cypherpunks-legacy
============================================================
EDRI-gram
biweekly newsletter about digital civil rights in Europe
Number 5.3, 14 February 2007
============================================================
Contents
============================================================
1. Online police searches found illegal in Germany
2. MEPs support again the rules on defamation in Rome II
3. The ORG and FIPR week of e-voting events
4. Towards a committee for French on-line services regulation?
5. European Central Bank found accountable in the SWIFT case
6. Belgium court backs decision against Google
7. European institutions try to impose a stronger position in the PNR debate
8. Bulgaria fails to protect citizen's personal data
9. House of Lords produces report against the AVMS directive
10. French Court decides on the sequel of Les Miserables
11. Recommended reading
12. Agenda
13. About
============================================================
1. Online police searches found illegal in Germany
============================================================
The German Federal Supreme Court (BGH) in Karlsruhe ruled, on 5 February,
that, according to the German Code of Criminal Procedure (StPO), online
police snooping was illegal.
As the court argued, the StPO contains no provision allowing the authorities
to perform online snooping; the code allows only overt searches.
Magistrate Ulrich Hebenstreit had already ruled against house searches
arguing that such searches had to take place in the presence of the person
affected. He emphasized that the data stored on computers could often be
confidential and compared online spying measures to electronic
eavesdropping.
The Protection of the Constitution Act on the German federal state of North
Rhine-Westphalia has recently included a provision that allows online PC
searches against which a complaint of unconstitutionality is presently being
prepared.
Consequently, Federal Minister of the Interior Wolfgang Schäuble is now
asking the legislators to create a legal basis for criminal prosecutors
to perform online searches, which he considers indispensable.
Jörg Ziercke, President of the German Federal Criminal Police Office, also
asked for new legislation to support these actions and stated: "We have to be
able to keep up with new technologies when unscrupulous criminals hide on the
Internet, where they can plan their attacks and prepare their criminal
actions."
At the same time, he wanted to assure the German citizens that they
shouldn't worry about the Government monitoring them in a way that would
violate their rights. "These measures will not even affect 99.9 percent of
the population."
Ziercke stated that the Internet was playing a major part in the war against
terrorism, child pornography, neo-Nazi propaganda and other types of crimes
but can also play an important role in committing those crimes.
"The Internet is the criminal platform of the future. In fact, it is the
criminal platform of today."
On the other hand, Burkhard Hirsch, the former vice president of the lower
chamber of Germany's Federal Parliament and a member of the opposition Free
Democratic Party (FDP), considers online search by the police of a PC
as "worse than a major eavesdropping operation." He declared to the German
news magazine Der Spiegel that spying on a computer through the Internet is
a "more brutal form of intrusion" than previous criminal investigation
methods.
Surreptitious online searches of PCs are illegal (6.02.2007)
http://www.heise.de/english/newsticker/news/84867
German criminology czar believes that online searches
are urgently needed (7.02.2007)
http://www.heise.de/english/newsticker/news/84908
Germany outlaws secret police snooping (6.02.2007)
http://www.out-law.com/page-7737
EDRI-gram: Proposal of computers online searching in Germany (20.12.2006)
http://www.edri.org/edrigram/number4.24/computer-online-searching
============================================================
2. MEPs support again the rules on defamation in Rome II
============================================================
The European Parliament has voted in its second reading on the Rome II
Regulation to reintroduce the rules regarding defamation by media or
publications via the Internet and other electronic networks. The Rome II
Regulation establishes the rules on the law applicable to
non-contractual obligations.
The member states and media organizations wanted a simple formula to be
introduced instead of applying the general principle, under which the
applicable law is that of the country in which the defamed person lives. That
would practically mean that every media company would have to know the privacy
and defamation laws of every European country.
At the first reading in July 2005, MEPs had approved a compromise amendment
that regulated the violation of privacy by a printed or audiovisual media.
The Council decided to delete this provision from its Common Position. In
the vote in plenary, MEPs decided to reintroduce the same rules, as adopted
at the first reading.
The Parliament's amendment suggests that in the case of print or broadcast
media the law which should apply in disputes is the law of the country to
which the publication or broadcast is most directed. That must be determined
in particular by the language of the publication or broadcast or by sales or
audience size in a given country as a proportion of total sales or audience
size or by a combination of those factors. If that is not an easy fact to
determine, the relevant law will be the one of the country where editorial
control is exercised. This provision will apply also to publications via the
Internet and other electronic networks. Regarding the right to reply, the
applicable law should be the law of the country in which the publisher or
broadcaster has its habitual residence.
Strong disagreements between the Council and the Parliament still exist,
especially on the defamation rules. According to Commission Vice-President
Franco Frattini, who spoke before the vote, on the approved rules on
defamation, "there is no way they will get through" in the Council.
MEP Diana Wallis stated her satisfaction on the result of the vote, but also
warned: "We may not have reached the end of the story of Rome II; by again
passing these amendments there will almost certainly have to be a
conciliation process to iron out the final difficulties between the European
law-making institutions."
The text adopted by the Parliament should go now through the conciliation
procedure, where Member States and MEPs, equally represented, will have to
debate further to find a compromise and approve the Regulation.
Rome II: MEPs reintroduce rules on defamation (18.01.2006)
http://www.europarl.europa.eu/news/expert/infopress_page/008-1942-015-01-03…
01-20070112IPR01917-15-01-2007-2007-false/default_en.htm
European Parliament stands firm on cross-border defamation law (2.02.2007)
http://www.out-law.com/page-7726
EDRI-gram: Rome II: Applicable law and freedom of expression (29.06.2005)
http://www.edri.org/edrigram/number3.13/RomeII
EP Legislative Observatory Rome II file
http://www2.europarl.eu.int/oeil/file.jsp?id=235142
============================================================
3. The ORG and FIPR week of e-voting events
============================================================
Last week there were three e-voting events hosted in London by EDRI members,
the Open Rights Group (ORG) and the Foundation for Information Policy
Research (FIPR).
On 6 February guests saw a screening of the documentary film
"Hacking Democracy" which reveals in detail the failings of e-voting and
e-counting systems in the United States.
After the film a lively panel, chaired by ORG's e-voting co-ordinator Jason
Kitcat, discussed the film's implications particularly given e-voting pilots
planned in the UK for May 2007. On the panel were John Pugh MP (Liberal
Democrat); Russell Michaels, one of the film's co-directors and Dr Rebecca
Mercuri, an e-voting expert from the United States.
On 8 February there were two events which gathered, for the first time, a
wide array of e-voting experts and activists from around the world. In the
afternoon the European e-Voting Activism Workshop opened with a keynote
by Harri Hursti, a Finnish security expert who has demonstrated a number of
major security flaws in US election systems. Mr Hursti discussed how he
compromised an optical counting system to provide the finale for "Hacking
Democracy". He also shared his views on the wide variety of ways in which
e-voting and e-counting systems are vulnerable to fraud and error.
Subsequently experts from Belgium, France, Germany, Ireland, The Netherlands
and the United States presented the problems they were experiencing with the
introduction of e-voting in their countries. Attendees were struck by the
strong similarities between all the presentations:
- Governments would, with extremely weak standards in place, contract the
running and monitoring of elections to private companies;
- These companies would do minimal testing and withhold the results of those
tests;
- Problems and possible indications of fraud would arise during and after
elections. Further investigation would be impossible due to failings in the
technology and/or due to obstruction by vendors and government.
After the workshop's broad overview of e-voting, the evening event
"e-Voting: A challenge to democracy?" provided time for more detailed
presentations.
Margaret McGaley, the founder of Irish Citizens for Trustworthy e-Voting,
reported on the thus-far abortive attempts to introduce e-voting machines to
the Republic of Ireland. She noted that early in the process experts had
offered advice but weren't listened to. After pushing on at great expense
the Irish government were forced to create an Independent Commission on
Electronic Voting which found serious flaws in the Nedap voting machines and
software purchased.
Dr Anne-Marie Oostveen, a founder of the Dutch "We don't trust voting
computers" foundation, reported how in the Netherlands the government
position went from 'trust us' to uncertainty. "We don't trust voting
computers" demonstrated on national TV several important hacks on the Nedap
machines used in the majority of Dutch municipalities. The result was the
withdrawal of SDU machines from elections and the creation of an independent
commission to examine the voting process.
Colm MacCarthaigh, a founding member of Irish Citizens for Trustworthy
e-Voting, who now follows the Dutch situation since he has become resident in
The Netherlands, tied together the Dutch and Irish stories. He commented on
how the Irish independent commission's report had provided information on
the Nedap machines which had helped the Dutch activists find flaws more
quickly. The successful Dutch hacks, in their turn, helped apply more
pressure on the Irish government.
Dr Rebecca Mercuri presented the latest developments concerning voting
technology in the United States. She noted how vendors, when forced to
create voter-verified paper audit trails, had created unreliable, barely
usable systems which had created new problems of their own. In place of
e-voting machines Ms Mercuri advocated the use of paper ballots, perhaps
optically or barcode scanned. To conclude Ms Mercuri argued that Internet
voting, as proposed for the UK's 2007 pilots, was an inherently flawed
technology that should not be pursued.
One question which kept being asked after every one of our events was, why
are governments pushing so hard for e-voting technology when the problems
are so evident? We just don't understand it.
The events ended with the activists resolved to meet more often and
collaborate through a newly formed umbrella grouping, 'Europeans for
Verifiable Elections'. The Open Rights Group will continue its campaign
against e-voting in the UK and our sister organisations will carry on their
work across Europe.
Audio, video and slides from the events will be available soon
http://www.openrightsgroup.org
Europeans for Verifiable Elections
http://www.efve.eu
(Contribution by Jason Kitcat - EDRI-member Open Rights Group)
============================================================
4. Towards a committee for French on-line services regulation?
============================================================
French Internet regulation history seems to repeat itself, as a recently
unveiled draft administrative decree shows: it aims at creating a "National
Commission for the deontology of on-line public communication services".
The Commission would be in charge of elaborating "deontological
recommendations" towards professional on-line communication services,
including fixed and mobile telecom operators, ISPs, publishing and
distributing services. The Commission would also be in charge of attributing
"quality labels" to these services.
However, these recommendations would also indirectly apply
to the users of these services, through subscribing contractual
clauses, especially since a "quality label" may be withdrawn by the
Commission when it is found that "deontological recommendations" are not
respected. The Commission should consist of 23 members nominated by the
French Prime Minister for 5 years. Besides representatives of different
ministries, one magistrate and one member of the French Conseil d'Etat, the
Commission should include 14 members representing both - and in parity -
online communication services users and professionals.
French digital rights organizations quickly denounced this new
attempt at censorship. EDRI member IRIS notes that this proposal
sounds very similar to the first attempt of Internet regulation in
France in... 1996, through what was popularly called the "Fillon
Amendment" to the Telecom law. This amendment was found
unconstitutional in July 1996, and then its major provisions were
censored since, according to article 34 of the Constitution,
fundamental freedoms may only be limited by the legislator, while in
this case there were no specified binding principles for recommendations
to be made by an administrative Commission, with strong impact on
freedom of expression.
IRIS points out that these arguments of the Constitutional Council examining
the 1996 law still apply and may well be reused against a 2007
administrative decree before the competent jurisdiction.
Draft of administrative decree (in French only, 07.02.2007)
http://odebi.org/docs/Projetdecretcommissiondeontologie.pdf
Polemics on the regulation of French Internet (in French only, 09.02.2007)
http://www.01net.com/editorial/341006/legislation/polemique-autour-de-la-re…
lation-de-l-internet-francais/
APRIL Press release - Internet Regulation : always the good old
methods...(in French only, 12.02.2007)
http://www.april.org/articles/communiques/pr-20070212.html
IRIS Press release - "Fillon Amendment 2.0": help, the "public expression
deontology" returns! (in French only, 14.02.2007)
http://www.iris.sgdg.org/info-debat/comm-deontologie0207.html
(Contribution by Meryem Marzouki, EDRI-member IRIS - France)
============================================================
5. European Central Bank found accountable in the SWIFT case
============================================================
On 1 February, Peter Hustinx, the European Data Protection Supervisor (EDPS)
gave his opinion on the role of the European Central Bank (ECB) in the SWIFT
case, considering the bank as accountable along with SWIFT for failing
compliance with the European privacy laws in the secret US investigation
into terrorist finances.
By using SWIFT's services in its own payment operations, the ECB has become
a joint controller being thus co-responsible in ensuring compliance with
data protection rules, meaning observing the purpose limitation principle,
informing data subjects, and ensuring guarantees at the transfer of
personal data to third countries.
"Just as other banks, the ECB cannot escape some responsibilities in the
SWIFT case which has breached the trust and private lives of many millions
of people. Secret, routine and massive access of third country authorities
to banking data is unacceptable. The financial community should therefore
provide payment systems which do not violate European data protection laws"
affirmed Hustinx in a written statement. He gave the ECB until April to
demonstrate that it complies with data protection laws.
However, the ECB does not admit any responsibility in the matter considering
data protection was not its concern but financial stability was. It also
considers the legislators should have given clearer guidance.
"The monitoring of SWIFT activities that do not affect financial stability
is not a matter for central bank oversight and, therefore, the US Treasury
subpoenas of SWIFT were outside the purview of central bank oversight. The
Oversight Group has no authority to oversee SWIFT with regard to compliance
with data protection laws," was ECB statement.
The bank said it would notify the organisations for whom it conducts
transactions and ask for their consent before sharing their data. It also
appreciated the initiative of the EU and US data protection authorities,
intelligence agencies and financial regulators to find a way to properly
monitor international organisations like SWIFT.
The EDPS also addressed the ECB asking them to transfer data to third
parties only when they can guarantee the privacy protection of the owners of
the data transferred. The punitive actions that Hustinx could take against
ECB are limited. As SWIFT has no credible alternative, asking the ECB to
stop using their services would not be a reasonable measure.
EDPS calls on ECB to ensure that European payment systems comply with data
protection law - Press release (1.02.2007)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/…
essNews/Press/2007/EDPS-2007-1-EN_SWIFT.pdf
ECB blamed (again) for SWIFT privacy debacle (1.02.2007)
http://www.theregister.co.uk/2007/02/01/ecb_swift_edps/
Hands off our bank data, Europe tells US (23.11.2006)
http://www.theregister.co.uk/2006/11/23/ec_swift_ruling/
EDRI-gram: SWIFT found in breach of Belgian laws (11.10.2006)
http://www.edri.org/edrigram/number4.19/swift
============================================================
6. Belgium court backs decision against Google
============================================================
In the case brought by Copiepresse, a trade group representing 17 Belgium
newspapers, against Google for publishing links to newspaper articles
without permission, the Brussels Tribunal upheld its previous decision and
ruled that Google violated the copyright law.
Google was ordered to remove Belgian newspaper content from its search
engine results. The search engine is no longer allowed to refer to articles,
pictures or drawings of Copiepress members without previous agreements that
are to be negotiated, non-compliance being fined 25 000 Euros per day.
The ruling also says that any other copyright holder could get in touch
with Google and notify its copyright infringement. In this case Google has
to remove the content within 24 hours or pay a 1 000 euros a day fine.
Google will appeal the judgment as it considers that making reference to a
page is no violation of the law and is actually in favour of the Belgian
newspapers by sending Internet users to their websites.
"Search tools such as Google Web Search and Google News are of real benefit
to publishers because they drive valuable traffic to their websites and
connect them to a wider global audience," said the Google spokeswoman.
Some Belgian journalists have also considered that the court ruling will
lead to newspapers losing readers as the traditional print newspapers are
in decline.
"We want more readers, not less readers. Belgian newspapers will not make
the internet work by trying to stand against the tide of global change,"
said a journalist.
The Belgian press plays who-loses-wins with Google (Only in
French, 13.02.2007)
http://www.lemonde.fr/web/article/0,1-0@2-651865,36-866673@51-837044,0.html
Google must respect copyright (Only in French 13.02.2007)
http://www.rtbf.be/info/societe/ARTICLE_070337
Google to pay £2.4m over 'copyright breach' (13.02.2007)
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/02/13/wgoogle113.…
l
Google will appeal Copiepresse decision (13.02.2007)
http://www.out-law.com/page-7758
Belgian Court Decision (13.02.2007)
http://www.copiepresse.be/copiepresse_google.pdf
EDRI-gram : Belgium says no to Google News (26.09.2006)
http://www.edri.org/edrigram/number4.18/google_be
============================================================
7. European institutions try to impose a stronger position in the PNR debate
============================================================
The European Parliament intends to strengthen its opposition to the US
demands related to the transfer of European air passenger data (PNR).
Following the debate that took place on 31 January 2007 in the European
Parliament, the vote on the position the EU should take concerning the new
PNR agreement to be signed with the USA on 31 July 2007 was delayed.
The end of the temporary agreement with the US is getting closer and the US
maintains its threat to fine non-compliant airlines and deny them landing
rights in the US. The American authorities have already indicated that they
have no intention of changing the terms of the agreement towards better data
protection and privacy standards.
The Commission and the Council of Ministers have come to join the EP in its
position to this matter and they are very likely to ask for a shorter list
of data categories and the limitation of the access to these data only to US
immigration officers.
Very strong positions were expressed during the session by Guenther Gloser,
Germany's deputy foreign minister and the European commissioner in charge of
justice and home affairs issues, Franco Frattini.
"There is therefore the need to negotiate a very solid and stable legal
framework which will enable the exchange of PNR data with the United States
with full respect of data protection and privacy rights." said Frattini.
He expressed his concern related to the U.S. Automated Targeting System, a
system by means of which millions of people have been assessed since 2002,
information made public only recently. The system is considered illegal even
in the US by Congress and some privacy advocates.
The Commissioner also added: "I have said on a number of occasions that the
right to privacy is for me non-negotiable. It has to be respected, fully and
completely. Legal certainty is also an important element for air-carriers.
It must be taken into account, as it has been from the very beginning. ...the
Commission is committed to continuing to give due consideration to privacy
on the one hand and legal security on the other, as they form key principles
of this file, without forgetting the importance of preventing and fighting
terrorism and related transnational crimes."
He also stressed the fact that the negotiations would be very challenging
requiring imagination and effort both from EU institutions as well as from
the US "in order to reach a very robust, solid solution."
In the absence of an agreement, the airlines will be placed in a very
delicate situation, between being fined by the US for failing to provide the
data and being sued for not complying with European data protection laws if
they do so.
New developments in this matter will probably occur during this week's EP
session.
Data transfer to US: MEPs raise pressure (1.02.2007)
http://www.euractiv.com/en/justice/data-transfer-us-meps-raise-pressure/art…
le-161367
Europe preps for battle with U.S. over traveller data (1.02.2007)
http://www.infoworld.com/article/07/02/01/HNbattleontravelerdata_1.html
European Parliament: Joint debate on a new agreement on Passenger Name
Records (PNR) and on SWIFT data (31.01.2007)
http://www.euractiv.com/29/images/PNR+SWIFT_tcm29-161379.pdf
EDRI-gram : EU-US PNR agreement formally adopted by the EU Council
(25.10.2006)
http://www.edri.org/edrigram/number4.20/pnr
============================================================
8. Bulgaria fails to protect citizens' personal data
============================================================
A recent report made public by the Bulgarian National Audit Office about the
activity of the Commission for Personal Data Protection (CPDP) in Bulgaria
in the period 1 January 2003 - 31 December 2005 shows that the CPDP has failed
in achieving its main purpose - to protect citizens' personal data.
Parts of the National Audit Office report have been translated by the Bulgarian
NGO Access to Information Programme and published on Statewatch. According
to the report, the CPDP has spent approx. 1.35 million Euro on its
activities, but has completed only 17 investigations of citizens'
complaints. The Commission has failed to create the mandatory registry of
personal data processors and hasn't imposed any sanction so far.
Moreover, there is no policy in place, strategy or established goals for the
personal data protection field. The National Audit Office has considered
that CPDP did not function as a permanent working body since the main part
of its staff has predominantly maintained working relations with other
employers.
The report noted that no legal provision regulates the registration
procedure, and that the CPDP had not adopted written rules, procedures and
methodology for exercising control over the activities of the
administrators. The objects of control, the types of control activities and
their scope are not explicitly defined, and the powers of the controllers are
defined vaguely and incompletely.
The flaws of the present data protection legislation and its implementation
have been highlighted by Access to Information Programme. The insufficient
protection of personal data in Bulgaria was criticized in the European
Commission monitoring reports in the pre-accession process, as well.
Bulgaria: The Commission for Personal Data Protection in Bulgaria has done
little for the protection of personal data - 1.35 million Euro were spent
instead (01.02.2007)
http://www.statewatch.org/news/2007/feb/01bulgaria-dp.htm
Audit Report of the CPDP (only in Bulgarian, 30.01.2007)
http://www.bulnao.government.bg/pages.html?catID=18
Access to Information Programme - Bulgaria
http://www.aip-bg.org
============================================================
9. House of Lords produces report against the AVMS directive
============================================================
A report of the Lords European Union Committee offered new reasons to oppose
the Commission's draft Audiovisual Media Services Directive (AVMS),
successor to the Television Without Frontiers Directive, which would extend
television regulation to some Internet video services.
The Directive was approved in its first reading by the Parliament in
December 2006 and should be backed now by the Council of Ministers.
The Directive, as it is now drafted, applies only to commercial TV-like
services, but concerns still exist on the vagueness of what this would cover
and the fear that the regulation might be wrongly applied to other content
such as that of blogs.
Lord Freeman, chairman of the Lords European Union Committee stated: "Such
an attempt risks damaging the new media industry, which is a vibrant and
important sector of the UK's economy."
The report warned that the Directive might cause production companies to
move outside the EU to escape the regulation, considering that the UK would
be one of the main victims of such a move.
The Lords committee considers that EU as regulator should not help to
preserve the dominance of the players already established on the market and
does not see the necessity to introduce "quantitative restrictions on
advertising in a market which is now clearly open to competition".
"We are concerned that the identification of some of media services as
'television-like', may lead some to conclude that eventually 'like services'
should be regulated in a 'like-manner', i.e. a perfectly 'level playing
field'," said the report. "If these services are to be included at all we
agree that they must be regulated differently, but the wording and
definitions in the latest versions of the text may encourage the idea that
they can and should be regulated in the same way as television. We would
consider such a move now or in the future to be a grave error."
The EU presidency, presently held by Germany, expressed its wish to finalise
the Directive by June 2007. The new act should be implemented within 2 years
into the national legislations of the member countries.
Television Without Frontiers - Report with Evidence - House of Lords -
European Union Committee, 3rd Report of Session 2006-07 (23.01.2007)
http://www.publications.parliament.uk/pa/ld200607/ldselect/ldeucom/27/27.pdf
Lords oppose new media Directive (8.02.2007)
http://www.out-law.com/page-7742
EDRI-gram: New Audiovisual Directive: First Reading in EU Parliament
completed (20.12.2006)
http://www.edri.org/edrigram/number4.24/avms
EP Legislative Observatory AVMS Directive file
http://www.europarl.europa.eu/oeil/file.jsp?id=5301252
============================================================
10. French Court decides on the sequel of Les Miserables
============================================================
The French Cour de Cassation (the highest Appeal Court in France) has taken
a decision regarding a sequel of the famous French book Les Miserables,
which was contested by one of the descendants of Victor Hugo. The Court
has refused to ban the appearance of the sequel and has taken into
consideration the right of adaptation and not just the moral right of
integrity. However, the procedure is not over yet.
The case started six years ago when the great-great-grandson of Victor
Hugo, Pierre Hugo, considered that two books published and marketed by Plon
publisher as the sequels of the famous "Les Miserables" were breaching
the moral rights of the author.
Victor Hugo's masterpiece is in the public domain, but, under the French
law, the moral rights of the author are considered timeless and are passed
on to descendants.
The Court of Appeal decided in March 2004 that Hugo's heirs were right in
their demands and ordered Plon to pay a symbolic 1 Euro as damages.
The Appeal Court considered that no sequel could be made to such a
masterpiece as Les Miserables without breaching the moral right of the
author, who considered his work complete. However, Plon appealed the
decision to the Cour de Cassation.
The Cour de Cassation has reached a different conclusion. It considered that
a sequel of a work is mainly related to the right of adaptation, which is
one of the limited rights of the author (it expires seventy years after
the author's death), contrary to the moral rights, which are timeless. Since
the work is in the public domain, anyone has the right to write a sequel to
that work. A different opinion would mean the extension of this limited
right and a violation of the freedom to create new works. Therefore the mere
writing of a sequel could not be considered a breach of the moral rights
attached to a work, irrespective of the sequel's quality.
Consequently, the case was sent back to the Court of Appeal, where
different judges should consider whether the two books really infringe the
moral rights of the author.
Les Miserables, sequel or end? (only in French, 2.02.2007)
http://www.lesechos.fr/info/metiers/4532468.htm
Heir of Victor Hugo fails to stop Les Mis II (31.01.2007)
http://www.guardian.co.uk/international/story/0,,2002303,00.html
============================================================
11. Recommended reading
============================================================
Data Protection Working Party - Opinion 1/2007 on the Green Paper on
Detection Technologies in the Work of Law Enforcement, Customs and other
Security Authorities
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp129_en.pdf
============================================================
12. Agenda
============================================================
15-16 February 2007, Brussels, Belgium
Scientific Publishing in the European Research Area
Access, Dissemination and Preservation in the Digital Age
http://ec.europa.eu/research/science-society/page_en.cfm?id=3459
19-23 February 2007, Geneva, Switzerland
Provisional Committee on Proposals Related to a WIPO Development Agenda:
Third Session
http://www.wipo.int/meetings/en/details.jsp?meeting_id=11926
18-20 February 2007, Salamanca, Spain
International Association for Development of the
Information Society Web Based Communities 2007 Conference
http://www.webcommunities-conf.org
22 February 2007, Amsterdam, Netherlands
The Future of Ambient Intelligence
http://www.clubofamsterdam.com/event.asp?contentid=653
13-14 March 2007 Brussels, Belgium
The EU RFID Forum 2007
http://ec.europa.eu/information_society/policy/rfid/conference2007_reg/inde…
en.htm
16 March 2007, Hannover, Germany
European Commission conference on Mobile TV at CeBIT
http://ec.europa.eu/information_society/events/cebit_07/index_en.htm
1-4 May 2007, Montreal, Canada
7th Conference on Computers, Freedom, and Privacy (CFP2007)
http://www.cfp2007.org/live/
18-19 May 2007, Brasov, Romania
eLiberatica - The Benefits of Open and Free Technologies - Romanian IT Open
Source and Free Software Conference
http://www.eliberatica.ro/
============================================================
13. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 25 members from 16 European countries.
European Digital Rights takes an active interest in developments in the EU
accession countries and wants to share knowledge and awareness through the
EDRI-grams. All contributions, suggestions for content, corrections or
agenda-tips are most welcome. Errors are corrected as soon as possible and
visibly on the EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
CRYPTO-GRAM
August 15, 2009
by Bruce Schneier
Chief Security Technology Officer, BT
schneier(a)schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0908.html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Risk Intuition
Privacy Salience and Social Networking Sites
Building in Surveillance
News
Laptop Security while Crossing Borders
Self-Enforcing Protocols
Schneier News
Another New AES Attack
Lockpicking and the Internet
Comments from Readers
** *** ***** ******* *********** *************
Risk Intuition
People have a natural intuition about risk, and in many ways it's very
good. It fails at times due to a variety of cognitive biases, but for
normal risks that people regularly encounter, it works surprisingly
well: often better than we give it credit for. This struck me as I
listened to yet another conference presenter complaining about security
awareness training. He was talking about the difficulty of getting
employees at his company to actually follow his security policies:
encrypting data on memory sticks, not sharing passwords, not logging in
from untrusted wireless networks. "We have to make people understand the
risks," he said.
It seems to me that his co-workers understand the risks better than he
does. They know what the real risks are at work, and that they all
revolve around not getting the job done. Those risks are real and
tangible, and employees feel them all the time. The risks of not
following security procedures are much less real. Maybe the employee
will get caught, but probably not. And even if he does get caught, the
penalties aren't serious.
Given this accurate risk analysis, any rational employee will regularly
circumvent security to get his or her job done. That's what the company
rewards, and that's what the company actually wants.
"Fire someone who breaks security procedure, quickly and publicly," I
suggested to the presenter. "That'll increase security awareness faster
than any of your posters or lectures or newsletters." If the risks are
real, people will get it.
You see the same sort of risk intuition on motorways. People are less
careful about posted speed limits than they are about the actual speeds
police issue tickets for. It's also true on the streets: people respond
to real crime rates, not public officials proclaiming that a
neighborhood is safe.
The warning stickers on ladders might make you think the things are
considerably riskier than they are, but people have a good intuition
about ladders and ignore most of the warnings. (This isn't to say that
some people don't do stupid things around ladders, but for the most part
they're safe. The warnings are more about the risk of lawsuits to ladder
manufacturers than risks to people who climb ladders.)
As a species, we are naturally tuned in to the risks inherent in our
environment. Throughout our evolution, our survival depended on making
reasonably accurate risk management decisions intuitively, and we're so
good at it, we don't even realize we're doing it.
Parents know this. Children have surprisingly perceptive risk intuition.
They know when parents are serious about a threat and when their threats
are empty. And they respond to the real risks of parental punishment,
not the inflated risks based on parental rhetoric. Again, awareness
training lectures don't work; there have to be real consequences.
It gets even weirder. The University College London professor John Adams
popularized the metaphor of a mental risk thermostat. We tend to seek
some natural level of risk, and if something becomes less risky, we tend
to make it more risky. Motorcycle riders who wear helmets drive faster
than riders who don't.
Our risk thermostats aren't perfect (that newly helmeted motorcycle
rider will still decrease his overall risk) and will tend to remain
within the same domain (he might drive faster, but he won't increase his
risk by taking up smoking), but in general, people demonstrate an innate
and finely tuned ability to understand and respond to risks.
Of course, our risk intuition fails spectacularly and often, with
regards to rare risks, unknown risks, voluntary risks, and so on. But
when it comes to the common risks we face every day -- the kinds of
risks our evolutionary survival depended on -- we're pretty good.
So whenever you see someone in a situation who you think doesn't
understand the risks, stop first and make sure you understand the risks.
You might be surprised.
This essay previously appeared in The Guardian.
http://www.guardian.co.uk/technology/2009/aug/05/bruce-schneier-risk-securi…
or http://tinyurl.com/ngu224
Risk thermostat:
http://www.amazon.com/Risk-John-Adams/dp/1857280687/ref=sr_1_1?ie=UTF8&…
or http://tinyurl.com/kwmuz9
http://davi.poetry.org/blog/?p=4492
Failures in risk intuition
http://www.schneier.com/essay-155.html
http://www.schneier.com/essay-171.html
** *** ***** ******* *********** *************
Privacy Salience and Social Networking Sites
Reassuring people about privacy makes them more, not less, concerned.
It's called "privacy salience," and Leslie John, Alessandro Acquisti,
and George Loewenstein -- all at Carnegie Mellon University --
demonstrated this in a series of clever experiments. In one, subjects
completed an online survey consisting of a series of questions about
their academic behavior -- "Have you ever cheated on an exam?" for
example. Half of the subjects were first required to sign a consent
warning -- designed to make privacy concerns more salient -- while the
other half did not. Also, subjects were randomly assigned to receive
either a privacy confidentiality assurance, or no such assurance. When
the privacy concern was made salient (through the consent warning),
people reacted negatively to the subsequent confidentiality assurance
and were less likely to reveal personal information.
In another experiment, subjects completed an online survey where they
were asked a series of personal questions, such as "Have you ever tried
cocaine?" Half of the subjects completed a frivolous-looking survey --
"How BAD are U??" -- with a picture of a cute devil. The other half
completed the same survey with the title "Carnegie Mellon University
Survey of Ethical Standards," complete with a university seal and
official privacy assurances. The results showed that people who were
reminded about privacy were less likely to reveal personal information
than those who were not.
Privacy salience does a lot to explain social networking sites and their
attitudes towards privacy. From a business perspective, social
networking sites don't want their members to exercise their privacy
rights very much. They want members to be comfortable disclosing a lot
of data about themselves.
Joseph Bonneau and Soeren Preibusch of Cambridge University have been
studying privacy on 45 popular social networking sites around the world.
(You may not have realized that there *are* 45 popular social networking
sites around the world.) They found that privacy settings were often
confusing and hard to access; Facebook, with its 61 privacy settings, is
the worst. To understand some of the settings, they had to create
accounts with different settings so they could compare the results.
Privacy tends to increase with the age and popularity of a site.
General-use sites tend to have more privacy features than niche sites.
But their most interesting finding was that sites consistently hide any
mentions of privacy. Their splash pages talk about connecting with
friends, meeting new people, sharing pictures: the benefits of
disclosing personal data.
These sites do talk about privacy, but only on hard-to-find privacy
policy pages. There, the sites give strong reassurances about their
privacy controls and the safety of data members choose to disclose on
the site. There, the sites display third-party privacy seals and other
icons designed to assuage any fears members have.
It's the Carnegie Mellon experimental result in the real world. Users
care about privacy, but don't really think about it day to day. The
social networking sites don't want to remind users about privacy, even
if they talk about it positively, because any reminder will result in
users remembering their privacy fears and becoming more cautious about
sharing personal data. But the sites also need to reassure those
"privacy fundamentalists" for whom privacy is always salient, so they
have very strong pro-privacy rhetoric for those who take the time to
search them out. The two different marketing messages are for two
different audiences.
Social networking sites are improving their privacy controls as a result
of public pressure. At the same time, there is a counterbalancing
business pressure to decrease privacy; watch what's going on right now
on Facebook, for example. Naively, we should expect companies to make
their privacy policies clear to allow customers to make an informed
choice. But the marketing need to reduce privacy salience will frustrate
market solutions to improve privacy; sites would much rather obfuscate
the issue than compete on it as a feature.
This essay originally appeared in the Guardian.
http://www.guardian.co.uk/technology/2009/jul/15/privacy-internet-facebook
or http://tinyurl.com/ml7kv4
Privacy experiments:
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1430482
Privacy and social networking sites:
http://www.cl.cam.ac.uk/~jcb82/doc/privacy_jungle_bonneau_preibusch.pdf
Facebook:
http://www.insidefacebook.com/2009/05/13/facebook-privacy-guide/
http://www.nytimes.com/external/readwriteweb/2009/06/24/24readwriteweb-the-…
or http://tinyurl.com/lgpfh8
http://www.allfacebook.com/2009/02/facebook-privacy
** *** ***** ******* *********** *************
Building in Surveillance
China is the world's most successful Internet censor. While the Great
Firewall of China isn't perfect, it effectively limits information
flowing in and out of the country. But now the Chinese government is
taking things one step further.
Under a requirement taking effect soon, every computer sold in China
will have to contain the Green Dam Youth Escort software package.
Ostensibly a pornography filter, it is government spyware that will
watch every citizen on the Internet.
Green Dam has many uses. It can police a list of forbidden Web sites. It
can monitor a user's reading habits. It can even enlist the computer in
some massive botnet attack, as part of a hypothetical future cyberwar.
China's actions may be extreme, but they're not unique. Democratic
governments around the world -- Sweden, Canada and the United Kingdom,
for example -- are rushing to pass laws giving their police new powers
of Internet surveillance, in many cases requiring communications system
providers to redesign products and services they sell.
Many are passing data retention laws, forcing companies to keep
information on their customers. Just recently, the German government
proposed giving itself the power to censor the Internet.
The United States is no exception. The 1994 CALEA law required phone
companies to facilitate FBI eavesdropping, and since 2001, the NSA has
built substantial eavesdropping systems in the United States. The
government has repeatedly proposed Internet data retention laws,
allowing surveillance into past activities as well as present.
Systems like this invite criminal appropriation and government abuse.
New police powers, enacted to fight terrorism, are already used in
situations of normal crime. Internet surveillance and control will be no
different.
Official misuses are bad enough, but the unofficial uses worry me more.
Any surveillance and control system must itself be secured. An
infrastructure conducive to surveillance and control invites
surveillance and control, both by the people you expect and by the
people you don't.
China's government designed Green Dam for its own use, but it's been
subverted. Why does anyone think that criminals won't be able to use it
to steal bank account and credit card information, use it to launch
other attacks, or turn it into a massive spam-sending botnet?
Why does anyone think that only authorized law enforcement will mine
collected Internet data or eavesdrop on phone and IM conversations?
These risks are not theoretical. After 9/11, the National Security
Agency built a surveillance infrastructure to eavesdrop on telephone
calls and e-mails within the United States.
Although procedural rules stated that only non-Americans and
international phone calls were to be listened to, actual practice didn't
always match those rules. NSA analysts collected more data than they
were authorized to, and used the system to spy on wives, girlfriends,
and famous people such as President Clinton.
But that's not the most serious misuse of a telecommunications
surveillance infrastructure. In Greece, between June 2004 and March
2005, someone wiretapped more than 100 cell phones belonging to members
of the Greek government -- the prime minister and the ministers of
defense, foreign affairs and justice.
Ericsson built this wiretapping capability into Vodafone's products, and
enabled it only for governments that requested it. Greece wasn't one of
those governments, but someone still unknown -- a rival political party?
organized crime? -- figured out how to surreptitiously turn the feature on.
Researchers have already found security flaws in Green Dam that would
allow hackers to take over the computers. Of course there are additional
flaws, and criminals are looking for them.
Surveillance infrastructure can be exported, which also aids
totalitarianism around the world. Western companies like Siemens, Nokia,
and Secure Computing built Iran's surveillance infrastructure. U.S.
companies helped build China's electronic police state. Twitter's
anonymity saved the lives of Iranian dissidents -- anonymity that many
governments want to eliminate.
Every year brings more Internet censorship and control -- not just in
countries like China and Iran, but in the United States, the United
Kingdom, Canada and other free countries.
The control movement is egged on by both law enforcement, trying to
catch terrorists, child pornographers and other criminals, and by media
companies, trying to stop file sharers.
It's bad civic hygiene to build technologies that could someday be used
to facilitate a police state. No matter what the eavesdroppers and
censors say, these systems put us all at greater risk. Communications
systems that have no inherent eavesdropping capabilities are more secure
than systems with those capabilities built in.
This essay previously appeared -- albeit with fewer links -- on the
Minnesota Public Radio website.
http://minnesota.publicradio.org/display/web/2009/07/30/schneier/
A copy of this essay, with all embedded links, is here:
http://www.schneier.com/blog/archives/2009/08/building_in_sur.html
** *** ***** ******* *********** *************
News
Data can leak through power lines; the NSA has known about this for decades:
http://news.bbc.co.uk/2/hi/technology/8147534.stm
These days, there's a lot of open research on side channels.
http://www.schneier.com/blog/archives/2008/10/remotely_eavesd.html
http://www.schneier.com/blog/archives/2009/06/eavesdropping_o_3.html
http://www.schneier.com/paper-side-channel.html
South Africa takes its security seriously. Here's an ATM that
automatically squirts pepper spray into the faces of "people tampering
with the card slots." Sounds cool, but these kinds of things are all
about false positives:
http://www.guardian.co.uk/world/2009/jul/12/south-africa-cash-machine-peppe…
or http://tinyurl.com/nj5zks
Cybercrime paper: "Distributed Security: A New Model of Law
Enforcement," Susan W. Brenner and Leo L. Clarke. It's from 2005, but
I'd never seen it before.
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=845085
Cryptography has zero-knowledge proofs, where Alice can prove to Bob
that she knows something without revealing it to Bob. Here's something
similar from the real world. It's a research project to allow weapons
inspectors from one nation to verify the disarming of another nation's
nuclear weapons without learning any weapons secrets in the process,
such as the amount of nuclear material in the weapon.
http://news.bbc.co.uk/2/hi/europe/8154029.stm
I wrote about mapping drug use by testing sewer water in 2007, but
there's new research:
http://www.schneier.com/blog/archives/2009/07/mapping_drug_us.html
Excellent article detailing the Twitter attack.
http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/
or http://tinyurl.com/lderkq
Social Security numbers are not random. In some cases, you can predict
them with date and place of birth.
http://www.nhregister.com/articles/2009/07/07/news/a1_--_id_theft.txt
http://redtape.msnbc.com/2009/07/theres-a-new-reason-to-worry-about-the-sec…
or http://tinyurl.com/n8o7kf
http://www.wired.com/wiredscience/2009/07/predictingssn/
http://www.cnn.com/2009/US/07/10/social.security.numbers/index.html
http://www.pnas.org/content/106/27/10975
http://www.pnas.org/content/early/2009/07/02/0904891106.full.pdf
http://www.heinz.cmu.edu/~acquisti/ssnstudy/
I don't see any new insecurities here. We already know that Social
Security numbers are not secrets. And anyone who wants to steal a
million SSNs is much more likely to break into one of the gazillion
databases out there that store them.
NIST has announced the 14 SHA-3 candidates that have advanced to the
second round: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grostl,
Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. In
February, I chose my favorites: Arirang, BLAKE, Blue Midnight Wish,
ECHO, Grostl, Keccak, LANE, Shabal, and Skein. Of the ones NIST
eventually chose, I am most surprised to see CubeHash and most surprised
not to see LANE.
http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/submissions_rnd2.html
http://www.schneier.com/essay-249.html
http://csrc.nist.gov/groups/ST/hash/sha-3/index.html
http://www.skein-hash.info/
Nice description of the base rate fallacy.
http://news.bbc.co.uk/2/hi/uk_news/magazine/8153539.stm
This is funny: "Tips for Staying Safe Online":
http://www.schneier.com/blog/archives/2009/07/tips_for_stayin.html
Seems like the Swiss may be running out of secure gold storage. If this
is true, it's a real security issue. You can't just store the stuff
behind normal locks. Building secure gold storage takes time and money.
http://www.commodityonline.com/news/Swiss-banks-have-no-space-left-for-gold…
or http://tinyurl.com/kqpm8w
I am reminded of a related problem the EU had during the transition to
the euro: where to store all the bills and coins before the switchover
date. There wasn't enough vault space in banks, because the vast
majority of currency is in circulation. It's a similar problem,
although the EU banks could solve theirs with lots of guards, because it
was only a temporary problem.
A large sign saying "United States" at a border crossing was deemed a
security risk:
http://www.schneier.com/blog/archives/2009/07/large_signs_a_s.html
Clever new real estate scam:
http://www.schneier.com/blog/archives/2009/07/new_real_estate.html
Bypassing the iPhone's encryption. I want more technical details.
http://www.wired.com/gadgetlab/2009/07/iphone-encryption/
Excellent essay by Jonathan Zittrain on the risks of cloud computing:
http://www.nytimes.com/2009/07/20/opinion/20zittrain.html
Here's me on cloud computing:
http://www.schneier.com/blog/archives/2009/06/cloud_computing.html
More fearmongering. The headline is "Terrorists could use internet to
launch nuclear attack: report." The subhead: "The risk of
cyber-terrorism escalating to a nuclear strike is growing daily,
according to a study."
http://www.guardian.co.uk/technology/2009/jul/24/internet-cyber-attack-terr…
or http://tinyurl.com/mhfdyy
Note the weasel words in the article. The study "suggests that under
the right circumstances." We're "leaving open the possibility." The
report "outlines a number of potential threats and situations" where the
bad guys could "make a nuclear attack more likely." Gadzooks. I'm
tired of this idiocy. Stop overreacting to rare risks. Refuse to be
terrorized, people.
http://www.schneier.com/essay-171.html
http://www.schneier.com/essay-124.html
Interesting TED talk by Eve Ensler on security. She doesn't use any of
the terms, but in the beginning she's echoing a lot of the current
thinking about evolutionary psychology and how it relates to security.
http://www.ted.com/talks/eve_ensler_on_security.html
In cryptography, we've long used the term "snake oil" to refer to crypto
systems with good marketing hype and little actual security. It's the
phrase I generalized into "security theater." Well, it turns out that
there really is a snake oil salesman.
http://blogs.reuters.com/oddly-enough/2009/07/24/we-found-him-he-really-exi…
or http://tinyurl.com/mo75tu
Research that proves what we already knew: too many security warnings
results in complacency.
http://lorrie.cranor.org/pubs/sslwarnings.pdf
The New York Times has an editorial on regulating chemical plants.
http://www.nytimes.com/2009/08/04/opinion/04tue2.html
The problem is a classic security externality, which I wrote about in 2007.
http://www.schneier.com/essay-194.html
Good essay on security vs. usability: "When Security Gets in the Way."
http://jnd.org/dn.mss/when_security_gets_in_the_way.html
A 1934 story from the International Herald Tribune shows how we reacted
to the unexpected 75 years ago:
http://www.schneier.com/blog/archives/2009/08/how_we_reacted.html
New airport security hole: funny.
http://scienceblogs.com/gregladen/2009/07/overheard_at_airport.php
Here's some complicated advice on securing passwords that -- I'll bet --
no one follows. Of the ten rules, I regularly break seven. How about you?
http://windowssecrets.com/2009/08/06/01-Gmail-flaw-shows-value-of-strong-pa…
or http://tinyurl.com/px784h
Here's my advice on choosing secure passwords.
http://www.wired.com/politics/security/commentary/securitymatters/2007/01/7…
or http://tinyurl.com/2beaq2
"An Ethical Code for Intelligence Officers"
http://www.schneier.com/blog/archives/2009/08/an_ethical_code.html
Man-in-the-middle trucking attack:
http://www.schneier.com/blog/archives/2009/08/man-in-the-midd.html
"On Locational Privacy, and How to Avoid Losing it Forever"
http://www.eff.org/wp/locational-privacy
** *** ***** ******* *********** *************
Laptop Security while Crossing Borders
Last year, I wrote about the increasing propensity for governments,
including the U.S. and Great Britain, to search the contents of people's
laptops at customs. What we know is still based on anecdote, as no
country has clarified the rules about what their customs officers are
and are not allowed to do, and what rights people have.
Companies and individuals have dealt with this problem in several ways,
from keeping sensitive data off laptops traveling internationally, to
storing the data -- encrypted, of course -- on websites and then
downloading it at the destination. I have never liked either solution. I
do a lot of work on the road, and need to carry all sorts of data with
me all the time. It's a lot of data, and downloading it can take a long
time. Also, I like to work on long international flights.
There's another solution, one that works with whole-disk encryption
products like PGP Disk (I'm on PGP's advisory board), TrueCrypt, and
BitLocker: Encrypt the data to a key you don't know.
It sounds crazy, but stay with me. Caveat: Don't try this at home if
you're not very familiar with whatever encryption product you're using.
Failure results in a bricked computer. Don't blame me.
Step One: Before you board your plane, add another key to your
whole-disk encryption (it'll probably mean adding another "user") -- and
make it random. By "random," I mean really random: Pound the keyboard
for a while, like a monkey trying to write Shakespeare. Don't make it
memorable. Don't even try to memorize it.
Technically, this key doesn't directly encrypt your hard drive. Instead,
it encrypts the key that is used to encrypt your hard drive -- that's
how the software allows multiple users.
So now there are two different users named with two different keys: the
one you normally use, and some random one you just invented.
Step Two: Send that new random key to someone you trust. Make sure the
trusted recipient has it, and make sure it works. You won't be able to
recover your hard drive without it.
Step Three: Burn, shred, delete or otherwise destroy all copies of that
new random key. Forget it. If it was sufficiently random and
non-memorable, this should be easy.
Step Four: Board your plane normally and use your computer for the whole
flight.
Step Five: Before you land, delete the key you normally use.
At this point, you will not be able to boot your computer. The only key
remaining is the one you forgot in Step Three. There's no need to lie to
the customs official, which in itself is often a crime; you can even
show him a copy of this article if he doesn't believe you.
Step Six: When you're safely through customs, get that random key back
from your confidant, boot your computer and re-add the key you normally
use to access your hard drive.
And that's it.
This is by no means a magic get-through-customs-easily card. Your
computer might be impounded, and you might be taken to court and
compelled to reveal who has the random key.
But the purpose of this protocol isn't to prevent all that; it's just to
deny any possible access to your computer to customs. You might be
delayed. You might have your computer seized. (This will cost you any
work you did on the flight, but -- honestly -- at that point that's the
least of your troubles.) You might be turned back or sent home. But when
you're back home, you have access to your corporate management, your
personal attorneys, your wits after a good night's sleep, and all the
rights you normally have in whatever country you're now in.
This procedure not only protects you against the warrantless search of
your data at the border, it also allows you to deny a customs official
your data without having to lie or pretend -- which itself is often a crime.
Now the big question: Who should you send that random key to?
Certainly it should be someone you trust, but -- more importantly -- it
should be someone with whom you have a privileged relationship.
Depending on the laws in your country, this could be your spouse, your
attorney, your business partner or your priest. In a larger company, the
IT department could institutionalize this as a policy, with the help
desk acting as the key holder.
You could also send it to yourself, but be careful. You don't want to
e-mail it to your webmail account, because then you'd be lying when you
tell the customs official that there is no possible way you can decrypt
the drive.
You could put the key on a USB drive and send it to your destination,
but there are potential failure modes. It could fail to get there in
time to be waiting for your arrival, or it might not get there at all.
You could airmail the drive with the key on it to yourself a couple of
times, in a couple of different ways, and also fax the key to yourself
... but that's more work than I want to do when I'm traveling.
If you only care about the return trip, you can set it up before you
return. Or you can set up an elaborate one-time pad system, with
identical lists of keys with you and at home: Destroy each key on the
list you have with you as you use it.
Remember that you'll need to have full-disk encryption, using a product
such as PGP Disk, TrueCrypt or BitLocker, already installed and enabled
to make this work.
I don't think we'll ever get to the point where our computer data is
safe when crossing an international border. Even if countries like the
U.S. and Britain clarify their rules and institute privacy protections,
there will always be other countries that will exercise greater latitude
with their authority. And sometimes protecting your data means
protecting your data from yourself.
This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2009/07/s…
or http://tinyurl.com/nw6bkd
** *** ***** ******* *********** *************
Self-Enforcing Protocols
There are several ways two people can divide a piece of cake in half.
One way is to find someone impartial to do it for them. This works, but
it requires another person. Another way is for one person to divide the
piece, and the other person to complain (to the police, a judge, or his
parents) if he doesn't think it's fair. This also works, but still
requires another person -- at least to resolve disputes. A third way is
for one person to do the dividing, and for the other person to choose
the half he wants.
That third way, known by kids, pot smokers, and everyone else who needs
to divide something up quickly and fairly, is called cut-and-choose.
People use it because it's a self-enforcing protocol: a protocol
designed so that neither party can cheat.
Self-enforcing protocols are useful because they don't require trusted
third parties. Modern systems for transferring money -- checks, credit
cards, PayPal -- require trusted intermediaries like banks and credit
card companies to facilitate the transfer. Even cash transfers require
a trusted government to issue currency, and they take a cut in the form
of seigniorage. Modern contract protocols require a legal system to
resolve disputes. Modern commerce wasn't possible until those systems
were in place and generally trusted, and complex business contracts
still aren't possible in areas where there is no fair judicial system.
Barter is a self-enforcing protocol: nobody needs to facilitate the
transaction or resolve disputes. It just works.
Self-enforcing protocols are safer than other types because participants
don't gain an advantage from cheating. Modern voting systems are rife
with the potential for cheating, but an open show of hands in a room --
one that everyone in the room can count for himself -- is
self-enforcing. On the other hand, there's no secret ballot, late
voters are potentially subjected to coercion, and it doesn't scale well
to large elections. But there are mathematical election protocols that
have self-enforcing properties, and some cryptographers have suggested
their use in elections.
Here's a self-enforcing protocol for determining property tax: the
homeowner decides the value of the property and calculates the resultant
tax, and the government can either accept the tax or buy the home for
that price. Sounds unrealistic, but the Greek government implemented
exactly that system for the taxation of antiquities. It was the easiest
way to motivate people to accurately report the value of antiquities.
And shotgun clauses in contracts are essentially the same thing.
A VAT, or value-added tax, is a self-enforcing alternative to sales tax.
Sales tax is collected on the entire value of the thing at the point
of retail sale; both the customer and the storeowner want to cheat the
government. But VAT is collected at every step between raw materials
and that final customer; it's the difference between the price of the
materials sold and the materials bought. Buyers want official receipts
with as high a purchase price as possible, so each buyer along the chain
keeps each seller honest. Yes, there's still an incentive to cheat on
the final sale to the customer, but the amount of tax collected at that
point is much lower.
Of course, self-enforcing protocols aren't perfect. For example,
someone in a cut-and-choose can punch the other guy and run away with
the entire piece of cake. But perfection isn't the goal here; the goal
is to reduce cheating by taking away potential avenues of cheating.
Self-enforcing protocols improve security not by implementing
countermeasures that prevent cheating, but by leveraging economic
incentives so that the parties don't want to cheat.
One more self-enforcing protocol. Imagine a pirate ship that encounters
a storm. The pirates are all worried about their gold, so they put
their personal bags of gold in the safe. During the storm, the safe
cracks open, and all the gold mixes up and spills out on the floor. How
do the pirates determine who owns what? They each announce to the group
how much gold they had. If the total of all the announcements matches
what's in the pile, it's divided as people announced. If it's
different, then the captain keeps it all. I can think of all kinds of
ways this can go wrong -- the captain and one pirate can collude to
throw off the total, for example -- but it is self-enforcing against
individual misreporting.
This essay originally appeared on ThreatPost.
http://threatpost.com/blogs/value-self-enforcing-protocols
** *** ***** ******* *********** *************
Schneier News
I am speaking at the OWASP meeting in Minneapolis on August 24:
http://www.owasp.org/index.php/Minneapolis_St_Paul
Audio from my Black Hat talk is here:
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Schneier
or http://tinyurl.com/mvewwx
** *** ***** ******* *********** *************
Another New AES Attack
A new and very impressive attack against AES has just been announced.
Over the past couple of months, there have been two new cryptanalysis
papers on AES. The attacks presented in the papers are not practical --
they're far too complex, they're related-key attacks, and they're
against larger-key versions and not the 128-bit version that most
implementations use -- but they are impressive pieces of work all the same.
This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry
Khovratovich, and Adi Shamir, is much more devastating. It is a
completely practical attack against ten-round AES-256:
Abstract. AES is the best known and most widely used
block cipher. Its three versions (AES-128, AES-192, and AES-256)
differ in their key sizes (128 bits, 192 bits and 256 bits) and in
their number of rounds (10, 12, and 14, respectively). In the case
of AES-128, there is no known attack which is faster than the
2^128 complexity of exhaustive search. However, AES-192
and AES-256 were recently shown to be breakable by attacks which
require 2^176 and 2^119 time, respectively. While these
complexities are much faster than exhaustive search, they are
completely non-practical, and do not seem to pose any real threat
to the security of AES-based systems.
In this paper we describe several attacks which can break with
practical complexity variants of AES-256 whose number of rounds
are comparable to that of AES-128. One of our attacks uses only
two related keys and 2^39 time to recover the complete
256-bit key of a 9-round version of AES-256 (the best previous
attack on this variant required 4 related keys and 2^120
time). Another attack can break a 10 round version of AES-256 in
2^45 time, but it uses a stronger type of related subkey
attack (the best previous attack on this variant required 64
related keys and 2^172 time).
They also describe an attack against 11-round AES-256 that requires 2^70
time -- almost practical.
These new results greatly improve on the Biryukov, Khovratovich, and
Nikolic papers mentioned above, and a paper I wrote with six others in
2000, where we describe a related-key attack against 9-round AES-256
(then called Rijndael) in 2^224. (This again proves the cryptographer's
adage: attacks always get better, they never get worse.)
By any definition of the term, this is a huge result.
There are three reasons not to panic:
* The attack exploits the fact that the key schedule for 256-bit
version is pretty lousy -- something we pointed out in our 2000 paper --
but doesn't extend to AES with a 128-bit key.
* It's a related-key attack, which requires the cryptanalyst to have
access to plaintexts encrypted with multiple keys that are related in a
specific way.
* The attack only breaks 11 rounds of AES-256. Full AES-256 has 14 rounds.
Not much comfort there, I agree. But it's what we have.
Cryptography is all about safety margins. If you can break n rounds of
a cipher, you design it with 2n or 3n rounds. What we're learning is
that the safety margin of AES is much less than previously believed.
And while there is no reason to scrap AES in favor of another algorithm,
NIST should increase the number of rounds of all three AES variants. At
this point, I suggest AES-128 at 16 rounds, AES-192 at 20 rounds, and
AES-256 at 28 rounds. Or maybe even more; we don't want to be revising
the standard again and again.
And for new applications I suggest that people don't use AES-256.
AES-128 provides more than enough security margin for the foreseeable
future. But if you're already using AES-256, there's no reason to change.
The paper:
http://eprint.iacr.org/2009/374
Older AES cryptanalysis papers:
http://eprint.iacr.org/2009/241
http://eprint.iacr.org/2009/317
AES:
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html
http://www.schneier.com/paper-rijndael.pdf
** *** ***** ******* *********** *************
Lockpicking and the Internet
Physical locks aren't very good. They keep the honest out, but any
burglar worth his salt can pick the common door lock pretty quickly.
It used to be that most people didn't know this. Sure, we all watched
television criminals and private detectives pick locks with an ease only
found on television and thought it realistic, but somehow we still held
onto the belief that our own locks kept us safe from intruders.
The Internet changed that.
First was the MIT Guide to Lockpicking, written by the late Bob ("Ted
the Tool") Baldwin. Then came Matt Blaze's 2003 paper on breaking master
key systems. After that, came a flood of lockpicking information on the
Net: opening a bicycle lock with a Bic pen, key bumping, and more. Many
of these techniques were already known in both the criminal and
locksmith communities. The locksmiths tried to suppress the knowledge,
believing their guildlike secrecy was better than openness. But they've
lost: never has there been more public information about lockpicking --
or safecracking, for that matter.
Lock companies have responded with more complicated locks, and more
complicated disinformation campaigns.
There seems to be a limit to how secure you can make a wholly mechanical
lock, as well as a limit to how large and unwieldy a key the public will
accept. As a result, there is increasing interest in other lock
technologies.
As a security technologist, I worry that if we don't fully understand
these technologies and the new sorts of vulnerabilities they bring, we
may be trading a flawed technology for an even worse one. Electronic
locks are vulnerable to attack, often in new and surprising ways.
Start with keypads, more and more common on house doors. These have the
benefit that you don't have to carry a physical key around, but there's
the problem that you can't give someone the key for a day and then take
it away when that day is over. As such, the security decays over time --
the longer the keypad is in use, the more people know how to get in.
More complicated electronic keypads have a variety of options for
dealing with this, but electronic keypads work only when the power is
on, and battery-powered locks have their own failure modes. Plus, far
too many people never bother to change the default entry code.
Keypads have other security failures, as well. I regularly see keypads
where four of the 10 buttons are more worn than the other six. They're
worn from use, of course, and instead of 10,000 possible entry codes, I
now have to try only 24.
Fingerprint readers are another technology, but there are many known
security problems with those. And there are operational problems, too:
They're hard to use in the cold or with sweaty hands; and leaving a key
with a neighbor to let the plumber in starts having a spy-versus-spy feel.
Some companies are going even further. Earlier this year, Schlage
launched a series of locks that can be opened either by a key, a
four-digit code, or the Internet. That's right: The lock is online. You
can send the lock SMS messages or talk to it via a website, and the lock
can send you messages when someone opens it -- or even when someone
tries to open it and fails.
Sounds nifty, but putting a lock on the Internet opens up a whole new
set of problems, none of which we fully understand. Even worse: Security
is only as strong as the weakest link. Schlage's system combines the
inherent "pickability" of a physical lock, the new vulnerabilities of
electronic keypads, and the hacking risk of online. For most
applications, that's simply too much risk.
This essay previously appeared on DarkReading.com.
http://www.darkreading.com/blog/archives/2009/08/locks.html
A copy of this essay, with all embedded links, is here:
http://www.schneier.com/blog/archives/2009/08/lockpicking_and.html
** *** ***** ******* *********** *************
Comments from Readers
There are thousands of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join in.
http://www.schneier.com/blog
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues
are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
Phelix, and Skein algorithms. He is the Chief Security Technology
Officer of BT BCSG, and is on the Board of Directors of the Electronic
Privacy Information Center (EPIC). He is a frequent writer and lecturer
on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2009 by Bruce Schneier.
----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
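The "Laptop Security while Crossing Borders" essay above rests on one property of whole-disk encryption products: each "user" key does not encrypt the disk itself but wraps the single data encryption key (DEK), so slots can be added and removed without re-encrypting anything. The following is an added example, not code from Crypto-Gram, PGP Disk, TrueCrypt or BitLocker; it models a header with named key slots and walks through the six steps, so you can see exactly which state the volume is in at the border. The header layout is a constructed stand-in: real products wrap the DEK with a block cipher, whereas here each slot wraps it with an HMAC-SHA256-derived pad under a scrypt-derived key-encryption key (KEK), with an HMAC tag so a wrong key is rejected instead of silently producing garbage. All passphrases and keys in it are constructed sample values.

```python
"""Model of a multi-slot whole-disk encryption header and the six-step
border-crossing procedure. Added example; not the code of any real product.
"""
import hashlib
import hmac
import os
import secrets


class LockedOut(Exception):
    """Raised when no usable slot/passphrase combination unlocks the volume."""


def _kek(passphrase: bytes, salt: bytes) -> bytes:
    # Slow KDF so a passphrase slot resists brute force. The random travel key
    # does not need stretching, but one code path keeps the model simple.
    return hashlib.scrypt(passphrase, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def _pad(kek: bytes) -> bytes:
    # 32-byte wrapping pad for a 32-byte DEK; the per-slot salt makes it unique.
    return hmac.new(kek, b"dek-wrap", hashlib.sha256).digest()


def add_slot(header: dict, dek: bytes, user: str, passphrase: bytes) -> None:
    """Wrap the (already unlocked) DEK under a new user's passphrase."""
    salt = os.urandom(16)
    kek = _kek(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, _pad(kek)))
    tag = hmac.new(kek, b"dek-auth" + wrapped, hashlib.sha256).digest()
    header[user] = {"salt": salt, "wrapped": wrapped, "tag": tag}


def remove_slot(header: dict, user: str) -> None:
    """Delete a slot; the DEK stays recoverable only through the other slots."""
    header.pop(user)


def unlock(header: dict, user: str, passphrase: bytes) -> bytes:
    """Return the DEK, or raise LockedOut if the slot or passphrase is wrong."""
    slot = header.get(user)
    if slot is None:
        raise LockedOut(f"no slot named {user!r}")
    kek = _kek(passphrase, slot["salt"])
    expect = hmac.new(kek, b"dek-auth" + slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, slot["tag"]):
        raise LockedOut("passphrase does not open this slot")
    return bytes(a ^ b for a, b in zip(slot["wrapped"], _pad(kek)))


def can_unlock(header: dict, user: str, passphrase: bytes) -> bool:
    try:
        unlock(header, user, passphrase)
        return True
    except LockedOut:
        return False


def border_crossing_demo() -> dict:
    """Walk the six steps of the essay and record what each checkpoint sees."""
    normal_pw = b"constructed sample passphrase"  # the key you normally use
    dek = secrets.token_bytes(32)                 # fixed when the volume was created
    header: dict = {}
    add_slot(header, dek, "normal", normal_pw)
    result = {"normal_works_before_flight": can_unlock(header, "normal", normal_pw)}

    # Step One: add a second user whose key is truly random and unmemorable.
    travel_key = secrets.token_bytes(32)
    add_slot(header, dek, "travel", travel_key)
    # Step Two: give the key to a confidant and confirm that copy works.
    confidant_copy = travel_key
    result["confidant_copy_works"] = can_unlock(header, "travel", confidant_copy)
    # Step Three: destroy every local copy; the traveller now holds nothing.
    del travel_key
    # Step Four: work normally during the flight (no change to the header).
    # Step Five: before landing, delete the slot you normally use.
    remove_slot(header, "normal")
    result["remaining_slots_at_border"] = sorted(header)
    result["normal_works_at_border"] = can_unlock(header, "normal", normal_pw)
    # A wrong key on the surviving slot is rejected by the tag, not decrypted.
    result["wrong_key_works_at_border"] = can_unlock(header, "travel", b"wrong")
    # Step Six: through customs, recover the key and re-add the normal slot.
    recovered = unlock(header, "travel", confidant_copy)
    result["dek_recovered_after_customs"] = recovered == dek
    add_slot(header, recovered, "normal", normal_pw)
    result["normal_works_after_readd"] = can_unlock(header, "normal", normal_pw)
    return result


if __name__ == "__main__":
    for step, outcome in border_crossing_demo().items():
        print(f"{step}: {outcome}")
```

The model makes the essay's caveat concrete: between Step Five and Step Six the only slot left is "travel", and the traveller holds no key that opens it, so the volume is unbootable by anyone on the plane. It also shows why Step Two's "make sure it works" check matters: if the confidant's copy had been wrong, the `unlock` in Step Six would raise `LockedOut` and nothing else could recover the DEK.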
AT&T
Spaf and Dave, I was watching CNN where they were interviewing a
former CIA head, who was talking about the CIA whistleblower who was
fired a few months back.
He pointed out that while leaking any classified information to the
press is a definite no no, there are plenty of avenues for whistle
blowers, such as approaching the senate / congressional committees
that have oversight over Intelligence. He also mentioned another
internal grievance handling channel that could have been used.
These committees are bilateral, and do take action more often than
not - according to what I heard on CNN (and based on what I have read
about these committees and how they work).
suresh
David Farber wrote:
> From: Gene Spafford <spaf(a)cerias.purdue.edu>
> Anyone with a security clearance, a military commission, or
> Federal office swears an oath to uphold the Constitution and the
> laws of the United States. If that person observes activity that
> he/she judges to be violations of the Constitution committed under
> color of authority, then how can the oath be upheld without
> possibly disclosing information? Given a choice between upholding
> the Constitution or being compliant with orders intended to cover
> up violations of law seems to be clear although potentially
> fraught with personal danger.
-------------------------------------
You are subscribed as web(a)reportica.net
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
--
Sheryl Coe
web(a)reportica.net
Reportica
www.Reportica.net
______________________
----- End forwarded message -----
AT&T [Whistleblower Protection]
Many do not know that intelligence employees are excluded by law from
whistleblower protection under the Patriot Act and previous law as well.
Until we have slogged through the fine print, we just don't know what
is legal anymore. Whistleblowers have had a very hard time being
'seen' by congressional committees. Whistleblowers like Sibel Edmonds
are treated like hot potatoes until they leak to the press and a
groundswell of concern forces congress to invite them into a closed
session. And then... not much happens. That's just where we find
ourselves in 2006 in America...
This is one key to the popularity of the relatively new blogger Glenn
Greenwald (author of new book, see his site below). He's just one
person, but he tries to do the legwork to actually read the laws,
such as the Patriot Act, that our 'lawmakers' pass without reading.
He's just one person, but that's the work that needs to be done.
- Sheryl Coe
Glenn Greenwald, of Unclaimed Territory
Original: http://glenngreenwald.blogspot.com/2006/05/no-need-for-congress-no-need-for.html
(2) The legal and constitutional issues, especially at first glance
and without doing research, reading cases, etc., are complicated and,
in the first instance, difficult to assess, at least for me. That was
also obviously true for Qwest's lawyers, which is why they requested
a court ruling and, when the administration refused, requested an
advisory opinion from DoJ.
But not everyone is burdened by these difficulties. Magically, hordes
of brilliant pro-Bush legal scholars have been able to determine
instantaneously -- as in, within hours of the program's disclosure --
that the program is completely legal and constitutional (just like so
many of them were able confidently to opine within hours of the
disclosure of the warrantless eavesdropping program that it, too, was
perfectly legal and constitutional).
Government Accountability Project
Original: http://www.whistleblower.org/content/press_detail.cfm?press_id=446
CIA Leaks Investigation Highlights Need for Whistleblower Law Reform
Washington, D.C. -- Today, the Government Accountability Project
proclaims that the CIA's public efforts to crackdown on leaks of
classified information demonstrate the need for Congress to approve
meaningful whistleblower protections for employees who decide to
disclose classified evidence of government wrongdoing, misconduct and
illegality. http://www.whistleblower.org/content/press_detail.cfm?press_id=446
From Russell Tice via DemocracyNow:
Original: http://www.democracynow.org/article.pl?sid=06/04/04/1420212&mode=thread&tid=25
And the intelligence community, all of the whistleblower protection
laws are -- pretty much exempt the intelligence community. So the
intelligence community can put forth their lip service about, 'Oh,
yeah, we want you to put report waste fraud abuse,' or 'You shall
report suspicions of espionage,' but when they retaliate you for
doing so, you pretty much have no recourse. I think a lot of people
don't realize that.
From Mike Whitney at Znet:
original: http://www.zmag.org/content/showarticle.cfm?ItemID=6848
Intelligence reform has been a stealth-project from the get-go. [...]
Instead of addressing the underlying issues, the new bill eviscerates
what's left of the Bill of Rights and hands over more power to Bush.
Now, Bush is free to hand-pick the men he wants for top-level
Intelligence positions without Senate confirmation - an invitation to
create his personal security apparatus without congressional
interference. The bill also decreases Congress' powers of oversight.
The new Intelligence Director can exempt his office from "audits and
investigations, and Congress will not receive reports from an
objective internal auditor." In other words, Congress has limited its
own access to critical information of how taxpayer dollars are being
spent. They've simply given up their role of checking for
presidential abuse.
The bill "eliminates provisions to ensure that it (Congress) receives
timely access to intelligence, and it also allows the White House's
Office of Management and Budget to screen testimony before the
Intelligence Director presents it to the Congress." So, now Bush can
either stonewall Congress entirely or just cherry-pick the tidbits he
doesn't mind handing over. The Congress is just paving the way for
even greater secrecy.
Needless to say, all the whistle-blower protections have been removed
from the new bill. In this new paradigm of Mafia-style governance the
only unpardonable offense is reporting the crimes of one's bosses.
Now, the Bush Fedayeen can purge the entire intelligence apparatus
and no one will be the wiser.
On 5/15/06, David Farber <dave(a)farber.net> wrote:
Begin forwarded message:
============================================================
EDRI-gram
biweekly newsletter about digital civil rights in Europe
Number 5.3, 14 February 2007
============================================================
Contents
============================================================
1. Online police searches found illegal in Germany
2. MEPs support again the rules on defamation in Rome II
3. The ORG and FIPR week of e-voting events
4. Towards a committee for French on-line services regulation?
5. European Central Bank found accountable in the SWIFT case
6. Belgium court backs decision against Google
7. European institutions try to impose a stronger position in the PNR debate
8. Bulgaria fails to protect citizens' personal data
9. House of Lords produces report against the AVMS directive
10. French Court decides on the sequel of Les Miserables
11. Recommended reading
12. Agenda
13. About
============================================================
1. Online police searches found illegal in Germany
============================================================
The German Federal Supreme Court (BGH) in Karlsruhe ruled, on 5 February,
that, according to the German Code of Criminal Procedure (StPO), online
police snooping was illegal.
As the court argued, StPO had no provisions to allow the authorities to
perform online snooping, the code allowing only overt searches.
Magistrate Ulrich Hebenstreit had already ruled against house searches
arguing that such searches had to take place in the presence of the person
affected. He emphasized that the data stored on computers could often be
confidential and compared online spying measures to electronic
eavesdropping.
The Protection of the Constitution Act on the German federal state of North
Rhine-Westphalia has recently included a provision that allows online PC
searches against which a complaint of unconstitutionality is presently being
prepared.
Consequently, Federal Minister of the Interior Wolfgang Schäuble is now
asking the legislators to create a legal basis for criminal prosecutors
to perform online searches, which he considers indispensable.
Jörg Ziercke, President of the German Criminal Police Office, also asked for
new legislation to support these actions and stated "We have to be able to
keep up with new technologies when unscrupulous criminals hide on the
Internet, where they can plan their attacks and prepare their criminal
actions."
At the same time, he wanted to assure the German citizens that they
shouldn't worry about the Government monitoring them in a way that would
violate their rights. "These measures will not even affect 99.9 percent of
the population."
Ziercke stated that the Internet was playing a major part in the war against
terrorism, child pornography, neo-Nazi propaganda and other types of crimes
but can also play an important role in committing those crimes.
"The Internet is the criminal platform of the future. In fact, it is the
criminal platform of today."
On the other hand, Burkhard Hirsch, the former vice president of the lower
chamber of Germany's Federal Parliament and a member of the opposition Free
Democratic Party (FDP), considers an online police search of a PC
"worse than a major eavesdropping operation." He told the German
newsmagazine Der Spiegel that spying on a computer through the Internet is
a "more brutal form of intrusion" than previous criminal investigation
methods.
Surreptitious online searches of PCs are illegal (6.02.2007)
http://www.heise.de/english/newsticker/news/84867
German criminology czar believes that online searches
are urgently needed (7.02.2007)
http://www.heise.de/english/newsticker/news/84908
Germany outlaws secret police snooping (6.02.2007)
http://www.out-law.com/page-7737
EDRI-gram: Proposal of computers online searching in Germany (20.12.2006)
http://www.edri.org/edrigram/number4.24/computer-online-searching
============================================================
2. MEPs support again the rules on defamation in Rome II
============================================================
The European Parliament has voted in its second reading on the Rome II
Regulation to reintroduce the rules regarding the defamation by media or
publications via the Internet and other electronic networks. The Rome II
regulation is establishing the rules on the applicable law to
non-contractual obligations.
The member states and media organizations wanted a simple formula to be
introduced and not to apply the general principle - the applicable law to be
that of the country in which the defamed person lives. That would
practically mean that every media company would have to know the privacy and
defamation laws of every European country.
At the first reading in July 2005, MEPs had approved a compromise amendment
that regulated the violation of privacy by a printed or audiovisual media.
The Council decided to delete this provision from its Common Position. In
the vote in plenary, MEPs decided to reintroduce the same rules, as adopted
at the first reading.
The Parliament's amendment suggests that in the case of print or broadcast
media the law which should apply in disputes is the law of the country to
which the publication or broadcast is most directed. That must be determined
in particular by the language of the publication or broadcast or by sales or
audience size in a given country as a proportion of total sales or audience
size or by a combination of those factors. If that is not an easy fact to
determine, the relevant law will be the one of the country where editorial
control is exercised. This provision will apply also to publications via the
Internet and other electronic networks. Regarding the right to reply, the
applicable law should be the law of the country in which the publisher or
broadcaster has its habitual residence.
Strong disagreements between the Council and the Parliament still exist,
especially on the defamation rules. According to Commission Vice-President
Franco Frattini, who spoke before the vote, on the approved rules on
defamation, "there is no way they will get through" in the Council.
MEP Diana Wallis stated her satisfaction on the result of the vote, but also
warned: "We may not have reached the end of the story of Rome II; by again
passing these amendments there will almost certainly have to be a
conciliation process to iron out the final difficulties between the European
law-making institutions."
The text adopted by the Parliament should go now through the conciliation
procedure, where Member States and MEPs, equally represented, will have to
debate further to find a compromise and approve the Regulation.
Rome II: MEPs reintroduce rules on defamation (18.01.2006)
http://www.europarl.europa.eu/news/expert/infopress_page/008-1942-015-01-03…
01-20070112IPR01917-15-01-2007-2007-false/default_en.htm
European Parliament stands firm on cross-border defamation law(2.02.2007)
http://www.out-law.com/page-7726
EDRI-gram: Rome II: Applicable law and freedom of expression (29.06.2005)
http://www.edri.org/edrigram/number3.13/RomeII
EP Legislative Observatory Rome II file
http://www2.europarl.eu.int/oeil/file.jsp?id=235142
============================================================
3. The ORG and FIPR week of e-voting events
============================================================
Last week there were three e-voting events hosted in London by EDRI members,
the Open Rights Group (ORG) and the Foundation for Information Policy
Research (FIPR).
On 6 February guests saw a screening of the documentary film
"Hacking Democracy" which reveals in detail the failings of e-voting and
e-counting systems in the United States.
After the film a lively panel, chaired by ORG's e-voting co-ordinator Jason
Kitcat, discussed the film's implications particularly given e-voting pilots
planned in the UK for May 2007. On the panel were John Pugh MP (Liberal
Democrat); Russell Michaels, one of the film's co-directors and Dr Rebecca
Mercuri, an e-voting expert from the United States.
On 8 February there were two events which gathered, for the first time, a
wide array of e-voting experts and activists from around the world. In the
afternoon the European e-Voting Activism Workshop opened with a keynote
by Harri Hursti, a Finnish security expert who has demonstrated a number of
major security flaws in US election systems. Mr Hursti discussed how he
compromised an optical counting system to provide the finale for "Hacking
Democracy". He also shared his views on the wide variety of ways in which
e-voting and e-counting systems are vulnerable to fraud and error.
Subsequently experts from Belgium, France, Germany, Ireland, The Netherlands
and the United States presented the problems they were experiencing with the
introduction of e-voting in their countries. Attendees were struck by the
strong similarities between all the presentations:
- Governments would, with extremely weak standards in place, contract the
running and monitoring of elections to private companies;
- These companies would do minimal testing and withhold the results of those
tests;
- Problems and possible indications of fraud would arise during and after
elections. Further investigation would be impossible due to failings in the
technology and/or due to obstruction by vendors and government.
After the workshop's broad overview of e-voting, the evening event
"e-Voting: A challenge to democracy?" provided time for more detailed
presentations.
Margaret McGaley, the founder of Irish Citizens for Trustworthy e-Voting,
reported on the thus-far abortive attempts to introduce e-voting machines to
the Republic of Ireland. She noted that early in the process experts had
offered advice but weren't listened to. After pushing on at great expense
the Irish government were forced to create an Independent Commission on
Electronic Voting which found serious flaws in the Nedap voting machines and
software purchased.
Dr Anne-Marie Oostveen, a founder of the Dutch "We don't trust voting
computers" foundation, reported how in the Netherlands the government
position went from 'trust us' to uncertainty. "We don't trust voting
computers" demonstrated on national TV several important hacks on the Nedap
machines used in the majority of Dutch municipalities. The result was the
withdrawal of SDU machines from elections and the creation of an independent
commission to examine the voting process.
Colm MacCarthaigh, a founding member of Irish Citizens for Trustworthy
e-voting, who now follows the Dutch situation since he became resident in
The Netherlands, tied together the Dutch and Irish stories. He commented on
how the Irish independent commission's report had provided information on
the Nedap machines which had helped the Dutch activists find flaws more
quickly. The successful Dutch hacks, in their turn, helped apply more
pressure on the Irish government.
Dr Rebecca Mercuri presented the latest developments concerning voting
technology in the United States. She noted how vendors, when forced to
create voter-verified paper audit trails, had created unreliable, barely
usable systems which had created new problems of their own. In place of
e-voting machines Ms Mercuri advocated the use of paper ballots, perhaps
optically or barcode scanned. To conclude Ms Mercuri argued that Internet
voting, as proposed for the UK's 2007 pilots, was an inherently flawed
technology that should not be pursued.
One question which kept being asked after every one of our events was, why
are governments pushing so hard for e-voting technology when the problems
are so evident? We just don't understand it.
The events ended with the activists resolved to meet more often and
collaborate through a newly formed umbrella grouping, 'Europeans for
Verifiable Elections'. The Open Rights Group will continue its campaign
against e-voting in the UK and our sister organisations will carry on their
work across Europe.
Audio, video and slides from the events will be available soon
http://www.openrightsgroup.org
Europeans for Verifiable Elections
http://www.efve.eu
(Contribution by Jason Kitcat - EDRI-member Open Rights Group)
============================================================
4. Towards a committee for French on-line services regulation ?
============================================================
French Internet regulation history seems to repeat itself, as shown by a
recently unveiled draft administrative decree, which aims at
creating a "National Commission for the deontology of on-line public
communication services".
The Commission would be in charge of elaborating "deontological
recommendations" towards professional on-line communication services,
including fixed and mobile telecom operators, ISPs, publishing and
distributing services. The Commission would also be in charge of attributing
"quality labels" to these services.
However, these recommendations would also indirectly apply
to the users of these services, through contractual clauses in their
subscriptions, especially since a "quality label" may be withdrawn by the
Commission when it is found that "deontological recommendations" are not
respected. The Commission would consist of 23 members nominated by the
French Prime Minister for 5 years. Besides representatives of different
ministries, one magistrate and one member of the French Conseil d'Etat, the
Commission should include 14 members representing, in parity, both the
users and the professionals of online communication services.
French digital rights organizations quickly denounced this new
attempt at censorship. EDRI member IRIS notes that this proposal
sounds very similar to the first attempt at Internet regulation in
France in... 1996, through what was popularly called the "Fillon
Amendment" to the Telecom law. This amendment was found
unconstitutional in July 1996, and its major provisions were
struck down since, according to article 34 of the Constitution,
fundamental freedoms may only be limited by the legislator, while in
this case there were no specified binding principles for recommendations
to be made by an administrative Commission, with strong impact on
freedom of expression.
IRIS points out that these arguments of the Constitutional Council examining
the 1996 law still apply and may well be reused against a 2007
administrative decree before the competent jurisdiction.
Draft of administrative decree (in French only, 07.02.2007)
http://odebi.org/docs/Projetdecretcommissiondeontologie.pdf
Polemics on the regulation of French Internet (in French only, 09.02.2007)
http://www.01net.com/editorial/341006/legislation/polemique-autour-de-la-re…
lation-de-l-internet-francais/
APRIL Press release - Internet Regulation : always the good old
methods...(in French only, 12.02.2007)
http://www.april.org/articles/communiques/pr-20070212.html
IRIS Press release - "Fillon Amendment 2.0": help, the "deontology of public
expression" is back! (in French only, 14.02.2007)
http://www.iris.sgdg.org/info-debat/comm-deontologie0207.html
(Contribution by Meryem Marzouki, EDRI-member IRIS - France)
============================================================
5. European Central Bank found accountable in the SWIFT case
============================================================
On 1 February, Peter Hustinx, the European Data Protection Supervisor (EDPS)
gave his opinion on the role of the European Central Bank (ECB) in the SWIFT
case, considering the bank as accountable along with SWIFT for failing
compliance with the European privacy laws in the secret US investigation
into terrorist finances.
By using SWIFT's services in its own payment operations, the ECB has become
a joint controller and is thus co-responsible for ensuring compliance with
data protection rules, meaning observing the purpose limitation principle,
informing data subjects, and ensuring guarantees when transferring
personal data to third countries.
"Just as other banks, the ECB can not escape some responsibilities in the
SWIFT case which has breached the trust and private lives of many millions
of people. Secret, routine and massive access of third country authorities
to banking data is unacceptable. The financial community should therefore
provide payment systems which do not violate European data protection laws"
affirmed Hustinx in a written statement. He gave the ECB until April to
demonstrate that it complies with data protection laws.
However, the ECB does not admit any responsibility in the matter, considering
that data protection was not its concern but financial stability was. It also
considers that the legislators should have given clearer guidance.
"The monitoring of SWIFT activities that do not affect financial stability
is not a matter for central bank oversight and, therefore, the US Treasury
subpoenas of SWIFT were outside the purview of central bank oversight. The
Oversight Group has no authority to oversee SWIFT with regard to compliance
with data protection laws," was ECB statement.
The bank said it would notify the organisations for whom it conducts
transactions and ask for their consent before sharing their data. It also
appreciated the initiative of the EU and US data protection authorities,
intelligence agencies and financial regulators to find a way to properly
monitor international organisations like SWIFT.
The EDPS also addressed the ECB asking them to transfer data to third
parties only when they can guarantee the privacy protection of the owners of
the data transferred. The punitive actions that Hustinx could take against
ECB are limited. As SWIFT has no credible alternative, asking the ECB to
stop using their services would not be a reasonable measure.
EDPS calls on ECB to ensure that European payment systems comply with data
protection law - Press release (1.02.2007)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/…
essNews/Press/2007/EDPS-2007-1-EN_SWIFT.pdf
ECB blamed (again) for SWIFT privacy debacle (1.02.2007)
http://www.theregister.co.uk/2007/02/01/ecb_swift_edps/
Hands off our bank data, Europe tells US (23.11.2006)
http://www.theregister.co.uk/2006/11/23/ec_swift_ruling/
EDRI-gram: SWIFT found in breach of Belgian laws (11.10.2006)
http://www.edri.org/edrigram/number4.19/swift
============================================================
6. Belgium court backs decision against Google
============================================================
In the case brought by Copiepresse, a trade group representing 17 Belgian
newspapers, against Google for publishing links to newspaper articles
without permission, the Brussels Tribunal upheld its previous decision and
ruled that Google violated the copyright law.
Google was ordered to remove Belgian newspaper content from its search
engine results. The search engine is no longer allowed to refer to articles,
pictures or drawings of Copiepresse members without prior agreements, which
are to be negotiated, non-compliance being fined at 25 000 Euros per day.
The ruling also says that any other copyright holder could get in touch
with Google and notify its copyright infringement. In this case Google has
to remove the content within 24 hours or pay a 1 000 euros a day fine.
Google will appeal the judgment as it considers that making reference to a
page is no violation of the law and is actually in favour of the Belgian
newspapers by sending Internet users to their websites.
"Search tools such as Google Web Search and Google News are of real benefit
to publishers because they drive valuable traffic to their websites and
connect them to a wider global audience," said the Google spokeswoman.
Some Belgian journalists have also considered that the court ruling will
lead to newspapers losing readers as the traditional print newspapers are
in decline.
"We want more readers, not less readers. Belgian newspapers will not make
the internet work by trying to stand against the tide of global change,"
said a journalist.
The Belgian press plays at who gains, who loses with Google (Only in
French, 13.02.2007)
http://www.lemonde.fr/web/article/0,1-0@2-651865,36-866673@51-837044,0.html
Google must respect copyright (Only in French 13.02.2007)
http://www.rtbf.be/info/societe/ARTICLE_070337
Google to pay £2.4m over 'copyright breach' (13.02.2007)
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/02/13/wgoogle113.…
l
Google will appeal Copiepresse decision (13.02.2007)
http://www.out-law.com/page-7758
Belgian Court Decision (13.02.2007)
http://www.copiepresse.be/copiepresse_google.pdf
EDRI-gram : Belgium says no to Google News (26.09.2006)
http://www.edri.org/edrigram/number4.18/google_be
============================================================
7. European institutions try to impose a stronger position in the PNR debate
============================================================
The European Parliament intends to strengthen its opposition to the US
demands related to the transfer of European air passenger data (PNR).
Following the debate that took place on 31 January 2007 in the European
Parliament, the vote on the position that EU should have concerning the new
PNR agreement to be signed with USA on 31 July 2007 was delayed.
The end of the temporary agreement with the US gets closer and the US
maintains its threat to fine non-compliant airlines and deny them
landing rights in the US. The American authorities have already indicated
that they have no intention of changing the terms of the agreement towards
better data protection and privacy standards.
The Commission and the Council of Ministers have come to join the EP in its
position to this matter and they are very likely to ask for a shorter list
of data categories and the limitation of the access to these data only to US
immigration officers.
Very strong positions were expressed during the session by Guenther Gloser,
Germany's deputy foreign minister and the European commissioner in charge of
justice and home affairs issues, Franco Frattini.
"There is therefore the need to negotiate a very solid and stable legal
framework which will enable the exchange of PNR data with the United States
with full respect of data protection and privacy rights." said Frattini.
He expressed his concern related to the U.S. Automated Targeting System, a
system by means of which millions of people have been assessed since 2002,
information made public only recently. The system is considered illegal even
in the US by Congress and some privacy advocates.
The Commissioner also added: "I have said on a number of occasions that the
right to privacy is for me non-negotiable. It has to be respected, fully and
completely. Legal certainty is also an important element for air-carriers.
It must be taken into account, as it has been from the very beginning. ..the
Commission is committed to continuing to give due consideration to privacy
on the one hand and legal security on the other, as they form key principles
of this file, without forgetting the importance of preventing and fighting
terrorism and related transnational crimes."
He also stressed the fact that the negotiations would be very challenging
requiring imagination and effort both from EU institutions as well as from
the US "in order to reach a very robust, solid solution."
In the absence of an agreement, the airlines will be placed in a very
delicate situation between being fined by US for failing to provide the data
or sued for non-complying with European data protection laws in case they do
so.
New developments in this matter will probably occur during this week's EP
session.
Data transfer to US: MEPs raise pressure (1.02.2007)
http://www.euractiv.com/en/justice/data-transfer-us-meps-raise-pressure/art…
le-161367
Europe preps for battle with U.S. over traveller data (1.02.2007)
http://www.infoworld.com/article/07/02/01/HNbattleontravelerdata_1.html
European Parliament: Joint debate on a new agreement on Passenger Name
Records (PNR) and on SWIFT data (31.01.2007)
http://www.euractiv.com/29/images/PNR+SWIFT_tcm29-161379.pdf
EDRI-gram : EU-US PNR agreement formally adopted by the EU Council
(25.10.2006)
http://www.edri.org/edrigram/number4.20/pnr
============================================================
8. Bulgaria fails to protect citizens' personal data
============================================================
A recent report made public by the Bulgarian National Audit Office about the
activity of the Commission for Personal Data Protection (CPDP) in Bulgaria
in the period 1 January 2003 - 31 December 2005 shows that the CPDP has
failed in achieving its main purpose - to protect citizens' personal data.
Parts of the National Audit Office report have been translated by Bulgarian
NGO Access to Information Programme and published on Statewatch. According
to the report, the CPDP has spent approx. 1.35 million Euro on its
activities, but has completed only 17 investigations of citizens'
complaints. The Commission has failed to create the mandatory registry of
personal data processors and hasn't imposed any sanction so far.
Moreover, there is no policy in place, strategy or established goals for the
personal data protection field. The National Audit Office has considered
that CPDP did not function as a permanent working body since the main part
of its staff has predominantly maintained working relations with other
employers.
The report noted that no legal provision regulates the registration
procedure, and the CPDP had not adopted written rules, procedures and
methodology for exercising control over the activities of the
administrators. The objects of control, the types of control activities and
their scope are not explicitly defined, and the powers of the controllers are
defined vaguely and incompletely.
The flaws of the present data protection legislation and its implementation
have been highlighted by Access to Information Programme. The insufficient
protection of personal data in Bulgaria was criticized in the European
Commission monitoring reports in the pre-accession process, as well.
Bulgaria: The Commission for Personal Data Protection in Bulgaria has done
little for the protection of personal data - 1.35 million. Euro were spent
instead (01.02.2007)
http://www.statewatch.org/news/2007/feb/01bulgaria-dp.htm
Audit Report of the CPDP (only in Bulgarian, 30.01.2007)
http://www.bulnao.government.bg/pages.html?catID=18
Access to Information Programme - Bulgaria
http://www.aip-bg.org
============================================================
9. House of Lords produces report against the AVMS directive
============================================================
A report of the Lords European Union Committee offered new reasons to oppose
the Commission's draft Audiovisual Media Services Directive (AVMS),
successor of the Television Without Frontiers Directive, that will extend
television regulation to some Internet video services.
The Directive was approved in its first reading by the Parliament in
December 2006 and should be backed now by the Council of Ministers.
The Directive, as it is now drafted, applies only to commercial TV-like
services, but concerns still exist on the vagueness of what this would cover
and the fear that the regulation might be wrongly applied to other content
such as that of blogs.
Lord Freeman, chairman of the Lords European Union Committee stated: "Such
an attempt risks damaging the new media industry, which is a vibrant and
important sector of the UK's economy."
The report warned that the Directive might cause production companies
outside of the EU to try and escape the regulation, considering UK would be
one of the main victims of this action.
The Lords committee considers that EU as regulator should not help to
preserve the dominance of the players already established on the market and
does not see the necessity to introduce "quantitative restrictions on
advertising in a market which is now clearly open to competition".
"We are concerned that the identification of some of media services as
'television-like', may lead some to conclude that eventually 'like services'
should be regulated in a 'like-manner', i.e. a perfectly 'level playing
field'," said the report. "If these services are to be included at all we
agree that they must be regulated differently, but the wording and
definitions in the latest versions of the text may encourage the idea that
they can and should be regulated in the same way as television. We would
consider such a move now or in the future to be a grave error."
The EU presidency, presently held by Germany, expressed its wish to finalise
the Directive by June 2007. The new act should be implemented within 2 years
into the national legislation of the member countries.
Television Without Frontiers - Report with Evidence - House of Lords -
European Union Committee, 3rd Report of Session 2006-07 (23.01.2007)
http://www.publications.parliament.uk/pa/ld200607/ldselect/ldeucom/27/27.pdf
Lords oppose new media Directive (8.02.2007)
http://www.out-law.com/page-7742
EDRI-gram: New Audiovisual Directive: First Reading in EU Parliament
completed (20.12.2006)
http://www.edri.org/edrigram/number4.24/avms
EP Legislative Observatory AVMS Directive file
http://www.europarl.europa.eu/oeil/file.jsp?id=5301252
============================================================
10. French Court decides on the sequel of Les Miserables
============================================================
The French Cour de Cassation (the highest Appeal Court in France) has taken
a decision regarding a sequel of the famous French book Les Miserables,
that was contested by one of the descendants of Victor Hugo. The Court
has refused to ban the appearance of the sequel and has taken into
consideration the right of adaptation and not just the moral right of
integrity. However, the procedure is not over yet.
The case started six years ago when the great-great-grandson of Victor
Hugo, Pierre Hugo, considered that two books published and marketed by Plon
publisher as the sequels of the famous "Les Miserables" were breaching
the moral rights of the author.
Victor Hugo's masterpiece is in the public domain, but, under the French
law, the moral rights of the author are considered timeless and are passed
on to descendants.
The Court of Appeal decided in March 2004 that Hugo's heirs were right in
their demands and condemned Plon to pay a symbolic 1 Euro in damages.
The Appeal Court considered that no sequel could be made to such a
masterpiece as Les Miserables without breaching the moral right of the
author, who thought that his work was complete. However, Plon appealed the
decision to the Cour de Cassation.
The Cour de Cassation has reached a different conclusion. It considered that
a sequel of a work is mainly related to the right of adaptation, which is
one of the limited rights of the author (seventy years after the author's
death), contrary to the moral rights, which are timeless. Since the work is
in the public domain, anyone has the right to write a sequel to that work. A
different opinion would mean the extension of this limited right and a
violation of the freedom to create new works. Therefore the mere writing of
a sequel could not be considered a breach of the moral rights of a work,
irrespective of the work's quality.
Consequently, the case was sent back to the Court of Appeal, where
different judges should consider whether the two books really infringe the
moral rights of the author.
Les Misérables, sequel or end? (only in French, 2.02.2007)
http://www.lesechos.fr/info/metiers/4532468.htm
Heir of Victor Hugo fails to stop Les Mis II (31.01.2007)
http://www.guardian.co.uk/international/story/0,,2002303,00.html
============================================================
11. Recommended reading
============================================================
Data Protection Working Party - Opinion 1/2007 on the Green Paper on
Detection Technologies in the Work of Law Enforcement, Customs and other
Security Authorities
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp129_en.pdf
============================================================
12. Agenda
============================================================
15-16 February 2007, Brussels, Belgium
Scientific Publishing in the European Research Area
Access, Dissemination and Preservation in the Digital Age
http://ec.europa.eu/research/science-society/page_en.cfm?id=3459
19-23 February 2007, Geneva, Switzerland
Provisional Committee on Proposals Related to a WIPO Development Agenda:
Third Session
http://www.wipo.int/meetings/en/details.jsp?meeting_id=11926
18-20 February 2007, Salamanca, Spain
International Association for Development of the
Information Society Web Based Communities 2007 Conference
http://www.webcommunities-conf.org
22 February 2007, Amsterdam, Netherlands
The Future of Ambient Intelligence
http://www.clubofamsterdam.com/event.asp?contentid=653
13-14 March 2007 Brussels, Belgium
The EU RFID Forum 2007
http://ec.europa.eu/information_society/policy/rfid/conference2007_reg/inde…
en.htm
16 March 2007, Hannover, Germany
European Commission conference on Mobile TV at CeBIT
http://ec.europa.eu/information_society/events/cebit_07/index_en.htm
1-4 May 2007, Montreal, Canada
7th Conference on Computers, Freedom, and Privacy (CFP2007)
http://www.cfp2007.org/live/
18-19 May 2007, Brasov, Romania
eLiberatica - The Benefits of Open and Free Technologies - Romanian IT Open
Source and Free Software Conference
http://www.eliberatica.ro/
============================================================
13. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 25 members from 16 European countries.
European Digital Rights takes an active interest in developments in the EU
accession countries and wants to share knowledge and awareness through the
EDRI-grams. All contributions, suggestions for content, corrections or
agenda-tips are most welcome. Errors are corrected as soon as possible and
visibly on the EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
06 Jul '18
Lessig's article is pretty powerful.
I think it's amazing that you can kill someone and get out in less than a
decade, but if you "steal" Intellectual Property (without even
distributing it) you can get a life sentence.
Such things point to Corporations being first-class persons and us
flesh-and-blood people are at best second-class.
- Joe
_______________________________________________
FoRK mailing list
http://xent.com/mailman/listinfo/fork
----- End forwarded message -----
I've been working since late July on Trubanc, an anonymous,
digitally-signed vault and trading system. Inspired by Patrick
Chkoreff's Loom.cc, but with digital signatures for security. The
first version of a web client is available for beta testing. Check it
out. Send me email to get a coupon with the usage tokens you need to
register.
Site: http://trubanc.com/
Announcement: http://billstclair.com/blog/trubanc_web_client_public_beta.html
Client: http://trubanc.com/client/
Client docs: http://trubanc.com/client.html
Technical stuff
Protocol description: http://trubanc.com/plain-english.html
Protocol and database details: http://trubanc.com/viewtext.php?file=doc/db.txt
Client database details: http://trubanc.com/viewtext.php?file=doc/client.txt
Source viewer: http://trubanc.com/viewtext.php
Git archive: http://repo.or.cz/w/Trubanc.git
It's open source. Please review for security if you're inclined and
able.
Mine is a US-based testing and development server only. Hopefully,
servers with real assets, hosted in financial-privacy-respecting
countries, will follow shortly, maybe run by some of you.
-Bill
As some of you may know, the FreePastry group at Rice University is
developing ePOST, a secure, decentralized, p2p email system. The service
is provided cooperatively by the user's desktop computers, and ePOST
provides better security and fault tolerance than existing email systems.
Email exchanged between ePOST users is cryptographically sealed and
authenticated and the service remains available even when traditional mail
servers have failed. ePOST gives users plenty of email storage (users can
use as much as they contribute of their own disk space). Moreover, users
don't have to entrust their email to a commercial provider, who may mine
their data, target them with advertisements or start charging them once
they're hooked. ePOST has been running as the primary email system for
members of our group for over a year.
ePOST works by joining a peer-to-peer network running a personal IMAP and
SMTP server on your desktop, which is only for your email. ePOST is
backward compatible with existing email systems, and your ePOST email
address works just like a normal email address - you can send and receive
messages from non-ePOST users. Additionally, you can use your existing
email clients with ePOST, since ePOST provides standard IMAP and POP3
servers.
A few other features of ePOST are:
- support for SSL connections
- a data durability layer called Glacier, providing durability with up to
60% member node failures
- support for laptops and machines behind NATs
- support for networks with routing anomalies
More information about ePOST is available at http://www.epostmail.org/.
We now welcome additional ePOST users. If you are interested in setting up
an ePOST account, please follow the installation instructions posted at
http://www.epostmail.org/install.html. Most ePOST users have set up mail
forwarding so that a copy of incoming mail is kept on their normal mail
server, in addition to being forwarded to their ePOST account. We
recommend this setup until ePOST is no longer in beta status, although we
have not found an instance yet where using this backup was necessary to
recover a lost email.
Also, please let us know if you are interested in running a local ePOST
ring at your institution. Running such a ring allows organizations to
ensure all overlay traffic remains internal to the organization, while
maintaining global connectivity. More information on running an
organizational ring is available at http://www.epostmail.org/deploy.html.
We are currently collecting high-level statistics from all of the ePOST
nodes in our deployment for research purposes. These statistics concern
the number of overlay messages sent and the amount of data stored on disk.
We are not recording the plain text of emails, nor are we examining which
users are exchanging emails. If the collection of statistics would
prevent you from using ePOST, please don't hesitate to contact us, and we
can turn these features off for you.
Thanks again for your help, and don't hesitate to ask us any questions,
comments, or suggestions,
Alan Mislove, Ansley Post, Andreas Haeberlen, and Peter Druschel
(epost-team(a)rice.epostmail.org)
_______________________________________________
p2p-hackers mailing list
p2p-hackers(a)zgp.org
http://zgp.org/mailman/listinfo/p2p-hackers
_______________________________________________
Here is a web page listing P2P Conferences:
http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences
----- End forwarded message -----
--
Eugen* Leitl <http://leitl.org>
http://moleculardevices.org http://nanomachines.net
The most notable feature in this release of nym is that you can now use nym
entirely from your web browser:
http://www.lunkwill.org/src/nym/javascript/jsnymclient.html
Until someone figures out how to create client certificate requests in
Javascript, the CA will have to do so instead (or, you could generate the
request on a separate machine and paste it in with a trivial hack). This
means the CA will know your certificate's private key; this is bad if you
want to make sure you can never be impersonated. It's actually good if you
want deniability, since you can always claim that the CA chose to
impersonate you.
There are other miscellaneous bugfixes which break compatibility with
earlier versions.
Sources (including the javascript client) are available here, as always:
http://www.lunkwill.org/src/nym/
-J
----- End forwarded message -----
--
Eugen* Leitl <http://leitl.org>
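The workaround the nym post mentions (generate the request on a separate machine and paste it in) is the standard way to keep a CA from ever holding the client's private key. The script below is an added example, not nym's code or the list author's: it generates the key and the PKCS#10 request on the client side with the openssl CLI (assumed to be installed), hands only the request to a throwaway self-signed CA (constructed for the example, as are all directory names and subjects), and then checks on the client side that the certificate that comes back carries the local public key and chains to the CA. The CSR's own signature is what lets the CA confirm the requester holds the private key without ever seeing it.

```shell
#!/bin/sh
# Added example (not nym's code): keep the private key on the client and let
# the CA sign only a certificate request. Directory names, subjects and the
# self-signed CA are constructed for the demonstration.
set -eu

WORK=${WORK:-$(mktemp -d)}
CLIENT="$WORK/client"   # the machine that will own the certificate
CA="$WORK/ca"           # the CA; must never receive client.key
mkdir -p "$CLIENT" "$CA"

# Client side: generate the key pair and a PKCS#10 request in one step.
# Only client.csr (public key + subject, self-signed with the new key) is
# handed to the CA; client.key never leaves $CLIENT.
make_client_request() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$CLIENT/client.key" -out "$CLIENT/client.csr" \
    -subj "/CN=nym-client-example" 2>/dev/null
  cp "$CLIENT/client.csr" "$CA/client.csr"   # the "paste it in" step
}

# CA side: a throwaway self-signed root, constructed for this example.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" \
    -subj "/CN=example-nym-ca" 2>/dev/null
}

# CA side: sign the request. openssl verifies the CSR's self-signature first,
# which proves the requester holds the matching private key.
sign_request() {
  openssl x509 -req -in "$CA/client.csr" \
    -CA "$CA/ca.crt" -CAkey "$CA/ca.key" -CAcreateserial -days 1 \
    -out "$CA/client.crt" 2>/dev/null
  cp "$CA/client.crt" "$CLIENT/client.crt"   # certificate goes back to the client
}

# Client side: before trusting the returned certificate, confirm it carries
# exactly the public key of the local private key and chains to the CA.
# Prints "ok" on success; returns non-zero otherwise.
verify_issued_cert() {
  key_pub=$(openssl pkey -in "$CLIENT/client.key" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$CLIENT/client.crt" -pubkey -noout 2>/dev/null)
  [ "$key_pub" = "$cert_pub" ] || { echo "public key mismatch" >&2; return 1; }
  openssl verify -CAfile "$CA/ca.crt" "$CLIENT/client.crt" >/dev/null 2>&1 ||
    { echo "chain verification failed" >&2; return 1; }
  echo ok
}

# True when nothing named like the client's private key exists on the CA side.
ca_never_saw_client_key() {
  [ ! -e "$CA/client.key" ]
}

make_client_request
make_ca
sign_request
verify_issued_cert
```

Run as-is to see `ok`; set `WORK` to a directory of your choice to inspect the files afterwards. The public-key comparison in `verify_issued_cert` is the check that catches a CA that quietly substituted its own key pair: a certificate issued for a different key will fail that comparison even though it chains correctly.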