cypherpunks-legacy
July 2018
- 1371 participants
- 9656 discussions
On Sat, Dec 06, 2008 at 07:49:58PM -0500, gmaxwell(a)gmail.com wrote 0.2K bytes in 4 lines about:
: I've confirmed the reports of UK ISPs censoring Wikipedia using some
: UK tor exists.
http://en.wikinews.org/wiki/UK_ISPs_erect_%27Great_Firewall_of_Britain%27_t…
--
Andrew
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi y'all, weekly update time
* Index
1) Net status
2) 0.5
3) i2pmail.v2
4) azneti2p_0.2
5) ???
* 1) Net status
Hmm, not much to report here - things still work as they did last
week, size of the net is still pretty similar, perhaps a little
larger. Some neat new sites are popping up - see the forum [1]
and orion [2] for details.
[1]http://forum.i2p.net/viewforum.php?f=16
[2]http://orion.i2p/
* 2) 0.5
Thanks to the help of postman, dox, frosk, and cervantes (and
everyone who tunneled data through their routers ;), we've
collected a full day's worth of message size stats [3]. There are
two sets of stats there - height and width of the zoom. This was
driven by the desire to explore the impact of different message
padding strategies on the network load, as explained [4] in one of
the drafts for the 0.5 tunnel routing. (ooOOoo pretty pictures).
The scary part about what I found digging through those was that by
using some pretty simple hand-tuned padding breakpoints, padding to
those fixed sizes would still end up with over 25% of the
bandwidth wasted. Yeah, I know, we're not going to do that.
Perhaps y'all can come up with something better by digging through
that raw data.
[3] http://dev.i2p.net/~jrandom/messageSizes/
[4] http://dev.i2p.net/cgi-bin/cvsweb.cgi/i2p/router/doc/
tunnel.html?rev=HEAD#tunnel.padding
Actually, that [4] link leads us into the state of the 0.5 plans for
the tunnel routing. As Connelly posted [5], there has been a lot of
discussion lately on IRC about some of the drafts, with polecat,
bla, duck, nickster, detonate and others contributing suggestions
and probing questions (ok, and snarks ;). After a little more than
a week, we came across a potential vulnerability with [4] dealing
with an adversary who was somehow able to take over the inbound
tunnel gateway who also controlled one of the other peers later in
that tunnel. While in most cases this by itself wouldn't expose the
endpoint, and would be probabilistically hard to do as the network
grows, it still Sucks (tm).
So in comes [6]. This gets rid of that issue, allows us to have
tunnels of any length, and solves world hunger [7]. It does open
another issue where an attacker could build loops in the tunnel, but
based on a suggestion [8] Taral made last year regarding the session
tags used on ElGamal/AES, we can minimize the damage done by using
a series of synchronized pseudorandom number generators [9].
[5] http://dev.i2p.net/pipermail/i2p/2005-January/000557.html
[6] http://dev.i2p.net/cgi-bin/cvsweb.cgi/i2p/router/doc/
tunnel-alt.html?rev=HEAD
[7] guess which statement is false?
[8] http://www.i2p.net/todo#sessionTag
[9] http://dev.i2p.net/cgi-bin/cvsweb.cgi/i2p/router/doc/
tunnel-alt.html?rev=HEAD#tunnel.prng
Don't worry if the above sounds confusing - you're seeing the
innards of some gnarly design issues being wrung out in the open.
If the above *doesn't* sound confusing, please get in touch, as we're
always looking for more heads to hash through this stuff :)
Anyway, as I mentioned on the list [10], next up I'd like to get the
second strategy [6] implemented to hash through the remaining
details. The plan for 0.5 is currently to get all of the backwards
incompatible changes together - the new tunnel crypto, etc - and
push that as 0.5.0, then as that settles on the net, move on to the
other parts of 0.5 [11], such as adjusting the pooling strategy as
described in the proposals, pushing that as 0.5.1. I'm hoping we
can still hit 0.5.0 by the end of the month, but we'll see.
[10] http://dev.i2p.net/pipermail/i2p/2005-January/000558.html
[11] http://www.i2p.net/roadmap#0.5
* 3) i2pmail.v2
The other day postman put out a draft plan of action for the next
generation mail infrastructure [12], and it looks bloody cool. Of
course, there are always yet more bells and whistles we can dream
up, but it's got a pretty nice architecture in many ways. Check out
what's been doc'ed up so far [13], and get in touch with the postman
with your thoughts!
[12] http://forum.i2p.net/viewtopic.php?t=259
[13] http://www.postman.i2p/mailv2.html
* 4) azneti2p_0.2
As I posted to the list [14], the original azneti2p plugin for
azureus had a serious anonymity bug. The problem was that in mixed
torrents where some users are anonymous and others are not, the
anonymous users would contact the non-anonymous users /directly/
rather than through I2P. Paul Gardner and the rest of the azureus
devs were quite responsive and put out a patch right away. The
issue I saw is no longer present in azureus v. 2203-b12 +
azneti2p_0.2.
We haven't gone through and audited the code to review any potential
anonymity issues though, so "use at your own risk" (OTOH, we say the
same about I2P, prior to the 1.0 release). If you're up for it, I
know the azureus devs would appreciate more feedback and bug reports
with the plugin. We'll of course keep people informed if we find
out about any other issues.
[14] http://dev.i2p.net/pipermail/i2p/2005-January/000553.html
* 5) ???
Lots going on, as you can see. I think that's about all I've got to
bring up, but please swing by the meeting in 40 minutes if there's
something else you'd like to discuss (or if you just want to rant
about the stuff above)
=jr
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFB7XCWGnFL2th344YRAmhxAKC9tc+9ocOgu02PBAH1iBEghzpVXQCbBHLB
LFh9H55UFtsLPRFk7hxdv1c=
=0FdX
-----END PGP SIGNATURE-----
_______________________________________________
i2p mailing list
i2p(a)i2p.net
http://i2p.dnsalias.net/mailman/listinfo/i2p
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
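The padding trade-off from section 2 of the status notes above, as an added example (not part of the original post and not I2P code): it measures the bandwidth wasted by padding every message up to a fixed set of size breakpoints, then generalizes to choosing the k breakpoints that minimize waste for a given size histogram. The histogram, the hand-picked breakpoints and the function names are constructed for illustration; they are not the collected stats at [3].

```python
from bisect import bisect_left
from itertools import accumulate

# Constructed sample: message size in bytes -> number of messages observed.
SAMPLE_HIST = {64: 400, 200: 250, 512: 150, 900: 100,
               1500: 60, 4000: 30, 16000: 10}

# Hypothetical hand-tuned breakpoints (powers of two picked by eye).
HAND_TUNED = [1024, 4096, 16384]


def padding_cost(hist, breakpoints):
    """Pad each message up to the smallest breakpoint >= its size.

    Returns (payload_bytes, sent_bytes, wasted_fraction_of_sent_bytes).
    """
    bps = sorted(breakpoints)
    payload = sent = 0
    for size, count in hist.items():
        i = bisect_left(bps, size)
        if i == len(bps):
            raise ValueError(f"no breakpoint can hold a {size}-byte message")
        payload += size * count
        sent += bps[i] * count
    return payload, sent, (sent - payload) / sent


def optimal_breakpoints(hist, k):
    """Choose k breakpoints that minimize total bytes sent.

    An optimal breakpoint always coincides with an observed size: lowering
    a breakpoint to the largest observed size below it keeps every message
    in the same bucket and only removes padding. So the search is a
    partition of the sorted sizes into k contiguous groups, each padded to
    its largest member, solved by dynamic programming in O(k * n^2).
    """
    sizes = sorted(hist)
    n = len(sizes)
    k = min(k, n)
    # prefix[j] = number of messages among the j smallest sizes
    prefix = [0] + list(accumulate(hist[s] for s in sizes))
    inf = float("inf")
    # best[m][j]: minimum bytes sent for the j smallest sizes using exactly
    # m breakpoints, the largest of which is sizes[j - 1].
    best = [[inf] * (n + 1) for _ in range(k + 1)]
    prev = [[0] * (n + 1) for _ in range(k + 1)]
    best[0][0] = 0
    for m in range(1, k + 1):
        for j in range(m, n + 1):
            for i in range(m - 1, j):
                if best[m - 1][i] == inf:
                    continue
                cost = best[m - 1][i] + sizes[j - 1] * (prefix[j] - prefix[i])
                if cost < best[m][j]:
                    best[m][j] = cost
                    prev[m][j] = i
    # Walk the choices back from the largest size to recover the breakpoints.
    chosen = []
    j = n
    for m in range(k, 0, -1):
        chosen.append(sizes[j - 1])
        j = prev[m][j]
    return chosen[::-1]


def compare(hist=SAMPLE_HIST, hand=HAND_TUNED):
    """Return wasted fractions for the hand-tuned and the optimal breakpoints."""
    _, _, hand_waste = padding_cost(hist, hand)
    best = optimal_breakpoints(hist, len(hand))
    _, _, best_waste = padding_cost(hist, best)
    return {"hand": hand_waste, "optimal": best_waste, "breakpoints": best}


if __name__ == "__main__":
    result = compare()
    print(f"hand-tuned {HAND_TUNED}: {result['hand']:.1%} of bytes are padding")
    print(f"optimal {result['breakpoints']}: {result['optimal']:.1%} of bytes are padding")
```

Fewer, coarser breakpoints leak less about message size but waste more bandwidth; the optimizer only addresses the bandwidth side of that trade-off.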
<cryptography(a)metzdowd.com>
Subject: Re: Has there been a change in US banking regulations recently?
> who's your enemy? The NSA? The SVR? Or garden-variety cybercrooks?
"Enemy"? We don't have to be the enemy for someone to crack our
security. We merely have to be in the way of something they want;
or to be a convenient tool or foil in executing a strategy.
Given the prevalence of Chinese crypto researchers at the open crypto
conferences, I suspect that China is as much of a threat as the US's
National Security Agency, Russia's Sluzhba Vneshney Razvedki, India's
Research and Analysis Wing, Japan's Jōhōhonbu, Israel's
Mossad, or Brazil's Agência Brasileira de Inteligência. A small
country with a good economy -- there are dozens more -- could also be
such a threat, if they focused on this area. The big ones can crack
RSA keys AND do all the other things big countries do.
Many people on this list provide significant civilian or military
infrastructures depended on by millions. When we know at least ten
nations are grasping at having the power to take down arbitrary
civilian infrastructures via cyberspace, we had better assume that
somebody among them can spend tens of millions of dollars *per year*
on key cracking. And how much work is it, really, for us to use
longer keys?
Not all of us are in the US. Those of us in the US perhaps have come
to a complacency about being a superpower - we haven't fought a war on
our own land, in which significant numbers of our own civilians died,
in what, a century? The US government's idiotic response to 9/11 has
made more enemies around the world every year, while simultaneously
destroying the value of our currency. The best time for a foreign
"enemy" to stop funding our $0.X trillion dollar a year debt would be
right after taking down much of our civilian infrastructure. And
perhaps it might be hard for Washington to raise a billion dollars a
day in international bond sales, even from friendly countries, when
the international financial networks had been subtly or completely
compromised? Hell, half the people in this country would starve two
days after their ATM cards stopped working. The whole point of the
trillion dollar Bush and Obama bailouts (which were done by moving a
few bits in a federal funds transfer network somewhere) was to avoid
the specter of long lines around the block at bank branches, full of
angry people failing to turn bits in bank accounting databases into
paper or gold money. Such a spectre would be easy for a cracker to
create -- and then how much confidence will people have in either the
currency or the government?
What keys secure that funds transfer network? Suppose an attacker
merely multiplied a random 10% of the transfers by 1000? Somebody
wires you a thousand dollars, you have a 10% chance of it becoming a
million. Wire a million, it might come through as a billion. Then
you look at strategy: should they pay themselves back immediately for
the cost of cracking the keys, then be quiet? Or should they just
make everyone a billionaire and make the entire currency worthless?
Did you think Adi Shamir's work on TWINKLE and TWIRL was theoretical?
Israeli leadership is paranoid enough to regularly shoot their friends
as well as their enemies, and usually in advance, on the theory of
weakening them *before* they turn against Israel. And Israel would
have a lot more geopolitical power in a world without superpowers.
Did you think nobody else was designing or building such things?
Thank Adi for publishing - but what he published might not have been
his very best design. Why did this community wait until a DES
cracker cost only $250,000 to build before thinking, duuh, maybe we
should defend our infrastructure against DES crackers. How many
countries had secret DES crackers before I built one publicly?
To this day, no country has admitted having one -- yet I have been
privately told that government experts were aware that the cost of
building one was in the $250K range. Do you think they learned that
merely by twirling a pencil at their desk, in agencies with budgets
way over $100 million a year?
(A private industry expert also told me that they'd been hoping the
first public DES cracker would happen at least a year later than it
did, to give them more time to secure their networks, e.g. before
their bosses found out how vulnerable the previous design was.)
In 2003, Shamir's estimate was that TWIRL could factor a 1024-bit
number in a year at a cost of about $10M US dollars. More recent
estimates are here:
http://people.csail.mit.edu/tromer/cryptodev/
Either that page hasn't been updated since 2006-7 or there's been no
published research since then. I encourage others to post more
surveys of the cost of cracking RSA keys using dedicated hardware.
A typical academic analysis, such as 1996's "Minimal Key Lengths
for Symmetric Ciphers to Provide Adequate Security" said things like:
Because ASICs require a far greater engineering investment than
FPGAs and must be fabricated in quantity before they are economical,
this approach is only available to serious, well-funded operations
such as dedicated commercial (or criminal) enterprises and government
intelligence agencies.
But that was bullshit. Two years later, a team of about six guys
designed and built a 1-week DES cracker for much less than what it
costs to buy a condo in San Francisco. Circuit layout and fabrication
services were readily available in the commercial market.
Anybody who builds and deploys one machine that can crack RSA-1024 in
a year will build more. The design is paid for; and it's cheaper to
build them in quantity 10 than in quantity 1. Every year the tech can
get better, too. After they've built 50, which perhaps only take six
months to crack a key, will YOUR key be one of the 100 keys that they
crack this year? How about next year?
Smart allied countries - or criminals - would split up the work,
attack different keys, and swap results, spreading the cost around --
two countries with banks of 50 6-mo machines could crack twice as deep
down into the infrastructure, rather than both of them wasting their
time cracking the same keys.
It wouldn't even take much coordination; they could offer a key
they've already cracked, to trade for another one. If somebody burns
them and gets a cracked key while failing to provide one, big deal;
they get one freebie. But if your partner keeps feeding you cracked
keys that were on your list but you hadn't gotten to, you'd keep doing
deals; it *halves* the cost of your cracking.
Who'll do the math to figure out how to crack ten thousand keys in
parallel in hardware? Such a device might not crack any particular
key in a year, but it'll crack *some* of those keys in a year,
depending on luck. Having such a machine would produce some
interesting results if you were in the cracked-key trading market.
You could probably trade some to people who value them more than you
do, in return for keys that you value more.
Now do you see why it's a bad idea that 90+% of keys are 1024 bits?
When that size became vulnerable, it brought market forces to bear on
the problem. If in fixing that mistake we make another sharp focus at
some other size, as soon as that size becomes barely vulnerable,
another key-cracking market will appear. It would be better if we had
a hundred small markets at different sizes. There might be six
critical keys you really want to crack with your new, expensive, slow,
right-at-the-limit-of-viability 1200 bit cracker - but only six. To
get the 1300-bit keys you'll need more years of design and
semiconductor evolution.
John
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com
1
0
On Sat, Dec 06, 2008 at 07:49:58PM -0500, gmaxwell(a)gmail.com wrote 0.2K bytes in 4 lines about:
: I've confirmed the reports of UK ISPs censoring Wikipedia using some
: UK tor exists.
http://en.wikinews.org/wiki/UK_ISPs_erect_%27Great_Firewall_of_Britain%27_t…
--
Andrew
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
1
0
<cryptography(a)metzdowd.com>
Subject: Re: Has there been a change in US banking regulations recently?
> who's your enemy? The NSA? The SVR? Or garden-variety cybercrooks?
"Enemy"? We don't have to be the enemy for someone to crack our
security. We merely have to be in the way of something they want;
or to be a convenient tool or foil in executing a strategy.
Given the prevalence of Chinese crypto researchers at the open crypto
conferences, I suspect that China is as much of a threat as the US's
National Security Agency, Russia's Sluzhba Vneshney Razvedki, India's
Research and Analysis Wing, Japan's JCE8hCE8honbu, Israel's
Mossad, or Brazil's AgbCbB*ncia Brasileira de InteligbCbB*nc. A
small
country with a good economy -- there are dozens more -- could also be
such a threat, if they focused on this area. The big ones can crack
RSA keys AND do all the other things big countries do.
Many people on this list provide significant civilian or military
infrastructures depended on by millions. When we know at least ten
nations are grasping at having the power to take down arbitrary
civilian infrastructures via cyberspace, we had better assume that
somebody among them can spend tens of millions of dollars *per year*
on key cracking. And how much work is it, really, for us to use
longer keys?
Not all of us are in the US. Those of us in the US perhaps have come
to a complacency about being a superpower - we haven't fought a war on
our own land, in which significant numbers of our own civilians died,
in what, a century? The US government's idiotic response to 9/11 has
made more enemies around the world every year, while simultaneously
destroying the value of our currency. The best time for a foreign
"enemy" to stop funding our $0.X trillion dollar a year debt would be
right after taking down much of our civilian infrastructure. And
perhaps it might be hard for Washington to raise a billion dollars a
day in international bond sales, even from friendly countries, when
the international financial networks had been subtly or completely
compromised? Hell, half the people in this country would starve two
days after their ATM cards stopped working. The whole point of the
trillion dollar Bush and Obama bailouts (which were done by moving a
few bits in a federal funds transfer network somewhere) was to avoid
the specter of long lines around the block at bank branches, full of
angry people failing to turn bits in bank accounting databases into
paper or gold money. Such a spectre would be easy for a cracker to
create -- and then how much confidence will people have in either the
currency or the government?
What keys secure that funds transfer network? Suppose an attacker
merely multipled a random 10% of the transfers by 1000? Somebody
wires you a thousand dollars, you have a 10% chance of it becoming a
million. Wire a million, it might come through as a billion. Then
you look at strategy: should they pay themselves back immediately for
the cost of cracking the keys, then be quiet? Or should they just
make everyone a billionaire and make the entire currency worthless?
Did you think Adi Shamir's work on TWINKLE and TWIRL was theoretical?
Israeli leadership is paranoid enough to regularly shoot their friends
as well as their enemies, and usually in advance, on the theory of
weakening them *before* they turn against Israel. And Israel would
have a lot more geopolitical power in a world without superpowers.
Did you think nobody else was designing or building such things?
Thank Adi for publishing - but what he published might not have been
his very best design. Why did this community wait until a DES
cracker cost only $250,000 to build before thinking, duuh, maybe we
should defend our infrastructure against DES crackers. How many
countries had secret DES crackers before I built one publicly?
To this day, no country has admitted having one -- yet I have been
privately told that government experts were aware that the cost of
building one was in the $250K range. Do you think they learned that
merely by twirling a pencil at their desk, in agencies with budgets
way over $100 million a year?
(A private industry expert also told me that they'd been hoping the
first public DES cracker would happen at least a year later than it
did, to give them more time to secure their networks, e.g. before
their bosses found out how vulnerable the previous design was.)
In 2003, Shamir's estimate was that TWIRL could factor a 1024-bit
number in a year at a cost of about $10M US dollars. More recent
estimates are here:
http://people.csail.mit.edu/tromer/cryptodev/
Either that page hasn't been updated since 2006-7 or there's been no
published research since then. I encourage others to post more
surveys of the cost of cracking RSA keys using dedicated hardware.
A typical academic analysis, such as 1996's "Minimal Key Lengths
for Symmetric Ciphers to Provide Adequate Security" said things like:
Because ASICs require a far greater engineering investment than
FPGAs and must be fabricated in quantity before they are economical,
this approach is only available to serious, well-funded operations
such as dedicated commercial (or criminal) enterprises and government
intelligence agencies.
But that was bullshit. Two years later, a team of about six guys
designed and built a 1-week DES cracker for much less than what it
costs to buy a condo in San Francisco. Circuit layout and fabrication
services were readily available in the commercial market.
Anybody who builds and deploys one machine that can crack RSA-1024 in
a year will build more. The design is paid for; and it's cheaper to
build them in quantity 10 than in quantity 1. Every year the tech can
get better, too. After they've built 50, which perhaps only take six
months to crack a key, will YOUR key be one of the 100 keys that they
crack this year? How about next year?
Smart allied countries - or criminals - would split up the work,
attack different keys, and swap results, spreading the cost around --
two countries with banks of 50 6-mo machines could crack twice as deep
down into the infrastructure, rather than both of them wasting their
time cracking the same keys.
It wouldn't even take much coordination; they could offer a key
they've already cracked, to trade for another one. If somebody burns
them and gets a cracked key while failing to provide one, big deal;
they get one freebie. But if your partner keeps feeding you cracked
keys that were on your list but you hadn't gotten to, you'd keep doing
deals; it *halves* the cost of your cracking.
Who'll do the math to figure out how to crack ten thousand keys in
parallel in hardware? Such a device might not crack any particular
key in a year, but it'll crack *some* of those keys in a year,
depending on luck. Having such a machine would produce some
interesting results if you were in the cracked-key trading market.
You could probably trade some to people who value them more than you
do, in return for keys that you value more.
Now do you see why it's a bad idea that 90+% of keys are 1024 bits?
When that size became vulnerable, it brought market forces to bear on
the problem. If in fixing that mistake we make another sharp focus at
some other size, as soon as that size becomes barely vulnerable,
another key-cracking market will appear. It would be better if we had
a hundred small markets at different sizes. There might be six
critial keys you really want to crack with your new, expensive, slow,
right-at-the-limit-of-viability 1200 bit cracker - but only six. To
get the 1300-bit keys you'll need more years of design and
semiconductor evolution.
John
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com
1
0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi y'all, weekly update time
* Index
1) Net status
2) 0.5
3) i2pmail.v2
4) azneti2p_0.2
5) ???
* 1) Net status
Hmm, not much to report here - things still work as they did last
week, size of the net is still pretty similar, perhaps a little
larger. Some neat new sites are popping up - see the forum [1]
and orion [2] for details.
[1]http://forum.i2p.net/viewforum.php?f=16
[2]http://orion.i2p/
* 2) 0.5
Thanks to the help of postman, dox, frosk, and cervantes (and
everyone who tunneled data through their routers ;), we've
collected a full day's worth of message size stats [3]. There are
two sets of stats there - height and width of the zoom. This was
driven by the desire to explore the impact of different message
padding strategies on the network load, as explained [4] in one of
the drafts for the 0.5 tunnel routing. (ooOOoo pretty pictures).
The scary part about what I found digging through those was that by
using some pretty simple hand-tuned padding breakpoints, padding to
those fixed sizes would still ended up with over 25% of the
bandwidth wasted. Yeah, I know, we're not going to do that.
Perhaps y'all can come up with something better by digging through
that raw data.
[3] http://dev.i2p.net/~jrandom/messageSizes/
[4] http://dev.i2p.net/cgi-bin/cvsweb.cgi/i2p/router/doc/
tunnel.html?rev=HEAD#tunnel.padding
Actually, that [4] link leads us into the state of the 0.5 plans for
the tunnel routing. As Connelly posted [5], there has been a lot of
discussion lately on IRC about some of the drafts, with polecat,
bla, duck, nickster, detonate and others contributing suggestions
and probing questions (ok, and snarks ;). After a little more than
a week, we came across a potential vulnerability with [4] dealing
with an adversary who was somehow able to take over the inbound
tunnel gateway who also controlled one of the other peers later in
that tunnel. While in most cases this by itself wouldn't expose the
endpoint, and would be probabalistically hard to do as the network
grows, it still Sucks (tm).
So in comes [6]. This gets rid of that issue, allows us to have
tunnels of any length, and solves world hunger [7]. It does open
another issue where an attacker could build loops in the tunnel, but
based on a suggestion [8] Taral made last year regarding the session
tags used on ElGamal/AES, we can minimize the damage done by using
a series of synchronized pseudorandom number generators [9].
[5] http://dev.i2p.net/pipermail/i2p/2005-January/000557.html
[6] http://dev.i2p.net/cgi-bin/cvsweb.cgi/i2p/router/doc/
tunnel-alt.html?rev=HEAD
[7] guess which statement is false?
[8] http://www.i2p.net/todo#sessionTag
[9] http://dev.i2p.net/cgi-bin/cvsweb.cgi/i2p/router/doc/
tunnel-alt.html?rev=HEAD#tunnel.prng
Don't worry if the above sounds confusing - you're seeing the
innards of some gnarly design issues being wrung out in the open.
If the above *doesnt* sound confusing, please get in touch, as we're
always looking for more heads to hash through this stuff :)
Anyway, as I mentioned on the list [10], next up I'd like to get the
second strategy [6] implemented to hash through the remaining
details. The plan for 0.5 is currently to get all of the backwards
incompatible changes together - the new tunnel crypto, etc - and
push that as 0.5.0, then as that settles on the net, move on to the
other parts of 0.5 [11], such as adjusting the pooling strategy as
described in the proposals, pushing that as 0.5.1. I'm hoping we
can still hit 0.5.0 by the end of the month, but we'll see.
[10] http://dev.i2p.net/pipermail/i2p/2005-January/000558.html
[11] http://www.i2p.net/roadmap#0.5
* 3) i2pmail.v2
The other day postman put out a draft plan of action for the next
generation mail infrastructure [12], and it looks bloody cool. Of
course, there are always yet more bells and whistles we can dream
up, but its got a pretty nice architecture in many ways. Check out
what's been doc'ed up so far [13], and get in touch with the postman
with your thoughts!
[12] http://forum.i2p.net/viewtopic.php?t=259
[13] http://www.postman.i2p/mailv2.html
4) azneti2p_0.2
As I posted to the list [14], the original azneti2p plugin for
azureus had a serious anonymity bug. The problem was that mixed
torrents where some users are anonymous and others are not, the
anonymous users would contact the non-anonymous users /directly/
rather than through I2P. Paul Gardner and the rest of the azureus
devs were quite responsive and put out a patch right away. The
issue I saw is no longer present in azureus v. 2203-b12 +
azneti2p_0.2.
We haven't gone through and audited the code to review any potential
anonymity issues though, so "use at your own risk" (OTOH, we say the
same about I2P, prior to the 1.0 release). If you're up for it, I
know the azureus devs would appreciate more feedback and bug reports
with the plugin. We'll of course keep people informed if we find
out about any other issues.
[14] http://dev.i2p.net/pipermail/i2p/2005-January/000553.html
* 5) ???
Lots going on, as you can see. I think that's about all I've got to
bring up, but please swing by the meeting in 40 minutes if there's
something else you'd like to discuss (or if you just want to rant
about the stuff above)
=jr
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFB7XCWGnFL2th344YRAmhxAKC9tc+9ocOgu02PBAH1iBEghzpVXQCbBHLB
LFh9H55UFtsLPRFk7hxdv1c=
=0FdX
-----END PGP SIGNATURE-----
_______________________________________________
i2p mailing list
i2p(a)i2p.net
http://i2p.dnsalias.net/mailman/listinfo/i2p
----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
Thus spake Nathan Freitas (nathan(a)freitas.net)
> On 09/26/2012 10:08 AM, meh. wrote:
> >
> > After implementing the torchat protocol and seeing how bad it is,
> > but how nice the idea is, I started thinking it would be cool to
> > have a more general protocol for P2P use through hidden services.
>
> This is something we have definitely been considering as a feature or
> add-on to Orbot - essentially mobile-to-mobile file sharing,
> messaging/voice messaging via hidden services.
>
> While we don't need a very complex p2p design (in short, we are mostly
> just talking about simple HTTP servers running on each device, behind
> a hidden service .onion), I am concerned in the long run about
> scalability and reliability of this. It is not unheard of for apps
> that work well and do something cool to suddenly have 1M+ users, and
> already are nearing half that with Orbot.
This is a great point, and I wish I could reply to it and Robert's
comments about DoSing the hsdirs in the same mail.
It would seem that "simple" solutions might end up destroying the Tor
network. Based on Robert's comments, it sounds like the properties we
need are:
1. Persistent hidserv connections. Reconnecting for each message via an
HTTP POST is right out. Way too many circuits+onionskins to scale.
2. Avoid the situation where a single user is creating multiple hidden
services for all their crazy P2P apps.
For 1: It would seem to me that a system that ships a local torified
XMPP server would satisfy this. XMPP is fully decentralized, and
maintains persistent connections between servers. Each user would run
their own server over .onion.
For 2: The resource identifiers of XMPP mean we can connect multiple
XMPP clients to a single local XMPP server, and have them provide
multiple (admittedly linkable) P2P services over XMPP 'streams' without
spinning up additional hidden services for each client app.
XMPP has some obvious downsides... We'd need to audit the whole beast to
make sure the federation+decentralization properties can't be
manipulated to connect to things over non-tor.
It also appears to have the property that social networks where
everybody wants presence notifications for everybody else end up
requiring O(n^2) persistent hidserv connections between the n XMPP
servers... Not sure how serious this is, or if there are any workable
decentralized alternatives.
However, unlike torchat, the XMPP protocol itself is well documented,
widely used, and seems to be designed for a superset of the things we
want. I was able to spend just 10 minutes reviewing the XMPP specs to
fact-check before composing this email:
http://xmpp.org/xmpp-protocols/rfcs/
I was unable to determine if torchat even has property 1 in that time...
--
Mike Perry
_______________________________________________
tor-talk mailing list
tor-talk(a)lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
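A small in-memory model of the design proposed in the message above, added here as an illustration and not code from the thread or from any XMPP server: each user runs one server behind one hidden service, client apps are told apart by the resource part of the JID, one persistent link per remote peer is reused for every stanza, and federation to a non-.onion domain is refused. The class and function names and the `*-placeholder.onion` addresses are constructed, and nothing here opens a network connection.

```python
from itertools import combinations


def parse_jid(jid):
    """Split a full JID 'local@domain/resource' into (local, domain, resource)."""
    bare, slash, resource = jid.partition("/")   # resource may itself contain '/' or '@'
    local, at, domain = bare.partition("@")
    if not (slash and at and local and domain and resource):
        raise ValueError(f"not a full JID: {jid!r}")
    return local, domain.lower(), resource


class LocalServer:
    """One user's XMPP server, published as exactly one hidden service."""

    def __init__(self, onion):
        self.onion = onion
        self.inbox = {}   # resource -> stanzas delivered to that client app
        self.links = {}   # remote onion -> stanzas carried on that persistent link

    def bind(self, resource):
        """Attach a client app; it is addressed by resource, not by a new .onion."""
        self.inbox[resource] = []
        return f"user@{self.onion}/{resource}"

    def send(self, network, from_resource, to_jid, payload):
        _, domain, resource = parse_jid(to_jid)
        if not domain.endswith(".onion"):
            # The audit concern from the message: federation must not leave Tor.
            raise ValueError(f"refusing to federate outside Tor: {domain}")
        # Reuse the existing link to this peer; a new key appears only on first contact.
        self.links[domain] = self.links.get(domain, 0) + 1
        network[domain].inbox[resource].append((self.onion, from_resource, payload))


def links_needed(subscriptions):
    """Distinct server pairs that must keep a persistent link for presence."""
    return len({frozenset(p) for p in subscriptions if p[0] != p[1]})


def linkable_groups(jids):
    """Group full JIDs by hidden service: resources of one server are linkable."""
    groups = {}
    for jid in jids:
        _, domain, resource = parse_jid(jid)
        groups.setdefault(domain, set()).add(resource)
    return groups


def demo():
    alice = LocalServer("alice-placeholder.onion")   # constructed address
    bob = LocalServer("bob-placeholder.onion")       # constructed address
    network = {s.onion: s for s in (alice, bob)}
    alice.bind("chat")
    alice.bind("files")
    bob_chat, bob_files = bob.bind("chat"), bob.bind("files")
    for i in range(5):
        alice.send(network, "chat", bob_chat, f"message {i}")
    alice.send(network, "files", bob_files, "chunk 0")
    return {
        "hidden_services": len(network),
        "links_opened_by_alice": len(alice.links),
        "connections_if_reconnecting_per_message": sum(alice.links.values()),
        "bob_chat_received": len(bob.inbox["chat"]),
        "bob_files_received": len(bob.inbox["files"]),
    }


if __name__ == "__main__":
    print(demo())
    peers = [f"peer{i}-placeholder.onion" for i in range(10)]
    print("full presence mesh:", links_needed(combinations(peers, 2)))
    print("star roster:", links_needed((peers[0], p) for p in peers[1:]))
```

In the model, six stanzas from two apps travel over one link, and ten servers that all subscribe to each other's presence need 45 links, against 9 for a star-shaped roster.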
06 Jul '18
If this approval by the ITU is true - then it is no surprise at all, but
what one would expect. What else has the ITU in the past ever been than an
instrument that supports capitalist interests and commodification of the
ICT and telecommunications industries?
DPI can advance large-scale monitoring of citizens by the state-capital
complex that is connected by a right-wing state ideology of fighting crime
and terror by massive use of surveillance technologies and a neoliberal
ideology of capitalist organisations that want to make a profit out of
surveillance and want to hinder the undermining of intellectual property
rights.
See this:
Christian Fuchs: Implications of Deep Packet Inspection (DPI) Internet
Surveillance for Society.
http://www.projectpact.eu/documents-1/%231_Privacy_and_Security_Research_Pa…
Best, CF
Am 12/5/12 7:11 PM, schrieb Nicholas Judd:
> Hi list, Nick from techPresident here. If I could tap into your hive-mind intelligence for a moment to help me be more precise about explaining why this is an issue, I would appreciate it ...
>
> Governments, intelligence organizations and assorted nogoodniks already use deep-packet inspection, so the declaration of a standard for DPI comes off as vaguely Orwellian but not news. I'm searching for a way to explain the privacy-advocate position on this both accurately and concisely.
>
> The sense I get from CDT's blog post is that there are three reasons why this is more than just creepy in principle:
>
> 1. The standard outlines ways that, in the ITU's view, ISPs should structure their operations so that highly invasive surveillance can function;
> 2. Under current governance, this standard could be as widely ignored as the <blink> tag, but ISPs could be forced to comply if the ITU becomes a must-follow standards-making body for the Internet -- meaning all traffic in every ITU member state, in this extreme example, would be vulnerable by design;
> 3. On principle, IETF and W3C don't address standards for surveillance, highlighting another way the ITU is ideologically removed from the way the Internet is now governed.
>
> Am I on target here?
>
> On Dec 5, 2012, at 12:41 PM, Cynthia Wong wrote:
>
>> The final version of the standard should show up here... eventually:
>>
>> http://www.itu.int/en/ITU-T/publications/Pages/latest.aspx
>>
>> http://www.itu.int/dms_pages/itu-t/rec/T-REC-RSS.xml
>>
>>
>>
>> -----Original Message-----
>> From: liberationtech-bounces(a)lists.stanford.edu [mailto:liberationtech-bounces@lists.stanford.edu] On Behalf Of Asher Wolf
>> Sent: Wednesday, December 05, 2012 7:38 AM
>> To: liberationtech(a)lists.stanford.edu
>> Subject: Re: [liberationtech] /. ITU Approves Deep Packet Inspection
>>
>> From http://committee.tta.or.kr :
>> Revision of Y.2770 Requirements for #DPI in Next Generation Networks http://bit.ly/Yx0Sya (via @BetweenMyths)
>>
>> On 5/12/12 9:25 PM, Andre Rebentisch wrote:
>>> Am 05.12.2012 10:27, schrieb Eugen Leitl:
>>>> http://yro.slashdot.org/story/12/12/05/0115214/itu-approves-deep-pack
>>>> et-inspection
>>>>
>>>>
>>>> ITU Approves Deep Packet Inspection
>>>>
>>>> Posted by Soulskill on Tuesday December 04, @08:19PM
>>>>
>>>> from the inspect-my-encryption-all-you'd-like dept.
>>>>
>>>> dsinc sends this quote from Techdirt about the International
>>>> Telecommunications Union's ongoing conference in Dubai that will have
>>>> an effect on the internet everywhere:
>>> The WCIT is a "diplomatic conference" for the rules governing the ITU,
>>> the ITRs. It seems wrong to mix that with ongoing specific
>>> standardisation work of the ITU.
>>>
>>> Anyway, interesting discussions over at circleid.com:
>>> http://www.circleid.com/posts/20121203_wcit_off_to_a_flying_start/
>>> Apparently ITU fellows are disgruntled that they cannot control the
>>> media coverage and complain about all the "misinformation".
>>>
>>> Best,
>>> André
>>>
>>>
>>> --
>>> Unsubscribe, change to digest, or change password at:
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
ANNOUNCING Tahoe, the Least-Authority Filesystem, v1.4
The allmydata.org team is pleased to announce the release of version
1.4.1 of "Tahoe", the Lightweight-Authorization Filesystem. This is the
first release of Tahoe-LAFS which was created solely as a labor of love
by volunteers -- it is no longer funded by allmydata.com (see [1] for
details).
Tahoe-LAFS is a secure, decentralized, fault-tolerant cloud storage
system. All of the source code is publicly available under Free
Software, Open Source licences.
This filesystem is distributed over multiple servers in such a way the
filesystem continues to operate correctly even when some of the servers
are unavailable, malfunctioning, or malicious. Here is the one-page
explanation of Tahoe's unique security and fault-tolerance properties:
http://allmydata.org/source/tahoe/trunk/docs/about.html
This is the successor to Tahoe-LAFS v1.3, which was released February
13, 2009 [2]. This is a major new release, adding garbage collection,
improved diagnostics and error-reporting, and fixing a critical
performance problem when downloading large (many GB) files.
See the NEWS file [3] and the known_issues.txt file [4] for more
information.
Besides the Tahoe core, a crop of related projects have sprung up,
including frontends for Windows and Macintosh, two front-ends written in
JavaScript, a Ruby interface, a plugin for duplicity, a plugin for
TiddlyWiki, a new backup tool named "GridBackup", CIFS/SMB integration,
an iPhone app, and three incomplete frontends for FUSE. See the Related
Projects page on the wiki: [5].
COMPATIBILITY
Tahoe v1.4 is fully compatible with the version 1 series of Tahoe. Files
written by v1.4 clients can be read by clients of all versions back to
v1.0. v1.4 clients can read files produced by clients of all versions
since v1.0. v1.4 servers can serve clients of all versions back to v1.0
and v1.4 clients can use servers of all versions back to v1.0.
This is the fifth release in the version 1 series. The version 1 series
of Tahoe will be actively supported and maintained for the foreseeable
future, and future versions of Tahoe will retain the ability to read
files and directories produced by Tahoe v1 for the foreseeable future.
The version 1 branch of Tahoe is the basis of the consumer backup
product from Allmydata, Inc. -- http://allmydata.com .
WHAT IS IT GOOD FOR?
With Tahoe, you can distribute your filesystem across a set of servers,
such that if some of them fail or even turn out to be malicious, the
entire filesystem continues to be available. You can share your files
with other users, using a simple and flexible access control scheme.
Because this software is new, we do not categorically recommend it as
the sole repository of data which is extremely confidential or
precious. However, we believe that erasure coding, strong encryption,
Free/Open Source Software and careful engineering make Tahoe safer than
common alternatives, such as RAID, removable drive, tape, "on-line
storage" or "Cloud storage" systems.
This software comes with extensive tests, and there are no known
security flaws which would compromise confidentiality or data integrity.
(For all currently known issues please see the known_issues.txt file
[3].)
This release of Tahoe is suitable for the "friendnet" use case [6] --
it is easy to create a filesystem spread over the computers of you and
your friends so that you can share disk space and files.
LICENCE
You may use this package under the GNU General Public License, version
2 or, at your option, any later version. See the file "COPYING.GPL"
[7] for the terms of the GNU General Public License, version 2.
You may use this package under the Transitive Grace Period Public
Licence, version 1 or, at your option, any later version. (The
Transitive Grace Period Public Licence has requirements similar to the
GPL except that it allows you to wait for up to twelve months after you
redistribute a derived work before releasing the source code of your
derived work.) See the file "COPYING.TGPPL.html" [8] for the terms of
the Transitive Grace Period Public Licence, version 1.
(You may choose to use this package under the terms of either licence,
at your option.)
INSTALLATION
Tahoe works on Linux, Mac OS X, Windows, Cygwin, and Solaris, and
probably most other systems. Start with "docs/install.html" [9].
HACKING AND COMMUNITY
Please join us on the mailing list [10]. Patches are gratefully
accepted -- the RoadMap page [11] shows the next improvements that we
plan to make and CREDITS [12] lists the names of people who've
contributed to the project. The wiki Dev page [13] contains resources
for hackers.
SPONSORSHIP
Tahoe was originally developed thanks to the sponsorship of Allmydata,
Inc. [14], a provider of commercial backup services. Allmydata,
Inc. created the Tahoe project, and contributed hardware, software,
ideas, bug reports, suggestions, demands, and money (employing several
Tahoe hackers and instructing them to spend part of their work time on
this Free Software project). Also they awarded customized t-shirts to
hackers who find security flaws in Tahoe (see http://hacktahoe.org
). After discontinuing funding of Tahoe R&D in early 2009, Allmydata,
Inc. has continued to provide servers, co-lo space and bandwidth to the
open source project. Thank you to Allmydata, Inc. for their generous and
public-spirited support.
Zooko Wilcox-O'Hearn
on behalf of the allmydata.org team
Special acknowledgment goes to Brian Warner, whose superb engineering
skills and dedication are primarily responsible for the Tahoe
implementation, and significantly responsible for the Tahoe design as
well, not to mention most of the docs and tests and many other things
besides.
April 13, 2009
Boulder, Colorado, USA
[1] http://allmydata.org/pipermail/tahoe-dev/2009-March/001461.html
[2] http://allmydata.org/trac/tahoe/browser/relnotes.txt?rev=3620
[3] http://allmydata.org/trac/tahoe/browser/NEWS?rev=3835
[4] http://allmydata.org/trac/tahoe/browser/docs/known_issues.txt
[5] http://allmydata.org/trac/tahoe/wiki/RelatedProjects
[6] http://allmydata.org/trac/tahoe/wiki/UseCases
[7] http://allmydata.org/trac/tahoe/browser/COPYING.GPL
[8] http://allmydata.org/source/tahoe/trunk/COPYING.TGPPL.html
[9] http://allmydata.org/source/tahoe/trunk/docs/install.html
[10] http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
[11] http://allmydata.org/trac/tahoe/roadmap
[12] http://allmydata.org/trac/tahoe/browser/CREDITS?rev=3758
[13] http://allmydata.org/trac/tahoe/wiki/Dev
[14] http://allmydata.com
---
Tahoe, the Least-Authority Filesystem -- http://allmydata.org
store your data: $10/month -- http://allmydata.com/?tracking=zsig
I am available for work -- http://zooko.com/risumi.html
_______________________________________________
tahoe-dev mailing list
tahoe-dev(a)allmydata.org
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 7.19, 7 October 2009
============================================================
Contents
============================================================
1. Controversial draft Framework Decision on Child Sexual Exploitation
2. Reding: EU policy for information society for the next years
3. Turkey blocks thousands of foreign websites
4. Deja-vu: France's three-strikes law referred to Constitutional Council
5. The Pirate Bay may be banned in Italy
6. France wants to filter online gambling sites
7. Paris Court of Appeals on a GPL - related case
8. US gives up its unilateral supervision powers over ICANN
9. ENDitorial: Amendment 138-EP asked to choose between democracy and defeat
10. Recommended Reading
11. Agenda
12. About
============================================================
1. Controversial draft Framework Decision on Child Sexual Exploitation
============================================================
The Civil Liberties Committee of the European Parliament held its first
exchange of views on the controversial Proposal for a Framework Decision on
combatting the sexual abuse, sexual exploitation of children and child
pornography. The draft legislation includes an obligation to require ISPs to
"block" access to child pornography sites and attempts to harmonise the
approach of the 27 EU Member States to this issue. This new legislation
repeals and replaces an existing instrument from 2004, which failed to have
a significant impact on harmonisation in some of the key areas covered by
the legislation, such as the definition of "child pornography" and which was
also not fully implemented by all Member States.
In the meeting, the European Commission defended its proposal for mandatory
blocking on the simple basis that it will "prevent crime" because customers
will no longer be able to access commercial child pornography sites
directly. Fundamental issues such as whether this approach, with its various
technical limitations and practical inadequacies, would be proportionate to
the "solution" being offered were not addressed or acknowledged. The fact
that circumvention is possible was, however, mentioned. A Commission
official also made several obscure references to plans to take
"extraterritorial" action to have websites taken offline at source. These
statements appear to echo plans in the Commission Communication of June 2009
on "an area of freedom security and justice serving the citizen"
COM(2009)262 to create "mechanisms to revoke the IP addresses of criminal
ISPs and to facilitate rapid shutdown of websites outside Europe".
The MEP in charge, Roberta Angelilli (EPP, Italy) was also responsible for a
report on the previous Framework Decision adopted by the Parliament earlier
this year. At that time, the Parliament rejected her attempt to propose
blocking as a solution for child pornography websites. In the previous
session of the Parliament, she was an ordinary member of one of the smallest
political groups in the Parliament, but she is now a Parliament
Vice-President and a member of the biggest political group. She was not
present for this first discussion and her substitute Salvatore Iacolino
(EPP, Italy) did not mention blocking.
EDRi distributed its position paper to the political groups before the
meeting. During the debate, issues raised in the EDRi position paper were
highlighted by some MEPs. In particular, Jan-Philipp Albrecht (Germany,
Greens) and Birgit Sippel (S&D, Germany) raised serious concerns regarding
the need to engage in effective international cooperation to remove websites
at source rather than leaving them online to be accessed via technical
circumvention measures or accessed directly in countries where they are not
blocked. On the other side of the argument, certain MEPs did not reflect on
the rights and wrongs of blocking, preferring instead to call for
"everything" to be done to protect children, on the unexplained assumption
that blocking would achieve this goal.
One key issue of controversy in the Impact Assessment is the question of
whether or not a legal basis for blocking is necessary in order for it to
comply with Article 10 of the European Convention on Human Rights. This is
significant because some countries that have already implemented blocking
have done so without a legal basis and rumours emerging from the Council
suggest that "self-regulation" is being discussed as an alternative to
mandatory blocking. The Commission document explains that Member States
should only consider legislation in the absence of "effective"
self-regulation (i.e. no legislation is needed). It then goes on to explain
that over-blocking is a concern and, in the absence of blocking being
"prescribed by law", "this measure risks to amount to a non-legitimate
interference with fundamental rights" (i.e. legislation may be needed).
Finally, the Impact Assessment argues that "as interpreted by the European
Court of Human Rights in Strasbourg, to respect fundamental rights such
interference needs to be in accordance with the law and constitute a
necessary measure in a democratic society for important interests, such as
the prevention of crime. Such measures must indeed be subject to law, or they
are illegal".
EDRi position paper: Framework Decision on Child Sexual Exploitation
(Angelilli Report) (28.09.2009)
http://www.edri.org/files/edri_blocking_paper090928.pdf
Impact assessment:
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=SEC:2009:0355:FIN:EN:…
Proposal:
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52009PC0136:EN:…
(links to all EU languages)
Commission Communication on freedom, security and justice:
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0262:FIN:EN:…
(Contribution by Joe McNamee - EDRi )
============================================================
2. Reding: EU policy for information society for the next years
============================================================
The EU Commissioner for Information Society and Media, Viviane Reding,
took part last week in a breakfast event organised by the European
Digital Media Association (EDiMA) and gave a speech highlighting the key
EU policy areas for the information society under the next Commission.
Ms. Reding insisted that President Barroso has announced his policy
commitment to define, under the next Commission, an ambitious European
Digital Agenda that is scheduled for adoption in March 2010, aimed at
tackling the main obstacles to a genuine digital single market with targeted
legislative measures.
She also pointed out the five main points where pro-active measures are
needed from the Commission:
1. The issue of mass-scale digitisation of books and orphan works. Ms.
Reding expressed her frustration regarding the development of
Europeana, Europe's digital library, and pushed for "a modern set of European
rules that encourage the digitisation of books, including one or several
European Right Registries".
"If we don't act quickly, soon U.S. citizens will not only benefit from the
largest digital content offer, they will also be able to access through a
simple click almost 10 million books, including orphan works which are
largely part of our European cultural heritage. As European citizens,
students, teachers and researchers will not be able to do the same, there
is an actual risk of establishing a new digital divide across the Atlantic"
stressed the Commissioner.
2. A harmonised single European market with clearer rules enabling users
to be free to buy and enjoy anywhere, anytime and on any platform the
content they paid for. On this topic the Commissioner suggested a reflection
paper over a set of possible policy and legislative options aimed at
facilitating multi-territorial or EU-wide licensing for digital content. She
rejected the "Copyright task force" aimed at policy coordination - as
suggested by EDiMA - and argued for a common objective of the key
directorates in the Commission: "a modern, pro-competitive and
consumer-friendly single-market framework for digitising, accessing and
licensing digital content online across the 27 EU Member States."
3. The European-wide adoption of the global web accessibility standard,
the new Web Content Accessibility Guidelines.
4. Industry and consumers should work together for a European system of
trustmarks.
5. Network neutrality. Ms Reding praised the European Parliament for
"strengthening" the provisions concerning net neutrality in the Telecom
package and suggested a broad debate in 2010 about this topic. The
Commissioner also confirmed that she was a strong advocate for Internet
neutrality:
"I have myself indicated that I would be prepared to act on this basis in
case of continued blocking of Voice over IP services by certain mobile
operators. The new Telecom package is in many instances a quite robust
answer to such new threats to net neutrality. However, I also know that
technology and regulation will evolve further in the years to come. And I
plan to be Europe's first line of defence whenever it comes to real threats
to net neutrality."
This seems to contradict the current text of the Telecom
package, heavily criticized by civil society especially for not providing
enough safeguards for network neutrality. Moreover, the discussions between
the EP Conciliation Committee and the European Council seem to go in the
opposite direction: not reopening the negotiations on the network
neutrality subjects.
Viviane Reding, Member of the European Commission responsible for Information
Society and Media: The Digital Single Market: a key to unlock the potential
of the knowledge based economy - EDiMA's White Paper on Policy Strategy for
the Development of New Media Services 2009-2014 - Launch Breakfast Event,
Brussels (1.10.2009)
http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/09/429&forma…
Opening the Package "too risky" for EU (28.09.2009)
http://www.iptegrity.com/index.php?option=com_content&task=view&id=415&Item…
Concerns About Article 20, 21 and Recital 26 of the Telecoms Package
(27.09.2009)
http://www.laquadrature.net/en/concerns-about-article-20-21-and-recital-26-…
============================================================
3. Turkey blocks thousands of foreign websites
============================================================
Following the entry into force in November 2007 of Turkish Law No.
5651, entitled Regulation of Publications on the Internet and Suppression of
Crimes Committed by means of Such Publication, a large number of websites
have been blocked in Turkey.
According to Dr. Yaman Akdeniz, Founder and Director of Cyber-Rights &
Cyber-Liberties (UK), there are at present more than 6000 websites blocked
in Turkey, including well-known sites such as YouTube, WordPress, GoogleGroups
and Sites, DailyMotion and others. Some of the sites are blocked by court
orders while most of them are blocked by administrative blocking orders
issued by the Telecommunications Communication Presidency (TIB).
Some websites are blocked because they are considered obscene, others for
involving child abuse and sexual exploitation, gambling, betting or
prostitution, and others for being considered related to crimes committed
against Atatürk.
Some of the websites have been blocked by courts although the reasons for
blocking them were outside the scope of Law No. 5651. Website blocking
can also occur in relation to intellectual property, and websites such as The
Pirate Bay or MegaUpload are constantly blocked in Turkey. Myspace has
recently been blocked and, for a temporary period of time, even Farmville, the
game offered by Zynga.com through Facebook, was also blocked based on an
administrative decision because Zynga promotes gambling through some of its
social games. Two other sites related to the largest gay community in Turkey
were blocked the same day and it seems the sites intend to challenge the
order.
Since May 2009, TIB has decided not to publish any statistics or details
related to the websites blocked on the basis of Law No. 5651, which, as Dr.
Akdeniz says, is "a step backwards and in the absence of information,
openness, and transparency".
From Farmville to Gayville, Internet censorship continues in Turkey
(4.10.2009)
http://cyberlaw.org.uk/2009/10/04/from-farmville-to-gayville-internet-censo…
At least 6000 websites censored from Turkey (22.09.2009)
http://cyberlaw.org.uk/2009/09/22/at-least-6000-websites-censored-from-turk…
Unblock The Banned Websites In Turkey Petition (28.09.2009)
http://www.besthostingservices.net/215/unblock-the-banned-websites-in-turke…
EDRi-gram: Turkey: Another blocking order against YouTube (3.12.2008)
http://www.edri.org/edri-gram/number6.23/youtube-turkey-blocked-november2008
============================================================
4. Deja-vu: France's three-strikes law referred to Constitutional Council
============================================================
As expected, on 28 September 2009 the socialist group of the French
National Assembly submitted their referral to the Constitutional Council
against the second version of the three strikes law (so-called Hadopi 2)
passed in September through both chambers of the French Parliament.
The text of the referral, obtained exclusively by Liberation, challenges the
law article by article. The main argument supported by the socialist group
against the law is the non-observance by the Assembly of the "procedural
guarantees regarding the sanctions involved", meaning the right to a fair
trial, right to defense, presumption of innocence etc. Other arguments are
some of those which caused the rejection of the first version of the law,
Hadopi 1, by the Constitutional Council in June 2009, such as the
sanctioning of a user for negligence.
Another unconstitutional provision is related to the simplified procedure
chosen by the government in the application of sanctions. According to the
French Criminal Code, "the public ministry can appeal to the simplified
procedure only when it results from the police enquiry that the deeds the
defendant is investigated for are established". A simple IP address sent by
the HADOPI authority to the judge is not enough to prove the facts the user is
accused of. The procedure looks more like an administrative procedure,
putting the judge in the position of just approving a decision already
taken.
The Constitutional Council has a month to take its decision on the matter.
Hadopi 2: the appeal to the Constitutional Council submitted on Friday (only
in French, 24.09.2009)
http://www.numerama.com/magazine/14056-hadopi-2-le-recours-au-conseil-const…
Hadopi-2 goes to Constitutional Council
http://www.iptegrity.com/index.php?option=com_content&task=view&id=417&Item…
Hadopi 2: Exclusively, the referral submitted to the Constitutional Council
(only in French, 28.09.2009)
http://www.ecrans.fr/Hadopi-2-En-exclu-la-saisine,8192.html
EDRi-gram: The French Constitutional Council censures the 3 strikes law
(17.07.2009)
http://www.edri.org/edri-gram/number7.12/3-strikes-censured-council-constit…
============================================================
5. France wants to filter online gambling sites
============================================================
From 7 to 9 October 2009, the French National Assembly will discuss a
draft law on opening up the online gambling sector to competition and
regulating it. The text foresees the creation of an authority similar to
HADOPI, called ARJEL, that would order the filtering of the gambling sites
considered to operate illegally.
Although in a first version of the draft law ARJEL referred the blocking
of a site to a judge, the present text, in order to expedite the procedure,
gives the authority the direct right to impose the filtering of
websites on ISPs.
ARJEL is meant to operate in a similar way to HADOPI. The authority will
address the non-authorised gambling sites asking them to observe the
interdiction and giving them 8 days to present their observations. In case
of non-compliance, the authority may order the banning of the service. The
authority can act upon any claim made by any natural or legal person.
The text says nothing about the filtering methods to be used or the way to
make public or update the list of sites to be blocked and no reference is
made to the costs incurred by blocking the sites. Deputy Lionel Tardy and
the socialist group have submitted an amendment to the text by which they
require the filtering modalities to be specified by the law as well as the
modalities to compensate the costs supported by operators. The group also
asks for the reintroduction of the initial legal procedure, where a judge is
the one who takes the decision regarding blocking the websites.
La Quadrature du Net warns that filtering sites is not only entirely
inefficient but also a dangerous measure, as it may set a precedent
allowing for an extension from gambling sites to other types of sites later
on, opening the door to limitations of the freedom of expression and
bringing forth the risk of censoring the Internet. There is also the risk of
blocking sites other than the targeted ones, which may happen when access to
a site is blocked, especially if this is done based on its IP address.
Another serious issue is that ARJEL, as an administrative authority, is given
the power to directly filter sites, which is unconstitutional.
As it happened in case of Hadopi, la Quadrature du Net encourages the
citizens to contact their deputies and convince them to stop Internet
filtering.
Online gambling: The Assembly asked to vote for Net filtering (only in
French, 5.10.2009)
http://www.numerama.com/magazine/14141-jeu-en-ligne-l-assemblee-appelee-a-v…
Blocking a site is to limit access to the Internet (only in French,
2.10.2009)
http://www.ecrans.fr/Loi-sur-les-jeux-en-ligne-Bloquer,8276.html
Online gambling: Filtering the Net on 7 October in the Assembly (only in
French, 5.10.2009)
http://www.laquadrature.net/fr/jeu-en-ligne-filtrage-du-net-le-7-octobre-a-…
Draft project: Economy: online gambling- Preliminary works of the National
Assembly - First reading (only in French)
http://www.assemblee-nationale.fr/13/dossiers/jeux_argent.asp
Draft Law N° 1549 - National Assembly - on the openness to competition and
the regulation of online gambling (only in French, 30.03.2009)
http://www.assemblee-nationale.fr/13/projets/pl1549.asp
============================================================
6. The Pirate Bay may be banned in Italy
============================================================
An appeal won on 24 September 2008 against the decision of the Italian court
enforced on 10 August 2008 ordering the seizure of The Pirate Bay (TPB) in
Italy, has been reversed by the Italian Court of Cassation.
The Order of the Justice for preliminary investigation of the Court of
Bergamo issued in August 2008 was asking for the "seizure" of the
PirateBay website for displaying links to allegedly illegal duplicated
material and was forcing Italian ISPs to block the access to that site.
Following the EDRi-member ALCEI report to the Italian Data Protection
Authority showing violations of the law in the seizure order, the Bergamo
Criminal Court overruled the seizure but only on a procedural basis. Now the
Italian Court of Cassation has admitted the recourse of the Bergamo
Prosecutors and has decided to send back the case to the first competent
court.
TPB can once again be blocked in Italy, to the satisfaction of FIMI, the
major representative body of the Italian record labels which, early this
year, together with anti-piracy organisation FPM, filed a 1 million euro
damages lawsuit against the site on behalf of the Italian music industry.
In the meantime in Sweden, in TPB's appeal case against the ruling from
April 2009, judge Fredrik Niemelä has been disqualified by the Appeal
Court from the hearing planned for November 2009 for holding stock options
in Spotify digital music service.
Italian Appeals Court Rules against Pirate Bay (1.10.2009)
http://www.billboard.biz/bbbiz/content_display/industry/e3ie41d1967dbc1d096…
Cassation: The un-seizure of TPB is revised (only in Italian, 30.09.2009)
http://punto-informatico.it/2718088/PI/News/cassazione-dissequestro-della-b…
Baia, the judge takes sides. But with whom? (only in Italian, 30.09.2009)
http://punto-informatico.it/2717757/PI/News/baia-giudice-parte-ma-quale.aspx
EDRi-gram: An update on the Italian PirateBay case (8.08.2009)
http://www.edri.org/edrigram/number6.19/update-piratebay-italy
============================================================
7. Paris Court of Appeals on a GPL - related case
============================================================
The Paris Court of Appeals published in September 2009 its decision on a
case that involved the distribution of the VNC Software, remote desktop
access software available under GPL GNU licence.
The case was brought forward by AFPA (Association for professional education
of adults) against Edu4, a commercial company. Edu4 won a contract in
2000 that foresaw the delivery of a software solution to AFPA. The
Association discovered that VNC was distributed with this equipment
without providing the source code or keeping the licence notices.
Free Software Foundation France presented the case as a landmark ruling
and stated: "Companies distributing the software have been given a strong
reminder that the license's terms are enforceable under French law. And
users in France can rest assured that, if need be, they can avail themselves
of the legal system to see violations addressed and their rights respected."
Unfortunately, the case is merely a contractual dispute between the two
parties that did not involve the GPL licence as such. Also, the court did
not specifically address the enforceability of the GPL Licence.
As the lawyer Martin von Willebrand explains on his blog "Not a single
claim (by either party), as cited in the court's decision, is based on GPL
license, any interpretation of GPL as a contract or any copyright. The
decision cites GPL license a number of times, mostly to describe
VNC-software and also partly related to the discussion whether it was
allowed or not to include free software into the outcome of the project."
The court decision considered that "Edu4 has failed to fulfil its
contractual obligations delivering in December 2001 (...) a product which,
on the one hand, created privacy risks for EOF users and, on the other hand,
did not satisfy the terms of the GNU GPL licence, as Edu4 had replaced by
its own copyright the original VNC's copyright notices regarding the
ownership of the two files and the text of the licence."
Thus, this case can't be considered a landmark ruling, with the GPL licence
playing a side role in the context of the entire case. However, it is worth
underlining that "the court habitually considers the software licensed under
the terms of GNU GPL and attaches legal significance to the terms" as von
Willebrand concludes.
Paris Court of Appeals condemns Edu4 for violating the GNU General Public
License (22.09.2009)
http://fsffrance.org/news/article2009-09-22.en.html
Recent Court Decision in Paris (referred as Paris GPL case) (1.10.2009)
http://martinvonwillebrand.net/2009/10/01/recent-court-decision-in-paris-re…
Court decision - Cour d'Appel de Paris, Pôle 5, Chambre 10, no: 294, (only
in French, 16.09.2009)
http://fsffrance.org/news/arret-ca-paris-16.09.2009.pdf
============================================================
8. US gives up its unilateral supervision powers over ICANN
============================================================
In a move welcomed by the European Commission, the US have announced
they would become more open in Internet governance and give up their
dominant position in the supervision of the Internet Corporation for
Assigned Names and Numbers (ICANN), the body created in 1998, responsible
for the global management of the internet domain names and addresses.
A recent statement co-signed by US Communication and Information
Administration and ICANN stated the "commitment to a multi-stakeholder,
private sector-led, bottom-up policy development model for the domain name
and addressing system (DNS)" and that "A private coordinating process, the
outcomes of which reflect the public interest, is best able to flexibly meet
the changing needs of the Internet and of Internet users." According to
Massimiliano Minisci from ICANN this actually means that "the political
responsibility of the Internet moves from the US to the global community"
which includes governments, civil society, companies and experts from all
over the world.
Since 2005, the US have been largely criticised for their dominant position
in ICANN and strongly pressured by the European Commission to be more open
and loosen its tight grip on Internet governance. In a speech made on 4 May
2009, Commissioner Viviane Reding made an appeal to president Obama to
reform the US position in Internet governance.
"I trust that President Obama will have the courage, the wisdom and the
respect for the global nature of the Internet to pave the way in September
for a new, more accountable, more transparent, more democratic and more
multilateral form of Internet governance," said Reding at that time when she
proposed a large reform of the Internet governance including "an independent
judicial body" and "a multilateral forum for governments to discuss policy
and security issues" related to the Internet. She proposed the forum to be
structured as a G12, with two representatives from Europe, North America,
South America, Africa and Asia, one from Oceania, and the chairman of ICANN
as a non-voting member.
Starting with 30 September, the "Joint Project Agreement" in the US,
presently ensuring a unilateral supervision of ICANN's decision by the US
Department of Commerce will be replaced by a joint "affirmation of
commitments" of the US Government and of ICANN.
Reding expressed her satisfaction for the US's present decision considering
that ICANN's decisions related to domain names and addresses can now be
"more independent and more accountable, taking into account everyone's
interests". She stated that ICANN's performances would be periodically
evaluated by external review panels. The panels will be appointed jointly by
ICANN and ICANN's Governmental Advisory Committee which is open to
governments and public authorities from all around the world and advises the
ICANN Board on public policy aspects.
The Swedish EU Presidency considers the US announcement as "an important
moment in the process towards the increased internationalisation of ICANN's
coordination and management of the Internet DNS".
EU hails US move to open up Internet governance (2.10.2009)
http://www.euractiv.com/en/infosociety/eu-hails-us-move-open-internet-gover…
European Commission welcomes US move to more independent, accountable,
international internet governance (30.09.2009)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/1397&format=H…
Reding attacks US rule over Internet governance (6.05.2009)
http://www.euractiv.com/en/infosociety/reding-attacks-us-rule-internet-gove…
============================================================
9. ENDitorial: Amendment 138-EP asked to choose between democracy and defeat
============================================================
The opening meeting of the informal conciliation discussions between the
Council and European Parliament (EP) has taken place. This process was
largely brought about by the Parliament's overwhelming rejection of a
"compromise" proposal with regard to the famous "amendment 138" text in May
of this year.
The Council of Ministers' current proposal is for the Parliament to
unconditionally overturn its current position and accept the text that it
previously rejected.
As a result, the debate has become wider than "simply" the wording of one
paragraph of a piece of telecoms legislation. Instead, it is now a question
of the credibility of the Parliament as an institution and as a truly equal
partner in the legislative process. Consequently, the parliamentarians in
the Conciliation Committee are faced with a very stark choice between a
defeat, whose consequences for the Parliament will extend far beyond the
telecom package, or defending the democratic choices it has already made:
Defeat
Parliamentarians can choose to accept the Council's text. If they do so:
1. This will establish a new benchmark for inter-institutional
negotiations, suggesting that any Parliament vote of any size on any dossier
is vulnerable to being abandoned at a later stage in the decision-making
process. This can only serve to durably weaken the Parliament's negotiating
credibility.
2. They are laying the Parliament open to the accusation that they were
being pro-consumer before the elections and now betraying the trust of
citizens by taking an opposite position after the elections.
3. They are giving up the mandate that the previous vote gave them to
accept a Council position for which no coherent justification has ever been
provided.
Democracy
On the other hand, the Parliament can demand that the Council (finally)
explain its motives for opposing amendment 138, thereby fulfilling a key
role that a parliament is supposed to play - demanding an adequate level of
coherent and transparent decision-making from other institutions.
For the moment, the arguments being used by the Council vary from the
obviously weak to the simply far-fetched. According to sources in the
negotiations, the Council has suggested, for example, that it cannot allow
consumers an unconditional right to a prior judgement by a judicial body
because of the need to protect networks from attacks.
Telecoms Package - Wikipedia
http://en.wikipedia.org/wiki/Telecoms_Package
List of MEPs on the Conciliation Committee:
http://www.europarl.europa.eu/code/dossier/2009/2007_0247_telecom/members_e…
(contribution from Joe McNamee - EDRi)
============================================================
10. Recommended Reading
============================================================
European Association for the Defense of Human Rights: Human Rights must be
the cornerstone, not just a reference, of the Stockholm Programme
(7.10.2009)
http://www.aedh.eu/Human-Rights-must-the-cornerstone.html
Association Européenne pour la défense des Droits de l'Homme: Les droits de
l'Homme doivent être le socle du Programme de Stockholm et non une simple
référence (7.10.2009)
http://www.aedh.eu/Les-droits-de-l-Homme-doivent-etre.html
============================================================
11. Agenda
============================================================
10 October 2009, Dublin, Ireland
2019 AC: After Copyright
Keynote discussion with Anna Troberg, Swedish Pirate Party
http://www.darklight.ie/
16 October 2009, Bielefeld, Germany
10th German Big Brother Awards
http://www.bigbrotherawards.de/
21-23 October 2009, Istanbul, Turkey
eChallenges 2009
http://www.echallenges.org/e2009/default.asp
24 October 2009, Zurich, Switzerland
Big Brother Awards Switzerland
http://www.bigbrotherawards.ch/2009/
25 October 2009, Vienna, Austria
Austrian Big Brother Awards
http://www.bigbrotherawards.at/
26-27 October 2009, Vienna, Austria
3rd European Privacy Open Space
http://www.privacyos.eu
26 October 2009, Brussels, Belgium
European Commission - Public hearing on orphan works
http://ec.europa.eu/internal_market/copyright/copyright-infso/copyright-inf…
29 October 2009, Barcelona, Spain
oXcars, the biggest free culture event of all times, 2nd edition
http://oxcars09.exgae.net
29 October - 1 November 2009, Barcelona, Spain
Free Culture Forum: Organization and Action
http://fcforum.net/
3 November 2009, Madrid, Spain
Civil Society Conference: "Global Privacy Standards in a Global World"
Organized by "The Public Voice" coalition
http://thepublicvoice.org/events/madrid09
4-6 November 2009, Madrid, Spain
31st International Conference of Data Protection and Privacy
http://www.privacyconference2009.org
10-11 November 2009, Cambridge, UK
Public Domain Calculators Meeting
http://wiki.okfn.org/PublicDomainCalculators/Meeting
13-15 November 2009, Gothenburg, Sweden
Free Society Conference and Nordic Summit
http://www.fscons.org/
15-18 November 2009, Sharm El Sheikh, Egypt
UN Internet Governance Forum
http://www.intgovforum.org/
19-20 November 2009, Malmö, Sweden
First popular European e-government conference
http://malmo09.org/
27-30 December 2009, Berlin, Germany
26th Chaos Communication Congress
Deadline for submissions: 9 October 2009
http://events.ccc.de/congress/2009/
============================================================
12. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE