Re: [liberationtech] Call for Participants @ Noisy Square - Putting the Resistance back in OHM

2013-06-26 Thread Ruben Bloemgarten
Yay, Dutchy pileup. Joining the fray.

WARNING : the following lecture contains the word penis.

(But it does not have the word fuck. (Can I say fuck on libtech ?))

On 06/26/2013 12:55 PM, Lex van Roon wrote:
 On 06/26/2013 12:18, groente wrote:
 Is this the pitch of left unity at any cost?  Because no, actually,
 it turns out that unity isn't the best thing ever.  Do you want a big
 tent that means nothing?  Do you think that the OHM orga is united in
 fighting for the destruction of the power of all governments to
 oppress their citizens?  Their actions indicate otherwise.  The
 pushback you're getting here is that no, we're not all actually on the
 same side.

 Thing is, as a dutch citizen, I do not (yet) believe that *all*
 governments need to be destroyed because they oppress their citizens
 (your words, not mine). The simple reasoning behind this, is that people

 The point was, i believe, not to destroy the government per se, but to destroy
 its power to oppress its citizens.
 
 Ok, I thought that Eleanor was pretty explicit in her wording, but I
 might be mistaken. 
She was, and you are. Probably because you injected "because" into your
'quote'.
 I guess that she can make her wording more explicit
 and/or clarify them.
No need. "[...]the power of all governments to oppress their citizens?"
is perfectly clear.
 
 can be 'loosely' divided into two groups: leaders and followers. If we'd
 follow your plan and destroy all governments, that would imply that all
 the followers would be without a leader. And you probably also understand
 what happens next right, the power vacuum will be filled by someone that
 will abuse that position. Since we, as a global hacker community, do not
 have any power structures that we could use to fill this void, every
 action that takes place to create that void will be detrimental to our
 cause. And *that's* why I call for unity instead of division. We might
 not agree on everything, but we will need to have a united voice and a
 united power structure if we want to make a difference against the big
 powers.
Great idea. We need a leader ! Een leider, un chef, un capo, ein Fuhrer,
if you will. And lots of followers preferably. After all, there´s too
many of them, and not enough of us. Yay us!

 Well, the prerequisite for a united voice/power structure is a common goal and
 methods which are not mutually exclusive. I frankly don't see how players like
 THTC and Fox-IT fit into that picture. This may lead to awkward social situations
 where personal friends are suddenly found on the other side of the dividing line
 between those who empower the people and those who empower the state, but I fail
 to see how it is useful to unite with players whose daily praxis is the direct
 opposite of my (and i hope our) goals.
 
 The fight we need to fight is a big one. From that perspective, it makes sense
 to employ military tactics; In this context, Sun Tzu explained the reasoning 
 approx two thousand years ago (translation mistakes come from wikipedia):
 
 ~ So it is said that if you know your enemies and know yourself, you can win a
   hundred battles without a single loss.

Ok, we´re going for fortune cookie quotes. Great. Love those. How about
"Think you can. Think you can't. Either way, you'll be right." Or,
"Alas! The onion you are eating is someone else’s water lily." Oh oh.
How about this one : "If you want to fight a war without losing a single
battle, fight on both sides." Sound and fury.

 
 If you look at the history of warfare, you will have noticed that this
 statement still holds true and can be applied to all forms of warfare.
Nope. Wrong. If the history of war teaches us anything it's that
“sometimes you go back for your bag, and sometimes you don't”.
It´s a regular quote bonanza! Yay.
 
 Look, in the netherlands, we do not yet have or had any upcoming authoritarian
 / totalitarian government like the us or germany for instance. We know that it
Define "authoritarian" and, while you're at it, define "had". How far back
are you going exactly?  Are you restricting a history of
authoritarianism to the Dutch European borders post 1839 ? (Well, post
1831, really. But let´s respect king William I´s refusal to recognize
Belgium shall we ? I still have a hard time recognizing Belgium, I think
even the Belgians do). Sounds perfectly sound. Who cares how the
Belgians interpret history, right ?  Let´s ignore Dutch colonial rule up
until, euh, now. To be clear : rule of Indonesia until 1949, ending
after police actions as they were and are euphemistically called. New
Guinea in 1963. Suriname in 1975. Granted, the malevolence of the
authoritarian nature of the Dutch state declined as the 20th century
progressed, but to suggest that Holland is and always has been this
haven of blissful innocence is at best an innocent display of ignorance.
And while I´m on the subject (those of you not riveted by Dutch history
should have stopped reading a while ago. If you're still with me, you

Re: [liberationtech] internet blackout in turkey?

2013-06-01 Thread Ruben Bloemgarten
We have reports from inside Taksim that yesterday 3G was unavailable in
Taksim itself, but telephony was fine. Simply moving to a street near
Taksim would reestablish 3G connectivity. It´s unclear if this is
intentional or simply the network being overloaded. Also people seem to
be removing password protection from wifi access points near Taksim to
facilitate connectivity. Webcams overlooking Taksim have been down since
yesterday, and as of today webcams overlooking Istiklal (big street
leading up to Taksim) are also down. http://tks.ibb.gov.tr/

- Ruben

On 06/01/2013 01:46 PM, Andrew Lewis wrote:
 I heard rumors, on reddit so take this with a grain of salt, that
 power was being cut off to neighborhoods with protests. As for the
 capacity to cutoff Internet, I suspect every country to have a
 contingency for that.
 
 
 -Andrew
 
 
 On Jun 1, 2013, at 10:51 PM, hc voigt sozw...@gmail.com wrote:
 
 Everything that is coming through along the hashtags #occupygezi or
 #direngezipark? is coming from outside Istanbul and lacks any new infos
 and pictures from within the city; or even from within turkey.
 
 After having done so last night, I'm again observing for quite some time
 now again via twazzup, tumblr, g+, diaspora, ? and it looks to me like
 we face a complete Internet Blackout in/from Turkey.
 
 Does turkey possess the technology, means and skills for that?
 
 Am I missing something?
 
 
 --
 Too many emails? Unsubscribe, change to digest, or change password by 
 emailing moderator at compa...@stanford.edu or changing your settings at 
 https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Looking for collaborators for free-range voting project at Knight News Challenge:

2013-02-26 Thread Ruben Bloemgarten
Irrespective of zombies et al. Voting requires the following basic
elements :
1. verifiability when casting the vote, i.e. the voter can see that the
vote that is cast will be the vote that is counted. This is not possible
without a paper trail which is also a valid vote.

2. Counting control. Each step of the electoral process has to be
transparent for it to be valid. This means that *anyone* is allowed to
observe the counting of the votes, *and* is able to understand that
counting process. A printout of a result is not sufficient. Don´t forget
that casting the vote is the least important of the process, counting
the votes is.

3. Anonymity. There can not be any moment that a vote can be backtracked
to the person voting. Again, this can not be based on trusting a
system. In many voting laws this anonymity has to be guaranteed, a
guarantee that even with paper ballots is problematic, but is
practically impossible in the case of electronic voting.

When we are discussing voting in its function of the backbone of a
democratic system, i.e. the moment when we temporarily delegate our
individual power to a representative, deciding who will wield the
monopoly on violence, there can be no aspect of this process that is
based on trust. If ever there was a system which has distrust at its
core, it is voting.

The only way to have any form of electronic voting be reliable is when
it is seconded by a re-countable paper copy, which means the choice is
between one big central printer distributing paper ballots or lots of
little ones printing the ballot on the fly. This excludes online
voting completely and makes the entire concept a little silly really.

Apart from a child-like enthusiasm for anything with buttons and shiny
lights, can anyone here explain to me what the intended benefits of
electronic voting over paper voting would be ?

Please note that all of the above only applies to political elections,
electronic voting is perfectly fine when voting for the X-factor.

- Ruben



On 02/26/2013 01:35 PM, Rich Kulawiec wrote:
 
 It won't work.  Until the bot/zombie is solved, online voting is
 a non-starter, since any election worthy of being stolen can be.
 It doesn't matter what you do on the server side: you can construct as
 elaborate and clever and secure an infrastructure as you wish...because
 on the client side, there is no way to ensure that what the user sees
 is what's actually happening.  (After all: it's not *their* computer
 any more.  Its new owners can, if they wish, cause a vote for candidate
 A to be sent as a vote for candidate B, and they can prevent the user
 from knowing that's happened.)
 
 And given that (a) we're now about a decade into the zombie problem
 (b) no significant effort against them has ever been attempted,
 let alone completed [1] and (c) the problem is already epidemic and
 continues to get worse [2] [3], there is no reason whatsoever to think
 it will be mitigated, let alone solved, in the foreseeable future.
 
 This doesn't just apply to your proposal: it applies to *all* of
 them.  Unless you can propose and execute a viable plan for solving
 the zombie problem, then whatever you design/build can be undercut
 whenever someone chooses to make the effort.  (And provided they're
 not foolishly heavy-handed about it, it's unlikely you would be able
 to detect this. [4])
 
 ---rsk
 
 [1] Botnet takedowns are unimportant and irrelevant; their only
 purpose is to provide a forum for the spokesliars at Microsoft et.al.
 to trumpet their prowess while a gullible press and public overlook
 that they *created* this problem.  Merely removing CC networks does
 nothing to remediate the individual members of the botnets, which are
 still compromised, still vulnerable, and likely to be conscripted into
 other botnets before the day is out.
 
 [2] We're now seeing portable devices zombie'd: phones, tablets, etc.
 
 [3] Estimates of zombie population vary, of course, but clearly, any
 estimate under 100M should be laughed out of the room.  Vint Cerf gave
 an estimate of 150M just about six years ago, and based on my own work
 as well as that of others in the anti-spam/abuse area, I thought that
 was on the high side at the time...but it's most certainly not now.
 I think the number's probably in the 200-300M range at this point.
 See: http://arstechnica.com/news.ars/post/20070125-8707.html for
 Cerf's comments.
 
 [4] See Schneier's insightful and chilling piece on this here:
 
   https://www.schneier.com/crypto-gram-0404.html#4
 
 That piece should be absolutely mandatory reading for anyone even
 considering voting systems.  It not only provides a method for
 estimating attacker budgets, but it correctly points out that attackers
 quite often could tip the balance of an election by manipulating a
 rather small number of votes -- with a corresponding reduction in the
 probability that the manipulation will be detected.
 
 Note that Schneier wrote that in 2004.  If you repeat his 

Re: [liberationtech] Looking for collaborators for free-range voting project at Knight News Challenge:

2013-02-26 Thread Ruben Bloemgarten
On 02/26/2013 03:49 PM, Joseph Lorenzo Hall wrote:
 (most of the statements I make below can be cited... holler if you want
 some reading.)
 
 On Tue Feb 26 08:15:54 2013, Ruben Bloemgarten wrote:
 Irrespective of zombies et al. Voting requires the following basic
 elements :
 1. verifiability when casting the vote, i.e. the voter can see that the
 vote that is cast will be the vote that is counted. This is not possible
 without a paper trail which is also a valid vote.
 
 This is a very complex topic, one that I've worked on for many years and
 was the central theme of my PhD thesis. I think it's important to
 recognize that there are cryptographic voting systems that do verifiable
 paperless voting. With out-of-band secret sharing, it gets most of the
 way to what one would want to see... of course, the client-side malware
 problem and the general problem of unsupervised voting (people voting
 outside of an official location with polices that make sure only one
 person enters the booth, etc.).

I mean verifiable by the voter. Using their eyes. Without a PhD in
cryptography, preferably. One man. One vote. not One educated man.
 
 As a member of the board of directors of the Verified Voting Foundation,
 I should say that currently a paper trail backed by robust
 risk-limiting audits are the state-of-the-art for governmental elections.
 
 2. Counting control. Each step of the electoral process has to be
 transparent for it to be valid. This means that *anyone* is allowed to
 observe the counting of the votes, *and* is able to understand that
 counting process. A printout of a result is not sufficient. Don´t forget
 that casting the vote is the least important of the process, counting
 the votes is.
 
 This is somewhat of a strawman... there is no way that one individual
 can observe all the steps in an election as complicated as the ones we
 regularly run in the U.S. (the U.S. is very strange compared to most
 other countries in terms of the massive requirements we place on the
 voting process... I would argue for very good public policy reasons).
 This is why the academic literature on these kinds of topics
 increasingly uses cryptographic auditing mechanisms to ensure that once
 a valid ballot enters the system, it can be tracked. (And, believe it or
 not, RFID-based inventory controls can do a lot.)
Not really a strawman. I´m not suggesting that any single individual
will be able to observe every step from each voting office, but that all
steps are legally allowed to be and can practically be observed by a
citizen (a layman), ensuring the likelihood of a significant number of
the vote counting being observed, for instance by the cat-lady from a
few houses down the street. This is the case for the voting legislation
that I do know (the Dutch one), I have no idea what the details of U.S.
electoral law are.

 
 3. Anonymity. There can not be any moment that a vote can be backtracked
 to the person voting. Again, this can not be based on trusting a
 system. In many voting laws this anonymity has to be guaranteed, a
 guarantee that even with paper ballots is problematic, but is
 practically impossible in the case of electronic voting.
 
 I wouldn't agree that it's practically impossible... fancy primitives
 like mix-nets and interactive zero-knowledge proofs have been put to
 good use to come up with some basic assurances of secrecy.
How important is understanding how a person´s secrecy is guaranteed to
the person counting on that secrecy ? With practically I do mean
practical, I´m sure that it's technically possible to reach a similar
level of secrecy of a paper ballot, but to achieve both actual secrecy
and a common understanding of how that secrecy is guaranteed I would say
is, more likely than not, practically impossible.

 As I think
 you imply, there are fundamental limits... e.g., there are a number of
 small precincts in CA that I'm familiar with where all the cast ballots
 are virtually identical (this is just to underline that there are
 fundamental practical limits on ballot secrecy). 
Yes, quite. It would even be possible to do a massive fingerprint query
of the paper ballots, so there are many scenarios, some more obscure
than others that would break the secrecy of the ballot.
 And, as Josh Benaloh
 from MSR highlighted recently, this can be extended in steps to
 construct pretty interesting ballot secrecy violations (as one example,
 if I vote for candidate B and I see that all other ballots were counted
 for candidate A, I know everyone else's vote with certainty while they
 don't necessarily have the same level of certainty about others' ballots).

 
 When we are discussing voting in its function of the backbone of a
 democratic system, i.e. the moment when we temporarily delegate our
 individual power to a representative, deciding who will wield the
 monopoly on violence, there can be no aspect of this process that is
 based on trust. If ever there was a system which has distrust at its
 core

Re: [liberationtech] Another CA Compromise: TurkTrust

2013-01-03 Thread Ruben Bloemgarten
Nadim,

I think it's about time to have CA´s be peer accredited institutes
(EFF/tor/access now/my brother´s sister´s cousin/ whoever) issuing free
or at least at cost certs. That being said, I don´t think certs are very
good at preventing mitm anyway, that might be the case if a majority of
users would have the wherewithal for a more realistic reaction than "ooh
red/green is bad/good", and even then. Love ssl, don´t really care about
certs. So yes, let's dump "trust me, I´ve been certified" in favor of
"you don´t know who I am, but only we know what we´re telling each other".

- Ruben

On 01/04/2013 02:09 AM, Nadim Kobeissi wrote:
 Another CA has been found issuing SSL certificates for Google services.
 Mozilla has acted on the
 issue: 
 https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/
 
 The weird thing is that it's starting to appear less and less crazy to
 just get rid of the CA system and replace it with… nothing. What do you
 guys think?
 
 NK
 
 
 --
 Unsubscribe, change to digest, or change password at: 
 https://mailman.stanford.edu/mailman/listinfo/liberationtech
 



Re: [liberationtech] Another CA Compromise: TurkTrust

2013-01-03 Thread Ruben Bloemgarten
On 01/04/2013 02:41 AM, Collin Anderson wrote:
 On Thu, Jan 3, 2013 at 5:26 PM, Ruben Bloemgarten ru...@abubble.nl wrote:
 
 you don´t know who I am, but only we know what we´re telling each
 other.
 
 
 So essentially you and Nadim are arguing that, since CAs fail some of
 the time, we should get rid of the whole system and end up in the same
 position -- where there is no trust in validating that the person
 talking to you is actually who they say they are? 
 
 Does anyone believe that users will actually understand the difference?


Not quite. I´m arguing that the current system is inherently flawed,
irrespective of technical failure, that it would be a great improvement
if there is no default trust as to whom is spoken to in the context of
cloudy services.

Is the basic concept of having a form of verification as to the data
exchange partner good ? Of course it is. But if that verification is not
intuitively verifiable how does it do more than instill a false sense of
security ? That can not be better than having an understandable model of
default distrust.

I´m not even sure whether the concept of combining certification with
encryption is such a brilliant idea to begin with, why would this even
be required ? Confirmation of a data exchange partner (publicly
accredited certification) does not ipso facto require encrypted data
exchange, and vice versa.

Furthermore I´m arguing that users already don´t understand the
difference between http and https in the browser bar, and that for as
far as knowing who is being spoken to, there exists merely that
unfortunate false sense of security. In the current scheme
confidentiality is being combined with trustworthiness based on a
willingness and ability to pay, which makes confidentiality
prohibitively expensive and trustworthiness sketchy at best.

my apologies for the less than comfortable sentence structuring.

 
 
 On Thu, Jan 3, 2013 at 5:26 PM, Ruben Bloemgarten ru...@abubble.nl wrote:
 
 Nadim,
 
 I think it's about time to have CA´s be peer accredited institutes
 (EFF/tor/access now/my brother´s sister´s cousin/ whoever) issuing free
 or at least at cost certs. That being said, I don´t think certs are very
 good at preventing mitm anyway, that might be the case if a majority of
 users would have the wherewithal for a more realistic reaction than "ooh
 red/green is bad/good", and even then. Love ssl, don´t really care about
 certs. So yes, let's dump "trust me, I´ve been certified" in favor of
 "you don´t know who I am, but only we know what we´re telling each
 other".
 
 - Ruben
 
 On 01/04/2013 02:09 AM, Nadim Kobeissi wrote:
  Another CA has been found issuing SSL certificates for Google services.
  Mozilla has acted on the
  issue:
 
 https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/
 
  The weird thing is that it's starting to appear less and less crazy to
  just get rid of the CA system and replace it with… nothing. What do you
  guys think?
 
  NK
 
 
 
 
 
 
 -- 
 *Collin David Anderson*
 http://averysmallbird.com | @cda | Washington, D.C.
 
 