Re: [liberationtech] Wicker: D??j?? vu all over again
On Thu, Jun 12, 2014 at 8:19 AM, Rich Kulawiec wrote: > On Tue, Jun 10, 2014 at 10:08:26AM -0700, Yosem Companys wrote: >> The mention of NDAs by the Wickr founder makes it a non-starter. Their web >> site doesn't have any download link for the source files, nor mention of >> open source, but they do mention patent pending technology. How do they >> expect anyone to trust closed source, proprietary technology to be secure? > > Nobody should trust closed source, ever. No matter the reputation of those > behind it, no matter how sincere they appear to be: if it's not open source, > it's fraud. > > Once again, I'll refer folks to: > > > https://mailman.stanford.edu/pipermail/liberationtech/2013-February/006964.html > > and the rather longer and more explanatory: > > > https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007499.html > > Wickr (and anything like it) can be, should be, and must be immediately > and permanently dismissed with prejudice. Those links are very good, especially the 2nd. One reference for the general principle involved is: http://en.citizendium.org/wiki/Kerckhoffs%27_Principle -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Tech equivalent of Physicians for Social Responsibility?
ACM (assoc for Computing Machinery) are one of the oldest and I think still the largest professional society in the field. They have many SIGs (special interest groups). Try this one: http://www.sigcas.org/ Also try IEEE http://www.ieee.org/index.html I went to one Computers, Freedom & Privacy (CFP) conference and it was great. Both geeks with some social awareness and lawyers or political types with some technical understanding seem to be rather rare types, and this is distinctly unfortunate. That conference had quite a few of both. -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] FW: What the IETF is thinking about Prism these days..
On Fri, Sep 27, 2013 at 11:55 AM, michael gurstein wrote: > Title : Prismatic Reflections >Author(s) : Brian Carpenter > >Filename: > draft-carpenter-prismatic-reflections-00.txt There is at least one other similar draft: http://www.ietf.org/id/draft-hallambaker-prismproof-req-00.txt -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Random number generation being influenced - rumors
Andy Isaacson wrote: > So, I put a lot of credence in distrusting HWRNG black box > implementations. But unfortunately we need a lot more reliable entropy. > A fully open source, nothing up my sleeve hardware entropy source would > be a huge improvement. At least one has been available for a decade or more: http://www.av8n.com/turbid/paper/turbid.htm The paper here discusses several that at least get close: ftp://ftp.cs.sjtu.edu.cn:990/sandy/maxwell/ -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] scrambler
Michael Hicks wrote: > Thank you so much we appreciate your opinion and facts. would you have any > recommendations? Start by reading up on one-time pads. Probably the best source is Marcus Ranum's FAQ: http://www.ranum.com/security/computer_security/papers/otp-faq/ Another, partly my writing: http://en.citizendium.org/wiki/One-time_pad >> The author doesn't understand how to construct one-time pads, and flouts >> the most important rule of using them. Avoid this software like the >> plague. Right. Also, even if you get the OTP part of it right, there are still problems. One is that the system gives no protection against traffic analysis, collection & use of what has being called metadata in recent news stories. Another is that, while an OTP system is provably perfectly secure against simple eavesdropping, it is inherently vulnerable to a rewrite attack: http://en.citizendium.org/wiki/Stream_cipher#Rewrite_attacks Finally, there are a whole lot of questions about things like how you generate the random numbers, how a customer can be sure his java app is not tampered with, etc. Quickly perusing your web site, I do not see answers for those. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] SMS questions
Richard Brooks wrote: > If anyone with an understanding > of SMS, SMS web interfaces, and/or related security issues > would be willing to point me in the right direction > (or discuss potential issues) I (and by extension > they) would be grateful. SMS is basically insecure. Others in the thread have given good advice, which you should heed, but here's my take on it in case a slightly different perspective is also useful. The basic problem is that all SMS messages go through servers which may be monitored. In many countries the service providers are under direct government control. Anywhere else, it may be possible for government to acquire access with some combination of appeals to patriotism, legal (or in some places extra-legal) threats, and promises of rewards such as government contracts, There are plenty of examples of actual monitoring. During the SARS scare, people in Beijing were arrested for "spreading rumors" via SMS. In the US, the NSA has monitoring equipment in AT&T offices: https://www.eff.org/nsa/hepting It gets worse. The US has a Communications Assistance to Law Enforcement Act (CALEA) that basically makes it illegal for anyone to sell phone switches without wiretap capability in the US. As a result nearly all such switches have the capability built in. That includes the switches that various nasty regimes buy. Then there are a whole range of other attacks possible against phone systems. Trojan horse programs can take over a smartphone to record things like passwords or even use the phone's mike to bug whatever room the phone is in. Bogus cell phone towers (in the back of a KGB, NSA or whoever van) can locate a phone with great accuracy. Those are just two that have been reported as commercially available; there are likely more I don't know about. -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] safe-mail.net
On Wed, Jul 17, 2013 at 1:03 AM, A.Chukin wrote: > Some of my current partners use safe-mail.net for secure messaging. > Does any of you have any information about maintainers and what is you > opinion about security of this mail service ?? Based on 5 minutes looking at the web site, I see no reason to trust it. " Using SSL (Secure Socket Layer), which is a component of all current browsers, for all data transmissions and strong proprietary encryption for server security, it offers the highest possible protection for all email communications and file attachments. The SSL encryption itself is generally thought to be secure, but it relies on X.509 certificates to identify the players so anyone who can subvert the certificate infrastructure can easily conduct a man-in-the -middle attack. If I can give you a bogus cert that says my machine is safe-mail.net, you will send me your not-yet-encrypted data, I save a copy and send it on to safenet. This is a real threat, at least against some enemies. Common browsers currently trust several hundred Certificate Authorities (CAs). Some have been subverted; a Dutch one was hacked & credentials stolen there used by the Iranian government to attack dissidents. Others having admitted selling bogus certs that let corporate IT monitor employees. Several are controlled by governments I'm not inclined to trust: China, Syria, Then there is: " and strong proprietary encryption for server security, That sets off alarm bells; basically "strong proprietary encryption" is an oxymoron. There's a link earlier in the thread to a Wikipedia explanation. Here's a different link to much the same thing: http://en.citizendium.org/wiki/Kerckhoffs%27_Principle This claim is worrying in two ways. First, it indicates that their system has not been published and independently analyzed, so it should not be trusted. Second, it shows that they are either ignorant of or ignoring a basic principle that has been well--known in the field for 100-odd years, so they should not be relied on to have designed their system well. Even if their proprietary encryption is secure, the encryption is done on their machines and they hold the keys. How safe is that? Not very if you are trying to protect against government agents who might show up with a warrant, or appeals to patriotism, just threats. Or if you are involved in high-stakes litigation where the opponent might use private detectives and large bribes. If they find a safe-mail system administrator who will co-operate, they read all your correspondence. The correct solution is end-to-end encryption such as PGP; encrypt on the sender's machine and decrypt on the receiver's. Even that is easily breakable if one of the machines involved has been subverted (downloaded a trojan horse or someone broke in and installed a key loggger or ...) and it does not stop someone like the NSA from seeing who you are talking to, but except for that it appears secure. -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Metadata Cleanup trough File Format Convertion?
Fabio Pietrosanti (naif) wrote: > i've been thinking about the topic of metadata cleanup of files from an > implementation point of view. > > Regardless the consideration whether it's something useful or not for a > Whistleblowing platform (GlobaLeaks), In general, it is. To be responsible, any such platform must at least look at anything they are going to release and consider whether some of it needs to be redacted. Metadata needs to be considered in that process. There are cases, though, where metadata indicating the source of a document is critical to evaluating it. Consider a document that purports to give US policy on targeting for drone strikes. Does it come from a field commander? Or Washington? Pentagon? CIA? President's office? Or is it, say, analysis by the Pakistani government? Or just speculation by some journalist? -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] WeChat
Sarah Lai Stirland wrote: > Hi everyone -- I'm curious as to whether anyone on here has used WeChat, > what they think of it, ... I would not use any Chinese software if security is a concern. See for example: http://www.businessweek.com/articles/2013-03-08/skypes-been-hijacked-in-china-and-microsoft-is-o-dot-k-dot-with-it There are some products from credible people available. Free, open source software for secure online chat, but (last I looked) not voice or video: http://www.cypherpunks.ca/otr/ A commercial service offering the lot -- email, voice. ... -- and running on smart phones: https://silentcircle.com/ -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Fwd: A hacker's guide to Amsterdam
Jens Christian Hillerup wrote: > ... So I'll be coming to Amsterdam ... > > I'm looking for suggestions for things to see that might be of interest for > hackers -- small or large, well-known or obscure. Have a look at these sites: http://hippies.waag.org/ http://www.hippiesfromhell.org/ -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] One time pad Management system?
Paul Elliott wrote: > Given a secure communications channel for key exchange, > OTPs are absolutely unbreakable. Against some attacks, yes. However, unless authentication is used as well, they have absolutely no resistance to a rewrite attack: http://en.citizendium.org/wiki/Stream_cipher#Rewrite_attacks -- Who put a stop payment on my reality check? -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Random number generator failure in Rasperri Pis?
KheOps wrote: > Just came accross this article, apparently showing the bad quality of > the hardware RNG in Raspberri Pi devices. > > http://scruss.com/blog/2013/06/07/well-that-was-unexpected-the-raspberry-pis-hardware-random-number-generator/ I agree with other posters; you are misreading an article that says the hardware generator on the Pi seems OK. I have implemented something that can provide an alternative or a supplement if necessary, Documentation describes some other choices as well: ftp://ftp.cs.sjtu.edu.cn:990/sandy/maxwell/ -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
