>> and previously ignored all other evidence, well, here you go!
>>> 
>>> "Revealed: The NSA's powerful tool for cataloguing data – including
>>> figures on US collection"
>>> 
>>> 
>>> http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining
>>> 
>>> This screenshot from the program is very web 2.0:
>>> 
>>> 
>>> 
>>> http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/2013/6/8/1370715185657/boundless-heatmap-large-001.jpg
>>> 
>>> The NSA is spying on the US and on the rest of the planet. There is no
>>> ability to deny this anymore. Anyone who denies it is a complete moron.
>>> 
>> I don't understand why this "evidence" is significant in any way. NSA
>> certainly has lots of information, and a web2.0'ish tool is nothing
>> surprising. It's rather moot to state "anyone who denies it is a complete
>> moron". It's like the highway patrol keeping my driving record.
>> 
> 
> Why does it matter if you are surprised?
> 
> Also, your analogy is tired and boring. This is nothing like a highway
> patrol.
> 
>> Again, I'm not rooting for NSA. I think its power needs to be limited and it
>> needs more transparency. But I hate using misinformation or hyperbole to
>> achieve that goal. This hurts the credibility of all the pro-privacy groups
>> in general.
> 
> I don't see any misinformation or hyperbole from Glenn. I see
> contradicting claims between governments and corporations. I also see
> that he wanted to ensure everyone understood what each side claimed.
> Note the very carefully worded denials all around.
> 
> All the best,
> Jacob


[liberationtech] OSS Devs: Talk about metadata!

2013-06-08 Thread Nadim Kobeissi
I want to encourage all the open source, communication and security software 
developers on this list to start talking about metadata.

1. Start raising awareness on what metadata is given to your software and how 
it's handled.
2. Don't limit your privacy policy to content but also clarify what's done with 
metadata.

[Shameless plug] We've already done this at Cryptocat. Our table can serve as a 
template:
https://blog.crypto.cat/2013/06/cryptocat-who-has-your-metadata/

I wonder if we're sort of entering a new era.

NK


Re: [liberationtech] Want to shield text, photos from government? Wickr says it has an app for that | SiliconBeat

2013-06-08 Thread Nadim Kobeissi
http://www.youtube.com/watch?v=HIWHMb3JxmE

No, really — there's nothing else I can say in a conversation where we're 
supposed to discuss proprietary software not only as secure, but as 
"military-grade" and "government-proof".

NK

On 2013-06-08, at 2:22 PM, Yosem Companys  wrote:

> http://www.siliconbeat.com/2013/06/07/want-to-shield-text-photos-from-government-wickr-says-it-has-an-app-for-that/
> 
> The U.S. government has acknowledged — with President Obama saying this 
> morning in San Jose that it’s all in the name of security — that its agencies 
> are spying on Americans’ phone calls and Internet communications in some 
> fashion. There are tech tools that claim they can get around such 
> surveillance, and one of them is Wickr, an app made by a San Francisco 
> startup.
> 
> Wickr is similar to Snapchat, the popular app that allows users to destroy 
> messages and photos sent on mobile phones after a certain time. But the 
> 1-year-old company’s app is “military grade,” founder Nico Sell said in a 
> phone interview this morning.
> 
> Sell says Wickr users can “send text messages, videos, documents that 
> self-destruct — all encrypted, and it exceeds NSA top-level encryption on the 
> device before it goes out on network with a key that only you have.”
> 
> “Very few people in the world can do what we’ve done,” Sell said. She says 
> she has advocated for the annual Defcon hacking conference for more than a 
> decade. The company’s other founders include a team of privacy and security 
> experts, according to a spokeswoman.
> 
> If the government comes knocking with a subpoena, Wickr could turn over its 
> database, but the information would be “useless,” Sell said, because the 
> company doesn’t collect personal information about its users. It claims to 
> have no call logs or location data. This also means such information is 
> inaccessible to wireless providers, advertisers and other companies that 
> usually collect it.
> 
> Sell touts Wickr as an alternative to messaging offered by Whatsapp and 
> Skype. Skype, the service owned by Microsoft, has long been thought of as 
> secure. But experts quoted by CNNMoney and others have warned that no tech 
> tool is immune to tracking, and Skype looks to be no exception. Ars Technica 
> recently reported that Microsoft regularly scans messages. 
> 
> Could Wickr do something similar? “This is a big thing with us. It was a huge 
> requirement that we never collected private information, period,” Sell said.
> 
> The app is free for iOS users only for now. Sell said an Android version, and 
> voice calling, are due out this summer.
> 


Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Nadim Kobeissi

On 2013-06-07, at 5:18 PM, Rich Kulawiec  wrote:

> On Fri, Jun 07, 2013 at 10:18:25AM -0400, Griffin Boyce wrote:
>>  I'm also going to go against the grain and say that most services
>> don't *need* to be integrated with each other.
> 
> I'll join you in that.  I'll go one step further and say that in many
> cases, integration is a very bad idea.  Interoperability?  Sure.
> But not integration.
> 
> I suppose this is because I very much buy into the "Software Tools"
> philosophy of Kernighan and Plauger: a tool should do one thing and
> do it well; tools should play nice with each other.  That's why, for
> example, sort(1), cut(1), grep(1), tr(1), and wc(1) are all different
> tools, even though they could be combined into one -- and why they work
> beautifully when used together.

I agree there. I've yet to see tools that deviate from that philosophy succeed 
half as easily.

NK

> And that's why, as a counterexample,
> Exchange is a bag of crap.  (To be precise: a *big* bag of crap.)
> 
> ---rsk


Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Nadim Kobeissi
On 2013-06-07, at 2:06 PM, Griffin Boyce  wrote:

> micah  wrote:
>> What about when someone from Riseup promotes Riseup services? :o
> 
> Riseup isn't evil, I'm just amused by people who say "no third-party
> services!" and then launch into why people should use their
> third-party provider of choice.  If one wants to say "no
> corporate-owned services," that's a bit of a different argument =)

There are a lot of distasteful side effects with Internet freedom becoming so 
politicized due to the inauguration of so many nonprofits dependent on grants, 
bureaucracy and professional reputation to survive. A lot of the time people 
get to cherry-pick what to attack and what to support based only partially on 
security concerns.

NK

> 
>> It only has been recent that companies such as google and twitter have
>> been doing something more interesting than just handing over things when
>> the police ask, that was nice to see, we felt very alone out
>> there... but now I'm not sure what to think when I see those companies
>> involved in the dragnet, I guess we feel alone again because I didn't
>> notice Riseup or Mayfirst's logo in that Prism powerpoint!
> 
> You should be really proud! =D Being a pain in the ass is underrated.
> 
> best,
> Griffin
> 
> 
> -- 
> Just another hacker in the City of Spies.
> #Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de
> 
> My posts, while frequently amusing, are not representative of the
> thoughts of my employer.


Re: [liberationtech] Cryptocat Seeking Estonian, Tibetan, Uighur and Latvian Translations

2013-06-07 Thread Nadim Kobeissi
We now only have Uighur left to go! If you know anyone who can contribute, 
please do.

This is the only translation remaining before we can push a big update.

You can contribute to the Uighur translation here:
https://www.transifex.com/projects/p/Cryptocat/language/ug/

NK

On 2013-06-05, at 3:39 PM, Nadim Kobeissi  wrote:

> Dear LibTech,
> We're on the verge of releasing a major update to Cryptocat, but we still 
> need four translations finished.
> 
> All four translations are very much complete but only lack one or two 
> sentences each.
> 
> You can contribute towards the translations here:
> Estonian: https://www.transifex.com/projects/p/Cryptocat/language/et/
> Tibetan: https://www.transifex.com/projects/p/Cryptocat/language/bo/
> Uighur: https://www.transifex.com/projects/p/Cryptocat/language/ug/
> Latvian: https://www.transifex.com/projects/p/Cryptocat/language/lv/
> 
> Your help with this is immensely appreciated.
> 
> Thank you,
> NK



Re: [liberationtech] Question about otr.js

2013-06-07 Thread Nadim Kobeissi

On 2013-06-07, at 1:09 PM, Anthony Papillion  wrote:

> On 06/06/2013 07:00 PM, Nadim Kobeissi wrote:
>> Speaking as the lead developer for Cryptocat:
>> OTR.js actually has had some vetting. We're keeping it experimental simply 
>> due to the experimental nature of web cryptography as a whole. It's a handy 
>> library that has had a lot of consideration put into it, but it really 
>> depends on your use case and threat model. If you want to use it to keep 
>> conversations private in moderate situations, go ahead. If you want to use 
>> it to keep conversations private against an authoritarian regime/sprawling 
>> surveillance mechanism, think twice. Overall I find it really hard to tell 
>> whether it's safe enough without knowing your threat model. For example, if 
>> your threat model includes a likelihood of someone backdooring your 
>> hardware, pretty much nothing can help you.
>> 
>> If you're considering building your own app and using OTR.js as a library, I 
>> beseech you to be careful regarding code delivery mechanisms and XSS 
>> considerations. Specifically, please use signed browser plugins as a code 
>> delivery mechanism and make sure the rest of your app, including outside of 
>> OTR.js, is audited against XSS, code injection, and so on. Those kind of 
>> threats tend to be far more common than library bugs.
>> 
>> NK
> 
> Thank you for the excellent feedback on OTR.js. It really clears some
> stuff up and makes me much more confident in the library.
> 
> I'm considering using OTR.js as a basis for an OTR plugin for
> Thunderbird chat. I suppose, in theory, people *could* decide to use it
> in life and death situations under sprawling surveillance regimes; I'd
> try to make it clear how unwise this is and provide alternatives. For
> example, I'd point them to Pidgin with its OTR instead.

I would never suggest Pidgin — Pidgin has never received an audit and is full 
of vulnerabilities that the development team is reluctant to fix. Cryptocat has 
actually received far more audits than Pidgin, although I'm not sure how to 
compare the two since the platforms are totally different.

NK

> 
> Thanks again!
> 
> Anthony
> 
> 
> -- 
> Anthony Papillion
> Phone:   1.918.533.9699
> SIP: sip:cajuntec...@iptel.org
> iNum:+883510008360912
> XMPP:cypherpun...@jit.si
> 
> www.cajuntechie.org



Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Nadim Kobeissi
On 2013-06-07, at 8:31 AM, Yishay Mor  wrote:

> "If all this already exists, why isn’t everybody doing it? Well, simply 
> because there is no integration at all among all those objects. "
> 
> No. We don't need no software bundles. We don't need no sleek installers. 
> How long does it take me to set up a Gmail account? Facebook account? Flickr 
> account? 20 seconds. How much does it cost me to set up? How much does it 
> cost me to maintain? (OK, Skype is an exception, I do need to install.)

Interestingly, we've been getting some emails since the NSA/PRISM story 
regarding people switching to Cryptocat.

It's a really encouraging and awesome trend to see people care about 
privacy-enabling technologies that are accessible and easy to use. To an 
extent, we've succeeded here because we've made it as easy as Facebook or Skype 
to have private conversations using free and open source software. So if 
someone is switching from Facebook or Skype to Cryptocat, it's a really 
positive thing.

The big challenge, though, so far is delineating the use cases and threat 
models. I have no problem seeing a lot of regular people flock to Cryptocat 
just for common-sense privacy concerns. But catering to that, and catering to 
activists/human rights workers in Mission Impossible situations, are two 
different stories. Concerning the latter, considering the outrageous nature of 
the PRISM story, I may have not been joking when I said "STOP PROMOTING THE 
INTERNET" to activists after all. :P

NK

> 
> See that's the standard you're competing with. Most users don't own server 
> space, physical or virtual, and would not in a million years be convinced to 
> buy any.
> 
> Yishay
> 
> ___
>http://www.yishaymor.org
> () ascii ribbon campaign - against html e-mail 
> /\www.asciiribbon.org - against proprietary attachments
> 
> 
> On 7 June 2013 09:47, M. Fioretti  wrote:
> On Fri, Jun 07, 2013 09:16:32 AM +0200, Eduardo Robles Elvira wrote:
> > Stop promoting google hangout and hotmail, yahoo, gmail, outlook.com... =)
> 
> and start promoting their replacement via user-friendly bundling of
> Free Software that already exist and may run in a portable way on any
> cheap VPS:
> 
> http://stop.zona-m.net/2013/01/the-alternatives-to-apple-facebook-c-already-exist-shall-we-package-them/
> 
> --
> M. Fioretti http://mfioretti.com   http://stop.zona-m.net
> 
> Your own civil rights and the quality of your life heavily depend on how
> software is used *around* you
> 



Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread Nadim Kobeissi
STOP PROMOTING THE INTERNET

NK

On 2013-06-07, at 3:16 AM, Eduardo Robles Elvira  wrote:

> Stop promoting google hangout and hotmail, yahoo, gmail, outlook.com... =)
> 
> On Fri, Jun 7, 2013 at 8:17 AM, Jacob Appelbaum  wrote:
>> Hi,
>> 
>> "Top secret PRISM program claims direct access to servers of firms
>> including Google, Facebook and Apple and others.
>> 
>> "Some of the world's largest internet brands are claimed to be part of
>> the information-sharing program since its introduction in 2007.
>> Microsoft – which is currently running an advertising campaign with the
>> slogan "Your privacy is our priority" – was the first, with collection
>> beginning in December 2007.
>> 
>> "It was followed by Yahoo in 2008; Google, Facebook and PalTalk in 2009;
>> YouTube in 2010; Skype and AOL in 2011; and finally Apple, which joined
>> the program in 2012. The program is continuing to expand, with other
>> providers due to come online.
>> 
>> "Collectively, the companies cover the vast majority of online email,
>> search, video and communications networks.
>> 
>> Read about it here:
>> 
>> http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data
>> 
>> http://static.guim.co.uk/sys-images/Guardian/Pix/audio/video/2013/6/6/1370553948414/Prism-001.jpg
>> 
>> http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/2013/6/6/1370554726437/PRISM-slide-crop-001.jpg
>> 
>> The next person that recommends Skype to human rights activists is
>> completely discredited. Stop it and stop it now.
>> 
>> Ta ta,
>> Jake
> 
> 
> 
> -- 
> Eduardo



[liberationtech] Montreal Journalists: Privacy and Security Workshop

2013-06-06 Thread Nadim Kobeissi
Dear LibTech,
In case there are any Montreal-based journalists on the list:
I just wanted to quickly share that I'm hosting a privacy and operational 
security workshop for journalists here in Montreal, sponsored by The Link 
newspaper.

https://www.facebook.com/events/167915566718007/

It's all for free, I'm just doing it in light of the insane surveillance news 
storm this week.

Please share if you know someone in Montreal who can benefit!

NK

