[liberationtech] Naive Question

2013-09-09 Thread Scott Arciszewski
Hello,

I saw this article on The Guardian[1] and it mentioned a librarian who
posted a sign that looked like this:
http://www.librarian.net/pics/antipat4.gif and would remove it if visited
by the FBI. So a naive question comes to mind: If I operated an internet
service, and I posted a thing that says "We have not received a request to
spy on our users. Watch closely for the removal of this text," what legal
risk would be incurred?

If the answer is "None" or "Very little", what's stopping people from doing
this?

Thanks,
Scott
-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Naive Question

2013-09-09 Thread Scott Arciszewski
Forgot the URL:
http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch



[liberationtech] CFAA Extremism

2013-09-22 Thread Scott Arciszewski
So, I've been wondering...

If the CFAA makes it a felony to violate a website's terms of service,
wouldn't the logical way to protest this absurd interpretation of the law
to write Terms of Service that forbid members of the US government--
especially Congress and the Department of Justice-- from visiting your page
and then file criminal complaints en masse whenever a DoJ employee or
congressman visits your site?

Just a thought :)

Scott

[liberationtech] SaferScript (Rough draft)

2013-09-28 Thread Scott Arciszewski
Hey LiberationTech,

I was going to try to polish this idea and develop it, but it's probably
better off being developed by people with experience developing Firefox
addons and/or who understand PKI in-and-out. Also, due to complications in
my own life, I do not have the time or energy to invest in such an
undertaking.

I've previously shared this with Micah Lee of the EFF and his friend
Garrett.

This is just a very rough draft. If anyone wants to take this up as a FOSS
project, feel free; I only ask that Taylor and I be mentioned somewhere in
the credits.


SaferScript (The name is negotiable)

  Making Javascript Safer, Preventing XSS Payloads
  @voodooKobra (Scott Arciszewski)
  Further suggestions by @DefuseSec (Taylor Hornby)

WHAT IS IT?
  An optional way to configure only digitally signed Javascript for websites
  set up to use it.

COMPONENTS
  o Browser plugin (Firefox at first, eventually Chrome & Opera?)
  o Netbeans plugin (for developers)
  o CLI Program (integrates with gnupg) for the server
  o Source file on the server
  o Publicly accessible whitelist file
  o Network of notaries which audit the signed whitelists to detect abuse

The Browser Plugin

  For security-conscious users, the SaferScript browser plugin would
  request a whitelist of .js files (and their sha256 checksums), which
  should be signed by the developer's GPG private key.

  (Note: In case SHA-256 is ever broken it needs to be able to support
  other hash functions, such as the SHA-3 family, Whirlpool, and RIPEMD.)

  If we do not know the public key, we will request it from the server and
  check with notaries that the user trusts that they see the same key. If
  the website has been queried before, the notary will also compare the
  public key it received with the one archived.

  The code will then verify the signature of the whitelist. If it matches,
  then each .js file will be downloaded and their checksums will be
  verified before they are loaded into memory. If any of their checksums
  doesn't match, then that .js file is not loaded and the user is notified.

  For public key verification, the browser will then send an SHA-256 digest
  of the whitelist to a notary. If the notary does not have a record of
  that whitelist, our network will request the whitelist and compare the
  digest with the one submitted by the user. If it doesn't match, the user
  is notified and they fail back to a copy that was signed and stored in
  the public record.

  If the signature matches but it is an updated version of the Javascript
  (and the notary has cached a copy of the same whitelist), the user will
  be notified of the change and asked if they wish to examine the
  differences between the old version and the new version. (This can be
  turned off for non-tech-savvy users; all changes that any user
  experiences should be mirrored on the notaries, assuming they have opted
  in.)

  No other Javascript will load. Even inline function calls (onClick=""
  etc) will have to be rewritten as $("#objectID").click( function() { });

  If the GPG signature doesn't match, NO Javascript will load for the
  entire domain until the developer updates the signed whitelist with new
  checksums and an updated signature.

  Two further levels of paranoia will also be available: If a .css file is
  specified in the whitelist, no other stylesheet changes (outside of those
  made by trusted Javascript) will be registered. Additionally, if a .png,
  .jpg, .gif (etc) file is listed, all other images will be blacklisted.
  These paranoid modes are entirely optional and suited to self-contained
  apps rather than content portals that depend
Re: [liberationtech] SaferScript (Rough draft)

2013-09-28 Thread Scott Arciszewski
That is /ugly/ as heck. Sorry.

https://defuse.ca/b/MQrZXLiE <- link valid for 6 months



Re: [liberationtech] SaferScript (Rough draft)

2013-09-28 Thread Scott Arciszewski
I'm giving the idea away. I don't have any code written, just that rough
draft. I was hoping to get feedback and suggestions from a few people so I
could make a solid idea, then move forward with making it a reality, but
life's demands are getting in the way of ambition.

Feel free to post it wherever you'd like. I'll probably copy & paste it
to pastebin and a few other places for the sake of keeping it accessible.

Have you considered putting your notes and code somewhere online, such
as GitHub?  It would be a lot easier to get feedback and make public
changes there.

~Griffin

[liberationtech] Gpg4win woes

2013-10-11 Thread Scott Arciszewski
TL;DR - Gpg4win is unusable for the average internet user
==
Okay, I had a hard drive die on me a couple of weeks ago and I just
reinstalled Windows and all the drivers on it last night. This morning when
I was installing software, I thought I'd install gpg4win before Tor Browser
Bundle and see if I could verify the signature since I've heard complaints
that nobody ever does it.

And this is what happened:
https://twitter.com/voodooKobra/status/388611802923139072/photo/1

@r00tcore was kind enough to point out that there is documentation that
basically says "Yes it's OK." Confusing.

So I try it with GPA instead, following the instructions on the attached
documentation. This is what I get:
https://twitter.com/voodooKobra/status/388683362233102336/photo/1

There was no hand-waving in the documentation for this error.

So this leads me to believe one of two things:

1) I've somehow found myself at the top of a nation state actor's hit list
and am actively being targeted by all sorts of attacks (MITM, rogue
certificate, etc.). Or the more likely...

2) I'm doing something terribly wrong, and there is no way for me to figure
out what exactly that is.

I'm relatively sure that I have more patience than an average internet user
(the Facebook addict variant, anyway), and I'm about fed up with it. It's
easier to do gpg from the command line on Linux than to do it from a GUI on
Windows.

Here are the problems I faced when I attempted to perform this simple task:
"Verify the signature on the Tor Browser Bundle."

1. Where is the public key used to verify the signature? I couldn't click
and find this, I had to actually search on Google. I saw a @matthew_d_green
tweet the other day that said something akin to, "Every click of the mouse
loses half of your users," when talking about default settings. The Tor
project links to the signature for each package on the downloads page, but
any reference to their public key is hidden from the public's eye.

2. Kleopatra (the program that pops up when you right click > More GpgEX
options > Verify) was perfectly happy to announce that there was no GPG
data in the .exe when I attempted to verify it directly. While this might
be silly to hackers, users will do this! Adding language that says "Please
make sure you select the signature file, not the message or executable,"
will help move things along. Making a system that intelligently goes, "Oh,
you probably meant file.exe.asc not file.exe, since they're both in the
same folder," even if it asks the user to verify the correction instead of
blindly switching it out, would also be a huge boon for usability.

3. Kleopatra scared me into believing that the signature was invalid, then
documentation told me it was OK. Then GPA told me the signature was bad.
Now I don't know what to believe or what to do next. I've fallen straight
through the cracks.

In closing, if the Tor website was designed to make signature verification
easier, it was much easier to verify packages on Windows from Explorer, and
Kleopatra and GPA used language to help users better troubleshoot issues, I
think asking the average user to verify their packages would be a much less
daunting task.

Since this is long, I'm sticking the TL;DR in the beginning.

Re: [liberationtech] Randomize MAC of Android phone?

2013-10-19 Thread Scott Arciszewski
A quick Google search turned up this:

http://forum.xda-developers.com/showthread.php?t=1385577
https://play.google.com/store/apps/details?id=diewland.changemac&hl=en
http://spartacus.store.aptoide.com/app/market/com.electroteam.macchanger/11/3208464/Mac%20Address%20Changer

I don't know if any of these solutions are trustworthy or good, but it's a
problem that other people have thought about solving before. That's usually
good news.