Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On 01/16/2015 03:19 PM, Al Billings wrote:
> The problem is that I am a practical person who lives in the real world.

*** The real world is something that belongs to the Past, before the discovery of the Quantum, Max Planck's Constant, and the Principle of Uncertainty of Heisenberg. Your religious belief has nothing to do with reality.

Before the car was invented there were people who believed the human body would not resist speeding at 40 mph. Before the plane was invented, there were people who said flying was reserved to things lighter-than-air. Your real world argument belongs to that category of thought, that dismisses reality for the (bad) current state of affairs.

According to that logic, Mozilla should implement DRM and provide backdoors to the NSA, because that's what those people are doing in the real world, and heck, why would you change it? You're rationalizing your position instead of being rational about it.

Yes people should throw away their Apple and Microsoft, and yes they should abandon the idea that global surveillance is acceptable and that security is made by corporations with trade secrets and non-disclosure agreements, and yes they should throw away their cars powered with inefficient fossil fuel engines. That's impractical, but nonetheless true and necessary.

In science it often happens that scientists say, “You know that's a really good argument; my position is mistaken,” and then they would actually change their minds and you never hear that old view from them again. They really do it. It doesn't happen as often as it should, because scientists are human and change is sometimes painful. But it happens every day.
-- Carl Sagan

==
hk

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On 16/01/2015 21:18, carlo von lynX wrote:
> Al, you may want to deviate the discussion towards the 10.000th debate about proprietary vs free software, but the topic here is the impossibility for a U.S. company to deliver what it promises.

My 10 000th comment about this kind of discussion is always the same: js apps inside browsers (or to a certain extent nodejs, ff os), which surprisingly seem to be systematically disconsidered, can solve the application layer issue and related countries specific laws/restrictions, because you cannot hide anything, assuming that you got the right code, which you can check from different third parties.

If Whatsapp was a js app, then it would be easy to see what it is doing, and the XXXMM of users would have been updated already.

If Whatsapp was a js app, then you would not need to rely on a specific package according to your device.

etc... etc...

But you still need to trust: the browsers, the OS, the hw... which is quite a lot...

--
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Fri, Jan 16, 2015 at 10:19:22AM -0800, Al Billings wrote:
> The problem is that I am a practical person who lives in the real world.

The largest, most successful project in the history of computing has been built entirely on open standards, open protocols, open formats, and open source: you're using it right now to read this message. That seems somewhat practical and real world to me.

Meanwhile, the contributions, if I may generously call them that, of the closed-source software vendors of the world constitute in toto a lengthy list of case studies of worst practices in software architecture, design, implementation, and maintenance.

> Telling people “Throw away all of your Apple/Microsoft word processing and often software. Throw away all of your games. Throw away all of the software you bought because you can’t trust any of these.” is going to be met with being ignored or marginalized and with utter derision.

I'm a practical person who lives (and works) in the real world, and I've done so quite well for a very long time without any Apple or Microsoft software. (And of course games are, in the context in which we are operating *here*, entirely superfluous. Nobody is going to bring a free press to Egypt or promote women's rights in China by playing The Sims.)

I haven't used a closed-source piece of software since sometime the last century (SunOS 4.1, if you must know). This wasn't always easy: but it's gotten far easier and continues to get easier every day. It's really quite difficult, in 2015, to identify a computing task which can't be readily accomplished by using open source software. (The problem these days, sometimes, is a plethora of competing alternatives. But that's a nice problem to have.)

I rather expect that in another generation or two the entire obsolete closed-source ecosystem will be viewed as an unfortunate aberration in the evolution of computing. This will happen whether anyone wants it to or not, because it's going to be *necessary* for it to happen in order to ensure privacy, security, and integrity in computation. Anyone who is paying attention and has sufficient background to understand contemporary events can see this happening today, every time there's a discussion about revision histories or deterministic builds or software signing keys or security holes or backdoors/spyware.

And again, *in the context we are in here*, it's absurd to even suggest that closed source software should be on the table for consideration.

> There is a reason Stallman is seen as a crazy wing nut and it isn’t just because he eats his own toe jam.

Those who see Stallman as a crazy wing nut have not been paying attention -- or perhaps lack the analytical capabilities required to comprehend what they observe.

Haven't you noticed? Things that Stallman says which at the time may seem outlandish have a track record of turning out to be quite prescient in good time. It's happened repeatedly. Sometimes it only takes a few years; sometimes it takes decades. But one need only wait and watch -- and possess at least a rudimentary sense of vision.

    The greatest shortcoming of the human race is man's inability to understand the exponential function.
    --- Albert A. Bartlett

Stallman isn't often wrong. He's usually just a bit early, and those who lack the ability to extrapolate simply aren't able to process that.

---rsk

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On 01/16/15 14:52, Cypher wrote:
> On 01/15/2015 11:29 AM, carlo von lynX wrote:
>> On Thu, Jan 15, 2015 at 08:49:31AM -0800, Steve Weis wrote:
>>> Note you said users will never know if e2e is being used, but as Moxie says we'll be surfacing this into the UI of upgraded clients.
>>
>> There is a systemic legal problem by which neither Facebook, nor Whatsapp, nor Textsecure nor Moxie are in a position to guarantee that whatever is surfaced into the UI actually means what it says.
>
> I was under the impression that the government couldn't make you actively lie to someone. For example, if I have a message on my page that says we do not collect any user data and the government makes me collect data on an existing user, that's acceptable. But they could not stop me from changing that sign and force me to lie. I'd assume that would be the case with WhatsApp. Once the visuals are surfaced, each new encrypted connection would be forcing the service to actively tell a lie, which, as I understand it, isn't legal. Of course, IINAL so I don't know.

I would like to give a concrete example of commandeering. Something that happened yesterday.

I've been saying for a while now that Twitter has been commandeered. There's a great deal of circumstantial evidence pointing this way. I documented my research last March, here:

https://medium.com/@toholdaquill/how-the-military-uses-twitter-sock-puppets-to-control-debate-and-suppress-dissent-a4ccba1e6f05

Be sure to read the footnote about @Asher_Wolf.

Then yesterday, I logged into Twitter, posted a couple of tweets, and realized that my outgoing tweets had been hacked to include a *different* image than my profile image. The image of a gun:

https://twitter.com/toholdaquill/status/556102312494915586

Now, you could argue that someone must have stolen my password and replaced my profile image. But that never happened. My profile photo never changed. Only my outgoing tweets contained a different profile image. To the best of my knowledge, it is not possible for Twitter users to maintain two different profile images at the same time.

Additionally, the only operating systems I use are Qubes and Tails. That doesn't make my end points impregnable, but it makes opportunistic hacks rather unlikely.

What does this mean? Either:

1) I am a complete liar / fraud / charlatan making this up to annoy everyone (because why?)

or

2) Something like this happened:

https://firstlook.org/theintercept/2014/02/24/jtrig-manipulation/

Remember?

    Change their photos on social networking sites

Now here's the rub: the Twitter API does not include an optional second profile image parameter. At least not publicly. See:

https://dev.twitter.com/rest/reference/post/statuses/update

Which means that, at the point of a court order / gun, Twitter has been coerced into putting that parameter into their code, and giving API keys to a thug who works for the FBI / CIA / NSA.

And the funny thing? If they were trying to scare me, they failed. All they've done is make me angry.

JMP

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
Hi,

Why would anyone bother to change your Twitter image? What do they gain from that?

-- Matt Johnson

On Sat, Jan 17, 2015 at 9:00 AM, J.M. Porup j...@porup.com wrote:
> On 01/16/15 14:52, Cypher wrote:
>> On 01/15/2015 11:29 AM, carlo von lynX wrote:
>>> On Thu, Jan 15, 2015 at 08:49:31AM -0800, Steve Weis wrote:
>>>> Note you said users will never know if e2e is being used, but as Moxie says we'll be surfacing this into the UI of upgraded clients.
>>>
>>> There is a systemic legal problem by which neither Facebook, nor Whatsapp, nor Textsecure nor Moxie are in a position to guarantee that whatever is surfaced into the UI actually means what it says.
>>
>> I was under the impression that the government couldn't make you actively lie to someone. For example, if I have a message on my page that says we do not collect any user data and the government makes me collect data on an existing user, that's acceptable. But they could not stop me from changing that sign and force me to lie. I'd assume that would be the case with WhatsApp. Once the visuals are surfaced, each new encrypted connection would be forcing the service to actively tell a lie, which, as I understand it, isn't legal. Of course, IINAL so I don't know.
>
> I would like to give a concrete example of commandeering. Something that happened yesterday.
>
> I've been saying for a while now that Twitter has been commandeered. There's a great deal of circumstantial evidence pointing this way. I documented my research last March, here:
>
> https://medium.com/@toholdaquill/how-the-military-uses-twitter-sock-puppets-to-control-debate-and-suppress-dissent-a4ccba1e6f05
>
> Be sure to read the footnote about @Asher_Wolf.
>
> Then yesterday, I logged into Twitter, posted a couple of tweets, and realized that my outgoing tweets had been hacked to include a *different* image than my profile image. The image of a gun:
>
> https://twitter.com/toholdaquill/status/556102312494915586
>
> Now, you could argue that someone must have stolen my password and replaced my profile image. But that never happened. My profile photo never changed. Only my outgoing tweets contained a different profile image. To the best of my knowledge, it is not possible for Twitter users to maintain two different profile images at the same time.
>
> Additionally, the only operating systems I use are Qubes and Tails. That doesn't make my end points impregnable, but it makes opportunistic hacks rather unlikely.
>
> What does this mean? Either:
>
> 1) I am a complete liar / fraud / charlatan making this up to annoy everyone (because why?)
>
> or
>
> 2) Something like this happened:
>
> https://firstlook.org/theintercept/2014/02/24/jtrig-manipulation/
>
> Remember?
>
>     Change their photos on social networking sites
>
> Now here's the rub: the Twitter API does not include an optional second profile image parameter. At least not publicly. See:
>
> https://dev.twitter.com/rest/reference/post/statuses/update
>
> Which means that, at the point of a court order / gun, Twitter has been coerced into putting that parameter into their code, and giving API keys to a thug who works for the FBI / CIA / NSA.
>
> And the funny thing? If they were trying to scare me, they failed. All they've done is make me angry.
>
> JMP

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On 01/17/2015 02:24 PM, Matt Johnson wrote:
> Hi, Why would anyone bother to change your Twitter image? What do they gain from that?

*** Confusion, diversion of attention. That's enough. If one spends 5 seconds doing it and 3 spend 5 minutes chatting about it, that's already valuable, isn't it?

==
hk

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On 01/17/15 12:24, Matt Johnson wrote:
> Hi, Why would anyone bother to change your Twitter image? What do they gain from that?

Intimidation.

https://firstlook.org/theintercept/2014/02/24/jtrig-manipulation/

JMP

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Jan 17, 2015, at 3:08 AM, Aymeric Vitte vitteayme...@gmail.com wrote:
> My 10 000th comment about this kind of discussion is always the same: js apps inside browsers (or to a certain extent nodejs, ff os), which surprisingly seem to be systematically disconsidered, can solve the application layer issue and related countries specific laws/restrictions, because you cannot hide anything, assuming that you got the right code, which you can check from different third parties.

This is exactly what Firefox OS does. It’s also an open source project. I’m surprised more of the folks here aren’t involved in contributing to it. Hell, you can run it on a Raspberry Pi or any of the smaller devices as well with a little work, not just phones.

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Thu, Jan 15, 2015 at 02:46:56PM -0800, Al Billings wrote:
>> I thought software freedom and access to the source code was considered a requirement for considering a system secure.
>
> According to whom? I think open source (I’ll leave aside whether “open source” is “free software”) is ideal but it is not the only thing worth discussing. Otherwise, we wouldn’t be discussing most mobile applications.

According to me, among others.

Open source is not merely ideal, open source is MANDATORY. It is not sufficient, of course, but it is necessary. All closed-source software not only may be, but *must be* immediately dismissed as unsuitable for use, with prejudice, as it and anyone pushing it are both unworthy of any further discussion. (Except, perhaps, as examples of fraud.) Please read:

https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007499.html

Yes, this does mean that most mobile applications are (at best) worthless crap. Some of them, no doubt, have been backdoored deliberately. (Why not? It's just good business. [1]) Others likely have gaping security and privacy holes that will remain largely undiscovered *except* for those with access to the source code, which I hope everyone here realizes probably includes any intelligence agency that can trouble itself to make the effort to acquire it. (It would be extremely naive and appallingly stupid to suggest otherwise.)

Of course, their resources, while quite large, are still finite so I'm sure not everything attracts their attention: but certainly anything usable/popular enough to matter will be swept up in due course and subjected to analysis. Such analysis may be shared (as we've seen) and may lead to active attempts to exploit the application, which will, given the available expertise, probably succeed.

---rsk

[1] Just like this is good business: http://www.propublica.org/article/zombie-cookie-the-tracking-cookie-that-you-cant-kill

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Jan 16, 2015, at 2:07 AM, Rich Kulawiec r...@gsp.org wrote:
> Open source is not merely ideal, open source is MANDATORY. It is not sufficient, of course, but it is necessary. All closed-source software not only may be, but *must be* immediately dismissed as unsuitable for use, with prejudice, as it and anyone pushing it are both unworthy of any further discussion. (Except, perhaps, as examples of fraud.)

The problem is that I am a practical person who lives in the real world.

Telling people “Throw away all of your Apple/Microsoft word processing and often software. Throw away all of your games. Throw away all of the software you bought because you can’t trust any of these.” is going to be met with being ignored or marginalized and with utter derision.

There is a reason Stallman is seen as a crazy wing nut and it isn’t just because he eats his own toe jam.

Yes, there are people that will only run open source software. Then there is the other 99.999% of the human race. *Those* are the people that need to be helped.

Al

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
Except for the totally unacceptable way you are speaking of a human being here, you aren't saying anything which is incompatible with what I said... so will you return on topic or do you want to produce the impression the Whatsapp issue is about proprietary software in general, which it isn't?

On Fri, Jan 16, 2015 at 10:19:22AM -0800, Al Billings wrote:
> The problem is that I am a practical person who lives in the real world.
>
> Telling people “Throw away all of your Apple/Microsoft word processing and often software. Throw away all of your games. Throw away all of the software you bought because you can’t trust any of these.” is going to be met with being ignored or marginalized and with utter derision.
>
> There is a reason Stallman is seen as a crazy wing nut and it isn’t just because he eats his own toe jam.
>
> Yes, there are people that will only run open source software. Then there is the other 99.999% of the human race. *Those* are the people that need to be helped.

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Jan 16, 2015, at 10:43 AM, carlo von lynX l...@time.to.get.psyced.org wrote:
> so will you return on topic or do you want to produce the impression the Whatsapp issue is about proprietary software in general, which it isn't?

The Whatsapp “issue” was addressed at least 15 messages ago.

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On 01/15/2015 11:29 AM, carlo von lynX wrote:
> On Thu, Jan 15, 2015 at 08:49:31AM -0800, Steve Weis wrote:
>> Note you said users will never know if e2e is being used, but as Moxie says we'll be surfacing this into the UI of upgraded clients.
>
> There is a systemic legal problem by which neither Facebook, nor Whatsapp, nor Textsecure nor Moxie are in a position to guarantee that whatever is surfaced into the UI actually means what it says.

I was under the impression that the government couldn't make you actively lie to someone. For example, if I have a message on my page that says we do not collect any user data and the government makes me collect data on an existing user, that's acceptable. But they could not stop me from changing that sign and force me to lie. I'd assume that would be the case with WhatsApp. Once the visuals are surfaced, each new encrypted connection would be forcing the service to actively tell a lie, which, as I understand it, isn't legal. Of course, IINAL so I don't know.

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
Al, you may want to deviate the discussion towards the 10.000th debate about proprietary vs free software, but the topic here is the impossibility for a U.S. company to deliver what it promises.

Should the U.S. develop an interest in regaining international trust, they would need to remove several inappropriate laws plus improve the separation of powers. The U.S. is one of the world's oldest democracies and it shows, centuries of special interest politics have convoluted it - most Americans I meet tell me it actually isn't a democracy. I don't like hearing that. And I don't like the influence it is exercising on younger democracies. And New York City will never go back to being as cool as it was in the 80s.

On Fri, Jan 16, 2015 at 01:52:57PM -0600, Cypher wrote:
> I was under the impression that the government couldn't make you actively lie to someone. For example, if I have a message on my page that says we do not collect any user data and the government makes me collect data on an existing user, that's acceptable. But they could not stop me from changing that sign and force me to lie. I'd assume that would be the case with WhatsApp. Once the visuals are surfaced, each new encrypted connection would be forcing the service to actively tell a lie, which, as I understand it, isn't legal. Of course, IINAL so I don't know.

I remember reading or hearing that upon reception of an NSL you are not supposed to batter an eye and change anything about the way you interact with the public. Also, your legal theory doesn't match up with what was said in Caspar Bowden's presentation.

It's also not at all obvious, that the NSA would openly confront the leadership of a company. If there is any suitable technology administrator, they can require her to cooperate without anyone else in the company knowing - this is in fact very advantageous for the NSA, since they can consult their own data bases for suitable people: not very strong ethically, possibly with documented sins the NSA can blackmail them with.

And then there's also the option of accessing the infrastructure the company is using, for instance by controlling the hosts that run any rented VPS systems - but that is unlikely the scenario in the case of Whatsapp. That's more the type of approach they need to use with servers located outside the U.S.

That is why the theories the Google employees are exchanging among each other are humbug. Of course the NSA can have a backdoor in order to consult Google data bases and make it look like random Gmail traffic. You may find it funny, but apparently employees at Google want to believe PRISM can't possibly have happened. Anything that serves as an excuse to legitimize staying in that company, earning all that money.

I haven't said anything new, just reflecting what I picked up since those dramatic days in June.

--
http://youbroketheinternet.org
ircs://psyced.org/youbroketheinternet

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Jan 16, 2015, at 12:18 PM, carlo von lynX l...@time.to.get.psyced.org wrote:
> Al, you may want to deviate the discussion towards the 10.000th debate about proprietary vs free software, but the topic here is the impossibility for a U.S. company to deliver what it promises.

And I asked, and got no answer, as to which nation a company could be in and not be just as potentially compromised. I’m still waiting for a substantive answer.

Al

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Jan 16, 2015, at 12:18 PM, carlo von lynX l...@time.to.get.psyced.org wrote:
> You may find it funny, but apparently employees at Google want to believe PRISM can't possibly have happened. Anything that serves as an excuse to legitimize staying in that company, earning all that money.

I also see a fundamental hostility here by some list members to people that work in Silicon Valley. I’m curious as to what they think acceptable employment is? Only certain free software companies?

Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Fri, Jan 16, 2015 at 01:37:12PM -0800, Al Billings wrote:

> On Jan 16, 2015, at 12:18 PM, carlo von lynX l...@time.to.get.psyced.org wrote:
>
> > Al, you may want to deviate the discussion towards the 10.000th debate about proprietary vs free software, but the topic here is the impossibility for a U.S. company to deliver what it promises.
>
> And I asked, and got no answer, as to which nation a company could be in and not be just as potentially compromised. I’m still waiting for a substantive answer.
>
> Al

I did see two answers earlier, Iceland and Switzerland. There are many other countries besides those two where it also seems very unlikely that companies would be subjected to the sort of legal orders that we now know US companies routinely receive.

That obviously doesn't mean that TAO or GCHQ's equivalent won't try to compromise them without their knowledge, but that approach is obviously much riskier and less reliable than the legal means used in the US.

As to the proprietary software issue, while I personally recommend using only free software, at least one of the solutions to the problem of targeted malicious software updates applies equally well to both: record hashes of all released binaries in a decentralized append-only log so that users can at least be reasonably sure that they're running the same thing as everyone else. (There are several efforts underway in this direction.)

~leif
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Jan 16, 2015, at 2:07 PM, Leif Ryge l...@synthesize.us wrote:

> I did see two answers earlier, Iceland and Switzerland. There are many other countries besides those two where it also seems very unlikely that companies would be subjected to the sort of legal orders that we now know US companies routinely receive.
>
> That obviously doesn't mean that TAO or GCHQ's equivalent won't try to compromise them without their knowledge, but that approach is obviously much riskier and less reliable than the legal means used in the US.

What makes you think Iceland and Switzerland don’t have security and intelligence services that could have legal orders issued or that occasionally cooperate internationally with other organizations? Is it simply because Wikileaks managed to be in Iceland for quite a while?

Al
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Fri, Jan 16, 2015 at 02:12:38PM -0800, Al Billings wrote:

> On Jan 16, 2015, at 2:07 PM, Leif Ryge l...@synthesize.us wrote:
>
> > I did see two answers earlier, Iceland and Switzerland. There are many other countries besides those two where it also seems very unlikely that companies would be subjected to the sort of legal orders that we now know US companies routinely receive.
> >
> > That obviously doesn't mean that TAO or GCHQ's equivalent won't try to compromise them without their knowledge, but that approach is obviously much riskier and less reliable than the legal means used in the US.
>
> What makes you think Iceland and Switzerland don’t have security and intelligence services that could have legal orders issued or that occasionally cooperate internationally with other organizations? Is it simply because Wikileaks managed to be in Iceland for quite a while?
>
> Al

Secret orders requiring technology companies to help spy on their customers are unheard of in many countries, and something that would cause significant public outrage were they found to exist, but they're something we've known about in the US for at least a decade (long before Snowden or Wikileaks).

I'm sure similar orders exist in places where we don't know about them, but given the possibility of leaks that each secret order entails I maintain that it seems unlikely it's happening on a large scale in places like Iceland.

But, given that we can't prove that negative, it is obviously necessary to remove single-points-of-failure in our software distribution systems. Deterministic builds (with independent signers of each build in many legal jurisdictions) and recording releases in public append-only logs (with notaries in many different legal jurisdictions) are the two ways that I know how to solve this problem. Either is good, and doing both would be better.

Hopefully in a few years everything will work that way. Probably the NSA will try to sabotage some standards along the way, but I'm optimistic that they'll fail.

However, until that reality exists, where we don't need to rely on (trust) single entities to authenticate our software updates, I think preferring to rely on 3rd parties in non-US countries is hardly unreasonable.

~leif
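The two mechanisms named in the messages above (hashes of released binaries in an append-only log, and deterministic builds attested by independent builders), sketched as an added example that is not part of the original posts or any project's code. The Merkle hashing follows the RFC 6962 style with a simplified proof format; builder names, the quorum value, the entry format and the sample binaries are constructed assumptions, and builder attestations are assumed to be already authenticated.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Proof = List[Tuple[bytes, bool]]  # (sibling hash, sibling is the left child)

def leaf_hash(entry: bytes) -> bytes:
    # Leaves (0x00) and interior nodes (0x01) are domain-separated, as in RFC 6962.
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly smaller than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves: List[bytes]) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: List[bytes], index: int) -> Proof:
    """Sibling hashes on the path from leaf `index` up to the root."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(merkle_root(leaves[k:]), False)]
    return inclusion_proof(leaves[k:], index - k) + [(merkle_root(leaves[:k]), True)]

def verify_inclusion(entry: bytes, proof: Proof, root: bytes) -> bool:
    h = leaf_hash(entry)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root

class ReleaseLog:
    """Log of release entries; append() is the only mutation it offers."""
    def __init__(self) -> None:
        self._leaves: List[bytes] = []

    def append(self, entry: bytes) -> int:
        self._leaves.append(leaf_hash(entry))
        return len(self._leaves) - 1

    def root(self) -> bytes:
        return merkle_root(self._leaves)

    def prove(self, index: int) -> Proof:
        return inclusion_proof(self._leaves, index)

    def leaf_hashes(self) -> List[bytes]:
        return list(self._leaves)

def release_entry(version: str, binary: bytes) -> bytes:
    # Assumed entry format: "<version> <sha256 hex of the binary>".
    return f"{version} {hashlib.sha256(binary).hexdigest()}".encode()

def agreed_digest(attestations: Dict[str, str], quorum: int) -> Optional[str]:
    """Digest every builder reported, provided at least `quorum` builders did.
    Builds are deterministic, so one dissenting builder is itself the alarm."""
    digests = set(attestations.values())
    if len(attestations) < quorum or len(digests) != 1:
        return None
    return digests.pop()

def notary_sees_extension(old_size, old_root, mirrored) -> bool:
    """A notary holding a mirror checks that old history was not rewritten."""
    return len(mirrored) >= old_size and merkle_root(mirrored[:old_size]) == old_root

def client_accepts(binary, version, attestations, quorum, proof, root) -> bool:
    """Accept a binary only if the builders and the public log both vouch for it."""
    digest = hashlib.sha256(binary).hexdigest()
    if agreed_digest(attestations, quorum) != digest:
        return False
    return verify_inclusion(release_entry(version, binary), proof, root)

def build_sample_log():
    """Constructed sample data: five releases of a made-up client."""
    log = ReleaseLog()
    binaries = {f"1.{i}": f"constructed client build 1.{i}".encode() for i in range(5)}
    for version, binary in binaries.items():
        log.append(release_entry(version, binary))
    return log, binaries
```

A binary served to only one user fails `client_accepts` even when the attestations are forged to match it, because its hash is absent from the log that everyone else sees.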
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On 01/15/2015 09:07 PM, Al Billings wrote:

> You said that I was a “compatriot of that service”

*** Oh, sorry, I thought you were a U.S. citizen.

==
hk
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
Hello Carlo. This is about backward compatibility. WhatsApp is running on hundreds of millions of iOS, Android, Windows, Blackberry and Nokia phones. There are even people using it on 8 year old Java ME feature phones. It's not feasible to simultaneously upgrade their installed apps to support end-to-end crypto at once.

Upgrading all those clients takes time and there will be a significant fraction of non-e2e clients for a while. Until enough clients are upgraded, senders will need to distinguish which receivers support end-to-end encryption and will need to retain the ability to fall back to transport-only encryption.

The original message https://moderncrypto.org/mail-archive/messaging/2014/001133.html you cited by Nadim Kobeissi mentions this:

> Upgrading [old WhatsApps] clients to Axolotl might be challenging.

Moxie Marlinspike also addresses it in one of the replies https://moderncrypto.org/mail-archive/messaging/2014/001140.html:

*Clients need to negotiate encryption capability until all clients support encryption. We'll be surfacing this into the UI for each client once protocol support is complete on that client. Rolling something like this out to 600MM+ devices is an incremental process that takes time.*

Note you said users will never know if e2e is being used, but as Moxie says we'll be surfacing this into the UI of upgraded clients.

On Thu, Jan 15, 2015 at 5:26 AM, carlo von lynX l...@time.to.get.psyced.org wrote:

> Concerning Whatsapp there is a very interesting clue in a thread on messaging that suggests users will never know if end-to-end encryption is being used, since the server decides whether they are allowed to, and the user is not informed. Knowing the NSA that means that Whatsapp would never encrypt anything end-to-end. Whatsapp should therefore be considered a Trojan horse for people seeking easy to use privacy. Read about that at
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Thu, Jan 15, 2015 at 08:49:31AM -0800, Steve Weis wrote:

> Note you said users will never know if e2e is being used, but as Moxie says we'll be surfacing this into the UI of upgraded clients.

There is a systemic legal problem by which neither Facebook, nor Whatsapp, nor Textsecure nor Moxie are in a position to guarantee that whatever is surfaced into the UI actually means what it says.

Still, as long as these systems are operating from U.S. American ground, the current legal situation is such that the President of the U.S. has under the U.S. Constitution the sole and final power of deciding whether companies and individuals in these companies get to implement anything they would like to implement, or not. [1] And the services we have been hearing about a lot operate under direct executive mandate of the POTUS.

So, I again express respect to Moxie and everyone involved for trying to improve the lives of everyday users, but I see a terrible risk in promoting any such technology considering the NSA's track record on making use of its given privileges. The chances this is actually happening can only be considered minimal.

It would take millions of people running independently built clients from source code, and a credible procedure thereof - only then would a hindrance for the NSA exist to exercise its privileges. As we are by now familiar with its inner workings and strategies, the agency will intervene in the process early enough to impede anything like this from happening.

Prove me wrong. Give us a way to reproduce the exact client millions of humans are relying on, from source code. And make that information arise to the UI surface. Then we will know that Whatsapp and TextSecure are doing the right thing, and we will have to continue worrying about Google and Apple (the NSA may choose to pick up the TextSecure ratchets or private keys via Android/iOS backdoors).

[1] Caspar Bowden, 31c3, http://cdn.media.ccc.de/congress/2014/webm-sd/31c3-6195-en-The_Cloud_Conspiracy_2008-2014_webm-sd.webm.torrent

--
http://youbroketheinternet.org ircs://psyced.org/youbroketheinternet
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
Actually, you also need to have source code for the compilers used and the compiler's compilers...

And that ignores the use of hardware trojans.

On 01/15/2015 12:29 PM, carlo von lynX wrote:

> On Thu, Jan 15, 2015 at 08:49:31AM -0800, Steve Weis wrote:
>
> > Note you said users will never know if e2e is being used, but as Moxie says we'll be surfacing this into the UI of upgraded clients.
>
> There is a systemic legal problem by which neither Facebook, nor Whatsapp, nor Textsecure nor Moxie are in a position to guarantee that whatever is surfaced into the UI actually means what it says.
>
> Still, as long as these systems are operating from U.S. American ground, the current legal situation is such that the President of the U.S. has under the U.S. Constitution the sole and final power of deciding whether companies and individuals in these companies get to implement anything they would like to implement, or not. [1] And the services we have been hearing about a lot operate under direct executive mandate of the POTUS.
>
> So, I again express respect to Moxie and everyone involved for trying to improve the lives of everyday users, but I see a terrible risk in promoting any such technology considering the NSA's track record on making use of its given privileges. The chances this is actually happening can only be considered minimal.
>
> It would take millions of people running independently built clients from source code, and a credible procedure thereof - only then would a hindrance for the NSA exist to exercise its privileges. As we are by now familiar with its inner workings and strategies, the agency will intervene in the process early enough to impede anything like this from happening.
>
> Prove me wrong. Give us a way to reproduce the exact client millions of humans are relying on, from source code. And make that information arise to the UI surface. Then we will know that Whatsapp and TextSecure are doing the right thing, and we will have to continue worrying about Google and Apple (the NSA may choose to pick up the TextSecure ratchets or private keys via Android/iOS backdoors).
>
> [1] Caspar Bowden, 31c3, http://cdn.media.ccc.de/congress/2014/webm-sd/31c3-6195-en-The_Cloud_Conspiracy_2008-2014_webm-sd.webm.torrent
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Jan 15, 2015, at 11:20 AM, J.M. Porup j...@porup.com wrote:

> On 01/15/15 13:45, Al Billings wrote:
>
> > Insisting that we both can and cannot (at the same time) trust people like Moxie simply because they live in the USA and the NSA exists is stupid. I don’t see a suggestion of what jurisdiction the author thinks people can live within where there won’t be the same issues. From there, the list of demands gets rather high and the list of solutions non-existent.
> >
> > I’m well aware of the Snowden revelations. I’m also well aware that people like Moxie are doing good work to try to counter some of the NSA grabs of Internet data. The post read like crazy person FUD.
> >
> > Which country should people be in where the government isn’t going to try to potentially legally compel them to do things or spy on their communications? Where is your utopia of freedom?
>
> There is no utopia of freedom. But we can avoid the dystopia of tyranny the United States is rapidly becoming.

By going where? Please do say.
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
Good point, it's unfair to isolate out just the US. Seems like some other nations viewed the Snowden disclosures as prescriptive or aspirational, or were already aligned. Britain, for instance! So tragic what's happening there.

There are some countries where the respect for individual sovereignty seems a bit more integral - Switzerland, Iceland perhaps - where government efforts to compel private actors within their borders to compromise security seem unlikely, and where business models typically seem less surveillance-based. But that's a pretty weak foundation, I concede. It's just the US has become such an embarrassingly good example of this.

Brian

On Thu, 15 Jan 2015, Al Billings wrote:

> So, which countries exist where we *can* trust the binaries when they’re made within them?
>
> On Jan 15, 2015, at 10:38 AM, Brian Behlendorf br...@behlendorf.com wrote:
>
> > Sadly, given what we know about the current state of play and the actors involved (state-based, non-state, ad-tech companies, etc) it's sadly the case that we can't trust binaries made in the US if the public can't reproduce the build from source.
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
Centralization is the problem.

If we assume that all centralized software has been commandeered (as we should), I would rather see that commandeering evenly distributed around the world, competing against each other, than concentrated into the vile, toxic stew that is Silicon Valley in the US.

On 01/15/15 14:44, Al Billings wrote:

> You’re avoiding the question. Please name a nation state in which software can be produced which isn’t subject to the kind of legal pressures or potential requirements as the USA when it comes to national security, spying, and the like. Russia? Nope. The UK? Nope. Germany? Nope. I could go on.
>
> So, since you can’t trust any software (so you say) produced in the USA, rather than just making snide comments about “Merkans,” please tell us which nation will not have these problems so we can all make our software there.
>
> On Jan 15, 2015, at 11:41 AM, J.M. Porup j...@porup.com wrote:
>
> > I know it's hard for some Merkans to understand, but there is this magical place called Rest of the World. There are even parts you haven't bombed yet! You might try there.
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
Not by going elsewhere. By changing the direction and/or leadership of the country. I'd like to go back toward the direction of land of the free and home of the brave instead of a place where it's illegal to buy a Big Gulp and it's considered unfair that I work my butt off and earn a lot of money because people who don't want to work aren't satisfied with the level of food stamps they receive or the brand of free cell phone they get from a free government program.

ALSO, a place where my last sentence wouldn't be considered racist. It's ridiculous that my 13 year old son feels compelled to apologize every time he uses the word black, even when he's describing the color of a kitchen appliance.

Sorry, not tech related, but I had to chime in.

Aloha!

On 1/15/2015 9:25 AM, Al Billings wrote:

> On Jan 15, 2015, at 11:20 AM, J.M. Porup j...@porup.com wrote:
>
> > On 01/15/15 13:45, Al Billings wrote:
> >
> > > Insisting that we both can and cannot (at the same time) trust people like Moxie simply because they live in the USA and the NSA exists is stupid. I don’t see a suggestion of what jurisdiction the author thinks people can live within where there won’t be the same issues. From there, the list of demands gets rather high and the list of solutions non-existent.
> > >
> > > I’m well aware of the Snowden revelations. I’m also well aware that people like Moxie are doing good work to try to counter some of the NSA grabs of Internet data. The post read like crazy person FUD.
> > >
> > > Which country should people be in where the government isn’t going to try to potentially legally compel them to do things or spy on their communications? Where is your utopia of freedom?
> >
> > There is no utopia of freedom. But we can avoid the dystopia of tyranny the United States is rapidly becoming.
>
> By going where? Please do say.
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On 01/15/15 14:25, Al Billings wrote:

> On Jan 15, 2015, at 11:20 AM, J.M. Porup j...@porup.com wrote:
>
> > On 01/15/15 13:45, Al Billings wrote:
> >
> > > Insisting that we both can and cannot (at the same time) trust people like Moxie simply because they live in the USA and the NSA exists is stupid. I don’t see a suggestion of what jurisdiction the author thinks people can live within where there won’t be the same issues. From there, the list of demands gets rather high and the list of solutions non-existent.
> > >
> > > I’m well aware of the Snowden revelations. I’m also well aware that people like Moxie are doing good work to try to counter some of the NSA grabs of Internet data. The post read like crazy person FUD.
> > >
> > > Which country should people be in where the government isn’t going to try to potentially legally compel them to do things or spy on their communications? Where is your utopia of freedom?
> >
> > There is no utopia of freedom. But we can avoid the dystopia of tyranny the United States is rapidly becoming.
>
> By going where? Please do say.

I know it's hard for some Merkans to understand, but there is this magical place called Rest of the World. There are even parts you haven't bombed yet! You might try there.

JMP
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
Insisting that we both can and cannot (at the same time) trust people like Moxie simply because they live in the USA and the NSA exists is stupid. I don’t see a suggestion of what jurisdiction the author thinks people can live within where there won’t be the same issues. From there, the list of demands gets rather high and the list of solutions non-existent.

I’m well aware of the Snowden revelations. I’m also well aware that people like Moxie are doing good work to try to counter some of the NSA grabs of Internet data. The post read like crazy person FUD.

Which country should people be in where the government isn’t going to try to potentially legally compel them to do things or spy on their communications? Where is your utopia of freedom?

On Jan 15, 2015, at 10:30 AM, hellekin helle...@gnu.org wrote:

> On 01/15/2015 02:35 PM, Al Billings wrote:
>
> > Pull that tinfoil hat a little tighter.
>
> *** Aren't the Snowden leaks enough? What else do you need really? Then go visit the GNU.org section on Malware. Deflecting legitimate criticism with such a tongue-in-cheek comment is not going to change the fact that the USA have been led by tricksters doing whatever in their power to confuse their and other countries' citizens in order to serve the short term and strategic interests of the military industrial complex, with impunity and a complete lack of touch with reality and ethics. If by now this is not clear to you, you're delusional or a part of that system.
>
> You can certainly criticize lynX's hard position if you like, but dismissing its criticism as lunatic is entirely on you. Frankly, having a security person from Mozilla do this is a bit staggering.
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On 01/15/2015 02:35 PM, Al Billings wrote:

> Pull that tinfoil hat a little tighter.

*** Aren't the Snowden leaks enough? What else do you need really? Then go visit the GNU.org section on Malware. Deflecting legitimate criticism with such a tongue-in-cheek comment is not going to change the fact that the USA have been led by tricksters doing whatever in their power to confuse their and other countries' citizens in order to serve the short term and strategic interests of the military industrial complex, with impunity and a complete lack of touch with reality and ethics. If by now this is not clear to you, you're delusional or a part of that system.

You can certainly criticize lynX's hard position if you like, but dismissing its criticism as lunatic is entirely on you. Frankly, having a security person from Mozilla do this is a bit staggering.

==
hk
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
So, which countries exist where we *can* trust the binaries when they’re made within them?

On Jan 15, 2015, at 10:38 AM, Brian Behlendorf br...@behlendorf.com wrote:

> Sadly, given what we know about the current state of play and the actors involved (state-based, non-state, ad-tech companies, etc) it's sadly the case that we can't trust binaries made in the US if the public can't reproduce the build from source.
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Thu, 2015-01-15 at 11:44 -0800, Al Billings wrote:

> You’re avoiding the question. Please name a nation state in which software can be produced which isn’t subject to the kind of legal pressures or potential requirements as the USA when it comes to national security, spying, and the like. Russia? Nope. The UK? Nope. Germany? Nope. I could go on.

Hell, none of these choices even get you out from under the NSA's thumb, despite being off USA soil.

If you are a communications company with a non-trivial number of users, you will be a target of multiple national security organizations. If you don't have the capability to do regular CIA-level background checks on all your employees and contributors, you can be infiltrated.

--
Mathematics is the supreme nostalgia of our time.
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Thu, Jan 15, 2015 at 12:50:41PM -0500, Richard Brooks wrote:

> Actually, you also need to have source code for the compilers used and the compiler's compilers...

Yes, we have those. We have systems completely produced from source and others that are working on complete reproducibility.

> And that ignores the use of hardware trojans.

No, it puts things in perspective. Hardware backdoors I think are more likely to be suitable for targeted surveillance, not mass surveillance. Targeted surveillance is not a problem for democracy as much as bulk surveillance, so I consider that progress.

Also having to bring backdoors down into the hardware drives up the cost of surveillance. That is good. Surveillance must be expensive if we want democracy to prevail.
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Thu, 15 Jan 2015, carlo von lynX wrote:

> On Thu, Jan 15, 2015 at 12:50:41PM -0500, Richard Brooks wrote:
>
> > Actually, you also need to have source code for the compilers used and the compiler's compilers...
>
> Yes, we have those. We have systems completely produced from source and others that are working on complete reproducibility.

If anyone would like a decent intro and overview of why this is important and what the current state is, Mike Perry's and Seth Schoen's presentation from CCC is worth the time:

http://media.ccc.de/browse/congress/2014/31c3_-_6240_-_en_-_saal_g_-_201412271400_-_reproducible_builds_-_mike_perry_-_seth_schoen_-_hans_steiner.html#video

Sadly, given what we know about the current state of play and the actors involved (state-based, non-state, ad-tech companies, etc) it's sadly the case that we can't trust binaries made in the US if the public can't reproduce the build from source. This is tragic both for users and for US firms in this space. This is not tinfoil-hat terrain.

The good news is every incremental step towards that goal - reproducible builds from public source - brings some benefit. So no need to be cynical or feel helpless. Axolotl seems like a good first step; maybe it'll be a gateway drug to ChatSecure.

Brian
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Thu, Jan 15, 2015 at 10:45:16AM -0800, Al Billings wrote:

> Insisting that we both can and cannot (at the same time) trust people like Moxie simply because they live in the USA and the NSA exists is stupid.

You are free to trust him to spend a night at your home. I would if he was my friend, but I never met him. Yet the word trust in politics is the root of most evil, and to entrust a person with the responsibility for millions of people whose civil rights may be respected or infringed without them even finding out.. well, that is more than trust. That is irresponsible towards all involved people, including Moxie.

> I don’t see a suggestion of what jurisdiction the author thinks people can live within where there won’t be the same issues.

Similar issues, at times, but not the same. Like Germany has this rule that secret service wants access if you're a communications provider for more than 9'999 users (if I was told correctly). But the way that law is written it would not allow the secret service to impose on the company not to deliver end-to-end encryption to the users. The way laws do not apply on this topic is specific to the U.S., shared only with non-democratic regimes. Only the U.S. Supreme Court or an amendment to the Constitution could rectify the power balance between citizen and president in this matter. [1]

You and I know, that no binary distribution should be trusted, no matter where on Earth it was compiled. But that is not a point of view the general public is ready to adopt. The mainstream press and the majority of people out there still believe that companies can have an ethos, can actually do what they market, and that proprietary software could possibly be trustworthy - at least as long as the press says good things about it.

To these people it is no viable argumentation to say, you must only use free software (I say that all the time), but it does mean something to them to find out that the laws are such that the promises a company is making are 1. irrelevant and 2. have to be deceptive because that is what is expected from them. That *is* news.

At least in other countries this kind of behavior is ILLEGAL. We don't know if it's not happening, but at least it could get some people in trouble if they got caught with their hands in the pudding.

> Which country should people be in where the government isn’t going to try to potentially legally compel them to do things or spy on their communications? Where is your utopia of freedom?

Utopia is nowhere. But you as a U.S. citizen are better off in most democratic countries on Earth: not only do almost all countries respect your civil rights even if you're a foreigner (The U.S. is the only country that treats foreigners as vegetables by law [1]. Other countries at least infringe their own laws when they do this.) Plus, by leaving the U.S. the NSA is still supposed to not spy on you, so it needs the GCHQ to take care of that. It may be hard to prove, but I believe GCHQ is breaching its laws when it does that favor to the U.S.

There are more reasons why some countries qualify as less bad but I prefer not to elaborate.

[1] as before

--
http://youbroketheinternet.org ircs://psyced.org/youbroketheinternet
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On Jan 15, 2015, at 2:33 PM, hellekin helle...@gnu.org wrote:
> On 01/15/2015 04:44 PM, Al Billings wrote:
>> So, since you can’t trust any software (so you say) produced in the USA
>
> *** Not any software: non-free software, and software running on servers subjected to gag orders, as you well know for being a compatriot of the late Lavabit service.

? I’ve never used Lavabit or been associated with it. I’ve met one or two of the folks from it at a security conference, I think. I’ve worked for the same company for 7 1/2 years now, an open source one, in fact.

> Since when does the LiberationTech mailing list discuss non-free software? I thought software freedom and access to the source code was considered a requirement for considering a system secure.

According to whom? I think open source (I’ll leave aside whether “open source” is “free software”) is ideal but it is not the only thing worth discussing. Otherwise, we wouldn’t be discussing most mobile applications.

> Most people don't understand the extent of the compromise and will happily use whatever the experts say is good enough. There's a social responsibility of technicians towards we, the people, that cannot simply be dismissed as lunacy. I applaud what Moxie has been doing, as it provides better-than-nothing for an immediate need of many. But it's patching a sieve with tape: it will slow down the catastrophe but won't solve the bigger issue.

And your solution is what?

Al
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On 01/15/2015 04:44 PM, Al Billings wrote:
> So, since you can’t trust any software (so you say) produced in the USA

*** Not any software: non-free software, and software running on servers subjected to gag orders, as you well know for being a compatriot of the late Lavabit service. Since when does the LiberationTech mailing list discuss non-free software? I thought software freedom and access to the source code was considered a requirement for considering a system secure.

As you also well know, there's no way to either escape NSA's tentacles, or leave the planet. When you're not subjected to forced silence by terrorist laws of the USA, you're subjected to illegal cracking of machines by the FVEY, as revealed by the FBI's right to consider any foreign system as a potential target.

It's very damaging to think that because the reach of NSA and foes is unlimited, although illegal, we cannot criticize the claims to offer an allegedly secure solution to hundreds of millions of people by merging well-intended and paladin code of trusted people with an inherently insecure proprietary system. It's certainly better than nothing at all, but from this to uphold it as an acceptable solution is understating if not dismissing the need to provide technical solutions to effectively thwart global surveillance.

Most people don't understand the extent of the compromise and will happily use whatever the experts say is good enough. There's a social responsibility of technicians towards we, the people, that cannot simply be dismissed as lunacy. I applaud what Moxie has been doing, as it provides better-than-nothing for an immediate need of many. But it's patching a sieve with tape: it will slow down the catastrophe but won't solve the bigger issue. And no, there's no nation on Earth that can solve that problem either: global surveillance knows no border, although legally it should.
Global surveillance is totalitarianism justified by the conviction the watchers are the good guys defending our values; they decided unilaterally that because it's technically feasible, they can do it, regardless of the rule of Law and ethics. Therefore no technical solution alone can remove their power, but what serious technical solutions can do is to remove the support for such power: centralized services, reliance on servers and proprietary software. Cloud providers in the USA know very well the cost of NSA's abuse of power as foreigners prefer using cloud services outside of the Empire's jurisdiction. But that is not enough, as TPP, TTIP and other upcoming legislations crafted in secret by corporate U.S. and transnational interests of the Northern Hemisphere demonstrate, which are leading to, or more precisely aiming at removing national sovereignty everywhere. If we start taking a beaver's dam for a polder, we're not going anywhere.

==
hk
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
Of course I know about Lavabit. That’s not what you said though. You said that I was a “compatriot of that service” when I have no association with it. You seemed to be presuming some kind of involvement with it on my part. I take it that English isn’t your first language though so perhaps this is one of those language things.

On Jan 15, 2015, at 4:00 PM, hellekin helle...@gnu.org wrote:
>> I’ve never used Lavabit or been associated with it.
>
> *** I certainly hope you know what I'm talking about. If not, the Lavabit owner preferred to close the service instead of being subjected to a gag order and betraying his customers and convictions. Nothing like this happened with other services subjected to such treatment or worse. I won't make you the insult of presuming you didn't hear about PRISM as well.
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
On 01/15/15 13:45, Al Billings wrote:
> Insisting that we both can and cannot (at the same time) trust people like Moxie simply because they live in the USA and the NSA exists is stupid. I don’t see a suggestion of what jurisdiction the author thinks people can live within where there won’t be the same issues. From there, the list of demands gets rather high and the list of solutions non-existent. I’m well aware of the Snowden revelations. I’m also well aware that people like Moxie are doing good work to try to counter some of the NSA grabs of Internet data. The post read like crazy person FUD. Which country should people be in where the government isn’t going to try to potentially legally compel them to do things or spy on their communications? Where is your utopia of freedom?

There is no utopia of freedom. But we can avoid the dystopia of tyranny the United States is rapidly becoming.

JMP
Re: [liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
You’re avoiding the question. Please name a nation state in which software can be produced which isn’t subject to the kind of legal pressures or potential requirements as the USA when it comes to national security, spying, and the like. Russia? Nope. The UK? Nope. Germany? Nope. I could go on. So, since you can’t trust any software (so you say) produced in the USA, rather than just making snide comments about “Merkans,” please tell us which nation will not have these problems so we can all make our software there.

On Jan 15, 2015, at 11:41 AM, J.M. Porup j...@porup.com wrote:
> I know it's hard for some Merkans to understand, but there is this magical place called Rest of the World. There are even parts you haven't bombed yet! You might try there.