Thank you for your quick response.
I'm not convinced by your arguments yet. I comment in between.
On 08/12/13 04:13, Francisco Ruiz wrote:
> In your message, you wrote:
>
>>1. I have to *run* it to get the hash of the application from the help
>>page. That is already a leap of faith to run unv
On 11/08/13 at 09:37pm, Francisco Ruiz wrote:
> I still have to read through the references you supply, but I can already
> see a misconception. They refer to the dangers of carrying out cryptography
> with javascript-containing dynamic pages. My previous posting referred to
> _perfectly static_ pa
On 08/11/2013 12:35 AM, h0ost wrote:
> Hi Arjen,
>
> May I ask what Swiss providers would you recommend?
(disclaimer: I am normally very hesitant to 'advertise' for specific
companies since as a consultant I do my very best to remain
independent from
On 11/08/13 22:28, Nadim Kobeissi wrote:
>
> On 2013-08-11, at 10:36 PM, danimoth wrote:
>
>> On 11/08/13 at 01:10pm, Francisco Ruiz wrote:
>>> Twice again, privacy has taken a hit across the land. Lavabit and Silent
>>> Mail are gone, and to quote Phil Zimmermann, “the writing is on the wall”
>
- Forwarded message from coderman -
Date: Sun, 11 Aug 2013 13:28:53 -0700
From: coderman
To: cypherpu...@cpunks.org
Subject: Re: Lavabit and End-point Security
one last cautionary tale:
some time back i used the techniques discussed to harden some Android
phones brought with me into a
- Forwarded message from nettime's secret court staffer -
Date: Sat, 10 Aug 2013 23:26:02 +0200
From: nettime's secret court staffer
To: nettim...@mx.kein.org
Subject: Interview with Lavabit's Ladar Levison
Reply-To: a moderated mailing list for net criticism
On a phone interview
On 08/11/2013 08:10 PM, Francisco Ruiz wrote:
> There’s no legal action that can shut down PassLok because it
> consist of pure code, and pure code is speech, protected from
> government interference under the 1^st amendment to the US
> Constitution.
On Mon, Aug 12, 2013 at 01:46:26PM +0200, Arjen Kamphuis wrote:
> Client-side encryption means a Free Software code stack running on a
> machine that is physically under your control at all time. Anything
> else is BS.
Indeed. And it can be argued that we even need open, fully inspectable
hardwar
On 12 August 2013 06:14, Ximin Luo wrote:
> On 11/08/13 22:28, Nadim Kobeissi wrote:
>>
>> On 2013-08-11, at 10:36 PM, danimoth wrote:
>>
>>> On 11/08/13 at 01:10pm, Francisco Ruiz wrote:
Twice again, privacy has taken a hit across the land. Lavabit and Silent
Mail are gone, and to quot
On 12/08/13 14:02, Ben Laurie wrote:
> On 12 August 2013 06:14, Ximin Luo wrote:
>> How is it possible to defend against timing attacks in JS? Any language
>> theoretically can be complied into anything, but the JS runtime does not
>> give you much control in what the CPU actually executes. The
Libtech,
A friend passed along little noticed comments by Gen. Hayden in June, which
I would suggest are the most direct elaboration on the differences between
the American security apparatus and piracy development efforts. The actual
interview is long, but there is one statement in particular tha
On Mon, Aug 12, 2013 at 7:53 PM, Collin Anderson
wrote:
> Alright so on the one hand we're fighting anonymity on the other hand
> we're chucking products out there to protect anonymity on the net.
I've been saying that for years. Except...backwards.
--
*Note: *I am slowly extricating myself
On 2013-08-12, at 8:53 PM, Collin Anderson wrote:
> Libtech,
>
> A friend passed along little noticed comments by Gen. Hayden in June, which I
> would suggest are the most direct elaboration on the differences between the
> American security apparatus and piracy development efforts. The actua
Nadim Kobeissi wrote:
> Here's the thing: you ultimately have two types of software that the
> U.S. is interested in funding:
>
> *Software Type A:* Software that protects useful dissidents and anyone
> else from all governments (to an extent), including the U.S. government.
> *Software Type B:* So
From: Katsiaficas, George
I write because my friend and enormously active Bangladeshi human
rights lawyer Adilur Rahman Khan was picked up by unmarked cars/police
and given 5 days remand in Dhaka—equivalent to 5 days torture.
His arrest will no doubt have a chilling effect on all Bangladeshi
act
Thanks for a thoughtful and extensive reply. Let me see if I'm
understanding your position correctly. Running crypto code in a browser is
inherently insecure because we don't really know what the browser is doing
with it, regardless of whether it is communicating with a server. Of
course, we can't
Hey Arjen, you make a huge point. Unfortunately the Netherlands aren't any
better this way, are they? Looking around, it seems the only "safe" place
for a crypto server these days would be Switzerland. I'm ready to move my
stuff over there.
Does anybody know of a good, cheap, SSL-enabled web host
Quick request.
In comments to a recent post, people seemed to agree that publishing a
video of someone reading a hash might be a fairly hard-to-hack way to
deliver that hash to the public, and thus assure the authenticity of a
piece of code, a public key, or whatnot. The problem is that the sample
John Cusack comes to mind - he's on the board of Freedom of the Press
Foundation.
~Griffin
On 08/12/2013 04:32 PM, Francisco Ruiz wrote:
> Quick request.
>
> In comments to a recent post, people seemed to agree that publishing a
> video of someone reading a hash might be a fairly hard-to-hack way
Some idle thoughts:
Edward Snowden
Bradley Manning
Julian Assange
Gen. Hayden
Jacob or Nadim
On 08/12/2013 04:32 PM, Francisco Ruiz wrote:
> Quick request.
>
> In comments to a recent post, people seemed to agree that publishing a
> video of someone reading a hash might be a fairly hard-to-hack
On 2013-08-12 15:32, Francisco Ruiz wrote:
Does any one know of a celebrity who cares
enough about computer security to be persuaded to take one minute of
his/her time to read a hash before a camera?
Hugh Grant has made privacy issues the focus of his Twitter feed.
However, he is more focus
Ashton Kutcher has talked publicly multiple times about the value of
privacy, both in his personal life and as an investor.
On Aug 12, 2013 4:38 PM, "Richard Brooks" wrote:
> Some idle thoughts:
>
> Edward Snowden
> Bradley Manning
> Julian Assange
> Gen. Hayden
> Jacob or Nadim
>
> On 08/12/2013
On 8/12/13 1:45 PM, Sarah A. Downey wrote:
> Ashton Kutcher has talked publicly multiple times about the value of
> privacy, both in his personal life and as an investor.
He made some comments today that were sort of unfortunate in that area.
http://news.moviefone.com/2013/08/12/ashton-kutcher-st
On 12/08/13 at 02:58pm, Francisco Ruiz wrote:
> Thanks for a thoughtful and extensive reply. Let me see if I'm
> understanding your position correctly.
[snip, snip, snip]
> So, trusting the OS but not trusting the browser seems to me a curious case
> of double standard. They are made by the same
Woz
On Tuesday, August 13, 2013, Parker Higgins wrote:
> On 8/12/13 1:45 PM, Sarah A. Downey wrote:
> > Ashton Kutcher has talked publicly multiple times about the value of
> > privacy, both in his personal life and as an investor.
>
> He made some comments today that were sort of unfortunate in
Prior to XKeyscore, the work of the NSA analysts was comparable with "Forrest Gump on his shrimping boat off the coast of Alabama," reads the report from Griesheim. From the ocean of data, the report reads, the analysts pulled in "a boot, a toilet seat, seaweed, and, there they are ... three shrim
> On 08/12/2013 04:32 PM, Francisco Ruiz wrote:
>> Quick request.
>>
>> In comments to a recent post, people seemed to agree that
>> publishing a video of someone reading a hash might be a fairly
>> hard-to-hack way to deliver that hash to the public, and thus
>> assure the authenticity of a piece
Dear professor Ruiz.
The real issue is to create an *easy* way to do hash validation
correctly. Reading a hash on youtube is not going to make it.
You use HTTPS without DNSSEC and DANE. Please use those first. It solves
a lot of your server validation issues. At least it allows your users'
brows
Cory Doctorow
- sent from my phone.
On Aug 12, 2013 9:33 PM, "Francisco Ruiz" wrote:
> Quick request.
>
> In comments to a recent post, people seemed to agree that publishing a
> video of someone reading a hash might be a fairly hard-to-hack way to
> deliver that hash to the public, and thus
-Original Message-
From: dewayne-...@warpspeed.com [mailto:dewayne-...@warpspeed.com] On Behalf
Of Dewayne Hendricks
Sent: Tuesday, August 13, 2013 4:32 AM
To: Multiple recipients of Dewayne-Net
Subject: [Dewayne-Net] Are Hackers the Next Bogeyman Used to Scare Americans
Into Giving Up More
I'm sorry but aren't we spending a lot of time conflating code
quality, secure coding practices, software distribution, .. with
~JavaScript in a browser~?
There are alternate pathways, signed and delivered as a Dashboard
widget via the Apple App Store for example.
I'm not proposing ~that~ as *wip
Online Certificate Course - TC105 : Mobiles for International Development
When: September 30 - October 25, 2013
Can mobile technology transform international development?
Mobile technology is everywhere and is being applied in different ways
across the world from financial services, public healt
Hi Francisco,
On 08/12/2013 10:04 PM, Francisco Ruiz wrote:
> Hey Arjen, you make a huge point. Unfortunately the Netherlands
> aren't any better this way, are they?
They are not, being a fully signed up member of the Coalition of the
Killing. And t
So re Germany being the bastion of Internet freedom blah blah, are we all
forgetting about the Staatstrojaner?
Or have we forgiven them for that now?
On Tuesday, August 13, 2013, Arjen Kamphuis wrote:
> Hi Francisco,
>
> On 08/12/2013 10:04 PM,
On Mon, Aug 12, 2013 at 3:07 PM, Ali-Reza Anghaie wrote:
> I'm sorry but aren't we spending a lot of time conflating code
> quality, secure coding practices, software distribution, .. with
> ~JavaScript in a browser~?
I think the title of the thread has a lot to do with that. Fixed! ;)
--
Tony
Nice idea. I would use a trusted timestamp instead of a headline, but
anyway. What do you think, should I do this for torservers.net/onion.to?
http://www.rsync.net/resources/notices/canary.txt
rsync.net will also make available, weekly, a "warrant canary" in the
form of a cryptographically signed
Hi,
Thank you EFF for the well-written reminder:
https://www.eff.org/deeplinks/2013/08/google-fiber-continues-awful-isp-tradition-banning-servers
[...] No ISP will come forward with a tighter definition of “server”
because they want to give themselves leeway to ban users and
technologies that the
The problem with occasionally looking at Huffington Post is that I'm
subjected to such things...
Matt Damon:
*"He broke up with me," the "Elysium" star said. "There are a lot of things
that I really question, you know: the legality of the drone strikes, and
these NSA revelations they’re, you know
On 08/13/2013 12:48 AM, Tom O wrote:
> So re Germany being the bastion of Internet freedom blah blah, are
> we all forgetting about the Staatstrojaner?
No we are not. But the difference between Germany and many other
countries is the outrage and deba
Libtech,
Some of you might be interested in the latest Small Media Infrastructure
report, which covers the time between election day and inauguration. Unlike
the prior report, which was heavily technical, this iteration largely
focuses on the vibrant policy discussion happening around the state
in
That's not a good enough reason to trust Germany.
They had the capability to create it and the audacity to implement it on
their own populace.
You know what the outrage taught them, learn to hide your tracks better.
Ensuring privacy is not a requirement of the state anymore, it's the
responsibil
Francisco, you assume that all browsers will save a static version of the
page identically. This is not the case.
I ran a test using 'wget https://passlok.site44.com' and Chrome's "Save
As". The former will actually match the hash value you've posted, but the
latter does not.
I spotted at least 5
I didn't know LibTech had become the PassLok development mailing list.
On Mon, Aug 12, 2013 at 6:26 PM, Collin Anderson
wrote:
> The problem with occasionally looking at Huffington Post is that I'm
> subjected to such things...
>
> Matt Damon:
>
> "He broke up with me," the "Elysium" star said. "
On 08/13/2013 01:58 AM, Tom O wrote:
> That's not a good enough reason to trust Germany.
And I don't. I trust the German people to stand up when it counts.
Because they know the consequence of failing to do so.
> Ensuring privacy is not a requirement
Penn Jillette
On Mon, Aug 12, 2013 at 1:32 PM, Francisco Ruiz wrote:
> Quick request.
>
> In comments to a recent post, people seemed to agree that publishing a
> video of someone reading a hash might be a fairly hard-to-hack way to
> deliver that hash to the public, and thus assure the authenti
Moritz Bartl:
> Nice idea. I would use a trusted timestamp instead of a headline, but
> anyway. What do you think, should I do this for torservers.net/onion.to?
>
> http://www.rsync.net/resources/notices/canary.txt
>
> rsync.net will also make available, weekly, a "warrant canary" in the
> form o
On Mon, Aug 12, 2013 at 10:53 PM, adrelanos wrote:
> Awesome! However euphoric I may be about this...
>
> Might there be a chance for getting sued for this?
>
> If this is safe, it would be awesome if all major pages could implement
> this. torservers.net, torproject.org, truecrypt.org, gnupg.org,
BBC Blogs (Aug 8) - "BUGGER: Maybe The Real State Secret Is That Spies
Aren't Very Good At Their Jobs and Don't Know Very Much About The
World" by Adam Curtis:
http://www.bbc.co.uk/blogs/adamcurtis/posts/BUGGER
It's really nice to see Adam Curtis we
On Mon, Aug 12, 2013 at 7:53 PM, adrelanos wrote:
> Awesome! However euphoric I may be about this...
> Might there be a chance for getting sued for this?
> If this is safe, it would be awesome if all major pages could implement
> this. torservers.net, torproject.org, truecrypt.org, gnupg.org, etc.
On Tue, Aug 13, 2013 at 2:24 PM, Gregory Maxwell wrote:
> On Mon, Aug 12, 2013 at 7:53 PM, adrelanos wrote:
> > Awesome! However euphoric I may be about this...
> > Might there be a chance for getting sued for this?
> > If this is safe, it would be awesome if all major pages could implement
> >
Spideroak claims to use client-side encryption for desktop client but
doesn't use zero-knowledge password proof for mobile Apps or website
portal.
In light of Lavabit, spideroak could also be forced to intercept password if
users ever use mobile Apps or website login while being gagged. Then all
Percy
From https://spideroak.com/mobile
"
How Mobile Works with SpiderOak’s Zero Knowledge Policy
Here's the deal: when accessing your data via the SpiderOak website or on a
mobile device you must enter your password. The password will then exist in
the SpiderOak server memory for the duration
On Mon, Aug 12, 2013 at 10:10 PM, Percy Alpha wrote:
> Spideroak claims to use client-side encryption for desktop client but
> doesn't use zero-knowledge password proof for mobile Apps or website
> portal.
>
SpiderOak (mis)uses the term "zero knowledge" to mean end-to-end (or
client-side) en
@Tom, "For this amount of time your password is stored in encrypted memory"
but to actually use the key, the key has to be in plain-text form for
some time, during which it can be (forced to be) intercepted.
If they can force Lavabit to intercept users' emails, why can't they ask
spideroak to secretly
@Tony, they claim to use zero-knowledge password proof for desktop client,
but not for mobile or website. I wonder why, not accepted by App Store?
--
Liberationtech is a public list whose archives are searchable on Google.
Violations of list guidelines will get you moderated:
https://mailman.sta
On Tue, Aug 13, 2013 at 1:35 AM, Percy Alpha wrote:
> @Tom, "For this amount of time your password is stored in encrypted
> memory" but to actually use the key, the key has to be in plain-text form
> for some time, during which it can be (forced to be) intercepted.
>
> If they can force Lavabit to in
On Mon, Aug 12, 2013 at 10:36 PM, Percy Alpha wrote:
> @Tony, they claim to use zero-knowledge password proof for desktop client,
> but not for mobile or website. I wonder why, not accepted by App Store?
>
Can you please link specifically to what you're talking about? Their
marketing material is
I'm not saying they can't. I'm saying they acknowledge it, although the way
they do makes it seem as if it's a non-issue.
I don't think it is.
I prefer tahoe-lafs
On Tue, Aug 13, 2013 at 3:35 PM, Percy Alpha wrote:
> @Tom, "For this amount of time your password is stored in encrypted
> memory"
@Tony,
"The secret that keeps your data accessible to you alone is your SpiderOak
password, which is never transmitted to SpiderOak in its original form."
https://spideroak.com/engineering_matters