subject:"Some legal trouble with TOR in France \+"

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

User 165 wrote:
> On May 15, 2006, at 5:37 PM, Anthony DiPierro wrote:
>
>>
>> Remember that by default Tor *does* censor.  Port 25 is blocked
>> by default.  Why is this?
>
> I don't think that deciding which ports to allow has anything to do
>  with censorship.  Censorship refers to content, not method.
I think this line of discussion is irrelevant anyway, because saying
'we don't censor' yet you are censoring censorship? The bigger issue
is that there is so many zombie machines, this is not about censorship
of email but simply a defense against a very large attacker whose
activities would impact the exit nodes.

And this is why I think that it should not be regarded as censorship
(and I should add, this should be at the discretion of any exit node
operator suffering from law enforcement attention) for a tor user to
block traffic to the IP address(es) related to their enquiry, nor
should it be regarded as spying if the exit node operator wishes to
plug on a forwarder for traffic coming out of the server going to a
specific IP address. I think that tor needs friends in the law
enforcement scene. As I discussed in one of my previous posts, it
would demonstrate to the relevant authority that people using tor are
against the use of their systems for carrying despicable stuff (As I
said just before, this should be at the discretion of the exit node
operator) if they were willing to participate in apprehending the
criminals.

Unfortunately, regardless of either of these things, when it comes
down to it, driving these types away from tor will not stop them using
anonymity systems of some other type, possibly even illegal ones. I
would say that, just like what the french police did to our friend
running an exit in france, they will see it simply as a dead lead and
not prosecute anyone for it.

Last time I recall looking into it, the police don't go after the big
backbone routers... These large network infrastructure systems most
definitely are neutral to the content. I think it could be argued that
anyone providing content-neutral network services should be treated
the same way.

The crux of the matter is, tor exit nodes, as eugene explained in a
response to my set of ideas post, don't use locality to select exit
points. This means that tor exit nodes could carry traffic for these
low-lifes from any country in the world. It's not possible, given the
architecture, to trace anything through tor, nor is it possible to
even be sure that anyone whose traffic comes out of an exit node, is
even in their jurisdiction.

I think this last point is the most important point. Any tor exit node
operator can use this as a defense - The traffic could be originating,
literally, anywhere in the world, and thus this puts it in this funny
little grey area where they cannot assert the traffic is even in their
jurisdiction. It is my opinion that this will be quickly surmised by
the law enforcement folks anyway. Not even tapping or hacking the
server or taking its crypto will help them in the slightest in their
investigations.

Will this cause them to look upon tor in a negative light? I don't
know. I would hope not. If there's one thing that cops don't like
doing, that is stepping on the toes of someone in another
jurisdiction. Mainly because of the whoopass can that usually gets
opened on them.However, one thing the law enforcement *could* do is
interdict at the hosting provider of the site they are trying to get
both it and its users nailed, make the isp block traffic from tor exit
nodes, without the site operator's awareness of this, and this would
drive the users onto non-tor connections or other proxy systems, and
increase the effectiveness of their honeypot type operation on the
site. And this is something that the exit node operator can
practically make any impact on, since as I pointed out earlier in this
post, it is just as likely that the suspect could emerge out of any
tor exit node on the network.

And this could be a way to get around any possible issues with the
outlawing of tor. Put this idea out there, of blocking tor exits to
honeypot sites. Simple solution. Doesn't affect anyone except those
they are trying to catch out. Tor is not the problem. I don't think
the police will even see it as a problem, cos I'm sure it's obvious to
them the potential tor has for their undercover online work. This is
something talked about in the faq and on the website, and any efforts
to inform the law enforcement of its potential uses, if there isn't
already knowledge of this, will make them unwilling to accept it being
outlawed in their jurisdiction if it is a critical and low-cost way
for them to provide anonymity to their undercover agents. Police are,
despite what they show on stupid cop shows, averse to wasting money on
anything that they don't have to waste their money on. The NSA is a
whole different kettle of fish, but cops don't put taps on lines
unless they are very confide

Re: Some legal trouble with TOR in France +

2006-05-15 Thread User 165


On May 15, 2006, at 5:37 PM, Anthony DiPierro wrote:



Remember that by default Tor *does* censor.  Port 25 is blocked by
default.  Why is this?


I don't think that deciding which ports to allow has anything to do  
with censorship.  Censorship refers to content, not method.

Re: Some legal trouble with TOR in France

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
 
Anthony DiPierro wrote:
> On 5/15/06, Mike Perry <[EMAIL PROTECTED]> wrote:
>> Thus spake Ringo Kamens ([EMAIL PROTECTED]):
>>
>> > Also, they can put you on grand jury and give you obstruction of
>> justice for
>> > refusing to talk.
>>
>> According to wikipedia (http://en.wikipedia.org/wiki/Grand_jury):
>>
>> "In all U.S. jurisdictions retaining the grand jury, the defendant has
>> the right under the Fifth Amendment not to give self-incriminating
>> testimony. []"
>>
> OK, that covers the defendant, but what if the person in question is
> not a defendant?
>
> Unfortunately, the First Amendment does not seem to apply to
> questioning by a court (or Congress, for that matter).  The Fifth
> Amendment protects you from being a witness against yourself, but it
> doesn't protect you from being a witness against someone else.
>
> Anthony
Doesn't their questioning of you make you a witness to your own
'complicity'? Accomplices are treated much the same as the primary
defendant I'm pretty sure.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (MingW32)
 
iD8DBQFEaR7bGkOzwaes7JsRA+GGAKCOvOvDHfAXZ3JYNNOSjr9gZwfaCgCgpomI
AW6lDLw3RNfa4WL2ZC8vW/k=
=rAhA
-END PGP SIGNATURE-

Re: Some legal trouble with TOR in France +

2006-05-15 Thread Anthony DiPierro


On 5/15/06, Ben Wilhelm <[EMAIL PROTECTED]> wrote:

The line is drawn. The line is that Tor does not censor. That's the only
line that makes sense, because everything else requires subjective
judgement that many would not be able to agree on.


There's always the possibility of letting each exit node decide for
itself what subjective judgement to make.  And in fact that's what is
being done.  Some exit nodes allow port 25, some don't.  Some allow
6667, others don't.  Some exit nodes only allow port 80.  You can
likewise filter by IP address.

The only real problem is that it's not feasible to effectively filter
out the type of traffic you don't want (especially in a way which can
be described in an exit policy).

Remember that by default Tor *does* censor.  Port 25 is blocked by
default.  Why is this?

Anthony

Re: Some legal trouble with TOR in France +

2006-05-15 Thread User 165


<$0.02>

On May 15, 2006, at 11:27 PM, [EMAIL PROTECTED] wrote:



We are paying with "fear" (if you run a Tor EXIT) of arrest and  
prosecution, for many more mere accusation, just for even running a  
Tor server or a Tor client is enough to keep many away from the Tor  
network. Just take a look at the mail for our French EXIT server  
raided last week.


	I think if there was some sort of Exit node filter list in use, with  
whoever (or whatever) providing the block lists, then the owner would  
be in a much worse position because there could be a claim that he  
didn't do all that was possible to disallow the use of his exit node  
for nefarious purposes.  Once you say that you are going to provide  
that level of "protection" (i don't agree that it is protection, or  
even a morally good thing to try and do), then you become liable for  
the failure of that protection.




I believe we should take a lead, and offer the EXIT servers  
protection from some mis-use of this variety and the users  
protection from possible "walking into" or being "tricked into"  
UNKNOWINGLY downloading a web page wtih this subject matter on it.


	Thanks for watching out for my well being, but really, YOU  
SHOULDN'T.  (REALLY!)



This is WHY I suggested the use of EXIT node filter lists, whatever  
the EXIt node wants, and with clients getting the option to specify  
the EXIt node also protects them by using specified list(s) at  
minimum to protect them.


	I don't like the idea of filter lists.  I don't even like the fact  
that ip ranges and addresses can be entered in the ExitPolicy - I  
would rather just see the private nets blocked automatically.  (I do  
understand why they are there, and understand their necessity in  
private tor nets, though).  I don't like the RedirectExit parameter  
either (but I understand the reason, just the same).  When you start  
using exit filters for whatever reason, however "good" you think the  
reason is, it allows someone else to use it for a reason that you  
won't consider "good".



I do understand the difficulties we will be getting ourselves into.  
But it is cheaper for us ALL if the police get to give us a set of  
block lists for child porn than them chasing us all, all over the  
network. Ok so they will come back with more than just child  
porn... thats when we have to draw the line! Our EXIt servers just  
refuse to allow them to be used.


Appeasement has been tried before, and usually doesn't get the  
desired result, just ask Neville Chamberlain...


Wouldnt it have been better in the first place to have censored out  
the child porn, then hold the fort? Then the incentive (as  
publically expressed by politicians) to attempt to intercept  
eveything would be VERY much reduced.


No, and no it would not.




User 165
[EMAIL PROTECTED]




PGP.sig
Description: This is a digitally signed message part

Re: Some legal trouble with TOR in France +

2006-05-15 Thread Nick Mathewson

[reformatted, snipped, and top-posting fixed.]

On 15 May 2006 23:59, Nick Mathewson wrote:
> > I typically argue this from the "can't" point of view, not the
> > "won't".  If it were possible detect block evil activities through
> > programmatic means, I *would* be in favor of blocking them.
> > Unfortunately, evil-detection isn't automatable (RFC3514
> > notwithstanding), and most schemes for blocking are both over-broad
> > _and_ easy to circumvent.

On Mon, May 15, 2006 at 11:59:37PM +0100, Tony wrote:
> Please define 'evil activities'

Murder, child abuse, top-posting, and posting one-line replies to long
messages without snipping irrelevant portions. ;)

No, seriously, I can't do any better than your dictionary or your
favorite ethicist.  That's the point I was trying to make.  Right and
wrong are not things that a single person or groups can decide for the
rest of the world, and they're certainly not something that software
can detect.  That doesn't mean that there's no such thing as right and
wrong; it means that you shouldn't enforce moral judgments at the
network layer.

Sorry if I wasn't clear, or if it seemed like I was advocating
censorship.

And we have now drifted completely away from Tor.  For penance, I
resolve that my next posts will be technical or project-related.  If I
ignore future political stuff, that's why. :)

yrs,
-- 
Nick Mathewson

pgp7vhPMdW2mK.pgp
Description: PGP signature

Re: Some legal trouble with TOR in France +

2006-05-15 Thread Ringo Kamens

In addition, censoring child porn, death threats, etc. is impossible and you're dedicating yourself to a job that you will have to do 24/7 and never finish. You block a site, they make a new one. You block a file hash, they modify a file. You block a keyword, they use encryption. You block message topics, they use stenography. The line has been drawn and needs to continue to be drawn at:

No Censorship
You can't say that stopping child porn isn't censorship. You might want to censor child porn because it's bad for society. Under the same logic, you can censor profanities. Then it goes further, people want to censor "radical views" as is happening with terrorism because it's bad for society, then it goes to censoring conversation topics, political views, and BAM you live in a police state.

Ringo
On 5/15/06, Ben Wilhelm <[EMAIL PROTECTED]> wrote:
[EMAIL PROTECTED] wrote:> Ok so they will come back with more than just child porn... thats when we have to draw the line!
"Yeah, so we disabled child porn like you asked, but we're not willingto do anything about piracy, death threats to government officials,cybercrime, or that mob ring running all their communications through
our system. Yeah yeah, I know, the mob ring is responsible for the deathof a dozen officers. Can't do anything. Well, I mean, we could,obviously. But we don't want to. Sorry! Let me know if you find any more
child porn sites though!"That will go over *real* well.The line is drawn. The line is that Tor does not censor. That's the onlyline that makes sense, because everything else requires subjective
judgement that many would not be able to agree on.If you don't want your internet connection to be used anonymously, for*anything*, then don't run a Tor exit node. It's impossible to blocksubjects on a case-by-case basis anyway - the exact thing Tor was built
to prove! - and I'd rather not waste our coders' time on that.-Ben

RE: Some legal trouble with TOR in France +

Please define 'evil activities'

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Nick Mathewson
Sent: 15 May 2006 23:59
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France +

On Mon, May 15, 2006 at 03:36:59PM -0700, Ben Wilhelm wrote:
 [...]
> The line is drawn. The line is that Tor does not censor. That's the
only 
> line that makes sense, because everything else requires subjective 
> judgement that many would not be able to agree on.

I typically argue this from the "can't" point of view, not the
"won't".  If it were possible detect block evil activities through
programmatic means, I *would* be in favor of blocking them.
Unfortunately, evil-detection isn't automatable (RFC3514
notwithstanding), and most schemes for blocking are both over-broad
_and_ easy to circumvent.

Non-automated schemes, as you say, fall for different reasons: you
can't make one without putting human judgment in the loop, and once
you've done that, you've appointed somebody as a censor, and you've
created a mechanism for someone else to take the reigns of censorship
in the future.

Also, there's the jurisdictional arbitrage problem: which local
standards does your hypothetical censor try to comply with?  China's?
France's?

> If you don't want your internet connection to be used anonymously, for

> *anything*, then don't run a Tor exit node.

Rather, if you're not willing to accept that people may use your
Internet connection to do stuff you don't like, don't run an exit
node.  You don't have to like everything that people do.  I don't
*want* people to use my software for any number of things, but I
believe that the benefits it provides do outweigh the problems.

> It's impossible to block 
> subjects on a case-by-case basis anyway - the exact thing Tor was
built 
> to prove! - and I'd rather not waste our coders' time on that.

Hm?  I don't think Tor was built to prove anything; I think it was
built to further usable online privacy for everyone. :)

As for wasting the coders' time, don't worry.  We have a long history
of ignoring bad ideas. 

yrs,
-- 
Nick Mathewson

Re: Some legal trouble with TOR in France +

2006-05-15 Thread Nick Mathewson

On Mon, May 15, 2006 at 03:36:59PM -0700, Ben Wilhelm wrote:
 [...]
> The line is drawn. The line is that Tor does not censor. That's the only 
> line that makes sense, because everything else requires subjective 
> judgement that many would not be able to agree on.

I typically argue this from the "can't" point of view, not the
"won't".  If it were possible detect block evil activities through
programmatic means, I *would* be in favor of blocking them.
Unfortunately, evil-detection isn't automatable (RFC3514
notwithstanding), and most schemes for blocking are both over-broad
_and_ easy to circumvent.

Non-automated schemes, as you say, fall for different reasons: you
can't make one without putting human judgment in the loop, and once
you've done that, you've appointed somebody as a censor, and you've
created a mechanism for someone else to take the reigns of censorship
in the future.

Also, there's the jurisdictional arbitrage problem: which local
standards does your hypothetical censor try to comply with?  China's?
France's?

> If you don't want your internet connection to be used anonymously, for 
> *anything*, then don't run a Tor exit node.

Rather, if you're not willing to accept that people may use your
Internet connection to do stuff you don't like, don't run an exit
node.  You don't have to like everything that people do.  I don't
*want* people to use my software for any number of things, but I
believe that the benefits it provides do outweigh the problems.

> It's impossible to block 
> subjects on a case-by-case basis anyway - the exact thing Tor was built 
> to prove! - and I'd rather not waste our coders' time on that.

Hm?  I don't think Tor was built to prove anything; I think it was
built to further usable online privacy for everyone. :)

As for wasting the coders' time, don't worry.  We have a long history
of ignoring bad ideas. 

yrs,
-- 
Nick Mathewson

pgpiJcfBc4WJi.pgp
Description: PGP signature

Re: Some legal trouble with TOR in France +

2006-05-15 Thread Ben Wilhelm


[EMAIL PROTECTED] wrote:

Ok so they will come back with more than just child porn... thats when we have 
to draw the line!


"Yeah, so we disabled child porn like you asked, but we're not willing 
to do anything about piracy, death threats to government officials, 
cybercrime, or that mob ring running all their communications through 
our system. Yeah yeah, I know, the mob ring is responsible for the death 
of a dozen officers. Can't do anything. Well, I mean, we could, 
obviously. But we don't want to. Sorry! Let me know if you find any more 
child porn sites though!"


That will go over *real* well.

The line is drawn. The line is that Tor does not censor. That's the only 
line that makes sense, because everything else requires subjective 
judgement that many would not be able to agree on.


If you don't want your internet connection to be used anonymously, for 
*anything*, then don't run a Tor exit node. It's impossible to block 
subjects on a case-by-case basis anyway - the exact thing Tor was built 
to prove! - and I'd rather not waste our coders' time on that.


-Ben

RE: Some legal trouble with TOR in France

Yes apparently it's not in force yet. I'm sure its coming though. 

Although as currently written there seem to be a few loop holes - e.g.
you can give up 'any' key and you can choose which key just so long it
meets stated the requirements of the request. There isn't a requirement
to give up 'all keys'. You can also destroy the key before receiving the
request if you think a request is coming. 

Giving up dummy keys that unlock dummy volumes would make it very hard
to prove you didn't meet the request unless the specific information
that they were looking for was already named on the request.

Or as I read it, you can destroy a key even after the request is
received if you can prove you no longer have it in your 'possession'



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mike Perry
Sent: 15 May 2006 00:16
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

Thus spake Eric H. Jung ([EMAIL PROTECTED]):

> > Tony's point was that you could arrange not to have the 
> authentication
> > tokens anymore. You better hope they believe you when you say you
> > don't have it, though.
> 
> >Not having the authentication tokens counts as refusing to surrender
> >them.
> 
> Per US law, if a judge subpoenas you to hand them over and you refuse
> and/or remain silent, it means indefinite jail time (until you hand
> over the tokens) and/or fines.

Where is your source on this? As I understand it, there are a few
fundamental principles of the US legal system that should render this
statement completely false. One is Habeas Corpus.. You can't just
throw someone in jail indefinitely without a criminal charge and a
trial. http://en.wikipedia.org/wiki/Writ_of_habeas_corpus 

Though it seems Bush&Co are violating it with "enemy combatant"
charges, I do not think they have the political power (at least
anymore) to name an anonymity provider as an "enemy combatant"
(especially if they are a natural born US citizen). The same applies
to the 72 hour warrant deal, at least as far as I can tell from
http://www.fff.org/comment/com0601c.asp

Second, if it is a criminal charge, you are not under any obligation
to testify against yourself in a criminal court of law (5th
ammendment). There are various exceptions to this, main one being if
you are not the person charged of the crime (though I think you can
still claim that such testimony may incriminate you for unrelated
matters). I suppose it could also be argued that the passphrase does
not count as testimony, but it sure seems like it is.

Finally, some googling on subpoena compliance seems to indicate that
punishment for subpoena non-compliance is 'contempt of court' charge
and fines.

http://www.rcfp.org/cgi-local/privilege/item.cgi?i=questions

That page advises you not to answer any subpoenas without challenging
them first, among other things (ie one state's court cannot usually
subpoena someone from another state). Contempt of court charges for
non-compliance may be repeated, but any contempt law I can find on
the web has some form of maximum limit. The longest I've seen so far
is North Carolina, which is a max of 1yr in 90 day increments:
http://www.rosen.com/ppf/cat/statco/laws.asp


Also, dunno how accurate it is, but Wikipedia seems to claim that the
key disclosure provisions of the RIPA (Part III) are not yet in force
in the UK:

http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000




We seriously have to watch our paranoia on this one. This is one of
those situations that if we believe we have no rights, it will be very
easy to knock us over, simply by playing off our fears and demanding
keys without any legitimate basis to do so.

If any Tor operator is arrested/detained in the US, they would do well
to refuse to surrender any passphrase until they are actually in court
and ordered to do so by a Judge (and then only after voicing protest,
to allow for clear appeal to a higher court). Cops will probably just
lie to you and try to convince you that you are required on the spot.
Ask for a lawyer immediately. 

This is not just to protect the Tor network either. With computer laws
as crazy as they are, and with the IPPA coming down the road, soon
simply having something like an Open Source DVD player or archiver on
your machine will be enough to land you in jail for a while, if it's
not already...

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Re: Some legal trouble with TOR in France

2006-05-15 Thread Anthony DiPierro

On 5/15/06, Mike Perry <[EMAIL PROTECTED]> wrote:

Thus spake Ringo Kamens ([EMAIL PROTECTED]):

> Also, they can put you on grand jury and give you obstruction of justice for
> refusing to talk.

According to wikipedia (http://en.wikipedia.org/wiki/Grand_jury):

"In all U.S. jurisdictions retaining the grand jury, the defendant has
the right under the Fifth Amendment not to give self-incriminating
testimony. []"

OK, that covers the defendant, but what if the person in question is
not a defendant?

Unfortunately, the First Amendment does not seem to apply to
questioning by a court (or Congress, for that matter).  The Fifth
Amendment protects you from being a witness against yourself, but it
doesn't protect you from being a witness against someone else.

Anthony

Re: Some legal trouble with TOR in France +

2006-05-15 Thread crackedactor


"Ringo Kamens" <[EMAIL PROTECTED]> wrote,

>"I want to add my two cents about child porn. Censorship is censorship, it 
>>doesn't matter what you censor or by what logic you censor. Banning child 
>>porn is censorship, copyright is censorship, and stopping people from 
>>speaking who have opposing political views is censrorship. It seems to be >a 
>well known fact that freenet is filled with pedophilia, yet freenet is just 
>>fine and dandy. If pedophilia was a real threat to privacy services, then 
>>proxies wouldn't exist."


I can understand your concern with my suggestion from a "censorship" viewpoint, 
but we have to be PRACTICAL, if not moral.

The failure of other systems (networks etc) to be practical about child porn is 
one of the main reasons we have so much spying on us today.

And we, the public, are picking up the bill for this spying (taxes) and we are 
paying in many other ways as well.

We are paying with "fear" (if you run a Tor EXIT) of arrest and prosecution, 
for many more mere accusation, just for even running a Tor server or a Tor 
client is enough to keep many away from the Tor network. Just take a look at 
the mail for our French EXIT server raided last week.  

I believe we should take a lead, and offer the EXIT servers protection from 
some mis-use of this variety and the users protection from possible "walking 
into" or being "tricked into" UNKNOWINGLY downloading a web page wtih this 
subject matter on it.

This is WHY I suggested the use of EXIT node filter lists, whatever the EXIt 
node wants, and with clients getting the option to specify the EXIt node also 
protects them by using specified list(s) at minimum to protect them.

Also my suggestions protect from general censorship. In this way, we rid 
ourselves of the thin end of the wedge. We declare this is being done to 
protect ourselves and children, and that this is ALL the censorship we are 
willing to allow.

I do understand the difficulties we will be getting ourselves into. But it is 
cheaper for us ALL if the police get to give us a set of block lists for child 
porn than them chasing us all, all over the network. Ok so they will come back 
with more than just child porn... thats when we have to draw the line! Our EXIt 
servers just refuse to allow them to be used.

I assume that the reason its not done already is the same one specified by the 
open networks, cnesorship... but they said it was coz the system couldnt do it 
(a lie). Now the open networks having to log and provide hidden trace 
facilitities (Lawful intercept) inside even the operating systems.

Wouldnt it have been better in the first place to have censored out the child 
porn, then hold the fort? Then the incentive (as publically expressed by 
politicians) to attempt to intercept eveything would be VERY much reduced. 

Do we have any networks that have agreed to this anywhere that we can see as an 
exmple of what happens if you censor child porn out of your network? If so, it 
might help our discussions. 

Thats my lot on this.. 

-- 
Message sent with Supanet E-mail

Signup to supanet at 
https://signup.supanet.com/cgi-bin/signup?_origin=sigwebmail

RE: Some legal trouble with TOR in France

They send you to prison if you don't give up the information.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Matej Kovacic
Sent: 15 May 2006 07:57
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

Hi,

> Under the British "Regulation of Investigatory Powers Act", they would
> simply confiscate the entire machine, demand any authentication tokens
> required to access it, and lock you up if you refused to surrender
them.
> I believe similar laws exist in most EU jurisdictions now.

What about the priviledge of non self-accusation?

It is expensive, but you can just piss 'em off and buy new hardware...

bye, Matej

RE: Some legal trouble with TOR in France +

I have to agree there. Any porn is just
pictures. Why shouldn’t you look at pictures? Who says it not ‘art’.
When does art stop and porn begin?

In the UK what is considered ‘porn’
that you can only subscribe to on a private satellite channel that only
broadcasts after midnight is ridiculously soft. They cant even show entry
shots. Supposedly to protect children from seeing it – when it would be
legal if sold as a sex education video!. If you start censoring things then its
hard to stop and you end up with ridiculous situations like this.

The problem with certain types of pictures
is what is required to produce them, rather than the pictures themselves…And
even then it’s a point of view as to where the limits are.

From:
owner-or-talk@freehaven.net
[mailto:owner-or-talk@freehaven.net]
On Behalf Of Ringo Kamens
Sent: 15 May 2006 22:20
To: or-talk@freehaven.net
Subject: Re: Some legal trouble
with TOR in France
+

I want to add my two
cents about child porn. Censorship is censorship, it doesn't matter what you
censor or by what logic you censor. Banning child porn is censorship, copyright
is censorship, and stopping people from speaking who have opposing political views
is censrorship. It seems to be a well known fact that freenet is filled with
pedophilia, yet freenet is just fine and dandy. If pedophilia was a real threat to privacy services,
then proxies wouldn't exist.

On 5/15/06, Marko
Sihvo <[EMAIL PROTECTED]>
wrote: 

[EMAIL PROTECTED]
wrote:
> Child porn is a different matter, it threatens the Tor network! 
> It is best handled easier by a url/site/ip block list on the EXIT nodes.
to protect itself Torland should put a site uo tp create this block list and
Tor EXIt servers use it if they wish.
> Eg <16+,<18+,<21+ lists, then EXIT servers put on the lists
approprate tio theuir region. 
> Also the client side of Tor could be have a user configuration to NOT
"obtain" pages/images/etc from URL/IP on these list according ot the
confugration they set. This protects them from that.
> Police could even add to this list and child protection/free speech groups
could double check to stop speech "censorship". 
>
Porn. Sex. Illegal porn. Blahblahblah. Total crap.

http://62.142.11.7/pziteorg/VA-The.Best.Of.Jihad.Snuff.Videos.Wmv.Real-20050207-PZ/

27x the.best.of.jihad.snuff beheading&shooting format: wmv/real 5125028
505.wmv  -- iraqi police officers in iraq (shooting) 3294790
american2.wmv  -- jack hensley in iraq
1085798 amil.WMV  -- unknown in 
iraq 6545968 amraky.WMV  --
eugene armstrong in iraq 8231054
ciaamil.wmv  -- unknown in iraq 2200551
cj_9833.RAM  -- daniel pearl in
pakistan 369937
fas.wmv  -- russian in chechnya 4187566 Intikhabat.wmv
-- unknown in iraq 5566007
iraq2vediom.wmv  -- nick berg in iraq 1998520
iraqiarmymanf.wmv  -- iraqi officer hussein shanun in iraq 1084964
italywaturky.wmv  -- unknown in iraq (shooting) 5357890
KenBigley.rm  --
kenneth bigley in iraq
1421286 koria1.wmv  -- south korean kim sun-il in
iraq 1028476
lazof.wmv  -- unknown in iraq 4730704
masseer.WMV  --
unknown in iraq 7210324
mokh.wmv  -- unknown in iraq 4171087 murtad.wmv
-- unknown in iraq 2416030
Musil.wmv   -- unknown in iraq 310
nepal.wmv  -- nepalese in iraq 6180949 nz.rm  --
paul johnson in saudi
arabia 5617330 pog0078.WMV  -- shosei koda in iraq 1644245
sh_1.WMV  --
unknown in iraq 725224
russian.wmv  -- russian in chechnya
4324945 
russian3.asx  -- russian in chechnya 2995840
turken.wmv  -- murat yuce
in iraq
(shooting) 3212062 turky2.wmv  -- turkish driver durmus
kumdereli in iraq 5687788
yahudi.rm  -- unknown in iraq

---

Real murder/torture beheading videos from Iraq
& Chechnya
presented by 
Al-Zarqawi & Merry Men.

And I don't even need Tor/Hidden Services to distribute them. An regular
webspace account on my own name, own country, own ISP, normal
unencrypted FTP and a very public site.

RE: Some legal trouble with TOR in France

No they didn't. That was refuted long ago. The key in question simply
allows signing of cryptographic modules for Windows as meeting NSA
crypto export requirements so that they load in non US Windows versions.
Because it was referred to as the 'NSA key' someone drew obvious (and
wrong) conclusions.

The NSA having their own key to do that would be of minimal benefit to
them when there are so many more direct methods of getting data from a
PC they can change code on.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of glymr
Sent: 14 May 2006 22:52
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

Tony wrote:
>
> Yes they could get code signed in theory, but it makes it that much
>  harder - im sure Microsoft wouldn't be very keen on signing code
> for government organisations to spy on people - imagine the impact
> on their sales if it became public knowledge. Anyway, you can spot
> any changes in your boot config checksums and be immediately
> alerted to a change.

and it should be pointed out that microsoft has already been roasted
publicly for putting a government key into some version of windows, i
can't remember which, they've done it once, i doubt they'd dare to do
it again though because people know they did it and would be looking
for evidence of it now.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFEZ6ZoGkOzwaes7JsRA6BVAJ966ok03emE4fpaRCB7ImOyMujVVQCcD8II
0VZ2I+3AD1gL/0Wc45Q+ezY=
=p9SM
-END PGP SIGNATURE-

Re: Some legal trouble with TOR in France +

2006-05-15 Thread Ringo Kamens

I want to add my two cents about child porn. Censorship is censorship, it doesn't matter what you censor or by what logic you censor. Banning child porn is censorship, copyright is censorship, and stopping people from speaking who have opposing political views is censrorship. It seems to be a well known fact that freenet is filled with pedophilia, yet freenet is just fine and dandy. If pedophilia was a 
real threat to privacy services, then proxies wouldn't exist.
On 5/15/06, Marko Sihvo <[EMAIL PROTECTED]> wrote:
[EMAIL PROTECTED] wrote:> Child porn is a different matter, it threatens the Tor network!
> It is best handled easier by a url/site/ip block list on the EXIT nodes. to protect itself Torland should put a site uo tp create this block list and Tor EXIt servers use it if they wish.> Eg <16+,<18+,<21+ lists, then EXIT servers put on the lists approprate tio theuir region.
> Also the client side of Tor could be have a user configuration to NOT "obtain" pages/images/etc from URL/IP on these list according ot the confugration they set. This protects them from that.> Police could even add to this list and child protection/free speech groups could double check to stop speech "censorship".
>Porn. Sex. Illegal porn. Blahblahblah. Total crap.http://62.142.11.7/pziteorg/VA-The.Best.Of.Jihad.Snuff.Videos.Wmv.Real-20050207-PZ/
27x the.best.of.jihad.snuff beheading&shooting format: wmv/real 5125028505.wmv  -- iraqi police officers in iraq (shooting) 3294790american2.wmv  -- jack hensley in iraq 1085798 amil.WMV  -- unknown in
iraq 6545968 amraky.WMV  -- eugene armstrong in iraq 8231054ciaamil.wmv  -- unknown in iraq 2200551 cj_9833.RAM  -- daniel pearl inpakistan 369937 fas.wmv  -- russian in chechnya 4187566 Intikhabat.wmv-- unknown in iraq 5566007 
iraq2vediom.wmv  -- nick berg in iraq 1998520iraqiarmymanf.wmv  -- iraqi officer hussein shanun in iraq 1084964italywaturky.wmv  -- unknown in iraq (shooting) 5357890 KenBigley.rm  --kenneth bigley in iraq 1421286 
koria1.wmv  -- south korean kim sun-il iniraq 1028476 lazof.wmv  -- unknown in iraq 4730704 masseer.WMV  --unknown in iraq 7210324 mokh.wmv  -- unknown in iraq 4171087 murtad.wmv-- unknown in iraq 2416030 Musil.wmv
  -- unknown in iraq 310nepal.wmv  -- nepalese in iraq 6180949 nz.rm  -- paul johnson in saudiarabia 5617330 pog0078.WMV  -- shosei koda in iraq 1644245 sh_1.WMV  --unknown in iraq 725224 russian.wmv  -- russian in chechnya 4324945
russian3.asx  -- russian in chechnya 2995840 turken.wmv  -- murat yucein iraq (shooting) 3212062 turky2.wmv  -- turkish driver durmuskumdereli in iraq 5687788 yahudi.rm  -- unknown in iraq---Real murder/torture beheading videos from Iraq & Chechnya presented by
Al-Zarqawi & Merry Men.And I don't even need Tor/Hidden Services to distribute them. An regularwebspace account on my own name, own country, own ISP, normalunencrypted FTP and a very public site.

Re: Some legal trouble with TOR in France

2006-05-15 Thread Matthias Fischmann

> On Sat, May 13, 2006 at 09:09:06AM -0700, Ringo Kamens wrote:
> 
> > If it's the JAP I'm thinking of, you shouldn't trust it. The german
> > government ordered JAP top put in a backdoor to the program to catch one
> > solitary JAP user even though it was against german law. The backdoor was
> > released as an urgent security update and the guy was nabbed.

i don't want to play the JAP advocacy game, but your information is
false.

if you check the press releases on anon.inf.tu-dresden.de, you will
learn that nobody was 'nabbed'.  there was a single IP address
recovered for a single http request before the project's lawyers put
an end to the data collection, and the german authorities where
requested to delete that IP address in court a little later.  so it is
impossible to use the address for anything, and there is no evidence
that the IP address was ever mapped on a true identity (it might have
been one in internet cafe, or one of those ISPs that delete the
mapping in compliance with german privacy legislation).  certainly
nobody was put to court for accidently retrieving a single offensive
web page before moving on to other places on the web.

i find it very instructive to personally know and trust the JAP
project team, and compare what i experience with my own senses to what
is considered The Truth by the public.

> Yes, you probably shouldn't use JAP if you plan to assassinate the president.

should you use tor, then?  hum, i honestly don't know which risks i
would find harder to accept.  they are probably both too weak.

> > As for the tor server, I suggest that you completely wipe those drives
> > securely, reformat, and reinstall everything. The best thing to do would be
> > to sell those drives and buy new ones because it could be that they put taps
> > in them. Also, they could have installed a keylogger. If I were you, I
> > wouldn't use any of that equipment again. At the very minimum, you need to
> > reinstall windows/linux/etc. and tor with a reformat because they probably
> > put in a trojaned version of tor.

... and you should give up sleeping, or they might bug your skull and
tap *all* your private conversations.  (-:

sorry,
m.

signature.asc
Description: Digital signature

Re: Some legal trouble with TOR in France

2006-05-15 Thread Eugen Leitl

On Sat, May 13, 2006 at 10:02:41AM -0700, Eric H. Jung wrote:

> Given the recent enlightenments about the US National Security Agency's
> illegal activities (gathering millions of telephone records from
> average citizens, etc), what is the technical feasibility of the NSA or
> other governmentt organizations establishing modified tor nodes/servers
> which track activity and use?

Why do you have to modify anything if you tap upstream, and do
full traffic analysis? Or install a rootkit which phones home,
though that is detectable in principle (not something I could
detect, but again: remember the threat model Tor was designed
for).

If your node runs outside your control (and not even
on tamper-proof hardware) clearly anyone who cares enough
can get at the data. But this comes at a cost, and if someone
spends a lot of effort to decipher what turns out perfectly
legitimate traffic then Tor's already fully validated in my book.

-- 
Eugen* Leitl http://leitl.org";>leitl http://leitl.org
__
ICBM: 48.07100, 11.36820http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

signature.asc
Description: Digital signature

Re: Some legal trouble with TOR in France

2006-05-15 Thread Eugen Leitl

On Sat, May 13, 2006 at 09:09:06AM -0700, Ringo Kamens wrote:

> If it's the JAP I'm thinking of, you shouldn't trust it. The german
> government ordered JAP top put in a backdoor to the program to catch one
> solitary JAP user even though it was against german law. The backdoor was
> released as an urgent security update and the guy was nabbed.

Yes, you probably shouldn't use JAP if you plan to assassinate the president.
 
> As for the tor server, I suggest that you completely wipe those drives
> securely, reformat, and reinstall everything. The best thing to do would be
> to sell those drives and buy new ones because it could be that they put taps
> in them. Also, they could have installed a keylogger. If I were you, I
> wouldn't use any of that equipment again. At the very minimum, you need to
> reinstall windows/linux/etc. and tor with a reformat because they probably
> put in a trojaned version of tor.

Whoa, way too much paranoia in your morning coffee. You gotta
to titrate that to keep operational.

-- 
Eugen* Leitl http://leitl.org";>leitl http://leitl.org
__
ICBM: 48.07100, 11.36820http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


signature.asc
Description: Digital signature

Re: Some legal trouble with TOR in France

2006-05-15 Thread Eugen Leitl

On Sat, May 13, 2006 at 05:03:53PM +0200, Joe Knall wrote:

> I clearly do not dare to run a tor server in Germany for reasons like 
> these :(

The thought police has been notified. Expect them shortly.

> So my question is: does anyone know about or have experience with the 
> implications when founding an organisation (Verein in german, 
> incorporated society) of two or more people to run tor?

Why do you think you will get a visit from the police
if you're running a server in a colo? The ISP will bend
over backwards to give them a root console.

Now what would be interesting is whether they will
tap the line for traffic analysis, or install a rootkit
(latter's too risky, probably).

> The server/exit node would be run by the organisation, not a human 

You could try forming a Ltd.
It's reasonably cheap and quick in Germany.

> being. Could this approach keep the members' private lives private?

-- 
Eugen* Leitl http://leitl.org";>leitl http://leitl.org
__
ICBM: 48.07100, 11.36820http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

signature.asc
Description: Digital signature

Re: Some legal trouble with TOR in France +

2006-05-15 Thread Marko Sihvo


[EMAIL PROTECTED] wrote:

Child porn is a different matter, it threatens the Tor network!
It is best handled easier by a url/site/ip block list on the EXIT nodes. to 
protect itself Torland should put a site uo tp create this block list and Tor 
EXIt servers use it if they wish.
Eg <16+,<18+,<21+ lists, then EXIT servers put on the lists approprate tio 
theuir region.
Also the client side of Tor could be have a user configuration to NOT "obtain" 
pages/images/etc from URL/IP on these list according ot the confugration they set. This 
protects them from that.
Police could even add to this list and child protection/free speech groups could double check to stop speech "censorship".  
  

Porn. Sex. Illegal porn. Blahblahblah. Total crap.

http://62.142.11.7/pziteorg/VA-The.Best.Of.Jihad.Snuff.Videos.Wmv.Real-20050207-PZ/

27x the.best.of.jihad.snuff beheading&shooting format: wmv/real 5125028 
505.wmv  -- iraqi police officers in iraq (shooting) 3294790 
american2.wmv  -- jack hensley in iraq 1085798 amil.WMV  -- unknown in 
iraq 6545968 amraky.WMV  -- eugene armstrong in iraq 8231054 
ciaamil.wmv  -- unknown in iraq 2200551 cj_9833.RAM  -- daniel pearl in 
pakistan 369937 fas.wmv  -- russian in chechnya 4187566 Intikhabat.wmv  
-- unknown in iraq 5566007 iraq2vediom.wmv  -- nick berg in iraq 1998520 
iraqiarmymanf.wmv  -- iraqi officer hussein shanun in iraq 1084964 
italywaturky.wmv  -- unknown in iraq (shooting) 5357890 KenBigley.rm  -- 
kenneth bigley in iraq 1421286 koria1.wmv  -- south korean kim sun-il in 
iraq 1028476 lazof.wmv  -- unknown in iraq 4730704 masseer.WMV  -- 
unknown in iraq 7210324 mokh.wmv  -- unknown in iraq 4171087 murtad.wmv  
-- unknown in iraq 2416030 Musil.wmv  -- unknown in iraq 310 
nepal.wmv  -- nepalese in iraq 6180949 nz.rm  -- paul johnson in saudi 
arabia 5617330 pog0078.WMV  -- shosei koda in iraq 1644245 sh_1.WMV  -- 
unknown in iraq 725224 russian.wmv  -- russian in chechnya 4324945 
russian3.asx  -- russian in chechnya 2995840 turken.wmv  -- murat yuce 
in iraq (shooting) 3212062 turky2.wmv  -- turkish driver durmus 
kumdereli in iraq 5687788 yahudi.rm  -- unknown in iraq


---

Real murder/torture beheading videos from Iraq & Chechnya presented by 
Al-Zarqawi & Merry Men.


And I don't even need Tor/Hidden Services to distribute them. An regular 
webspace account on my own name, own country, own ISP, normal 
unencrypted FTP and a very public site.

Re: Some legal trouble with TOR in France

2006-05-15 Thread Jacob Yocom-Piatt

 Original message 
>Date: Mon, 15 May 2006 18:52:38 +1000
>From: glymr <[EMAIL PROTECTED]>  
>Subject: Re: Some legal trouble with TOR in France  
>To: or-talk@freehaven.net
>
>-BEGIN PGP SIGNED MESSAGE-
>Hash: RIPEMD160
>
>Matej Kovacic wrote:
>> Hi,
>> 
>> this could also be a good idea:
>> http://www.ubuntuforums.org/showthread.php?t=120097&highlight=cryptsetup
>> 
>> encryption of harddrives from the scratch.
>> 
>> However, I would create a small partition where there will be keys
>> (files) for decryptig root and home partitions. This small partition
>> would be encrypted by passphrase. That means you can easily (well...
>> :-//) change your passphrase for the system (just re-encrypt this small
>> partition with keyfiles againg).
>> 

i am to understand that it's a bit of a mess to have the root partition of any
*nix machine encrypted. netbsd's cgd is pretty solid, provided one only puts
sensitive data on it post cgd setup. cgd only works for non-root partitions.

>> The only critical software part is then /boot partition. But you can
>> always fill the /boot up to 100% with random data and run Tripwire
>> integrity checking on it. If it is full, it is hard to write additional
>> code on it. And if you do integrity checking, you can easily discover if
>> something changed.
>> 
>> I am planning to write a small setup guide for cryptsetup on Dapper
>> version of Ubuntu Linux.
>> 
>> bye, Matej
>
>ever heard of cryptfs_luks?

Re: Some legal trouble with TOR in France +

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
 

>
> 2.
>
> Well most people using Tor, aint running a server at ALL. They are just
the users, running Tor in Client only mode.
>
> And the "middlemen" are gonna be needed, if you want to have more hops!
maybe i am misinformed, but i was under the impression that middleman
mode only stops the circuit from ending at the node, all other 'exit'
nodes also carry middleman traffic
> Not everyone can run an EXIT server, but there are lots who can run a
middleman server, not everyone can find, nor afford an ISP willing to
allow them to run an EXIt server.
> But most ISP's "dont grieve about what the eye dont see" so running a
"middleman" is no problem.
yes but you completely missed my point, more exit nodes means less
chance that any one node is picked on by the law.
> My advice would be take advantage of their bandwidth, its free.
what am i paying my isp for if it's not bandwidth? i don't see your point
> And get EXIT servers to only run limited "middleman" capability and
stop trying to make them "Do-It-All".
>
> If "EXIT servers" gave, at maximum, 20% of currently "spare" bandwidth
to "middleman" traffic, and get in as many middlemen as possible, then
that might speed the whole Tor system up.
segregating exit and middlemen nodes more distinctly - how is this
going to help... do you want to stand at the top of the tower with
only 100 other people or would you prefer there was 300 with you? I
think you could look to a simple natural phenomenon to give an example
of why we, the small people, need to see this as a 'all for one, one
for all' - herds of grazing animals. Sure, there may be some at the
edges who will get eaten by the lions more, but the size of the
group... what happens if a lion foolishly gets himself into a pocket
at the edge and then finds himself surrounded by a sea of horns?
> 3.
>
> The only "Free-Riders" would appear to be ordinary Tor users who dont
run in server mode, but thats why we have Tor!
> Yes, Tor is a FREE SERVICE!
it is not a 'free service' at all, it is a group of people all
agreeing to do something for each other. your idea about segregating
makes it more dangerous for the end points than my idea of making all
nodes endpoints. the worse the ratio between exit nodes and client
only users gets, the more chance there is of exit nodes coming under fire.
> What about a system of service classes - different classes of service
for different classes of Tor user/service provider!
>
> More on that later...
>
> 4.
>
> No... they'll just run Tor in client mode only!
what if the software does not permit this? i think perhaps you are not
aware of how common it is for people to just install things and not
think about going into the source and modifying it. the sort of people
who would do this are the sort of people we DON'T want using tor, and
this should be something that should be incorporated into the default
configuration. Making it so all nodes are carrying traffic via the
verification mechanisms i described would help eliminate both free
riders and those wishing to exploit. Just like my metaphor of the herd
making pockets and luring the lions in, they can't win if they are
surrounded on all sides by the less powerful but organised and hostile
adversary. Lets face it, if you think tor is a good idea you are
hostile to something. And you are not powerful. It is only through
solidarity that tor even has a hope of surviving, let alone providing
a decent service to its members.
> Child porn is a different matter, it threatens the Tor network!
> It is best handled easier by a url/site/ip block list on the EXIT
nodes. to protect itself Torland should put a site uo tp create this
block list and Tor EXIt servers use it if they wish.
> Eg <16+,<18+,<21+ lists, then EXIT servers put on the lists approprate
tio theuir region.
> Also the client side of Tor could be have a user configuration to NOT
"obtain" pages/images/etc from URL/IP on these list according ot the
confugration they set. This protects them from that.
> Police could even add to this list and child protection/free speech
groups could double check to stop speech "censorship". 
well, the problem here is that what you are suggesting is essentially
saying that you should permit some level of censorship. you are
talking about a slippery slope here. There is nothing stopping any tor
user from running software such as peerguardian with a custom
blocklist. This should not be encouraged, however it should not be
prohibited. what you are talking about doing is adding a blacklisting
system to tor. Do you want to put the freedom to choose at risk? Who
can you trust to implement such a blacklist? Surely it would make more
sense, to, for example in the case of our french friend who has been
frisked by the police, for THEM to implement a blacklist, in
co-operation with those police, not only to show that we are on their
side, but to make it clear that the server operator is not interested
in being

Re: Tor bandwidth requirements (was: Some legal trouble with TOR in France)

2006-05-15 Thread phobos

On Mon, May 15, 2006 at 10:04:56AM +0100, [EMAIL PROTECTED] wrote 0.7K bytes in 
18 lines about:
: The Tor documentation states that 20k/sec each way is the minimum

This is 20 KB/sec, aka 160 Kilobits per second.

-- 
Andrew

Re: Some legal trouble with TOR in France +

2006-05-15 Thread crackedactor


glymr wrote...

1.
>"I personally have stopped trying to use tor because latency has gone far
>beyond my patience. Something needs to be done about tor's bandwidth
>capability. Of course more bandwidth will mean more users...

2.
> and I have
>said this before and I will say it again - Tor needs to run a minimal
>server capability by default, even a 2kb/s, and no more of this
>middleman only business, the more people doing it, the less isolated
>those who get targeted become, and the greater the pool of possible
>'suspects'...


3.
>I think it's a classic example of an opportunity for 'free riders' that
>tor not being a pure p2p application that there is this bandwidth
>problem, and this also makes those who have the intestinal fortitude to
>run servers, especially exit nodes, have a much greater risk of getting
>caught up in a legal problem. IMHO, the concept of middlemen nodes and
>client-only connections needs to be done away with because it decreases
>the 'lost in the crowd' solidarity that really SHOULD be a part of the
>tor philosophy, I think there is a little too much pandering to the
>lowest common denominator.


4.
>If those bad guys, eg terrorists and child pornographers, were not able
>to use the tor network for risk of being caught in a legal problem
>originating from an entirely different bad guy that would be better for
>everyone. This would be simple to implement too, as a peer verification.
>Before a node would accept traffic from another node, it would look up
>the node's ip address in the directory, if it didn't find it, it would
>refuse to carry traffic for it, and as a second test, it would attempt
>to push a test packet through the node in a double-back loop (onion
>route via a second known good node back to itself)... And to add more to
>this, a peer-bandwidth reporting system, where nodes measure the traffic
>they send through each different node, and report this back to the
>servers (as opposed to self-reporting) and this would further make the
>process of using tor without exposing yourself to some other bad guy's
>traffic.


5.
>Now I know that this would probably rattle a lot of people but we must
>be serious about this. If you really care about your legal safety and
>the anonymity of the network, you should be contributing, even if only
>enough to permit half of a 56k dialup connection (ie 1-2kb/s) to relay
>traffic. The random hop length is also a very good idea,

6.
>I don't think
>that random delays are neccessary, this is naturally introduced by
>random hop lengths.

7.
>Having the nodes construct a big number of circuit
>paths would be good too, every http object request, for example, could
>be sent out on a different circuit which may or may not be a different
>length, it would certainly make the global adversary much more work to
>try and track the endpoints. Another side point is that this reinforces
>the value of such detachable persisting stream protocols as silc, which
>allow the user to close the stream and reestablish it transparently.




>my 2c"


By the numbers..

1.

I have no problems with latency of Tor for obtaining a web page via IE.
But for Firefox, all I ever get is time-outs, even though I increased the 
available time-out settings to huge values.
Maybe the problem is the brower you are using. I use privoxy with IE and it 
seems to do a good job.

Ocassionally, I have a slow link (usually on Fridays +22:00GMT etc), when this 
happens I often change my IE settings to stop downloading images. That works a 
treat.

As a middleman server I see huge periods (3-4 hours) of NO traffic (even when 
I'm not running other stuff), so overall there is little "COVER" for me in 
running this service.   

More on this later...

2.

Well most people using Tor, aint running a server at ALL. They are just the 
users, running Tor in Client only mode. 

And the "middlemen" are gonna be needed, if you want to have more hops!

Not everyone can run an EXIT server, but there are lots who can run a middleman 
server, not everyone can find, nor afford an ISP willing to allow them to run 
an EXIt server.
But most ISP's "dont grieve about what the eye dont see" so running a 
"middleman" is no problem.

My advice would be take advantage of their bandwidth, its free. 
And get EXIT servers to only run limited "middleman" capability and stop trying 
to make them "Do-It-All".

If "EXIT servers" gave, at maximum, 20% of currently "spare" bandwidth to 
"middleman" traffic, and get in as many middlemen as possible, then that might 
speed the whole Tor system up.
 
3.

The only "Free-Riders" would appear to be ordinary Tor users who dont run in 
server mode, but thats why we have Tor!
Yes, Tor is a FREE SERVICE! 
 
What about a system of service classes - different classes of service for 
different classes of Tor user/service provider!

More on that later... 

4.

No... they'll just run Tor in client mode only!

Child porn is a different matter, it threatens the Tor network!
It is best

Tor bandwidth requirements (was: Some legal trouble with TOR in France)

2006-05-15 Thread Dave Page

On Mon, May 15, 2006 at 02:11:15PM +1000, glymr wrote:

> If you really care about your legal safety and the anonymity of the
> network, you should be contributing, even if only enough to permit
> half of a 56k dialup connection (ie 1-2kb/s) to relay traffic.

The Tor documentation states that 20k/sec each way is the minimum
requirement for a Tor server. If that documentation is wrong, and lower
bandwidth would still be useful, I'd be happy to run a server.

I could definitely offer 10k, perhaps 15k. I think it'd be useful if Tor
would be happy with 5k, since that will make running Tor servers on the
increasingly popular (in the UK) 128kbit upstreams feasible.

Dave
-- 
Dave Page <[EMAIL PROTECTED]>
Jabber: [EMAIL PROTECTED]

Re: Some legal trouble with TOR in France

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

Matej Kovacic wrote:
> Hi,
> 
> this could also be a good idea:
> http://www.ubuntuforums.org/showthread.php?t=120097&highlight=cryptsetup
> 
> encryption of harddrives from the scratch.
> 
> However, I would create a small partition where there will be keys
> (files) for decryptig root and home partitions. This small partition
> would be encrypted by passphrase. That means you can easily (well...
> :-//) change your passphrase for the system (just re-encrypt this small
> partition with keyfiles againg).
> 
> The only critical software part is then /boot partition. But you can
> always fill the /boot up to 100% with random data and run Tripwire
> integrity checking on it. If it is full, it is hard to write additional
> code on it. And if you do integrity checking, you can easily discover if
> something changed.
> 
> I am planning to write a small setup guide for cryptsetup on Dapper
> version of Ubuntu Linux.
> 
> bye, Matej

ever heard of cryptfs_luks?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFEaEFVGkOzwaes7JsRA1YAAKCrEiBr19FhyOWbFH1jR9qx6ILPegCbBzJz
/xTN2T8C4dQLrGU7pwGkXps=
=DaHk
-END PGP SIGNATURE-

Re: Some legal trouble with TOR in France

2006-05-15 Thread Mike Perry

Thus spake Ringo Kamens ([EMAIL PROTECTED]):

> Also, they can put you on grand jury and give you obstruction of justice for
> refusing to talk.

According to wikipedia (http://en.wikipedia.org/wiki/Grand_jury):

"In all U.S. jurisdictions retaining the grand jury, the defendant has
the right under the Fifth Amendment not to give self-incriminating
testimony. However, the prosecutor can call the defendant to testify
and require the defendant to assert the right on a
question-by-question basis, which is prohibited in jury trials unless
the defendant has voluntarily testified on his own behalf."

A meandering writeup of the 5th ammendment at
http://en.wikipedia.org/wiki/Fifth_Amendment_to_the_U.S._Constitution
states:

"If the government gives an individual immunity, then that individual
may be compelled to testify. Immunity may be "transactional immunity"
or "use immunity"; in the former, the witness is immune from
prosecution for offenses related to the testimony; in the latter, the
witness may be prosecuted, but his testimony may not be used against
him. The Supreme Court has held that the government need only grant
use immunity to compel testimony. The use immunity, however, must
extend not only to the testimony made by the witness, but also to all
evidence derived therefrom."

So it would seem then that granting immunity to you to divulge your
passwords should protect you from anything found. This is probably the
most likely scenario if you are asked to provide (non-existent)
evidence against a Tor user and you have asserted your rights up to
the point of a court hearing. If you make the mistake of divulging
passwords/data to an officer before immunity was granted, you're
screwed.

> On 5/14/06, Eric H. Jung <[EMAIL PROTECTED]> wrote:
> >
> >I don't have the time to respond to all the points of your email except
> >the first/
> >
> >Federal Contempt of Court
> >http://www.bafirm.com/articles/federalcontempt.html
> >
> >"Although there is no statutory maximum limit regulating the amount of
> >time a contemnor can be ordered to spend in confinement (United States
> >v. Carpenter, 91 F.3d 1282, 1283 (9th Cir. 1996)), the requirement that
> >a jury trial be granted in criminal contempt cases involving sentences
> >over six months in jail acts as a check on this power." 67-79

Ah, thanks for the clarification. At least there is some check though.

> >> We seriously have to watch our paranoia on this one. This is one
> >> of those situations that if we believe we have no rights, it will
> >> be very easy to knock us over, simply by playing off our fears
> >> and demanding keys without any legitimate basis to do so.
> >>
> >> If any Tor operator is arrested/detained in the US, they would do
> >> well to refuse to surrender any passphrase until they are
> >> actually in court and ordered to do so by a Judge (and then only
> >> after voicing protest, to allow for clear appeal to a higher
> >> court). Cops will probably just lie to you and try to convince
> >> you that you are required on the spot.  Ask for a lawyer
> >> immediately.

I should also add that they will probably tell you that if you just
let them see what they want, you can be out of there much quicker.
They usually will also ask you why you have anything to hide. This
has happened to friends of mine. It makes it very hard to say no to
search or interrogation.

In our case, the best response is "What you claim to be looking for is
not recorded by Tor. Furthermore, I have a lot of personal material on
that computer such as emails, pictures of my significant other, and
other private material that I do not believe you have the right to
look at simply because you want to. I would like to speak with a
lawyer."

A more general response probably would be something like "I resent the
idea that the police should be allowed to look through my personal
belongings simply because I have nothing to hide. I find this
offensive, and I feel it violates me personally. I do not consent to
search."

I do not think that Tor operators really have to worry about the
government using the full powers of the Patriot Act against us. The
amount of effort (and monetary expense!) required to do so simply does
not make sense, particularly because it accomplishes so little in the
context of a legitimate investigation against a Tor user.

Key word being legitimate.

I agree that the Patriot Act is a horrible thing, and makes an
excellent tool for the government to use to silence opposition. But I
like to think that Tor is a high enough profile project, and that the
administration is so completely unpopular now that a full
roving-wiretap, sneak and peek search, wireless keylogger, laser-mic
surveillance, CIA mind control attack on a Tor operator would be
political suicide, and would only serve as further example to the
unconstitutional nature of the act. At least this is how I sleep at
night ;)

The main danger is exactly what happened here. Some local cops show up
and try to take a

Re: Some legal trouble with TOR in France

2006-05-15 Thread Matej Kovacic

Hi,

> Not that some powers haven't been known to first interrogate you as
> "unrelated witness" (neither you, nor your family, is accused), where
> remaining silent is obstruction of justice and punishable, and _then_
> charge you with the information thus gleaned.

Now I am talking only for Slovenia, but I belive in other european
countries it's similar or the same.

Well, remaining silent is violation only if you are silent AS A WITTNES
(not as accused person) and it it is on the court.

You can always be silent when talking to the police. In SLovenia police
can ask you to came to the police station to give a statement. You must
gothere, but youn can ALWAYS say: I "came here, but I don't want to talk
about that. Googbye". And if they ask you to stay, you can ask them: "Am
I accused of sometnihg". And they MUST answer yes or no. If "no", you
are free to go. If "yes", you have the right to lawyer.

And you can always refuse to answer to a question which could lead to
prosecution of you, or bring you to a great shame.

It could be that some "new, antiterrorist" legislations abandon this
rights in some (less democratic :-)) ) countries. But there is European
Court of Human Rights. And if you live in Europe it is great to know
about it.

bye, Matej

Re: Some legal trouble with TOR in France

2006-05-15 Thread Eric H. Jung

--- Matej Kovacic <[EMAIL PROTECTED]> wrote:

> It is interesting, because we are talking about letters from/to
> prison
> and not letters of free innocent citizens. If Court found cenzorship
> of
> prisonner's writings (to his wife and international institutuions)
> illegal, then restrictions to writings of innocent citizens must be
> illegal too.

That is interesting! My wife has worked in the prison system of the
U.S. (federal and state) for some years now. I call tell you without a
doubt that prisoners' outbound letters are most definitely censored and
screened here in the US--with their knowledge, but not necessarily with
their consent.

Re: Some legal trouble with TOR in France

2006-05-14 Thread Matej Kovacic

Hi,

> Under the British "Regulation of Investigatory Powers Act", they would
> simply confiscate the entire machine, demand any authentication tokens
> required to access it, and lock you up if you refused to surrender them.
> I believe similar laws exist in most EU jurisdictions now.

What about the priviledge of non self-accusation?

It is expensive, but you can just piss 'em off and buy new hardware...

bye, Matej

Re: Some legal trouble with TOR in France

2006-05-14 Thread Matej Kovacic

Hi,

this could also be a good idea:
http://www.ubuntuforums.org/showthread.php?t=120097&highlight=cryptsetup

encryption of harddrives from the scratch.

However, I would create a small partition where there will be keys
(files) for decryptig root and home partitions. This small partition
would be encrypted by passphrase. That means you can easily (well...
:-//) change your passphrase for the system (just re-encrypt this small
partition with keyfiles againg).

The only critical software part is then /boot partition. But you can
always fill the /boot up to 100% with random data and run Tripwire
integrity checking on it. If it is full, it is hard to write additional
code on it. And if you do integrity checking, you can easily discover if
something changed.

I am planning to write a small setup guide for cryptsetup on Dapper
version of Ubuntu Linux.

bye, Matej

Re: Some legal trouble with TOR in France

2006-05-14 Thread Matej Kovacic

Hi,

> However I might get bad news about this in a few weeks/monthes,
> depending of  what the justice wants to do with me. Unauthorised
> cryptographic programs are illegal in france, since the "len" law
> adopted two years ago but I believe there is not much precedent
> equivalent case so they must be thinking twice before they get me
> into trouble.

Well, France has signed Convention on Human Rights and Fundamental
Freedoms (adopted by Council of Europe in 1950).

Article 8 says:

   1. Everyone has the right to respect for his private and family life,
his home and his correspondence.
   2. There shall be no interference by a public authority with the
exercise of this right except such as is in accordance with the law and
is necessary in a democratic society in the interests of national
security, public safety or the economic well-being of the country, for
the prevention of disorder or crime, for the protection of health or
morals, or for the protection of the rights and freedoms of others.

There are some legal opinions, that banning cryptography or anonymous
remailers is disproportional interference with privacy.

I looked up in the European Court fo Human Rights database, and have
found this case: CASE OF PUZINAS v. LITHUANIA, 14 March 2002

It about a prisoner, who complained because his letters were subject to
cenzorship. Lithuanian law stated that any letters containing
“cryptography [and] cynical or threatening statements shall not be sent
to the addressee”, and also written “suggestions, applications or
complaints containing insults, jargon or obscenities shall not be sent,
[and that] disciplinary penalties may be imposed on the persons who have
signed” such papers.

Court ruled that the interference complained of was not necessary in a
democratic society within the meaning of Article 8, and therefore there
is a violation of Article 8.

It is interesting, because we are talking about letters from/to prison
and not letters of free innocent citizens. If Court found cenzorship of
prisonner's writings (to his wife and international institutuions)
illegal, then restrictions to writings of innocent citizens must be
illegal too.

bye, Matej

Re: Some legal trouble with TOR in France

2006-05-14 Thread Jeffrey F. Bloss

On Sun, 14 May 2006 18:21:04 -0400
Adam Shostack <[EMAIL PROTECTED]> wrote:

> Nope.  I think they'd be making different statements than they're
> making, and I think that they'd have avoided the subject in private.

Or they'd do everything in their power to make you believe as much
anyway. What better way to garner someone's trust than by emphatically
denying something and habitually chatting up some premise contrary the
the breaching of that trust?

The point is, you can't really know for sure one way or the other.
Someone claiming they'll allow back doors only upon their death is
actually a little bit too bombastic for my tastes. A sane person would
probably relent long before they expired, and hope for the best. And an
ultimately honest person would be more inclined to admit that, than
deny it.

Just my $.02 worth. Something to consider. 

> 
> Adam
> 
> On Sun, May 14, 2006 at 03:10:07PM -0700, Ringo Kamens wrote:
> | If somebody was forced to implement backdoors for the government,
> do you think | they would be allowed to tell you?
> | 
> | On 5/14/06, Adam Shostack <[EMAIL PROTECTED]> wrote:
> | 
> | Niels Ferguson says "over my dead body:"
> | http://blogs.msdn.com/si_team/archive/2006/03/02/542590.aspx
> He's | also said as much to me in person, as has Peter Biddle.
> | 
> | Adam
> | 
> | 
> | On Sun, May 14, 2006 at 10:43:22AM -0700, Ringo Kamens wrote:
> | | I'm not saying the AES is weak. I'm saying that Microsoft

-- 
Hand Crafted on Mon. May 15, 2006 at 01:49 

Outside of a dog, a book is a man's best friend. 
Inside of a dog, it's too dark to read.
 -- Groucho Marx

Re: data remanence (was: Some legal trouble with TOR in France)

2006-05-14 Thread Jeffrey F. Bloss

On Mon, 15 May 2006 07:15:55 +0200
cesare VoltZ <[EMAIL PROTECTED]> wrote:

> What do you think about to start TOR with Knoppix Linux booted from a
> CD/Rom?

There's something similar to this (but better in my opinion) built
around OpenBSD. It routes all external TCP traffic through Tor, and
even spoofs aNY subtle OS "fingerprints" to look like something else
to the outside world. 

http://sourceforge.net/projects/anonym-os/

-- 
Hand Crafted on Mon. May 15, 2006 at 01:41 

Outside of a dog, a book is a man's best friend. 
Inside of a dog, it's too dark to read.
 -- Groucho Marx

Re: data remanence (was: Some legal trouble with TOR in France)

2006-05-14 Thread Lionel Elie Mamane

On Sun, May 14, 2006 at 08:29:06PM -0400, Michael Holstein wrote:
>> There are methods (and they are used) to read data from a overwritten
>> disk.

> Has anyone tried creating a (ro) flash-boot linux system for TOR
> with all the (rw) stuff mounted in RAM ?

Flash is writable, so can be tampered. The critical secret (the
server's key) is in the ro part. So what good is it?

Really, guys. If it is protection against governments you want, you
are barking up the wrong tree. Too difficult.

-- 
Lionel

Re: data remanence (was: Some legal trouble with TOR in France)

2006-05-14 Thread cesare VoltZ

What do you think about to start TOR with Knoppix Linux booted from a CD/Rom?

CesareOn 5/15/06, Michael Holstein <[EMAIL PROTECTED]> wrote:
 > There are methods (and they are used) to read data from a overwritten > disk.Has anyone tried creating a (ro) flash-boot linux system for TOR withall the (rw) stuff mounted in RAM ?Such a device would raise the bar quite a bit, no? (AFIK, there is no
data remanence problem with DRAM .. unless $they can stop the clock andkeep power applied).(seeing the $agency come in with a UPS and trying to splice the A/Cwithout shutting it off, and then carrying out the server on battery
power conjures up memories of a certian Seinfield episode)./mike.

Re: Some legal trouble with TOR in France

2006-05-14 Thread glymr

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

I personally have stopped trying to use tor because latency has gone far
beyond my patience. Something needs to be done about tor's bandwidth
capability. Of course more bandwidth will mean more users... and I have
said this before and I will say it again - Tor needs to run a minimal
server capability by default, even a 2kb/s, and no more of this
middleman only business, the more people doing it, the less isolated
those who get targeted become, and the greater the pool of possible
'suspects'...

I think it's a classic example of an opportunity for 'free riders' that
tor not being a pure p2p application that there is this bandwidth
problem, and this also makes those who have the intestinal fortitude to
run servers, especially exit nodes, have a much greater risk of getting
caught up in a legal problem. IMHO, the concept of middlemen nodes and
client-only connections needs to be done away with because it decreases
the 'lost in the crowd' solidarity that really SHOULD be a part of the
tor philosophy, I think there is a little too much pandering to the
lowest common denominator.

If those bad guys, eg terrorists and child pornographers, were not able
to use the tor network for risk of being caught in a legal problem
originating from an entirely different bad guy that would be better for
everyone. This would be simple to implement too, as a peer verification.
Before a node would accept traffic from another node, it would look up
the node's ip address in the directory, if it didn't find it, it would
refuse to carry traffic for it, and as a second test, it would attempt
to push a test packet through the node in a double-back loop (onion
route via a second known good node back to itself)... And to add more to
this, a peer-bandwidth reporting system, where nodes measure the traffic
they send through each different node, and report this back to the
servers (as opposed to self-reporting) and this would further make the
process of using tor without exposing yourself to some other bad guy's
traffic.

Now I know that this would probably rattle a lot of people but we must
be serious about this. If you really care about your legal safety and
the anonymity of the network, you should be contributing, even if only
enough to permit half of a 56k dialup connection (ie 1-2kb/s) to relay
traffic. The random hop length is also a very good idea, I don't think
that random delays are neccessary, this is naturally introduced by
random hop lengths. Having the nodes construct a big number of circuit
paths would be good too, every http object request, for example, could
be sent out on a different circuit which may or may not be a different
length, it would certainly make the global adversary much more work to
try and track the endpoints. Another side point is that this reinforces
the value of such detachable persisting stream protocols as silc, which
allow the user to close the stream and reestablish it transparently.

my 2c

glymr

Ringo Kamens wrote:
> Also, they can put you on grand jury and give you obstruction of justice
> for refusing to talk.
> 
> On 5/14/06, *Eric H. Jung* <[EMAIL PROTECTED]
> > wrote:
> 
> Mike,
> 
> I don't have the time to respond to all the points of your email except
> the first/
> 
> Federal Contempt of Court
> http://www.bafirm.com/articles/federalcontempt.html
> 
> "Although there is no statutory maximum limit regulating the amount of
> time a contemnor can be ordered to spend in confinement (United States
> v. Carpenter, 91 F.3d 1282, 1283 (9th Cir. 1996)), the requirement that
> a jury trial be granted in criminal contempt cases involving sentences
> over six months in jail acts as a check on this power." 67-79
> 
> 
> 
> --- Mike Perry <[EMAIL PROTECTED] > wrote:
> 
> > Thus spake Eric H. Jung ( [EMAIL PROTECTED]
> ):
> >
> > > > Tony's point was that you could arrange not to have the
> > > authentication
> > > > tokens anymore. You better hope they believe you when you say you
> > > > don't have it, though.
> > >
> > > >Not having the authentication tokens counts as refusing to
> > surrender
> > > >them.
> > >
> > > Per US law, if a judge subpoenas you to hand them over and you
> > refuse
> > > and/or remain silent, it means indefinite jail time (until you hand
> > > over the tokens) and/or fines.
> >
> > Where is your source on this? As I understand it, there are a few
> > fundamental principles of the US legal system that should render this
> > statement completely false. One is Habeas Corpus.. You can't just
> > throw someone in jail indefinitely without a criminal charge and a
> > trial. http://en.wikipedia.org/wiki/Writ_of_habeas_corpus
> >
> > Though it seems Bush&Co are violating it with "enemy combatant"
> > charges, I do no

Re: Some legal trouble with TOR in France

Also, they can put you on grand jury and give you obstruction of justice for refusing to talk.
On 5/14/06, Eric H. Jung <[EMAIL PROTECTED]> wrote:
Mike,I don't have the time to respond to all the points of your email exceptthe first/
Federal Contempt of Courthttp://www.bafirm.com/articles/federalcontempt.html"Although there is no statutory maximum limit regulating the amount of
time a contemnor can be ordered to spend in confinement (United Statesv. Carpenter, 91 F.3d 1282, 1283 (9th Cir. 1996)), the requirement thata jury trial be granted in criminal contempt cases involving sentences
over six months in jail acts as a check on this power." 67-79--- Mike Perry <[EMAIL PROTECTED]> wrote:> Thus spake Eric H. Jung (
[EMAIL PROTECTED]):>> > > Tony's point was that you could arrange not to have the> > authentication> > > tokens anymore. You better hope they believe you when you say you
> > > don't have it, though.> >> > >Not having the authentication tokens counts as refusing to> surrender> > >them.> >> > Per US law, if a judge subpoenas you to hand them over and you
> refuse> > and/or remain silent, it means indefinite jail time (until you hand> > over the tokens) and/or fines.>> Where is your source on this? As I understand it, there are a few
> fundamental principles of the US legal system that should render this> statement completely false. One is Habeas Corpus.. You can't just> throw someone in jail indefinitely without a criminal charge and a
> trial. http://en.wikipedia.org/wiki/Writ_of_habeas_corpus>> Though it seems Bush&Co are violating it with "enemy combatant"
> charges, I do not think they have the political power (at least> anymore) to name an anonymity provider as an "enemy combatant"> (especially if they are a natural born US citizen). The same applies
> to the 72 hour warrant deal, at least as far as I can tell from> http://www.fff.org/comment/com0601c.asp>> Second, if it is a criminal charge, you are not under any obligation
> to testify against yourself in a criminal court of law (5th> ammendment). There are various exceptions to this, main one being if> you are not the person charged of the crime (though I think you can
> still claim that such testimony may incriminate you for unrelated> matters). I suppose it could also be argued that the passphrase does> not count as testimony, but it sure seems like it is.>
> Finally, some googling on subpoena compliance seems to indicate that> punishment for subpoena non-compliance is 'contempt of court' charge> and fines.>> 
http://www.rcfp.org/cgi-local/privilege/item.cgi?i=questions>> That page advises you not to answer any subpoenas without challenging> them first, among other things (ie one state's court cannot usually
> subpoena someone from another state). Contempt of court charges for> non-compliance may be repeated, but any contempt law I can find on> the web has some form of maximum limit. The longest I've seen so far
> is North Carolina, which is a max of 1yr in 90 day increments:> http://www.rosen.com/ppf/cat/statco/laws.asp>>> Also, dunno how accurate it is, but Wikipedia seems to claim that the
> key disclosure provisions of the RIPA (Part III) are not yet in force> in the UK:>>http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000
> We seriously have to watch our paranoia on this one. This is one of> those situations that if we believe we have no rights, it will be> very> easy to knock us over, simply by playing off our fears and demanding
> keys without any legitimate basis to do so.>> If any Tor operator is arrested/detained in the US, they would do> well> to refuse to surrender any passphrase until they are actually in
> court> and ordered to do so by a Judge (and then only after voicing protest,> to allow for clear appeal to a higher court). Cops will probably just> lie to you and try to convince you that you are required on the spot.
> Ask for a lawyer immediately.>> This is not just to protect the Tor network either. With computer> laws> as crazy as they are, and with the IPPA coming down the road, soon> simply having something like an Open Source DVD player or archiver on
> your machine will be enough to land you in jail for a while, if it's> not already...>> --> Mike Perry> Mad Computer Scientist> fscked.org evil labs
>

Re: data remanence (was: Some legal trouble with TOR in France)

2006-05-14 Thread Eric H. Jung

--- Michael Holstein <[EMAIL PROTECTED]> wrote:

> AFIK, there is no data remanence problem with DRAM

Not apparently. I sent one of these links earlier in this thread IIRC.
These papers are by Peter Gutman himself.

"7. Methods of Recovery for Data stored in Random-Access Memory"
"8. Erasure of Data stored in Random-Access Memory"
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Data Remanence in Semiconductor Devices -- all 19 pages
http://www.cypherpunks.to/~peter/usenix01.pdf

It's been a few years since I've read these articles personally.

Re: Some legal trouble with TOR in France

2006-05-14 Thread Eric H. Jung

Mike,

I don't have the time to respond to all the points of your email except
the first/

Federal Contempt of Court
http://www.bafirm.com/articles/federalcontempt.html

"Although there is no statutory maximum limit regulating the amount of
time a contemnor can be ordered to spend in confinement (United States
v. Carpenter, 91 F.3d 1282, 1283 (9th Cir. 1996)), the requirement that
a jury trial be granted in criminal contempt cases involving sentences
over six months in jail acts as a check on this power." 67-79



--- Mike Perry <[EMAIL PROTECTED]> wrote:

> Thus spake Eric H. Jung ([EMAIL PROTECTED]):
> 
> > > Tony's point was that you could arrange not to have the 
> > authentication
> > > tokens anymore. You better hope they believe you when you say you
> > > don't have it, though.
> > 
> > >Not having the authentication tokens counts as refusing to
> surrender
> > >them.
> > 
> > Per US law, if a judge subpoenas you to hand them over and you
> refuse
> > and/or remain silent, it means indefinite jail time (until you hand
> > over the tokens) and/or fines.
> 
> Where is your source on this? As I understand it, there are a few
> fundamental principles of the US legal system that should render this
> statement completely false. One is Habeas Corpus.. You can't just
> throw someone in jail indefinitely without a criminal charge and a
> trial. http://en.wikipedia.org/wiki/Writ_of_habeas_corpus 
> 
> Though it seems Bush&Co are violating it with "enemy combatant"
> charges, I do not think they have the political power (at least
> anymore) to name an anonymity provider as an "enemy combatant"
> (especially if they are a natural born US citizen). The same applies
> to the 72 hour warrant deal, at least as far as I can tell from
> http://www.fff.org/comment/com0601c.asp
> 
> Second, if it is a criminal charge, you are not under any obligation
> to testify against yourself in a criminal court of law (5th
> ammendment). There are various exceptions to this, main one being if
> you are not the person charged of the crime (though I think you can
> still claim that such testimony may incriminate you for unrelated
> matters). I suppose it could also be argued that the passphrase does
> not count as testimony, but it sure seems like it is.
> 
> Finally, some googling on subpoena compliance seems to indicate that
> punishment for subpoena non-compliance is 'contempt of court' charge
> and fines.
> 
> http://www.rcfp.org/cgi-local/privilege/item.cgi?i=questions
> 
> That page advises you not to answer any subpoenas without challenging
> them first, among other things (ie one state's court cannot usually
> subpoena someone from another state). Contempt of court charges for
> non-compliance may be repeated, but any contempt law I can find on
> the web has some form of maximum limit. The longest I've seen so far
> is North Carolina, which is a max of 1yr in 90 day increments:
> http://www.rosen.com/ppf/cat/statco/laws.asp
> 
> 
> Also, dunno how accurate it is, but Wikipedia seems to claim that the
> key disclosure provisions of the RIPA (Part III) are not yet in force
> in the UK:
> 
>
http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000
> 
> 
> 
> 
> We seriously have to watch our paranoia on this one. This is one of
> those situations that if we believe we have no rights, it will be
> very
> easy to knock us over, simply by playing off our fears and demanding
> keys without any legitimate basis to do so.
> 
> If any Tor operator is arrested/detained in the US, they would do
> well
> to refuse to surrender any passphrase until they are actually in
> court
> and ordered to do so by a Judge (and then only after voicing protest,
> to allow for clear appeal to a higher court). Cops will probably just
> lie to you and try to convince you that you are required on the spot.
> Ask for a lawyer immediately. 
> 
> This is not just to protect the Tor network either. With computer
> laws
> as crazy as they are, and with the IPPA coming down the road, soon
> simply having something like an Open Source DVD player or archiver on
> your machine will be enough to land you in jail for a while, if it's
> not already...
> 
> -- 
> Mike Perry
> Mad Computer Scientist
> fscked.org evil labs
>

data remanence (was: Some legal trouble with TOR in France)

2006-05-14 Thread Michael Holstein


> There are methods (and they are used) to read data from a overwritten
> disk.

Has anyone tried creating a (ro) flash-boot linux system for TOR with 
all the (rw) stuff mounted in RAM ?


Such a device would raise the bar quite a bit, no? (AFIK, there is no 
data remanence problem with DRAM .. unless $they can stop the clock and 
keep power applied).


(seeing the $agency come in with a UPS and trying to splice the A/C 
without shutting it off, and then carrying out the server on battery 
power conjures up memories of a certian Seinfield episode).


/mike.

Re: Some legal trouble with TOR in France

2006-05-14 Thread Michael Holstein

Not to mention that whereas a passphrase in your head requires your 
cooperation to divulge (although torture can be used to provide that) .. 
there's nothing stopping someone from knocking you unconscious and using 
your finger/eye/whatever on the reader.


/mike.

glymr wrote:

Tony wrote:


just wanted to suggest that biometrics are not wise for encryption
whatsoever. for one thing, they use a software mechanism to 'unlock'
and this lock can be bypassed. voiceprint, retina/iris scan,
fingerprints, dna, all of these things do not constitute a proper
password or lock for any data, for one thing you can't change them,
for a second thing, none of them generate a data stream which can be
used as a passphrase, it all goes through an identification process
and that only generates a yes/no answer. the usb key and the microwave
are the best way to go. a smart card would probably be just as good,
but not so cheap to implement.

Re: Some legal trouble with TOR in France

2006-05-14 Thread Cat Okita


On Mon, 15 May 2006, glymr wrote:

just wanted to suggest that biometrics are not wise for encryption
whatsoever. for one thing, they use a software mechanism to 'unlock'
and this lock can be bypassed. voiceprint, retina/iris scan,
fingerprints, dna, all of these things do not constitute a proper
password or lock for any data, for one thing you can't change them,
for a second thing, none of them generate a data stream which can be
used as a passphrase, it all goes through an identification process
and that only generates a yes/no answer. the usb key and the microwave
are the best way to go. a smart card would probably be just as good,
but not so cheap to implement.


... and biometrics also give new meaning to 'crippleware'.

cheers!
==
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."

Re: Some legal trouble with TOR in France

2006-05-14 Thread Adam Shostack

Nope.  I think they'd be making different statements than they're
making, and I think that they'd have avoided the subject in private.

Adam

On Sun, May 14, 2006 at 03:10:07PM -0700, Ringo Kamens wrote:
| If somebody was forced to implement backdoors for the government, do you think
| they would be allowed to tell you?
| 
| On 5/14/06, Adam Shostack <[EMAIL PROTECTED]> wrote:
| 
| Niels Ferguson says "over my dead body:"
| http://blogs.msdn.com/si_team/archive/2006/03/02/542590.aspx  He's
| also said as much to me in person, as has Peter Biddle.
| 
| Adam
| 
| 
| On Sun, May 14, 2006 at 10:43:22AM -0700, Ringo Kamens wrote:
| | I'm not saying the AES is weak. I'm saying that Microsoft might have
| | implemented a back-door for governments. They could store the private
| keys and
| | passwords in videocard memory or in the boot sector or something like
| that.
| |
| | On 5/14/06, Tony < [EMAIL PROTECTED]> wrote:
| |
| |
| | 2. The restrictions on encryption were removed some years ago. The
| best
| | encryption software comes from outside the USA anyway so it was
| always a
| | pointless exercise in futility.
| |
| |
| |
| | Unless a vulnerability is found in 256 bit AES it would take them
| longer
| | than the ages of the universe to crack a key by brute force no 
matter
| how
| | many terraflops of power they have to task on your key (not to
| mention the
| | many others they might want to crack)
| |
| |
| |
| | 3. Filtering content is not quite the same as signing code and
| pretending
| | it comes from Microsoft. Such a piece of code would have a changed
| checksum
| | would likely be spotted and then analysed. I can't see Microsoft
| doing that
| | unless required by law.
| |
| |
| |
| | 4. TPM is part of the trusted computing concept. It just makes it
| much
| | harder. Not impossible.
| |
| |
| |
| |
| 
---
| |
| | From: [EMAIL PROTECTED] [mailto:
| [EMAIL PROTECTED] On
| | Behalf Of Ringo Kamens
| | Sent: 14 May 2006 18:31
| |
| |
| |     To: or-talk@freehaven.net
| | Subject: Re: Some legal trouble with TOR in France
| |
| |
| |
| | There are a few key points that you are overlooking.
| |
| |
| |
| | 1. In support of the photocopying money scandal, most printers have
| yellow
| | dots imprinted on them that track date printed, serial number, etc.
| |
| |
| |
| | 2. By US export law, US companies are not allowed to export
| encryption
| | larger than 56 bit (although it might have jumped to 128 a few years
| ago),
| | unless it has been certified by the government.  That means unless 
it
| has a
| | backdoor. Plus, governments have thousands of teraflops of idle
| computer
| | cycles waiting to crack your keys.
| |
| |
| |
| | 3. How can you honestly think Microsoft wouldn't bend over for the 
US
| | government. They bent over for China. Look at PGP. They moved to
| closed
| | source after version 6.0 with no valid reason. The reason is 
probably
| the
| | government.
| |
| |
| |
| | 4. In terms of using checksums to ensure your system hasn't been
| tampered
| | with, the computer hardware could have a defense system against that
| such
| | as trusted computing.
| |
| |
| |
| | Ringo Kamens
| |
| |
| |
| | On 5/14/06, Mike Zanker < [EMAIL PROTECTED]> wrote:
| |
| | On 14/5/06 15:10, Tony wrote:
| |
| | > Nb- failure to disclose keys is up to two years in prison. Not 10.
| | >
| | > (5) A person guilty of an offence under this section shall be
| liable-
| | >
| | >   (a) on conviction on indictment, to imprisonment for a term not
| | > exceeding two years or to a fine, or to both;
| | >   (b) on summary conviction, to imprisonment for a term not
| exceeding
| | > six months or to a fine not exceeding the statutory maximum, or to
| both.
| |
| | Furthermore, that's part III of RIPA which hasn't been enacted yet.
| |
| | Mike.
| |
| |
| |
| | This message has been scanned for viruses by MailController -
| | www.MailController.altohiway.com
| |
| |
| |
| |
| 
|

Re: Some legal trouble with TOR in France

2006-05-14 Thread Mike Perry

Thus spake Eric H. Jung ([EMAIL PROTECTED]):

> > Tony's point was that you could arrange not to have the 
> authentication
> > tokens anymore. You better hope they believe you when you say you
> > don't have it, though.
> 
> >Not having the authentication tokens counts as refusing to surrender
> >them.
> 
> Per US law, if a judge subpoenas you to hand them over and you refuse
> and/or remain silent, it means indefinite jail time (until you hand
> over the tokens) and/or fines.

Where is your source on this? As I understand it, there are a few
fundamental principles of the US legal system that should render this
statement completely false. One is Habeas Corpus.. You can't just
throw someone in jail indefinitely without a criminal charge and a
trial. http://en.wikipedia.org/wiki/Writ_of_habeas_corpus 

Though it seems Bush&Co are violating it with "enemy combatant"
charges, I do not think they have the political power (at least
anymore) to name an anonymity provider as an "enemy combatant"
(especially if they are a natural born US citizen). The same applies
to the 72 hour warrant deal, at least as far as I can tell from
http://www.fff.org/comment/com0601c.asp

Second, if it is a criminal charge, you are not under any obligation
to testify against yourself in a criminal court of law (5th
ammendment). There are various exceptions to this, main one being if
you are not the person charged of the crime (though I think you can
still claim that such testimony may incriminate you for unrelated
matters). I suppose it could also be argued that the passphrase does
not count as testimony, but it sure seems like it is.

Finally, some googling on subpoena compliance seems to indicate that
punishment for subpoena non-compliance is 'contempt of court' charge
and fines.

http://www.rcfp.org/cgi-local/privilege/item.cgi?i=questions

That page advises you not to answer any subpoenas without challenging
them first, among other things (ie one state's court cannot usually
subpoena someone from another state). Contempt of court charges for
non-compliance may be repeated, but any contempt law I can find on
the web has some form of maximum limit. The longest I've seen so far
is North Carolina, which is a max of 1yr in 90 day increments:
http://www.rosen.com/ppf/cat/statco/laws.asp


Also, dunno how accurate it is, but Wikipedia seems to claim that the
key disclosure provisions of the RIPA (Part III) are not yet in force
in the UK:

http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000




We seriously have to watch our paranoia on this one. This is one of
those situations that if we believe we have no rights, it will be very
easy to knock us over, simply by playing off our fears and demanding
keys without any legitimate basis to do so.

If any Tor operator is arrested/detained in the US, they would do well
to refuse to surrender any passphrase until they are actually in court
and ordered to do so by a Judge (and then only after voicing protest,
to allow for clear appeal to a higher court). Cops will probably just
lie to you and try to convince you that you are required on the spot.
Ask for a lawyer immediately. 

This is not just to protect the Tor network either. With computer laws
as crazy as they are, and with the IPPA coming down the road, soon
simply having something like an Open Source DVD player or archiver on
your machine will be enough to land you in jail for a while, if it's
not already...

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Re: Some legal trouble with TOR in France

If somebody was forced to implement backdoors for the government, do you think they would be allowed to tell you?
On 5/14/06, Adam Shostack <[EMAIL PROTECTED]> wrote:
Niels Ferguson says "over my dead body:"
http://blogs.msdn.com/si_team/archive/2006/03/02/542590.aspx  He'salso said as much to me in person, as has Peter Biddle.AdamOn Sun, May 14, 2006 at 10:43:22AM -0700, Ringo Kamens wrote:| I'm not saying the AES is weak. I'm saying that Microsoft might have
| implemented a back-door for governments. They could store the private keys and| passwords in videocard memory or in the boot sector or something like that.|| On 5/14/06, Tony <
[EMAIL PROTECTED]> wrote:||| 2. The restrictions on encryption were removed some years ago. The best| encryption software comes from outside the USA anyway so it was always a| pointless exercise in futility.
 Unless a vulnerability is found in 256 bit AES it would take them longer| than the ages of the universe to crack a key by brute force no matter how| many terraflops of power they have to task on your key (not to mention the
| many others they might want to crack) 3. Filtering content is not quite the same as signing code and pretending| it comes from Microsoft. Such a piece of code would have a changed checksum
| would likely be spotted and then analysed. I can't see Microsoft doing that| unless required by law. 4. TPM is part of the trusted computing concept. It just makes it much| harder. Not impossible.
 ---|| From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On| Behalf Of Ringo Kamens| Sent: 14 May 2006 18:31||| To: or-talk@freehaven.net|     Subject: Re: Some legal trouble with TOR in France
 There are a few key points that you are overlooking. 1. In support of the photocopying money scandal, most printers have yellow| dots imprinted on them that track date printed, serial number, etc.
 2. By US export law, US companies are not allowed to export encryption| larger than 56 bit (although it might have jumped to 128 a few years ago),| unless it has been certified by the government.  That means unless it has a
| backdoor. Plus, governments have thousands of teraflops of idle computer| cycles waiting to crack your keys. 3. How can you honestly think Microsoft wouldn't bend over for the US
| government. They bent over for China. Look at PGP. They moved to closed| source after version 6.0 with no valid reason. The reason is probably the| government. 4. In terms of using checksums to ensure your system hasn't been tampered
| with, the computer hardware could have a defense system against that such| as trusted computing. Ringo Kamens On 5/14/06, Mike Zanker < 
[EMAIL PROTECTED]> wrote:|| On 14/5/06 15:10, Tony wrote:|| > Nb- failure to disclose keys is up to two years in prison. Not 10.| >| > (5) A person guilty of an offence under this section shall be liable-
| >| >   (a) on conviction on indictment, to imprisonment for a term not| > exceeding two years or to a fine, or to both;| >   (b) on summary conviction, to imprisonment for a term not exceeding
| > six months or to a fine not exceeding the statutory maximum, or to both.|| Furthermore, that's part III of RIPA which hasn't been enacted yet.|| Mike. This message has been scanned for viruses by MailController -
| www.MailController.altohiway.com

Re: Some legal trouble with TOR in France

2006-05-14 Thread Adam Shostack

Niels Ferguson says "over my dead body:"
http://blogs.msdn.com/si_team/archive/2006/03/02/542590.aspx  He's
also said as much to me in person, as has Peter Biddle.

Adam


On Sun, May 14, 2006 at 10:43:22AM -0700, Ringo Kamens wrote:
| I'm not saying the AES is weak. I'm saying that Microsoft might have
| implemented a back-door for governments. They could store the private keys and
| passwords in videocard memory or in the boot sector or something like that.
| 
| On 5/14/06, Tony <[EMAIL PROTECTED]> wrote:
| 
| 
| 2. The restrictions on encryption were removed some years ago. The best
| encryption software comes from outside the USA anyway so it was always a
| pointless exercise in futility.
| 
|  
| 
| Unless a vulnerability is found in 256 bit AES it would take them longer
| than the ages of the universe to crack a key by brute force no matter how
| many terraflops of power they have to task on your key (not to mention the
| many others they might want to crack)
| 
|  
| 
| 3. Filtering content is not quite the same as signing code and pretending
| it comes from Microsoft. Such a piece of code would have a changed 
checksum
| would likely be spotted and then analysed. I can't see Microsoft doing 
that
| unless required by law.
| 
|  
| 
| 4. TPM is part of the trusted computing concept. It just makes it much
| harder. Not impossible.
| 
|  
| 
| 
---
|
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
| Behalf Of Ringo Kamens
| Sent: 14 May 2006 18:31
| 
| 
| To: or-talk@freehaven.net
| Subject: Re: Some legal trouble with TOR in France
| 
|  
| 
| There are a few key points that you are overlooking.
| 
|  
| 
| 1. In support of the photocopying money scandal, most printers have yellow
| dots imprinted on them that track date printed, serial number, etc.
| 
|  
| 
| 2. By US export law, US companies are not allowed to export encryption
| larger than 56 bit (although it might have jumped to 128 a few years ago),
| unless it has been certified by the government.  That means unless it has 
a
| backdoor. Plus, governments have thousands of teraflops of idle computer
| cycles waiting to crack your keys.
| 
|  
| 
| 3. How can you honestly think Microsoft wouldn't bend over for the US
| government. They bent over for China. Look at PGP. They moved to closed
| source after version 6.0 with no valid reason. The reason is probably the
| government.
| 
|  
| 
| 4. In terms of using checksums to ensure your system hasn't been tampered
| with, the computer hardware could have a defense system against that such
| as trusted computing.
| 
|  
| 
| Ringo Kamens
| 
|  
| 
| On 5/14/06, Mike Zanker < [EMAIL PROTECTED]> wrote:
| 
| On 14/5/06 15:10, Tony wrote:
| 
| > Nb- failure to disclose keys is up to two years in prison. Not 10.
| >
| > (5) A person guilty of an offence under this section shall be liable-
| >
| >   (a) on conviction on indictment, to imprisonment for a term not
| > exceeding two years or to a fine, or to both;
| >   (b) on summary conviction, to imprisonment for a term not exceeding
| > six months or to a fine not exceeding the statutory maximum, or to both.
| 
| Furthermore, that's part III of RIPA which hasn't been enacted yet.
| 
| Mike.
| 
| 
| 
| This message has been scanned for viruses by MailController -
| www.MailController.altohiway.com
| 
|  
| 
|

Re: Some legal trouble with TOR in France

Some angry users aren't going to stop Microsoft from obeying the government. When the government orders something to be done, it gets done, regardless of how many people ask for it. I know the win2k source got leaked a while back, did anybody conduct a formal review of it?

On 5/14/06, glymr <[EMAIL PROTECTED]> wrote:
-BEGIN PGP SIGNED MESSAGE-Hash: RIPEMD160Tony wrote:>> Yes they could get code signed in theory, but it makes it that much
>  harder - im sure Microsoft wouldn't be very keen on signing code> for government organisations to spy on people - imagine the impact> on their sales if it became public knowledge. Anyway, you can spot
> any changes in your boot config checksums and be immediately> alerted to a change.and it should be pointed out that microsoft has already been roastedpublicly for putting a government key into some version of windows, i
can't remember which, they've done it once, i doubt they'd dare to doit again though because people know they did it and would be lookingfor evidence of it now.-BEGIN PGP SIGNATURE-Version: GnuPG 
v1.4.3 (MingW32)iD8DBQFEZ6ZoGkOzwaes7JsRA6BVAJ966ok03emE4fpaRCB7ImOyMujVVQCcD8II0VZ2I+3AD1gL/0Wc45Q+ezY==p9SM-END PGP SIGNATURE-

Re: Some legal trouble with TOR in France

2006-05-14 Thread glymr

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
 
Tony wrote:
>
> Yes they could get code signed in theory, but it makes it that much
>  harder - im sure Microsoft wouldn't be very keen on signing code
> for government organisations to spy on people - imagine the impact
> on their sales if it became public knowledge. Anyway, you can spot
> any changes in your boot config checksums and be immediately
> alerted to a change.

and it should be pointed out that microsoft has already been roasted
publicly for putting a government key into some version of windows, i
can't remember which, they've done it once, i doubt they'd dare to do
it again though because people know they did it and would be looking
for evidence of it now.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (MingW32)
 
iD8DBQFEZ6ZoGkOzwaes7JsRA6BVAJ966ok03emE4fpaRCB7ImOyMujVVQCcD8II
0VZ2I+3AD1gL/0Wc45Q+ezY=
=p9SM
-END PGP SIGNATURE-

Re: Some legal trouble with TOR in France

2006-05-14 Thread glymr

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
 
Tony wrote:


just wanted to suggest that biometrics are not wise for encryption
whatsoever. for one thing, they use a software mechanism to 'unlock'
and this lock can be bypassed. voiceprint, retina/iris scan,
fingerprints, dna, all of these things do not constitute a proper
password or lock for any data, for one thing you can't change them,
for a second thing, none of them generate a data stream which can be
used as a passphrase, it all goes through an identification process
and that only generates a yes/no answer. the usb key and the microwave
are the best way to go. a smart card would probably be just as good,
but not so cheap to implement.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (MingW32)
 
iD8DBQFEZ6TdGkOzwaes7JsRAzCwAJ98kch1Nt68W5gH+aemfunJbbcF+ACfQ+BV
PaRgi/bpwXXUbBzgdbccXIA=
=/nGI
-END PGP SIGNATURE-

Re: Some legal trouble with TOR in France

While i would eventually be spotted, it could probably be blamed on a
programming errror, worm, virus,  etc. Who is to say that something
like the wmf exploit wasn't a government backdoor? History has shown
us that the government has good experience in creating backdoors, why
should we give them the benefit of the doubt on windows?
Ringo

On 5/14/06, Tony <[EMAIL PROTECTED]> wrote:

Again it is very unlikely. There are many options to get the keys - like
forcing you to divulge them or wire tapping your keyboard.

If such a backdoor was included than it would likely be spotted. Here
are some comments on a similar accusation a few years ago:
http://www.cnn.com/TECH/computing/9909/13/backdoor.idg/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Ringo Kamens
Sent: 14 May 2006 18:43
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

I'm not saying the AES is weak. I'm saying that Microsoft might have
implemented a back-door for governments. They could store the private
keys and passwords in videocard memory or in the boot sector or
something like that.

On 5/14/06, Tony <[EMAIL PROTECTED]> wrote:

2. The restrictions on encryption were removed some years ago. The best
encryption software comes from outside the USA anyway so it was always a
pointless exercise in futility.

Unless a vulnerability is found in 256 bit AES it would take them longer
than the ages of the universe to crack a key by brute force no matter
how many terraflops of power they have to task on your key (not to
mention the many others they might want to crack)

3. Filtering content is not quite the same as signing code and
pretending it comes from Microsoft. Such a piece of code would have a
changed checksum would likely be spotted and then analysed. I can't see
Microsoft doing that unless required by law.

4. TPM is part of the trusted computing concept. It just makes it much
harder. Not impossible.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Ringo Kamens
Sent: 14 May 2006 18:31

To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

There are a few key points that you are overlooking.

1. In support of the photocopying money scandal, most printers have
yellow dots imprinted on them that track date printed, serial number,
etc.

2. By US export law, US companies are not allowed to export encryption
larger than 56 bit (although it might have jumped to 128 a few years
ago), unless it has been certified by the government.  That means unless
it has a backdoor. Plus, governments have thousands of teraflops of idle
computer cycles waiting to crack your keys.

3. How can you honestly think Microsoft wouldn't bend over for the US
government. They bent over for China. Look at PGP. They moved to closed
source after version 6.0 with no valid reason. The reason is probably
the government.

4. In terms of using checksums to ensure your system hasn't been
tampered with, the computer hardware could have a defense system against
that such as trusted computing.

Ringo Kamens

On 5/14/06, Mike Zanker < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >
wrote:

On 14/5/06 15:10, Tony wrote:

> Nb- failure to disclose keys is up to two years in prison. Not 10.
>
> (5) A person guilty of an offence under this section shall be liable-
>
>   (a) on conviction on indictment, to imprisonment for a term not
> exceeding two years or to a fine, or to both;
>   (b) on summary conviction, to imprisonment for a term not exceeding
> six months or to a fine not exceeding the statutory maximum, or to
both.

Furthermore, that's part III of RIPA which hasn't been enacted yet.

Mike.

This message has been scanned for viruses by MailController -
www.MailController.altohiway.com
<http://www.mailcontroller.altohiway.com/>

RE: Some legal trouble with TOR in France

Again it is very unlikely. There are many options
to get the keys - like forcing you to divulge them or wire tapping your
keyboard.

If such a backdoor was included than it
would likely be spotted. Here are some comments on a similar accusation a few
years ago: http://www.cnn.com/TECH/computing/9909/13/backdoor.idg/

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ringo Kamens
Sent: 14 May 2006 18:43
To: or-talk@freehaven.net
Subject: Re: Some legal trouble
with TOR in France

I'm not saying the AES is
weak. I'm saying that Microsoft might have implemented a back-door for
governments. They could store the private keys and passwords in videocard
memory or in the boot sector or something like that. 

On 5/14/06, Tony
<[EMAIL PROTECTED]> wrote:

2. The restrictions on encryption were removed some years
ago. The best encryption software comes from outside the USA anyway so
it was always a pointless exercise in futility. 

Unless a vulnerability is found in 256 bit AES it would take
them longer than the ages of the universe to crack a key by brute force no
matter how many terraflops of power they have to task on your key (not to
mention the many others they might want to crack) 

3. Filtering content is not quite the same as signing code
and pretending it comes from Microsoft. Such a piece of code would have a
changed checksum would likely be spotted and then analysed. I can't see
Microsoft doing that unless required by law. 

4. TPM is part of the trusted computing concept. It just
makes it much harder. Not impossible.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Ringo Kamens
Sent: 14 May 2006 18:31

To: or-talk@freehaven.net
Subject: Re: Some
legal trouble with TOR in France

There are
a few key points that you are overlooking.

1. In
support of the photocopying money scandal, most printers have yellow dots
imprinted on them that track date printed, serial number, etc. 

2. By US export law,
US companies are not allowed to export encryption larger than 56 bit (although
it might have jumped to 128 a few years ago), unless it has been certified by the government.  That
means unless it has a backdoor. Plus, governments have thousands of teraflops
of idle computer cycles waiting to crack your keys. 

3. How can
you honestly think Microsoft wouldn't bend over for the US government.
They bent over for China.
Look at PGP. They moved to closed source after version 6.0 with no valid
reason. The reason is probably the government. 

4. In
terms of using checksums to ensure your system hasn't been tampered with, the
computer hardware could have a defense system against that such as trusted
computing. 

Ringo
Kamens

On
5/14/06, Mike Zanker < [EMAIL PROTECTED]> wrote: 

On
14/5/06 15:10, Tony wrote:

> Nb-
failure to disclose keys is up to two years in prison. Not 10. 
>
> (5) A person guilty of an offence under this section shall be liable- 
>
>   (a) on conviction on indictment, to imprisonment for a term
not
> exceeding two years or to a fine, or to both; 
>   (b) on summary conviction, to imprisonment for a term not
exceeding
> six months or to a fine not exceeding the statutory maximum, or to both. 

Furthermore, that's part III of RIPA which hasn't been enacted yet. 

Mike.

This message has been scanned for viruses by MailController - www.MailController.altohiway.com

Re: Some legal trouble with TOR in France

I'm not saying the AES is weak. I'm saying that Microsoft might have implemented a back-door for governments. They could store the private keys and passwords in videocard memory or in the boot sector or something like that.

On 5/14/06, Tony <[EMAIL PROTECTED]> wrote:




2. The restrictions on encryption were removed some years ago. The best encryption software comes from outside the USA anyway so it was always a pointless exercise in futility.

 
Unless a vulnerability is found in 256 bit AES it would take them longer than the ages of the universe to crack a key by brute force no matter how many terraflops of power they have to task on your key (not to mention the many others they might want to crack)

 
3. Filtering content is not quite the same as signing code and pretending it comes from Microsoft. Such a piece of code would have a changed checksum would likely be spotted and then analysed. I can't see Microsoft doing that unless required by law.

 
4. TPM is part of the trusted computing concept. It just makes it much harder. Not impossible.
 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of Ringo KamensSent: 14 May 2006 18:31
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France


 


There are a few key points that you are overlooking.



 

1. In support of the photocopying money scandal, most printers have yellow dots imprinted on them that track date printed, serial number, etc. 


 

2. By US export law, US companies are not allowed to export encryption larger than 56 bit (although it might have jumped to 128 a few years ago), unless it has been 
certified by the government.  That means unless it has a backdoor. Plus, governments have thousands of teraflops of idle computer cycles waiting to crack your keys. 


 

3. How can you honestly think Microsoft wouldn't bend over for the US government. They bent over for China. Look at PGP. They moved to closed source after version 
6.0 with no valid reason. The reason is probably the government. 

 

4. In terms of using checksums to ensure your system hasn't been tampered with, the computer hardware could have a defense system against that such as trusted computing.


 

Ringo Kamens 

On 5/14/06, Mike Zanker <
[EMAIL PROTECTED]> wrote: 
On 14/5/06 15:10, Tony wrote:> Nb- failure to disclose keys is up to two years in prison. Not 10. >> (5) A person guilty of an offence under this section shall be liable-
>>   (a) on conviction on indictment, to imprisonment for a term not> exceeding two years or to a fine, or to both; >   (b) on summary conviction, to imprisonment for a term not exceeding> six months or to a fine not exceeding the statutory maximum, or to both.
Furthermore, that's part III of RIPA which hasn't been enacted yet. Mike.This message has been scanned for viruses by MailController - 
www.MailController.altohiway.com

RE: Some legal trouble with TOR in France

2. The restrictions on encryption were
removed some years ago. The best encryption software comes from outside the USA anyway so
it was always a pointless exercise in futility.

Unless a vulnerability is found in 256 bit
AES it would take them longer than the ages of the universe to crack a key by
brute force no matter how many terraflops of power they have to task on your
key (not to mention the many others they might want to crack)

3. Filtering content is not quite the same
as signing code and pretending it comes from Microsoft. Such a piece of code would
have a changed checksum would likely be spotted and then analysed. I can’t
see Microsoft doing that unless required by law.

4. TPM is part of the trusted computing
concept. It just makes it much harder. Not impossible.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ringo Kamens
Sent: 14 May 2006 18:31
To: or-talk@freehaven.net
Subject: Re: Some legal trouble
with TOR in France

There are a few key points that you are overlooking.

1. In support of the photocopying money scandal, most printers have
yellow dots imprinted on them that track date printed, serial number, etc. 

2. By US
export law, US companies are not allowed to export encryption larger than 56
bit (although it might have jumped to 128 a few years ago), unless it has been certified by the government.  That
means unless it has a backdoor. Plus, governments have thousands of teraflops
of idle computer cycles waiting to crack your keys. 

3. How can you honestly think Microsoft wouldn't bend over for the US government.
They bent over for China.
Look at PGP. They moved to closed source after version 6.0 with no valid
reason. The reason is probably the government. 

4. In terms of using checksums to ensure your system hasn't been
tampered with, the computer hardware could have a defense system against that
such as trusted computing.

Ringo Kamens

On 5/14/06, Mike
Zanker <[EMAIL PROTECTED]>
wrote: 

On 14/5/06 15:10, Tony wrote:

> Nb-
failure to disclose keys is up to two years in prison. Not 10. 
>
> (5) A person guilty of an offence under this section shall be liable-
>
>   (a) on conviction on indictment, to imprisonment for a term
not
> exceeding two years or to a fine, or to both; 
>   (b) on summary conviction, to imprisonment for a term not
exceeding
> six months or to a fine not exceeding the statutory maximum, or to both.

Furthermore, that's part III of RIPA which hasn't been enacted yet. 

Mike.

This message has been scanned for viruses by MailController - www.MailController.altohiway.com

Re: Some legal trouble with TOR in France

There are a few key points that you are overlooking.

1. In support of the photocopying money scandal, most printers have yellow dots imprinted on them that track date printed, serial number, etc. 

2. By US export law, US companies are not allowed to export encryption larger than 56 bit (although it might have jumped to 128 a few years ago), unless it has been certified by the government.  That means unless it has a backdoor. Plus, governments have thousands of teraflops of idle computer cycles waiting to crack your keys.

3. How can you honestly think Microsoft wouldn't bend over for the US government. They bent over for China. Look at PGP. They moved to closed source after version 6.0 with no valid reason. The reason is probably the government.

4. In terms of using checksums to ensure your system hasn't been tampered with, the computer hardware could have a defense system against that such as trusted computing.

Ringo Kamens 
On 5/14/06, Mike Zanker <[EMAIL PROTECTED]> wrote:
On 14/5/06 15:10, Tony wrote:> Nb- failure to disclose keys is up to two years in prison. Not 10.
>> (5) A person guilty of an offence under this section shall be liable->>   (a) on conviction on indictment, to imprisonment for a term not> exceeding two years or to a fine, or to both;
>   (b) on summary conviction, to imprisonment for a term not exceeding> six months or to a fine not exceeding the statutory maximum, or to both.Furthermore, that's part III of RIPA which hasn't been enacted yet.
Mike.This message has been scanned for viruses by MailController - www.MailController.altohiway.com

Re: Some legal trouble with TOR in France

2006-05-14 Thread Mike Zanker

On 14/5/06 15:10, Tony wrote:

> Nb- failure to disclose keys is up to two years in prison. Not 10.
> 
> (5) A person guilty of an offence under this section shall be liable- 
>   
>   (a) on conviction on indictment, to imprisonment for a term not
> exceeding two years or to a fine, or to both; 
>   (b) on summary conviction, to imprisonment for a term not exceeding
> six months or to a fine not exceeding the statutory maximum, or to both.

Furthermore, that's part III of RIPA which hasn't been enacted yet.

Mike.



This message has been scanned for viruses by MailController - 
www.MailController.altohiway.com

Re: Some legal trouble with TOR in France

2006-05-14 Thread Lionel Elie Mamane

On Sun, May 14, 2006 at 02:59:52PM +0100, Dave Page wrote:
> On Sun, May 14, 2006 at 03:58:06PM +0200, Lionel Elie Mamane wrote:
>> On Sun, May 14, 2006 at 02:32:50PM +0100, Dave Page wrote:

>>> Under the British "Regulation of Investigatory Powers Act", they
>>> would simply confiscate the entire machine, demand any
>>> authentication tokens required to access it, and lock you up if
>>> you refused to surrender them.  I believe similar laws exist in
>>> most EU jurisdictions now.

>> Tony's point was that you could arrange not to have the
>> authentication tokens anymore. You better hope they believe you
>> when you say you don't have it, though.

> Not having the authentication tokens counts as refusing to surrender
> them.

That's preposterous. What *might* count is wilfully destroying them on
suspecting they will ask them. Simply not having them? Won't stand in
any reasonable court. Else they could ask *me* for *your* keys. I
don't have them. And put me in jail?

-- 
Lionel

RE: Some legal trouble with TOR in France

The whole point is that you ensure any keys are destroyed before you
receive a formal request. It not 'evidence' until its requested by the
authorities.

It is believed there is code in all major manufacturer colour copiers
and high end printers that can identify the printer serial number. It is
done via a faint yellow pattern on every print out.

The stated target is currency forgery but of course it has many other
uses.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Eric H. Jung
Sent: 14 May 2006 16:28
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France


> > Before they realise that they need a key you can microwave the
> token.
> > You can then surrender it when required and still meet your legal
> > obligations... 'It must have been static damage officer...you need
> to
> > be more careful with my equipment'
> 
> Which in the UK at least could land you in prison for up to 10 years.
> 


Evidence tampering is a severe crime in the United States, too.


> I wouldn't be surprised if the US Government at least *mandated*
> TPM-level access.


Don't any of you remember the Xerox scandal?
http://www.schneier.com/blog/archives/2005/10/secret_forensic.html

There's also code in high-end color Xerox copiers which prevents and/or
mangles copying of US currency. This was reported a few years ago IIRC.


Do you think Xerox decided to put these measures into their machinery
themselves? Or do you think they were asked/coaxed into doing it by The
Man


> Tony's point was that you could arrange not to have the 
authentication
> tokens anymore. You better hope they believe you when you say you
> don't have it, though.

>Not having the authentication tokens counts as refusing to surrender
>them.

Per US law, if a judge subpoenas you to hand them over and you refuse
and/or remain silent, it means indefinite jail time (until you hand
over the tokens) and/or fines.

Re: Some legal trouble with TOR in France

2006-05-14 Thread Eric H. Jung


> > Before they realise that they need a key you can microwave the
> token.
> > You can then surrender it when required and still meet your legal
> > obligations... 'It must have been static damage officer...you need
> to
> > be more careful with my equipment'
> 
> Which in the UK at least could land you in prison for up to 10 years.
> 


Evidence tampering is a severe crime in the United States, too.


> I wouldn't be surprised if the US Government at least *mandated*
> TPM-level access.


Don't any of you remember the Xerox scandal?
http://www.schneier.com/blog/archives/2005/10/secret_forensic.html

There's also code in high-end color Xerox copiers which prevents and/or
mangles copying of US currency. This was reported a few years ago IIRC.


Do you think Xerox decided to put these measures into their machinery
themselves? Or do you think they were asked/coaxed into doing it by The
Man


> Tony's point was that you could arrange not to have the 
authentication
> tokens anymore. You better hope they believe you when you say you
> don't have it, though.

>Not having the authentication tokens counts as refusing to surrender
>them.

Per US law, if a judge subpoenas you to hand them over and you refuse
and/or remain silent, it means indefinite jail time (until you hand
over the tokens) and/or fines.

RE: Some legal trouble with TOR in France

Sounds like a format and key replacement is required as discussed then.
Thanks for the info.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: 14 May 2006 16:11
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

I am living in France and working for some French security agency.
Please understand that I may not identify myself. Working for a security
agency does not mean that I approve all their actions, even those that I
MUST do.

Since about 5 years, French services are trying to control the
"anonymous" French based services. It includes TOR, and some remailers.

About 4 years ago (I don't remember exactly, and I am at home now, I
haven't my documents with me), we visited the operator of the remailers
FROG and AZERTY. We suspected him to be also the webmaster  of the
website CAMELEON, but it is another story.
We seized his computers, disks of course, etc, and arrested the man.
Then we told him "You have a choice between 2 options: You accept to
work for us, it means concretely to give us your remailers' keys and to
forward the remailer emails to us, or you will go to prison for threat
against the national security. Just a few months, the time we check all
your computers, make an audit on your disks, etc".

After 30 minutes, the guy gave us his remailers' keys, and accepted our
offer. He then re-installed his remailers, and all the traffic was sent
to us too. I remember that we asked him to NOT send us the garbage that
the remailers automatically send! Then our computers processed the
messages, using the remailers' keys. Of course we could not decypher
all, if Frog/Azerty was :"in the middle" we couldn't do anything. But
when these remailers where the first or the last one, it was very very
interesting...
I don't know now if these remailers are still operated, I am working in
another service.

About TOR now: I MAY not say all what I know, as the case is currently
investigated by our services and I don't want to get into trouble! Just
know that France's policy is to NOT allow ANY remailer or anonymous
service run from France, UNLESS the French special services can control
it. This is a NO exception rule.

The only recommendations that I can do to the TOR users, is to NOT use
any French-based TOR servers in entry ou exit.

People here and there are generally against the US gov and say that he
"violates their rights". I don't know a lot about the US gov. But what I
know about the French gov, and the instructions our services receive a
few times by week, make me sure that the French citizens' rights are
perpetually violated, about phone tapping and internet.

Re: Some legal trouble with TOR in France

2006-05-14 Thread france-info

I am living in France and working for some French security agency. Please 
understand that I may not identify myself. Working for a security agency does 
not mean that I approve all their actions, even those that I MUST do.

Since about 5 years, French services are trying to control the "anonymous" 
French based services. It includes TOR, and some remailers.

About 4 years ago (I don't remember exactly, and I am at home now, I haven't my 
documents with me), we visited the operator of the remailers FROG and AZERTY. 
We suspected him to be also the webmaster  of the website CAMELEON, but it is 
another story.
We seized his computers, disks of course, etc, and arrested the man. Then we 
told him "You have a choice between 2 options: You accept to work for us, it 
means concretely to give us your remailers' keys and to forward the remailer 
emails to us, or you will go to prison for threat against the national 
security. Just a few months, the time we check all your computers, make an 
audit on your disks, etc".

After 30 minutes, the guy gave us his remailers' keys, and accepted our offer. 
He then re-installed his remailers, and all the traffic was sent to us too. I 
remember that we asked him to NOT send us the garbage that the remailers 
automatically send! Then our computers processed the messages, using the 
remailers' keys. Of course we could not decypher all, if Frog/Azerty was :"in 
the middle" we couldn't do anything. But when these remailers where the first 
or the last one, it was very very interesting...
I don't know now if these remailers are still operated, I am working in another 
service.


About TOR now: I MAY not say all what I know, as the case is currently 
investigated by our services and I don't want to get into trouble! Just know 
that France's policy is to NOT allow ANY remailer or anonymous service run from 
France, UNLESS the French special services can control it. This is a NO 
exception rule.

The only recommendations that I can do to the TOR users, is to NOT use any 
French-based TOR servers in entry ou exit.

People here and there are generally against the US gov and say that he 
"violates their rights". I don't know a lot about the US gov. But what I know 
about the French gov, and the instructions our services receive a few times by 
week, make me sure that the French citizens' rights are perpetually violated, 
about phone tapping and internet.

RE: Some legal trouble with TOR in France

Nb - an interesting question arises with the use of TrueCrypt, etc. that
have passkeys that can unlock different levels of data. If you have
dummy volumes and provide the passkeys to just those have you met your
legal requirements?

The implication under the RIP act is that you have.

 (2) A person subject to a requirement under subsection (1)(b) to
make a disclosure of any information in an intelligible form shall be
taken to have complied with that requirement if- (a) he makes, instead,
a disclosure of any key to the protected information that is in his
possession; and

  (b) that disclosure is made, in accordance with the notice imposing
the requirement, to the person to whom, and by the time by which, he was
required to provide the information in that form.

So unless the notice specified exactly what data they wanted access to
(which presumably they would already have a record of to request it),
then providing that the notice only requires access to a specified Disk
or volume then it would seem you have met those obligations by providing
a dummy volume passkey.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Dave Page
Sent: 14 May 2006 15:00
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

On Sun, May 14, 2006 at 03:58:06PM +0200, Lionel Elie Mamane wrote:
> On Sun, May 14, 2006 at 02:32:50PM +0100, Dave Page wrote:

> > Under the British "Regulation of Investigatory Powers Act", they
> > would simply confiscate the entire machine, demand any
> > authentication tokens required to access it, and lock you up if you
> > refused to surrender them.  I believe similar laws exist in most EU
> > jurisdictions now.

> Tony's point was that you could arrange not to have the authentication
> tokens anymore. You better hope they believe you when you say you
> don't have it, though.

Not having the authentication tokens counts as refusing to surrender
them.

Dave
-- 
Dave Page <[EMAIL PROTECTED]>
Jabber: [EMAIL PROTECTED]

RE: Some legal trouble with TOR in France

Not if you didn't have them prior to receiving the notice and can prove
it.

e.g. after taking away your PC and realising it is encrypted they return
with a notice. You then hand over token and say by the way I previously
destroyed the data on it so I don't have the keys. You have met your
legal obligations. There is no offence of 'suspecting a notice might be
served and destroying the keys in advance of receipt' that I am aware
of.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Dave Page
Sent: 14 May 2006 15:00
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

On Sun, May 14, 2006 at 03:58:06PM +0200, Lionel Elie Mamane wrote:
> On Sun, May 14, 2006 at 02:32:50PM +0100, Dave Page wrote:

> > Under the British "Regulation of Investigatory Powers Act", they
> > would simply confiscate the entire machine, demand any
> > authentication tokens required to access it, and lock you up if you
> > refused to surrender them.  I believe similar laws exist in most EU
> > jurisdictions now.

> Tony's point was that you could arrange not to have the authentication
> tokens anymore. You better hope they believe you when you say you
> don't have it, though.

Not having the authentication tokens counts as refusing to surrender
them.

Dave
-- 
Dave Page <[EMAIL PROTECTED]>
Jabber: [EMAIL PROTECTED]

RE: Some legal trouble with TOR in France

Unfortunately you no longer have a right to remain silent in the UK.

Even for general offences they can interpret it as evidence of guilt in
court.

Hopefully EU / Human Rights legislation will resolve that at some point.

You could however find other ways to get round the requirement. For
instance you could provide a USB token that contained the keys, but also
contained a bootable image that on inserting into your PC wiped your TPM
and then wiped the key. You have then met your requirement to provide
the key...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Lionel Elie Mamane
Sent: 14 May 2006 14:58
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

On Sun, May 14, 2006 at 02:32:50PM +0100, Dave Page wrote:
> On Sun, May 14, 2006 at 01:34:51PM +0100, Tony wrote:

>> So if for instance they take your disks away as per the French TOR
>> node, then you could destroy your hardware key (wipe TPM module,
>> destroy motherboard chipset or USB dongle) and they are not going
>> to be reading anything, ever. Even if they do take the whole system
>> away then they wont be able to login to access your data even if
>> they can boot unless they have your password (and biometrics or USB
>> token, etc.)

> Under the British "Regulation of Investigatory Powers Act", they
> would simply confiscate the entire machine, demand any
> authentication tokens required to access it, and lock you up if you
> refused to surrender them.  I believe similar laws exist in most EU
> jurisdictions now.

Tony's point was that you could arrange not to have the authentication
tokens anymore. You better hope they believe you when you say you
don't have it, though. And under at least some EU registrations, some
people have a right to remain silent. Like the accused person, for
example. And people that have a right to remain silent can refuse to
hand over cryptographic keys.

Not that some powers haven't been known to first interrogate you as
"unrelated witness" (neither you, nor your family, is accused), where
remaining silent is obstruction of justice and punishable, and _then_
charge you with the information thus gleaned.

-- 
Lionel

RE: Some legal trouble with TOR in France

Nb- failure to disclose keys is up to two years in prison. Not 10.

(5) A person guilty of an offence under this section shall be liable- 

  (a) on conviction on indictment, to imprisonment for a term not
exceeding two years or to a fine, or to both; 
  (b) on summary conviction, to imprisonment for a term not exceeding
six months or to a fine not exceeding the statutory maximum, or to both.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Dave Page
Sent: 14 May 2006 14:51
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

On Sun, May 14, 2006 at 02:45:01PM +0100, Tony wrote:

> Before they realise that they need a key you can microwave the token.
> You can then surrender it when required and still meet your legal
> obligations... 'It must have been static damage officer...you need to
> be more careful with my equipment'

Which in the UK at least could land you in prison for up to 10 years.

> Yes they could get code signed in theory, but it makes it that much
> harder - im sure Microsoft wouldn't be very keen on signing code for
> government organisations to spy on people - imagine the impact on
> their sales if it became public knowledge.

Virtually nil? Let's face it, anybody who really understands TPM won't
be using Vista anyway, and those who don't will just fall for marketing:

"Microsoft are commited to helping the Government fight the War on
Terror and to this end have installed TPM software to protect our users
against terrorists and e-hackers"

I wouldn't be surprised if the US Government at least *mandated*
TPM-level access.

> Anyway, you can spot any changes in your boot config checksums and be
> immediately alerted to a change.

You can, can you?

Dave
-- 
Dave Page <[EMAIL PROTECTED]>
Jabber: [EMAIL PROTECTED]

RE: Some legal trouble with TOR in France

Not if you destroy keys before you are required to disclose them as I
thought I made clear. 


A notice under this section imposing a disclosure requirement in respect
of any protected information- 
  
  (a) must be given in writing or (if not in writing) must be given in a
manner that produces a record of its having been given; 
  (b) must describe the protected information to which the notice
relates; 
  (c) must specify the matters falling within subsection (2)(b)(i) or
(ii) by reference to which the notice is given; 
  (d) must specify the office, rank or position held by the person
giving it; 
  (e) must specify the office, rank or position of the person who for
the purposes of Schedule 2 granted permission for the giving of the
notice or (if the person giving the notice was entitled to give it
without another person's permission) must set out the circumstances in
which that entitlement arose; 
  (f) must specify the time by which the notice is to be complied with;
and 
  (g) must set out the disclosure that is required by the notice and the
form and manner in which it is to be made;

And yes I can already tell if my boot file checksums change. TPM code
integrity checks will just make it easier for Joe Public.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Dave Page
Sent: 14 May 2006 14:51
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

On Sun, May 14, 2006 at 02:45:01PM +0100, Tony wrote:

> Before they realise that they need a key you can microwave the token.
> You can then surrender it when required and still meet your legal
> obligations... 'It must have been static damage officer...you need to
> be more careful with my equipment'

Which in the UK at least could land you in prison for up to 10 years.

> Yes they could get code signed in theory, but it makes it that much
> harder - im sure Microsoft wouldn't be very keen on signing code for
> government organisations to spy on people - imagine the impact on
> their sales if it became public knowledge.

Virtually nil? Let's face it, anybody who really understands TPM won't
be using Vista anyway, and those who don't will just fall for marketing:

"Microsoft are commited to helping the Government fight the War on
Terror and to this end have installed TPM software to protect our users
against terrorists and e-hackers"

I wouldn't be surprised if the US Government at least *mandated*
TPM-level access.

> Anyway, you can spot any changes in your boot config checksums and be
> immediately alerted to a change.

You can, can you?

Dave
-- 
Dave Page <[EMAIL PROTECTED]>
Jabber: [EMAIL PROTECTED]

Re: Some legal trouble with TOR in France

2006-05-14 Thread Dave Page

On Sun, May 14, 2006 at 03:58:06PM +0200, Lionel Elie Mamane wrote:
> On Sun, May 14, 2006 at 02:32:50PM +0100, Dave Page wrote:

> > Under the British "Regulation of Investigatory Powers Act", they
> > would simply confiscate the entire machine, demand any
> > authentication tokens required to access it, and lock you up if you
> > refused to surrender them.  I believe similar laws exist in most EU
> > jurisdictions now.

> Tony's point was that you could arrange not to have the authentication
> tokens anymore. You better hope they believe you when you say you
> don't have it, though.

Not having the authentication tokens counts as refusing to surrender
them.

Dave
-- 
Dave Page <[EMAIL PROTECTED]>
Jabber: [EMAIL PROTECTED]

Re: Some legal trouble with TOR in France

2006-05-14 Thread Lionel Elie Mamane

On Sun, May 14, 2006 at 02:32:50PM +0100, Dave Page wrote:
> On Sun, May 14, 2006 at 01:34:51PM +0100, Tony wrote:

>> So if for instance they take your disks away as per the French TOR
>> node, then you could destroy your hardware key (wipe TPM module,
>> destroy motherboard chipset or USB dongle) and they are not going
>> to be reading anything, ever. Even if they do take the whole system
>> away then they wont be able to login to access your data even if
>> they can boot unless they have your password (and biometrics or USB
>> token, etc.)

> Under the British "Regulation of Investigatory Powers Act", they
> would simply confiscate the entire machine, demand any
> authentication tokens required to access it, and lock you up if you
> refused to surrender them.  I believe similar laws exist in most EU
> jurisdictions now.

Tony's point was that you could arrange not to have the authentication
tokens anymore. You better hope they believe you when you say you
don't have it, though. And under at least some EU registrations, some
people have a right to remain silent. Like the accused person, for
example. And people that have a right to remain silent can refuse to
hand over cryptographic keys.

Not that some powers haven't been known to first interrogate you as
"unrelated witness" (neither you, nor your family, is accused), where
remaining silent is obstruction of justice and punishable, and _then_
charge you with the information thus gleaned.

-- 
Lionel

Re: Some legal trouble with TOR in France

2006-05-14 Thread Dave Page

On Sun, May 14, 2006 at 02:45:01PM +0100, Tony wrote:

> Before they realise that they need a key you can microwave the token.
> You can then surrender it when required and still meet your legal
> obligations... 'It must have been static damage officer...you need to
> be more careful with my equipment'

Which in the UK at least could land you in prison for up to 10 years.

> Yes they could get code signed in theory, but it makes it that much
> harder - im sure Microsoft wouldn't be very keen on signing code for
> government organisations to spy on people - imagine the impact on
> their sales if it became public knowledge.

Virtually nil? Let's face it, anybody who really understands TPM won't
be using Vista anyway, and those who don't will just fall for marketing:

"Microsoft are commited to helping the Government fight the War on
Terror and to this end have installed TPM software to protect our users
against terrorists and e-hackers"

I wouldn't be surprised if the US Government at least *mandated*
TPM-level access.

> Anyway, you can spot any changes in your boot config checksums and be
> immediately alerted to a change.

You can, can you?

Dave
-- 
Dave Page <[EMAIL PROTECTED]>
Jabber: [EMAIL PROTECTED]

RE: Some legal trouble with TOR in France

Correct that they can demand physical keys or passwords - but only if
they realise that they exist. As you say they will usually turn up and
just seize your hardware - you might not even be home! Before they
realise that they need a key you can microwave the token. You can then
surrender it when required and still meet your legal obligations... 'It
must have been static damage officer...you need to be more careful with
my equipment'

Yes they could get code signed in theory, but it makes it that much
harder - im sure Microsoft wouldn't be very keen on signing code for
government organisations to spy on people - imagine the impact on their
sales if it became public knowledge. Anyway, you can spot any changes in
your boot config checksums and be immediately alerted to a change.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Dave Page
Sent: 14 May 2006 14:33
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

On Sun, May 14, 2006 at 01:34:51PM +0100, Tony wrote:

> So if for instance they take your disks away as per the French TOR
node,
> then you could destroy your hardware key (wipe TPM module, destroy
> motherboard chipset or USB dongle) and they are not going to be
reading
> anything, ever. Even if they do take the whole system away then they
> wont be able to login to access your data even if they can boot unless
> they have your password (and biometrics or USB token, etc.) 

Under the British "Regulation of Investigatory Powers Act", they would
simply confiscate the entire machine, demand any authentication tokens
required to access it, and lock you up if you refused to surrender them.
I believe similar laws exist in most EU jurisdictions now.

> Another advantage of this is that they can't easily trojan or root kit
> your OS at a low level - it would fail the signed code integrity
checks
> and would not boot.

You're assuming that the police are not colluding with the DRM
manufacturers. If they have access to a signing key which the TPM
module will trust, they can put any trojan or rootkit they want on your
machine, assuming that Microsoft haven't done so already ;)

Remember, the point of restrictions management systems like TPM is that
Intel, Microsoft and other members of the TPM Alliance get to control
who has access to your computer, not you.

More reading:
http://www.schneier.com/blog/archives/2006/05/bitlocker.html

Dave
-- 
Dave Page <[EMAIL PROTECTED]>
Jabber: [EMAIL PROTECTED]

Re: Some legal trouble with TOR in France

2006-05-14 Thread Dave Page

On Sun, May 14, 2006 at 01:34:51PM +0100, Tony wrote:

> So if for instance they take your disks away as per the French TOR node,
> then you could destroy your hardware key (wipe TPM module, destroy
> motherboard chipset or USB dongle) and they are not going to be reading
> anything, ever. Even if they do take the whole system away then they
> wont be able to login to access your data even if they can boot unless
> they have your password (and biometrics or USB token, etc.) 

Under the British "Regulation of Investigatory Powers Act", they would
simply confiscate the entire machine, demand any authentication tokens
required to access it, and lock you up if you refused to surrender them.
I believe similar laws exist in most EU jurisdictions now.

> Another advantage of this is that they can't easily trojan or root kit
> your OS at a low level - it would fail the signed code integrity checks
> and would not boot.

You're assuming that the police are not colluding with the DRM
manufacturers. If they have access to a signing key which the TPM
module will trust, they can put any trojan or rootkit they want on your
machine, assuming that Microsoft haven't done so already ;)

Remember, the point of restrictions management systems like TPM is that
Intel, Microsoft and other members of the TPM Alliance get to control
who has access to your computer, not you.

More reading: http://www.schneier.com/blog/archives/2006/05/bitlocker.html

Dave
-- 
Dave Page <[EMAIL PROTECTED]>
Jabber: [EMAIL PROTECTED]

RE: Some legal trouble with TOR in France

Talking of Microsoft; it is a claimed advantage of the new OS versions
coming out such as Longhorn server - they include 'Bitlocker' encryption
that is apparently highly secure and integrates with motherboard
chipsets (TPM modules) to provide end to end code authentication and
hardware security. If any one thing required to unlock it is missing -
e.g. original hardware, TPM or pass code, USB dongle, etc. then no one
is going to reading your data unless a compromise is found in 256 bit
AES encryption. 

So if for instance they take your disks away as per the French TOR node,
then you could destroy your hardware key (wipe TPM module, destroy
motherboard chipset or USB dongle) and they are not going to be reading
anything, ever. Even if they do take the whole system away then they
wont be able to login to access your data even if they can boot unless
they have your password (and biometrics or USB token, etc.) 

You can login using a USB token and then store the token away from the
PC. If the PC is taken then you can destroy the token (one minute in a
microwave oven is pretty effective). Then even if you are later required
by law to give up your 'passwords' you can show that is no longer
possible.

See http://www.microsoft.com/technet/windowsvista/security/bittech.mspx
and http://www.microsoft.com/technet/windowsvista/security/bitlockr.mspx

Another advantage of this is that they can't easily trojan or root kit
your OS at a low level - it would fail the signed code integrity checks
and would not boot.

I recommend not securing it with your finger prints though.
http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm

I wonder how law enforcement organisations and even organisations that
don't care about international (or even their own) laws such as the US
government will react to the increasing future common use of secure
encryption. Even our phone calls can now be secured from their
monitoring: http://www.philzimmermann.com/EN/zfone/index.html

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Landorin
Sent: 14 May 2006 01:45
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I'd say if you can register a server with the required data given you
can unregister it the same way imho. Just contact the adress for
registering.
Speaking of cloned hard drives and having his keys... that's where
"Truecrypt" kicks in. ;) Nicely encrypted files with hidden volumes
within the file. ;)

By the way, if you even want to melt the hardisk then you need to go
to the Mount Doom and drop it there, that's the safest way and since
you're already on it, that way you can make the Microsoft Tower of
Evil and its virtual armies collapse, too. ;) I doubt the normal
police has such good programs that survive melting and formating. ;)
In the end, it's up to you to decide what is necessary to trust your
hardisks again. Yet if I were the police I wouldn't waste my time on
someone who obviously had nothing to do with the crime, I'd rather
concentrate on finding criminals that can be traced back (and if they
listened to you then they know it's a waste of time in any case
because they can't track anyone back with your PC).

Sincerely,
Landorin

Anthony DiPierro schrieb:
> On 5/13/06, Ringo Kamens <[EMAIL PROTECTED]> wrote:
>> He has a good point. They surely have a clone of your drive which
>> means they
>> have the private keys to the server which could destroy the user's
>> anonymity.
>>
> If I understand things correctly then the name of the node should be
> told to someone who can permanently take it out of the directory
> servers.  Is this possible/necessary?  Or does everyone have to add an
> excludenodes?
>
> Anthony
>
>

- --
Accelerate cancer research with your PC:
http://www.chem.ox.ac.uk/curecancer.html

GPG key ID: 4096R/E9FD5518
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBRGZ9ni4XdI7p/VUYAQJ7nRAA23sfYnBQ5kka8PtX5ubnKz784KS+MoY0
Dl3GbcNHuIxGRUPVrPlsg5kmYLXocuUPHzUBiHsl20bWMNn6BWE4/rjPaZZaEz6I
KgxMUx9PmQhZQOH9r+1gNoJnfB2VM2J8coms1g0O3zlwK6H9bTwCc0DPgGVcLkWI
BhaS6YWuPPLgIUMi+DVYGJar6Lj/Ke1i/nYnVCc0u+F5MIi8vweuTui0tDQOg29E
9mMX1FhQTsEIeb2G4VsFt04Ye3voMVHXhf4kyOaI77PwLAm1grA4Dg2uHo4Lspb0
RbLoKxQBnExQCkPHWadxwqEyb6tOBibWaF/OA5mEsW27Dh0SlpW351uJ90Jxiun6
IPbIRx3KkE+5W3hppXqIPKMezIrubX4sxJ2P6ONTHwm3il9qRBMB8eUJzBZMbx4F
UsB1Wt6y9wVoeCwkc4uaUpnNozbhlyWMQxIr5fpjJ0f8QYgJ/BsqWoxmoaGJ6kSA
ukdN93g5mxhQ4R3D5zBU/jpAvv3zLEcNoFlg9HnotYBYK/x3u6n/d03B0TeKd1s8
nM4iOTDvIc2jISNtV1hMxzd9tX4CkIsVSz7aCUiTJnHFnngeGdqCu+7x6sDQB6t5
4vPUpfJFnGp+P/TnTu0diOaYCdiCkeyVhisCZX7+cy6z+7UIHZEtkGTZD4NC3ugd
FKjerbzR/kg=
=J51j
-END PGP SIGNATURE-

RE: Some legal trouble with TOR in France

Not to mention that under Bush, meeting the requirements of US law is
not required either. And they have certainly never worried about other
countries laws.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Eric H. Jung
Sent: 14 May 2006 03:33
To: or-talk@freehaven.net
Subject: Re: Some legal trouble with TOR in France

--- Mike Perry <[EMAIL PROTECTED]> wrote:
> A US judge exercising proper
> dilligence should be able to realize that the search was not likely
> to
> produce relevant evidence to the case in question, or so one would
> hope.

LOL. Where have you been for the past 6 months with regards to the Bush
administration. Warrants in the US are no longer required.

Re: Some legal trouble with TOR in France

2006-05-13 Thread glymr

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
 
yeah, i think if i were you, i'd sell all of the hardware they had
their hands on for that time asap and get new hardware. there's way
too many routes that could be used to compromise the server once it's
been in the hands of untrusted people. A fresh installation of the
server is absolutely essential in any case because they almost
certainly nabbed the secret keys of the server and would be able to
use this to decrypt your traffic - they wouldn't even have to mess
with your hardware to achieve this, i'm sure they could get a judge to
approve a wiretap at the isp for your server on the basis that it has
been a conduit for criminal activity.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (MingW32)
 
iD8DBQFEZrmcGkOzwaes7JsRAyAzAJ9ZcYMttl/ZailVC7WaWHqRFEpY2QCgsA+5
cJFL0QFrlhY0KQCJqj54z/Q=
=Kl8x
-END PGP SIGNATURE-

Re: Some legal trouble with TOR in France

2006-05-13 Thread phobos

On Sat, May 13, 2006 at 10:22:33PM -0500, [EMAIL PROTECTED] wrote 1.3K bytes in 
30 lines about:
: this sort of search? In the US they should require a warrant, and some
: judge would have to approve that. A US judge exercising proper
: dilligence should be able to realize that the search was not likely to

The keyword there is "should".  Under the PATRIOT Act, warrants
are not required until something like 72 hours AFTER they've
searched your home.  In fact, secret warrants can be used to
search your residence without your knowledge.  Yet, this data
collected secretly can be used against you in courts.

I'm not a lawyer, consult one for accurate legal advice.  A good
starting point for all of this, in the USA, can be found at
http://www.epic.org/privacy/terrorism/usapatriot/foia/
-- 
Andrew

Re: Some legal trouble with TOR in France

--- Mike Perry <[EMAIL PROTECTED]> wrote:
> A US judge exercising proper
> dilligence should be able to realize that the search was not likely
> to
> produce relevant evidence to the case in question, or so one would
> hope.

LOL. Where have you been for the past 6 months with regards to the Bush
administration. Warrants in the US are no longer required.

Re: Some legal trouble with TOR in France

2006-05-13 Thread Mike Perry

Thus spake Olivier Barbut ([EMAIL PROTECTED]):

> Hello dear tor talkers,
> 
> I'm running the tor router "mini", located in paris, france, and I 
> believe I have to share with you what happened to me last wednesday,the 
> 10th of May. My router was an outside gateway, doing request for tor 
> anonymous users.
> 
> Last wednesday morning, at 7:45, three cops did knock at my door. They 
> suspected me to have downloaded some child porn videos. As I was waking 
> up, I understood it was tor-related. I did explain them I was a TOR 
> outside gateway, but they didn't knew about it. They searched everywhere 
> in my small home and took every support they could find: hard drives 
> they removed from computers, cds, disks, and then they took me to the 
> police station, at the child protection service, jailing me the whole 
> day while they was searching my hard drives and cds for traces of the 
> video they was looking for.

Do french police need a warrant or some form of approval to conduct
this sort of search? In the US they should require a warrant, and some
judge would have to approve that. A US judge exercising proper
dilligence should be able to realize that the search was not likely to
produce relevant evidence to the case in question, or so one would
hope.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Re: Some legal trouble with TOR in France

2006-05-13 Thread Kelda Sholdice

Agreed, any data on the disk will have been compromised and any
private keys for example cannot be trusted.  The install can't be
trusted as some sort of rootkit could be trivially installed by
forensics types.

Other than wiping the drives and starting with a fresh install and
fresh keys, I would be less concerned about getting new drives than
about the keyboard and motherboard (which it sounds like they did not
touch, at least not to take with them).  If it is a common motherboard
in particular, a bios flash could have been done.  Also, the keyboard
could have been popped open and a keylogger installed.

Either of these keyboard / motherboard attacks could have been made
quickly and while the individual was detained for the day or in
another room during the search.  If someone high enough up was
interested, an arrest and taking the disks away seems like an awfully
strong heads up to me - I would expect someone who would be messing
with the drive physically would have been more subtle.

Even if they only took the disks, I personally would be replacing my
keyboard first, before disks.

Best of luck, and sorry you had to go through this.

Kelda

--- Landorin <[EMAIL PROTECTED]> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> I'd say if you can register a server with the required data given you
> can unregister it the same way imho. Just contact the adress for
> registering.
>
> In the end, it's up to you to decide what is necessary to trust your
> hardisks again. Yet if I were the police I wouldn't waste my time on
> someone who obviously had nothing to do with the crime, I'd rather
> concentrate on finding criminals that can be traced back (and if they
> listened to you then they know it's a waste of time in any case
> because they can't track anyone back with your PC).
>
> Sincerely,
> Landorin
>

Re: Some legal trouble with TOR in France

FWIW, I've bought a number of hard drives from ebay. It's pretty
amazing the sensitive data I could recover from them with the simplest
of freeware. Luckily for them, I'm a good person. A simple wipe with
DBAN would have prevented all that. Oh well.


--- Landorin <[EMAIL PROTECTED]> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>  
> I'd say if you can register a server with the required data given you
> can unregister it the same way imho. Just contact the adress for
> registering.
> Speaking of cloned hard drives and having his keys... that's where
> "Truecrypt" kicks in. ;) Nicely encrypted files with hidden volumes
> within the file. ;)
> 
> By the way, if you even want to melt the hardisk then you need to go
> to the Mount Doom and drop it there, that's the safest way and since
> you're already on it, that way you can make the Microsoft Tower of
> Evil and its virtual armies collapse, too. ;) I doubt the normal
> police has such good programs that survive melting and formating. ;)
> In the end, it's up to you to decide what is necessary to trust your
> hardisks again. Yet if I were the police I wouldn't waste my time on
> someone who obviously had nothing to do with the crime, I'd rather
> concentrate on finding criminals that can be traced back (and if they
> listened to you then they know it's a waste of time in any case
> because they can't track anyone back with your PC).
> 
> Sincerely,
> Landorin
> 
> Anthony DiPierro schrieb:
> > On 5/13/06, Ringo Kamens <[EMAIL PROTECTED]> wrote:
> >> He has a good point. They surely have a clone of your drive which
> >> means they
> >> have the private keys to the server which could destroy the user's
> >> anonymity.
> >>
> > If I understand things correctly then the name of the node should
> be
> > told to someone who can permanently take it out of the directory
> > servers.  Is this possible/necessary?  Or does everyone have to add
> an
> > excludenodes?
> >
> > Anthony
> >
> >
> 
> 
> - --
> Accelerate cancer research with your PC:
> http://www.chem.ox.ac.uk/curecancer.html
> 
> GPG key ID: 4096R/E9FD5518
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.2.1 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>  
> iQIVAwUBRGZ9ni4XdI7p/VUYAQJ7nRAA23sfYnBQ5kka8PtX5ubnKz784KS+MoY0
> Dl3GbcNHuIxGRUPVrPlsg5kmYLXocuUPHzUBiHsl20bWMNn6BWE4/rjPaZZaEz6I
> KgxMUx9PmQhZQOH9r+1gNoJnfB2VM2J8coms1g0O3zlwK6H9bTwCc0DPgGVcLkWI
> BhaS6YWuPPLgIUMi+DVYGJar6Lj/Ke1i/nYnVCc0u+F5MIi8vweuTui0tDQOg29E
> 9mMX1FhQTsEIeb2G4VsFt04Ye3voMVHXhf4kyOaI77PwLAm1grA4Dg2uHo4Lspb0
> RbLoKxQBnExQCkPHWadxwqEyb6tOBibWaF/OA5mEsW27Dh0SlpW351uJ90Jxiun6
> IPbIRx3KkE+5W3hppXqIPKMezIrubX4sxJ2P6ONTHwm3il9qRBMB8eUJzBZMbx4F
> UsB1Wt6y9wVoeCwkc4uaUpnNozbhlyWMQxIr5fpjJ0f8QYgJ/BsqWoxmoaGJ6kSA
> ukdN93g5mxhQ4R3D5zBU/jpAvv3zLEcNoFlg9HnotYBYK/x3u6n/d03B0TeKd1s8
> nM4iOTDvIc2jISNtV1hMxzd9tX4CkIsVSz7aCUiTJnHFnngeGdqCu+7x6sDQB6t5
> 4vPUpfJFnGp+P/TnTu0diOaYCdiCkeyVhisCZX7+cy6z+7UIHZEtkGTZD4NC3ugd
> FKjerbzR/kg=
> =J51j
> -END PGP SIGNATURE-
> 
>

Re: Some legal trouble with TOR in France

2006-05-13 Thread Landorin

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I'd say if you can register a server with the required data given you
can unregister it the same way imho. Just contact the adress for
registering.
Speaking of cloned hard drives and having his keys... that's where
"Truecrypt" kicks in. ;) Nicely encrypted files with hidden volumes
within the file. ;)

By the way, if you even want to melt the hardisk then you need to go
to the Mount Doom and drop it there, that's the safest way and since
you're already on it, that way you can make the Microsoft Tower of
Evil and its virtual armies collapse, too. ;) I doubt the normal
police has such good programs that survive melting and formating. ;)
In the end, it's up to you to decide what is necessary to trust your
hardisks again. Yet if I were the police I wouldn't waste my time on
someone who obviously had nothing to do with the crime, I'd rather
concentrate on finding criminals that can be traced back (and if they
listened to you then they know it's a waste of time in any case
because they can't track anyone back with your PC).

Sincerely,
Landorin

Anthony DiPierro schrieb:
> On 5/13/06, Ringo Kamens <[EMAIL PROTECTED]> wrote:
>> He has a good point. They surely have a clone of your drive which
>> means they
>> have the private keys to the server which could destroy the user's
>> anonymity.
>>
> If I understand things correctly then the name of the node should be
> told to someone who can permanently take it out of the directory
> servers.  Is this possible/necessary?  Or does everyone have to add an
> excludenodes?
>
> Anthony
>
>

- --
Accelerate cancer research with your PC:
http://www.chem.ox.ac.uk/curecancer.html

GPG key ID: 4096R/E9FD5518
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBRGZ9ni4XdI7p/VUYAQJ7nRAA23sfYnBQ5kka8PtX5ubnKz784KS+MoY0
Dl3GbcNHuIxGRUPVrPlsg5kmYLXocuUPHzUBiHsl20bWMNn6BWE4/rjPaZZaEz6I
KgxMUx9PmQhZQOH9r+1gNoJnfB2VM2J8coms1g0O3zlwK6H9bTwCc0DPgGVcLkWI
BhaS6YWuPPLgIUMi+DVYGJar6Lj/Ke1i/nYnVCc0u+F5MIi8vweuTui0tDQOg29E
9mMX1FhQTsEIeb2G4VsFt04Ye3voMVHXhf4kyOaI77PwLAm1grA4Dg2uHo4Lspb0
RbLoKxQBnExQCkPHWadxwqEyb6tOBibWaF/OA5mEsW27Dh0SlpW351uJ90Jxiun6
IPbIRx3KkE+5W3hppXqIPKMezIrubX4sxJ2P6ONTHwm3il9qRBMB8eUJzBZMbx4F
UsB1Wt6y9wVoeCwkc4uaUpnNozbhlyWMQxIr5fpjJ0f8QYgJ/BsqWoxmoaGJ6kSA
ukdN93g5mxhQ4R3D5zBU/jpAvv3zLEcNoFlg9HnotYBYK/x3u6n/d03B0TeKd1s8
nM4iOTDvIc2jISNtV1hMxzd9tX4CkIsVSz7aCUiTJnHFnngeGdqCu+7x6sDQB6t5
4vPUpfJFnGp+P/TnTu0diOaYCdiCkeyVhisCZX7+cy6z+7UIHZEtkGTZD4NC3ugd
FKjerbzR/kg=
=J51j
-END PGP SIGNATURE-

Re: Some legal trouble with TOR in France

2006-05-13 Thread Anthony DiPierro


On 5/13/06, Ringo Kamens <[EMAIL PROTECTED]> wrote:

He has a good point. They surely have a clone of your drive which means they
have the private keys to the server which could destroy the user's
anonymity.


If I understand things correctly then the name of the node should be
told to someone who can permanently take it out of the directory
servers.  Is this possible/necessary?  Or does everyone have to add an
excludenodes?

Anthony

Re: Some legal trouble with TOR in France

2006-05-13 Thread Ringo Kamens

He has a good point. They surely have a clone of your drive which means they have the private keys to the server which could destroy the user's anonymity.
On 5/13/06, Joe Knall <[EMAIL PROTECTED]> wrote:
On Sonntag, 14. Mai 2006 00:03 Ringo Kamens wrote:> Well burning it doesn't do is completely (unless it's molten and then
> mixed with other stuff). You should securely wipe it with a magnet> and then melt it. In this case, just wipe it about 100 times and then> sell it.Hey people... why not commit suicide and let them have the crap...
but back to serious:Darik's Boot&Nuke (dban.sourceforge.net) seems to be a sufficientsolution to wipe a disk.What surprises me is that they let Olivier go that quickly and even gave
him back his equipment, maybe there's really something fishy about it.I keep the prejudice that cops aren't that open-minded and learn whattor is in just one day.But I'd worry more about them having made copies of everything and hold
my gpg and ssh keys now, and who knows what else...Joe

Re: Some legal trouble with TOR in France

2006-05-13 Thread Joe Knall

On Sonntag, 14. Mai 2006 00:03 Ringo Kamens wrote:
> Well burning it doesn't do is completely (unless it's molten and then
> mixed with other stuff). You should securely wipe it with a magnet
> and then melt it. In this case, just wipe it about 100 times and then
> sell it.

Hey people... why not commit suicide and let them have the crap...
but back to serious: 
Darik's Boot&Nuke (dban.sourceforge.net) seems to be a sufficient 
solution to wipe a disk.

What surprises me is that they let Olivier go that quickly and even gave 
him back his equipment, maybe there's really something fishy about it. 
I keep the prejudice that cops aren't that open-minded and learn what 
tor is in just one day.
But I'd worry more about them having made copies of everything and hold 
my gpg and ssh keys now, and who knows what else...

Joe

Re: Some legal trouble with TOR in France

Wiping with a magnet is absolutely useless unless you own a
professional degausser (which are large and expensive--we have one
where I work).

For some more reading on the matter:

http://en.wikipedia.org/wiki/Degauss
http://en.wikipedia.org/wiki/Data_remanence

--- Ringo Kamens <[EMAIL PROTECTED]> wrote:

> Well burning it doesn't do is completely (unless it's molten and then
> mixed
> with other stuff). You should securely wipe it with a magnet and then
> melt
> it. In this case, just wipe it about 100 times and then sell it.
> 
> On 5/13/06, Alexandru ARMEAN <[EMAIL PROTECTED]> wrote:
> >
> > There are methods (and they are used) to read data from a
> overwritten
> > disk.
> >
> > It has to do with the age of data that has been written in a single
> > place on the disk . The process, of what i remember , involves some
> more
> > hardware methods like taking of a very small layer of the disks
> surface
> > and then try to read data.
> >
> >
> > The only 100% solution of disposing your data is to burn the disc
> (and
> > then maybe melt it). But selling it maybe also be effective in the
> given
> > case...
> >
> >
> >
> > Alex
> >
> >
> > On Sat, 2006-05-13 at 23:55 +0200, Landorin wrote:
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA1
> > >
> > > I don't get it. Why buy a new one anyway? From what I know, any
> and
> > > every data will be lost if you format your hardisk with a safe
> method
> > > (can't remember the name right now but that method keeps writing
> > > random data to your entire hardisk to overwrite existing files
> and it
> > > does it for 10 times or more to ensure all old data is lost)?
> > >
> > > Sincerely,
> > > Landorin
> > >
> > >
> > > Eric H. Jung schrieb:
> > > > If you can't afford a new hard drive, be sure to wipe it using
> DBAN
> > > > http://dban.sourceforge.net/
> > > > (open-source, free)
> > > >
> > > >
> > > > --- Ringo Kamens <[EMAIL PROTECTED]> wrote:
> > > >
> > > >> Chances are it would be internal and couldn't hold much data.
> I
> > > >> really think
> > > >> you should sell your rig and buy a used one that's comprable
> and cut
> > > >> the
> > > >> losses. It's too risky to keep it.
> > > >>
> > > >> On 5/13/06, Olivier Barbut <[EMAIL PROTECTED]> wrote:
> > > >>> thanks for the advice. I will for shure reformat everything
> and
> > > >>> reinstall linux when I get time for this. Changing hard
> drives
> > > >> would be
> > > >>> nice but I have not enough money for this right now.
> > > >>>
> > > >>> Do you know what a hard drive tap could look like ?
> > >  As for the tor server, I suggest that you completely wipe
> those
> > > >> drives
> > >  securely, reformat, and reinstall everything. The best thing
> to
> > > >> do
> > >  would be to sell those drives and buy new ones because it
> could
> > > >> be
> > >  that they put taps in them. Also, they could have installed
> a
> > >  keylogger. If I were you, I wouldn't use any of that
> equipment
> > > >> again.
> > >  At the very minimum, you need to reinstall
> windows/linux/etc. and
> > > >> tor
> > >  with a reformat because they probably put in a trojaned
> version
> > > >> of tor.
> > > >
> > > >
> > >
> > >
> > > - --
> > > Accelerate cancer research with your PC:
> > > http://www.chem.ox.ac.uk/curecancer.html
> > >
> > > GPG key ID: 4096R/E9FD5518
> > > -BEGIN PGP SIGNATURE-
> > > Version: GnuPG v1.4.2.1 (MingW32)
> > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > >
> > > iQIVAwUBRGZV7C4XdI7p/VUYAQKcsg//VKwTiM70FAWxnqpZG+bDgWguHztRjFd4
> > > 2SbsfOmKlLq3JZOxj5QgGZT/LDIvIbROhg7fgPQ5Ko9Dk3odwWBbLTeoo6vzqLEV
> > > IVNht+MNPK5M9kOCQxQhlfi6H4SkwVgmUhanu9Y1TZK6ZrtVPRwmKq3F/LIE56Yp
> > > apTja6o6gE4hgiwHLHiqwxQY8SXgFi4QYdvtDKVL9/bQHiE7h5nxKK1ZZZEEhOpx
> > > 9WShBH5c8GOU3dwrRJwhbkbPwM0zyRR3gh2eE3vYZm9ZLgu+SUnv/FqY1KVZGSc8
> > > 4ubV72IRbgzind8Q1btf2mzPBm1spxN04BkoqMG8OKR274LkLN496Pw8w1O1K6uE
> > > KEuub0ilwNiccFJ+//xMBZg691012ddMd6wwqDuiMF3TCcH+nO8JnPWPQRLZ3mct
> > > cJLF6pldawabH1EVZ1WqmuhOnmOmRfbVQG22AKcfsTgku7geTyrLSw1PctKph9gm
> > > i//ookWGJvR1zRl1V2LkVOmiQfN2KbjTHZFWaxdIC5M+b2/8kXAagP9u6gAluZi+
> > > WatIzdRgU6eYJLD46q6Hs6jDv6yXIdpQtsFtlZ3SMilOVJOU5SahZauVVF7rqH14
> > > KIXdYCi+Ltg1uYOllED0bHnRXpgqNlphwt4tU892eRPhRiBX1XuX7vPBGPESi9ib
> > > oaV3AHk+Lpc=
> > > =Z0Oc
> > > -END PGP SIGNATURE-
> > >
> >
> >
> > -BEGIN PGP SIGNATURE-
> > Version: GnuPG v1.2.6 (GNU/Linux)
> >
> > iD8DBQBEZlc0iUtZaH/sZSURAvbBAJ9SeZN1hX39foDTMeHLkEfv7OGSiQCfbjfv
> > y4SDn0GrX6CbL6M6l5b/LG4=
> > =3IPs
> > -END PGP SIGNATURE-
> >
> >
> >
>

Re: Some legal trouble with TOR in France

2006-05-13 Thread Ben Wilhelm

I will admit that I'm not quite sure what the fear is with this - 
reformatting it makes sense in case they installed evil software, but 
there's no reason to burn it or securely wipe it or whatever if you 
think that's all that's wrong with it.

I suppose they could technically have installed a hardware monitoring 
device, but I find it very *very* unlikely that they will have bothered. 
What's the chance that they'd have that kind of an expert on staff? I'd 
say, open it up, disconnect cables, see if they've added anything to the 
cables, reconnect it all, reformat the hard drive, and stop worrying 
about it.

I mean, okay, they *could* have installed a new hard drive controller 
chip with a built-in cellular antenna to broadcast your credit card 
details to the Illuminati. But they could also hire a ninja to break 
into your house at night, steal your cat's food, and hide your TV 
remote. (Or, for that matter, install a new controller chip.) At some 
point you just have to say "this is silly" and stop being paranoid.

-Ben

Ringo Kamens wrote:
Well burning it doesn't do is completely (unless it's molten and then 
mixed with other stuff). You should securely wipe it with a magnet and 
then melt it. In this case, just wipe it about 100 times and then sell it.

On 5/13/06, *Alexandru ARMEAN* <[EMAIL PROTECTED] 
> wrote:

There are methods (and they are used) to read data from a overwritten
disk.

It has to do with the age of data that has been written in a single
place on the disk . The process, of what i remember , involves some more
hardware methods like taking of a very small layer of the disks surface
and then try to read data.

The only 100% solution of disposing your data is to burn the disc (and
then maybe melt it). But selling it maybe also be effective in the given
case...

Alex

On Sat, 2006-05-13 at 23:55 +0200, Landorin wrote:
 > -BEGIN PGP SIGNED MESSAGE-
 > Hash: SHA1
 >
 > I don't get it. Why buy a new one anyway? From what I know, any and
 > every data will be lost if you format your hardisk with a safe method
 > (can't remember the name right now but that method keeps writing
 > random data to your entire hardisk to overwrite existing files and it
 > does it for 10 times or more to ensure all old data is lost)?
 >
 > Sincerely,
 > Landorin
 >
 >
 > Eric H. Jung schrieb:
 > > If you can't afford a new hard drive, be sure to wipe it using DBAN
 > > http://dban.sourceforge.net/
 > > (open-source, free)
 > >
 > >
 > > --- Ringo Kamens <[EMAIL PROTECTED]
> wrote:
 > >
 > >> Chances are it would be internal and couldn't hold much data. I
 > >> really think
 > >> you should sell your rig and buy a used one that's comprable
and cut
 > >> the
 > >> losses. It's too risky to keep it.
 > >>
 > >> On 5/13/06, Olivier Barbut < [EMAIL PROTECTED]
> wrote:
 > >>> thanks for the advice. I will for shure reformat everything and
 > >>> reinstall linux when I get time for this. Changing hard drives
 > >> would be
 > >>> nice but I have not enough money for this right now.
 > >>>
 > >>> Do you know what a hard drive tap could look like ?
 >  As for the tor server, I suggest that you completely wipe those
 > >> drives
 >  securely, reformat, and reinstall everything. The best thing to
 > >> do
 >  would be to sell those drives and buy new ones because it could
 > >> be
 >  that they put taps in them. Also, they could have installed a
 >  keylogger. If I were you, I wouldn't use any of that equipment
 > >> again.
 >  At the very minimum, you need to reinstall
windows/linux/etc. and
 > >> tor
 >  with a reformat because they probably put in a trojaned version
 > >> of tor.
 > >
 > >
 >
 >
 > - --
 > Accelerate cancer research with your PC:
 > http://www.chem.ox.ac.uk/curecancer.html
 >
 > GPG key ID: 4096R/E9FD5518
 > -BEGIN PGP SIGNATURE-
 > Version: GnuPG v1.4.2.1 (MingW32)
 > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 >
 > iQIVAwUBRGZV7C4XdI7p/VUYAQKcsg//VKwTiM70FAWxnqpZG+bDgWguHztRjFd4
 > 2SbsfOmKlLq3JZOxj5QgGZT/LDIvIbROhg7fgPQ5Ko9Dk3odwWBbLTeoo6vzqLEV
 > IVNht+MNPK5M9kOCQxQhlfi6H4SkwVgmUhanu9Y1TZK6ZrtVPRwmKq3F/LIE56Yp
 > apTja6o6gE4hgiwHLHiqwxQY8SXgFi4QYdvtDKVL9/bQHiE7h5nxKK1ZZZEEhOpx
 > 9WShBH5c8GOU3dwrRJwhbkbPwM0zyRR3gh2eE3vYZm9ZLgu+SUnv/FqY1KVZGSc8
 > 4ubV72IRbgzind8Q1btf2mzPBm1spxN04BkoqMG8OKR274LkLN496Pw8w1O1K6uE
 > KEuub0ilwNiccFJ+//xMBZg691012ddMd6wwqDuiMF3TCcH+nO8JnPWPQRLZ3mct
 > cJLF6pldawabH1EVZ1WqmuhOnmOmRfbVQG22AKcfsTgku7geTyrLSw1PctKph9gm
 > i//ookWGJvR1zRl1V2LkVOmiQfN2KbjTHZFWaxdIC5M+b2/8kXAagP9u6gAluZi+
 > Wa

Re: Some legal trouble with TOR in France