cypherpunks-legacy
I did a little calculation: at what point can governments spy 24/7 on
their citizens and store all the data?
I used the World Bank World Development Indicators and IMF predictors for
future GDP growth and the United Nations median population forecasts, the
fit 10.^(-.2502*(t-1980)+6.304) for the cost (in dollars) per gigabyte
(found on various pages about Kryder's law) and the assumption that 24/7
video surveillance would require 10 TB per person per year.
Now, if we assume the total budget is 0.1% of the GDP and the storage is
just 10% of that (the rest is overhead, power, cooling, facilities etc),
then the conclusion is that doing this becomes feasible around 2020.
Bermuda, Luxembourg and Norway can do it in 2018, by 2019 most of Western
Europe plus the US and Japan can do it. China gets there in 2022. The last
countries to reach this level are Eritrea and Liberia in 2028, and finally
Zimbabwe in 2031. By 2025 the US and China will be able to monitor all of
humanity if they want to/are allowed.
So at least data storage is not going to be any problem. It would be very
interesting to get some estimates of the change in cost of surveillance
cameras and micro-drones, since presumably they are the ones that are
actually going to be the major hardware costs. Offset a bit because we are
helpfully adding surveillance capabilities to all our must-have smartphones
and smart cars. I suspect the hardware part will delay introduction a bit
in countries that want it, but that just means there will be hardware
overhang once they get their smart dust, locators or gnatbots.
Note that this kind of video archive is useful even if you don't have a
myriad analysts, perfect speech recognition or AI (in fact, it would be a
great incentive and training corpus for developing them). When you figure
out that somebody is doing or has just done something nasty, you can
easily backtrack and check on everybody they had been in touch with. It
would be quite easy to catch most members of any rebel network this way as
soon as it was recognized as a rebel network - and one could easily create
incentives for not associating with potential subversives and/or reporting
them, adding crowdsourced reporting. The only kind of uprisings with any
kind of chance would be spontaneous eruptions.
The more interesting (sinister) uses of this kind of intelligence corpus
are of course to do trials and experiments to see what predicts social norm
compliance and obedience. How well do various forms of nudging work? What
about the longitudinal loyalty effects of natural or deliberate
experiments? How well can you predict people from their saccade patterns?
We might actually be living in a short window of opportunity right now.
The problem is not the surveillance per se, but the danger from
non-accountable uses of them once they are in place. Totalitarian
governments with this kind of transparency might prove extremely hard to
dislodge, and could become stable attractor states. This suggests that we
should work very hard on figuring out how to maintain government
accountability even when it has total surveillance powers, and how to
prevent open societies from sliding into the totalitarian trap. Given that
the tail statistics of big disasters are dominated by pandemics, wars and
democides we have very good reasons to view this as among the top questions
for human survival.
Appendix:
2018 Bermuda
2018 Luxembourg
2018 Norway
2019 Australia
2019 Austria
2019 Belgium
2019 Canada
2019 Denmark
2019 Finland
2019 France
2019 Germany
2019 Iceland
2019 Ireland
2019 Japan
2019 Kuwait
2019 Netherlands
2019 Singapore
2019 Sweden
2019 Switzerland
2019 United Kingdom
2019 United States
2020 Cyprus
2020 French Polynesia
2020 Greece
2020 Israel
2020 Italy
2020 New Caledonia
2020 New Zealand
2020 Oman
2020 Puerto Rico
2020 Seychelles
2020 Slovakia
2020 Slovenia
2020 Spain
2020 United Arab Emirates
2021 Antigua and Barbuda
2021 Bahamas
2021 Bahrain
2021 Barbados
2021 Chile
2021 Croatia
2021 Czech Republic
2021 Equatorial Guinea
2021 Estonia
2021 Hungary
2021 Lithuania
2021 Poland
2021 Portugal
2021 Saudi Arabia
2021 Trinidad and Tobago
2021 Turkey
2022 Argentina
2022 Belarus
2022 Botswana
2022 Brazil
2022 Bulgaria
2022 China
2022 Costa Rica
2022 Cuba
2022 Dominica
2022 Dominican Republic
2022 Gabon
2022 Grenada
2022 Kazakhstan
2022 Latvia
2022 Lebanon
2022 Malaysia
2022 Mauritius
2022 Mexico
2022 Palau
2022 Panama
2022 Peru
2022 Romania
2022 South America
2022 Suriname
2022 Uruguay
2023 Albania
2023 Algeria
2023 Angola
2023 Azerbaijan
2023 Belize
2023 Bhutan
2023 Colombia
2023 Ecuador
2023 El Salvador
2023 Fiji
2023 Iraq
2023 Mongolia
2023 Morocco
2023 Namibia
2023 Serbia
2023 Thailand
2023 Tonga
2023 Tunisia
2023 Turkmenistan
2023 Ukraine
2024 Armenia
2024 Georgia
2024 Guatemala
2024 Guyana
2024 Honduras
2024 India
2024 Indonesia
2024 Marshall Islands
2024 Paraguay
2024 Philippines
2024 Samoa
2024 Sri Lanka
2024 Swaziland
2025 Bangladesh
2025 Cameroon
2025 Djibouti
2025 Egypt
2025 Ghana
2025 Lesotho
2025 Nicaragua
2025 Nigeria
2025 Pakistan
2025 Papua New Guinea
2025 Sao Tome and Principe
2025 Senegal
2025 Solomon Islands
2025 Sub-Saharan Africa
2025 Sudan
2025 Uzbekistan
2025 Zambia
2026 Afghanistan
2026 Benin
2026 Haiti
2026 Kenya
2026 Kyrgyzstan
2026 Mauritania
2026 Mozambique
2026 Tajikistan
2026 Uganda
2027 Central African Republic
2027 Chad
2027 Ethiopia
2027 Gambia
2027 Guinea
2027 Madagascar
2027 Malawi
2027 Mali
2027 Nepal
2027 Niger
2027 Rwanda
2027 Sierra Leone
2027 Togo
2028 Burundi
2028 Eritrea
2028 Liberia
2031 Zimbabwe
--
Anders Sandberg,
Future of Humanity Institute
Philosophy Faculty of Oxford University
_______________________________________________
extropy-chat mailing list
extropy-chat(a)lists.extropy.org
http://lists.extropy.org/mailman/listinfo.cgi/extropy-chat
----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
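The feasibility model described in the forwarded post above, reimplemented as an added example (this is not code from the post or its author). It uses the post's stated Kryder's-law fit, the 10 TB per person per year figure and the 0.1% of GDP / 10% storage budget rule; the GDP-per-capita and growth figures at the bottom are constructed placeholders, not World Bank or IMF data.

```python
# Added example: reimplements the per-country feasibility calculation from the post.
# The constants are the post's stated assumptions; the sample countries at the
# bottom are constructed placeholders, not World Bank / IMF figures.

GB_PER_PERSON_PER_YEAR = 10_000     # 10 TB of 24/7 video per person per year
BUDGET_SHARE_OF_GDP = 0.001         # total surveillance budget: 0.1% of GDP
STORAGE_SHARE_OF_BUDGET = 0.10      # 10% of that budget buys storage; rest is overhead


def cost_per_gb(year: float) -> float:
    """Kryder's-law fit quoted in the post: dollars per gigabyte in `year`."""
    return 10 ** (-0.2502 * (year - 1980) + 6.304)


def storage_cost_per_person(year: float) -> float:
    """Dollars per person per year needed to store 24/7 video in `year`."""
    return GB_PER_PERSON_PER_YEAR * cost_per_gb(year)


def storage_budget_per_person(gdp_per_capita: float) -> float:
    """Dollars per person per year that the storage share of the budget provides."""
    return gdp_per_capita * BUDGET_SHARE_OF_GDP * STORAGE_SHARE_OF_BUDGET


def feasibility_year(gdp_per_capita: float, annual_growth: float,
                     start: int = 2018, end: int = 2040):
    """First year in [start, end] in which the storage budget covers the storage cost.

    `gdp_per_capita` is the value in `start` and compounds by `annual_growth`
    each year. Returns None if the budget never catches up before `end`.
    """
    gdp = gdp_per_capita
    for year in range(start, end + 1):
        if storage_budget_per_person(gdp) >= storage_cost_per_person(year):
            return year
        gdp *= 1.0 + annual_growth
    return None


# Constructed sample countries: (GDP per capita in USD for 2018, annual growth rate).
SAMPLE_COUNTRIES = {
    "Rich microstate (constructed)": (100_000, 0.02),
    "Large rich economy (constructed)": (60_000, 0.02),
    "Upper-middle income (constructed)": (12_000, 0.03),
    "Low income (constructed)": (500, 0.05),
}


def feasibility_table(countries=SAMPLE_COUNTRIES):
    """Map each sample country to the year the post's model says storage becomes affordable."""
    return {name: feasibility_year(gdp, growth)
            for name, (gdp, growth) in countries.items()}


if __name__ == "__main__":
    # The fit drops by a factor 10**-0.2502 (about 0.56) per year, so the
    # per-person cost of 10 TB falls from a few dollars in 2018 to cents by 2025.
    for year in (2018, 2020, 2025, 2031):
        print(f"{year}: ${cost_per_gb(year):.2e}/GB, "
              f"${storage_cost_per_person(year):.4f} per person for 10 TB")
    for name, year in feasibility_table().items():
        print(f"{name}: feasible from {year}")
```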
Format Note: If you cannot easily read the text below, or you prefer to
receive Secrecy News in another format, please reply to this email to let
us know.
SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2012, Issue No. 106
October 15, 2012
Secrecy News Blog: http://www.fas.org/blog/secrecy/
** KIRIAKOU NOT ALLOWED TO ARGUE LACK OF INTENT TO HARM U.S.
** SECRECY CONFERENCE AT FORDHAM LAW SCHOOL
KIRIAKOU NOT ALLOWED TO ARGUE LACK OF INTENT TO HARM U.S.
A court ruled this month that former CIA officer John Kiriakou, who is
charged with unauthorized disclosures of classified information to the
media, will not be permitted to argue at trial that he intended no harm to
the United States, or that his entire career testifies to a deep commitment
to national security.
Instead, the central question at trial will be whether Kiriakou "had
reason to believe" that the information he allegedly released would cause
injury to the United States.
The court ruling, which favors the prosecution's conception of the case,
was issued during a sealed hearing on October 1. The hearing transcript
has not been released, but the ruling was disclosed in two footnotes in an
October 3 defense pleading that was unsealed last week.
http://www.fas.org/sgp/jud/kiriakou/100312-reply98.pdf
The defense said it would have demonstrated at trial "that Mr. Kiriakou
had no intent to harm the United States, and that he had no motive to do so
had the Court not ruled such arguments inadmissible" (footnote 7).
Similarly, the defense indicated that "this Court's October 1, 2012 ruling
precludes arguments regarding Mr. Kiriakou's intent to harm the United
States or a defense resting on Mr. Kiriakou's lack of bad faith" (footnote
4).
The defense said it would continue to "note where information would be
relevant to such arguments in order to preserve its ability to appeal the
issue should that become necessary."
Meanwhile, two reporters who were subpoenaed by the Kiriakou defense filed
motions to quash the subpoenas.
Attorneys for Matthew Cole, designated "Journalist A" in the Kiriakou
indictment, said that the information sought by the Kiriakou defense was
protected by a reporter's First Amendment privilege and that there was no
basis to overrule the privilege.
Not only that, but Cole attorneys George Doumar and Mark Zaid added that
Mr. Cole would assert a Fifth Amendment right to refuse to testify to avoid
self-incrimination. They said that the government's past move to prosecute
unauthorized receipt and transmission of classified information in the
AIPAC case (US v. Rosen) raises the possibility that Cole's testimony
"could subject him to a subsequent federal criminal proceeding. Therefore,
he will invoke his Fifth Amendment right to remain silent."
http://www.fas.org/sgp/jud/kiriakou/101112-Aquash.pdf
Washington Post researcher Julie Tate also moved to quash a subpoena for
her testimony. She was identified as the "Researcher 1" sought by the
defense in an article by Josh Gerstein of Politico last week.
Ms. Tate possesses exceptional news gathering skills. But she has nothing
to do with the charges against Mr. Kiriakou, her attorneys said in their
October 11 motion to quash.
"The testimony defendant seeks from Ms. Tate has no conceivable relevance
to this case. Defendant has been charged with unlawfully disclosing
classified information to Journalist A and Journalist B--not to Ms. Tate.
Ms. Tate is not mentioned in the Indictment, and there is no evidence in
the record that Ms. Tate has ever met or communicated with Mr. Kiriakou....
The law places the burden on the defendant to establish that he has a need
for Ms. Tate's testimony that is so compelling that it outweighs the First
Amendment interests at stake. That burden has not been met."
http://www.fas.org/sgp/jud/kiriakou/101112-tate-quash.pdf
Scott Shane of the New York Times, who is "Journalist B" in the Kiriakou
indictment, is also believed to have been subpoenaed. But that subpoena is
said to have been withdrawn for reasons that are unclear. In any case, Mr.
Shane and the New York Times did not file a motion to quash.
The pending motions to quash the subpoenas will be argued before Judge
Leonie M. Brinkema at an October 18 hearing.
SECRECY CONFERENCE AT FORDHAM LAW SCHOOL
A day-long conference on national security secrecy will be held tomorrow,
October 16, at Fordham Law School in New York City.
The conference brings together a promising mix of former government
officials, journalists, litigators, academics and others, including myself.
For more information on the conference, which is open to the public, see
here:
http://www.fas.org/sgp/news/2012/10/fordham.pdf
_______________________________________________
Secrecy News is written by Steven Aftergood and published by the
Federation of American Scientists.
The Secrecy News Blog is at:
http://www.fas.org/blog/secrecy/
To SUBSCRIBE to Secrecy News, go to:
http://www.fas.org/sgp/news/secrecy/subscribe.html
To UNSUBSCRIBE, go to
http://www.fas.org/sgp/news/secrecy/unsubscribe.html
OR email your request to saftergood(a)fas.org
Secrecy News is archived at:
http://www.fas.org/sgp/news/secrecy/index.html
Support the FAS Project on Government Secrecy with a donation:
http://www.fas.org/member/donate_today.html
_______________________
Steven Aftergood
Project on Government Secrecy
Federation of American Scientists
web: www.fas.org/sgp/index.html
email: saftergood(a)fas.org
voice: (202) 454-4691
twitter: @saftergood
----- End forwarded message -----
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 7.1, 14 January 2009
============================================================
Contents
============================================================
1. DHS Report shows lack of compliance with the EU-US PNR agreement
2. Lists of allegedly illegal websites always leak
3. France: ARMT was useless
4. UK Culture Secretary wants film-style ratings to individual websites
5. Open Access to High Energy Physics Literature
6. No e-voting in Azerbaijan and Macedonia
7. Big Brother Awards UK 2008
8. Montenegro blocks Facebook and Youtube for civil servants
9. ENDitorial: Everyone can eavesdrop in Macedonia
10. Recommended Reading
11. Agenda
12. About
============================================================
1. DHS Report shows lack of compliance with the EU-US PNR agreement
============================================================
The Privacy Office of the U.S. Department of Homeland Security (DHS)
released in the second part of December 2008 a report regarding the
Passenger Name Record (PNR) information from the EU-US flights.
Even though the official conclusion of the authors is that DHS handling of
PNR data "is in compliance with both US law and the DHS-EU agreement on USA
access to, and use of, PNR data related to flights between the EU and the
USA", in reality the report shows a number of major dysfunctionalities that
prove the DHS did not comply with the EU agreement or with the US
legislation in its use of PNR, which includes data from Europeans that travel
to the US.
According to the second PNR agreement between the US and the EU, there should
have been periodic joint US-EU reviews of compliance. But the present report is
just a unilateral internal review conducted within the DHS, which did not
include EU representatives or any outside experts in PNR data.
A detailed analysis by the Identity Project in the US shows the specific DHS
compliance failings that the report reveals:
- Requests for PNR data have typically taken more than a year to
answer - many times longer than the legal time limits in the Privacy Act and
Freedom of Information Act;
- When individuals have requested "all data" about them held by the DHS,
often they have not been given any of their PNR data;
- Because of this, the vast majority of requesters who should have
received PNR data did not;
- PNR data has been inconsistently censored before it was released;
- A large backlog from the initial requests for PNR data remains
unanswered, more than a year later.
The results of the report are in line with the findings of the earlier
reports of the Identity Project that revealed the practical problems in
accessing your PNR data with the DHS. These problems are the same that
European citizens might face in getting access to their data from DHS.
A clear example is last year's request from MEP Sophia In 't Veld to get
her PNR information - a request which received a first false claim from DHS
that they didn't have any record of her trip. The MEP finally received her
PNR data after EFF lawyers filed a Federal lawsuit on her behalf, but the
data was late, clearly incomplete, and inconsistently and inappropriately
redacted, according to a well-known PNR expert, Edward Hasbrouck.
A report concerning Passenger Name Record Information derived from flights
between the US and the European Union (18.12.2008)
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pnr_report_20081218.pdf
DHS admits problems in disclosing travel surveillance records (24.12.2008)
http://www.papersplease.org/wp/2008/12/24/dhs-admits-problems-in-disclosing…
Can you really see what records are kept about your travel? (30.12.2008)
http://hasbrouck.org/blog/archives/001595.html
European Lawmaker Sues U.S. Agencies to Obtain Travel-Related and Other
Personal Information (1.07.2008)
http://www.eff.org/press/archives/2008/07/01
EDRi-gram: Final agreements between EU and USA on PNR and SWIFT (4.07.2007)
http://www.edri.org/edrigram/number5.13/eu-us-pnr-swift
============================================================
2. Lists of allegedly illegal websites always leak
============================================================
While some European countries block illegal content (mostly child
pornography websites), others are considering implementing a similar measure
through a hidden list. However, the past month has shown, one more time if
necessary, that usually the list of any blocked content will leak and thus
the allegedly blocked content will become widely available.
Belgium is one of the new countries considering such a list. The Minister of
Enterprise and Administrative Reform, Vincent Van Quickenborne, wants to ban
child pornography on the Internet through a protocol between ISPs and the
Government. The protocol might extend to other illegal sites, such as hate
and racism websites or Internet fraud.
The federal police special division Federal Computer Crime Unit (FCCU)
confirms that it detects yearly 800 - 1000 child pornography websites hosted
in foreign countries and the court procedure to block those sites is rarely
used since it is too burdensome.
The Flemish League for Human Rights (Liga voor Mensenrechten) has criticized
the project underlining that "the decision to block websites must remain
under exclusive authority of the judicial branch. It is unacceptable that
the police gets a wild card to block certain websites at will."
The legal framework already exists in Belgium, but Minister Van
Quickenborne wants a more flexible mechanism that can be used more quickly
to effectively block websites. It seems that the police will get the
authority to compose the blacklists of websites to be blocked, without any
legal safeguards or external oversight mechanisms. The fact that FCCU
admits right away that this practice should also be applicable in other
cases, makes the whole practice very worrisome.
The practice of the hidden lists of illegal websites is not new. But in the
past month, we've seen at least 3 major blacklists become public, thus
becoming irrelevant.
The blacklist operated by the Danish child pornography filtering system
(3863 blocked URLs) leaked on 23 December 2008 and is available in full
online.
Only a few days before, Thailand's blacklist made by the Ministry of
Information and Communication Technology that blocks access to websites
deemed unsuitable for the Thai people became available on the Internet
(1203 websites). The list included hundreds of YouTube videos (including
Hillary Clinton's campaign videos) as well as blogs, cartoons, Charlie
Chaplin videos and an article in the Economist magazine banned for
criticising the Thai king.
In the same period Wikileaks published the Finnish Internet censorship list.
The Finnish National Bureau of Investigation has requested executive
assistance from the United States, but it is not known what precisely has been
requested - whether the concern is only removing the list or whether they
are trying to find out who leaked it. The list still includes the critical
Finnish anti-censorship site lapisporno.info.
Government wants to eliminate sites with child pornography (only in Flemish,
12.01.2009)
http://www.demorgen.be/dm/nl/991/Multimedia/article/detail/606707/2009/01/1…
The government wants to block paedophiliac websites (only in French,
12.01.2009)
http://www.datanews.be/fr/news/90-53-21867/le-gouvernement-entend-verrouill…
Flemish Human Rights League - Minister Van Quickenborne wants a flexible
system for blocking websites. A form of censorship? (12.01.2008)
http://www.mensenrechten.be/main.php?item_content=7116
List of banned websites in Thailand and Denmark leaked online (23.12.2008)
http://www.news.com.au/technology/story/0,28348,24840506-5014239,00.html
List of Child Porn Sites Leaked to Public (13.01.2009)
http://www.yle.fi/uutiset/news/2009/01/list_of_child_porn_sites_leaked_to_p…
EDRi-gram: ENDitorial: Finnish web censorship (27.02.2008)
http://www.edri.org/edrigram/number6.4/finland-web-censorship
============================================================
3. France: ARMT was useless
============================================================
At the end of December 2008 the first yearly report of the French Authority
for the Regulation of DRMs (Autorité de régulation des mesures techniques -
ARMT), which should have ensured the interoperability of DRM systems and
allowed private copies, was publicly presented.
This could very well be the last report, since the new law on Internet
and Creation could create a new authority (HADOPI - Haute Autorité pour la
diffusion des oeuvres et la protection des droits sur Internet) that will
take the place of the old one and will have a different scope: to issue
warnings and potentially cut Internet subscriptions in cases of
copyright infringement.
The ARMT report admitted that, in 20 months of activity, it didn't take any
decision on interoperability or on copyright exceptions. The authority
claimed that the main problem was that nobody sent them a specific request.
It also acknowledged the fact that DRM issues have decreased in
importance, especially in the music sector, with the new DRM-free music
available on the market.
The authority has accepted that DRMs have been an obstacle "to the
legal music offers" that were in direct competition with the p2p networks,
where the same content is available without DRM.
However, the Authority does not want to admit that DRM is dead and it
explains that this might be the case only in the musical sector. It also claims
that DRM plays a "major role" in the movie industry and considers that
giving up DRMs on the online video services is not an option today.
The ARMT's report also observes that the penal measures to protect DRMs
were never used in the French courts in the past 2 years since the DADVSI
law came into force.
As expected, the ARMT considers that its life was very useful, contributing
in preparing "the field for a more ambitious strategy for public powers",
namely the 3-strikes procedure.
It remains to be seen if the new Hadopi law will be voted by the second
chamber of the French Parliament and if the new Authority, estimated to have
a budget close to 7 million Euro, will have better results.
ARMT finds its futility before becoming HADOPI (only in French, 18.12.2008)
http://www.numerama.com/magazine/11577-L-ARMT-constate-son-inutilite-avant-…
ARMT annual report 2008 (only in French, 18.12.2008)
http://armt.fr/IMG/pdf/rapport_annuel_armt.pdf
Albanel views that DRM withdrawal must lead to the graduated response
(only in French, 9.01.2009)
http://www.numerama.com/magazine/11656-Albanel-estime-que-le-retrait-des-DR…
EDRi-gram: France establishes the DRM-regulation authority (12.04.2007)
http://www.edri.org/edrigram/number5.7/drm-authority-france
EDRi-gram: One more step for France in adopting the graduated response
(5.11.2008)
http://www.edri.org/edrigram/number6.21/french-senate-adopts-3-strikes
============================================================
4. UK Culture Secretary wants film-style ratings to individual websites
============================================================
The UK Culture Secretary Andy Burnham has presented, in an interview with
The Daily Telegraph at the end of last year, some new plans to bring
"new standards of decency" to the web.
The Cabinet minister is planning to give film-style ratings to individual
websites and wants ISPs to offer parents "child-safe" web services. Because
the Internet is global in nature, he plans to negotiate with the Obama
Administration in order to draw up "international rules for English language
websites."
Burnham explained the present situation: "If you look back at the people who
created the internet they talked very deliberately about creating a space
that Governments couldn't reach. I think we are having to revisit that stuff
seriously now. It's true across the board in terms of content, harmful
content, and copyright. Libel is an emerging issue."
He also added in a statement for BBC: "The internet is becoming a more and
more pervasive entity in all our lives and yet the content standards online
are not as clear as we've all been used in traditional media. I think we do
need to have a debate now about clearer signposting and labelling online
because it can be quite a confusing world, particularly for parents who are
trying to ensure their children are only accessing appropriate stuff."
Richard Clayton from the EDRi-member FIPR has dismissed the UK Culture
Secretary's plans, considering them "a childlike hope that merely
wishing for something will make it come true." He explains that all the
solutions have been discussed and dismissed in the past.
"ISPs have tried 'child-safe' services in the past and even those who still
keep their systems working hardly mention them in their adverts any more. I
thought that it was no longer a part of modern politics to force an industry
to make products that nobody actually wants to buy."
Clayton also pointed out the fact that online defamation was already considered
twice by the Law Commission and its main concerns centred around making
it harder for ISPs to be sued and addressing the issues of archives.
As regards web labelling, he points to the 10-year history of failure and
illustrates it with the website of Mr Burnham's own department:
"They have labelled their main website with the ICRA scheme. To their
credit, they have used more than just a blanket "innocuous" setting, albeit
they have clearly overdone it since a description of the minutiae of the
Gambling Act 2005 is still marked up as "gambling", which may disappoint
anyone who was hoping to have a flutter.
Although the DCMS proudly displays the ICRA logo on their front page, they
haven't been bothered to label any of their subsites, such as the Government
Art Collection, which contains images that some people might consider
indecent - such as this full frontal nude of a young boy."
Despite all these problems, the European Union seems to support this type
of project in the future as well. Encouraging and assisting providers to
develop labelling is one of the actions funded under the new EU Safer
Internet programme 2009 - 2013.
A recent report of the Internet Safety Technical Task Force, a working group
established by the 49 state attorneys general from the US to
look into the problem of sexual solicitation of children online, has reached
some interesting conclusions. The report challenges some of the earlier
beliefs concluding that: "Social network sites are not the most common space
for solicitation and unwanted exposure to problematic content, but are
frequently used in peer-to-peer harassment, most likely because they are
broadly adopted by minors and are used primarily to reinforce pre-existing
social relations."
The report also claims that "Minors are not equally at risk online. Those
who are most at risk often engage in risky behaviors and have difficulties
in other parts of their lives. The psychosocial makeup of and family
dynamics surrounding particular minors are better predictors of risk than
the use of specific media or technologies."
Internet sites could be given 'cinema-style age ratings', Culture Secretary
says (27.12.2008)
http://www.telegraph.co.uk/scienceandtechnology/technology/technologynews/3…
Website age ratings 'an option' (27.12.2008)
http://news.bbc.co.uk/2/hi/uk_news/7800846.stm
Andy Burnham and the decline of standards (29.12.2008)
http://www.lightbluetouchpaper.org/2008/12/29/andy_burnham/
Web content labelling (17.09.2007)
http://www.lightbluetouchpaper.org/2007/09/17/web-content-labelling/
EU Safer Internet programme 2009 - 2013
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:348:0118:01…
Final Report of the Internet Safety Technical Task Force to the Multi-State
Working Group on Social Networking of State Attorneys General of the United
States (31.12.2008)
http://cyber.law.harvard.edu/pubrelease/isttf/
============================================================
5. Open Access to High Energy Physics Literature
============================================================
An interesting alternative model for open access publishing for the High
Energy Physics journals has emerged in the past years in a project led by
CERN (European Organization for Nuclear Research) that attempts to make the
current research openly accessible in this field.
CERN has been the leader in this area since the 1950s, when the first
pre-print repository was established at the headquarters of the European
organisation. The repository gathered working papers and reports submitted
to CERN by authors from institutions across the world.
Now, a new project, called SCOAP3 (Sponsoring Consortium for Open Access
Publishing in Particle Physics), is trying to come up with a new model for
converting the entire High Energy Physics (HEP) literature to open access.
The model might be easier to implement considering that basically just six
peer-reviewed journals publish the majority of HEP articles. In this new
model the publishers' subscription income from multiple institutions would
be replaced by income from a single financial partner, SCOAP3. Each SCOAP3
partner will finance its contribution by cancelling journal subscriptions,
and each country will contribute according to its share of HEP publishing.
SCOAP3 is a consortium composed of high-energy physics funding agencies,
high-energy physics laboratories and leading national and international
libraries and library consortia. At the beginning of 2009 SCOAP3 announced
that most European countries had agreed to participate, as had 44 US
partners, Turkey, Israel and Australia. In less than a year and a half,
SCOAP3 has received pledges for 49.5% of its budget.
Formal discussions with the publishers have not officially started, but all
major publishers show a pro-active attitude of great support for Open
Access in HEP.
Project Underway To Convert High Energy Physics Literature To Open Access
(5.01.2009)
http://www.ip-watch.org/weblog/index.php?p=1388
SCOAP3 Funding status report (12.12.2008)
http://www.scoap3.org/news/news54.html
SCOAP3: Funding status report for ICOLC Munich (11.2008)
http://www.charlestonco.com/index.php?do=Press+Room&pg=pr_details&pr_id=1649
About SCOAP3
http://www.scoap3.org/about.html
Towards Open Access Publishing in High Energy Physics (3.06.2007)
http://www.scoap3.org/files/Scoap3ExecutiveSummary.pdf
============================================================
6. No e-voting in Azerbaijan and Macedonia
============================================================
After the major problems with the e-voting systems tested in Western Europe,
some Eastern European countries have expressed their reservations about
implementing such a system.
The Central Election Commission of Azerbaijan considered that e-voting is
not required for the 2009 referendum or for the 2009 local elections and the
2010 parliamentary vote.
Even though Azerbaijan is part of the Council of Europe's Electronic Voting
Committee, which has recommended the introduction of Internet-based voting,
the Central Election Commission Secretary, Natiq Mammadov, explained to the
online newspaper Trend News that there is no chance of implementing this for
the next elections:
"We must have a reason to apply innovation as opposed to simply wanting to.
We do not need e-voting to increase the voter turnout in Azerbaijan."
He also claimed that "there is no need to make hasty decisions about
e-voting."
A similar decision was made in Macedonia at the beginning of 2009, with the
leaders of the major parties deciding that no electronic voting will be
necessary for the next presidential elections and that more time is needed
before the system can be set up. However, Macedonian politicians indicated
that such a system might be used in the next electoral cycles.
No need for e-voting: Azerbaijani Central Election Commission (12.01.2009)
http://news.trend.az/index.shtml?show=news&newsid=1394353&lang=en
No e-voting in next elections (9.01.2009)
http://www.makfax.com.mk/look/novina/article.tpl?IdLanguage=1&IdPublication…
EDRi-gram: Finnish e-voting fiasco: votes lost (5.11.2008)
http://www.edri.org/edrigram/number6.21/finnish-evoting-fiasco
============================================================
7. Big Brother Awards UK 2008
============================================================
Big Brother Awards (BBA) are back in the UK, with more positive awards to
celebrate the people who have been involved in protecting privacy in the
past years.
The event, held in December 2008 at the London School of Economics, was
organized by the EDRi-member Privacy International and gave only one Big
Brother 2008 award - the statue of a boot stamping upon a human head - to
New Labour.
Six other positive prizes, called the Roll of Honour, were received by:
- Baroness Sarah Ludford MEP - one of the Liberal Democrat Members of
the European Parliament, member of the Human Rights Committee;
- Phil Booth, the National Coordinator of the NO2ID Campaign against the
Database State;
- Helen Wallace, Executive Director of GeneWatch UK, who provided expert
evidence on behalf of S. and Marper to the European Court of Human Rights;
- Gareth Crossman - retiring Director of Policy at Liberty Human Rights;
- Becky Hogge - retiring Executive Director of the Open Rights Group;
- Rt. Hon. David Davis MP, the former Conservative Shadow Home Affairs
spokesman.
UK Big Brother Awards - boos for NuLabour, hurrahs for Sarah Ludford, Phil
Booth, Helen Wallace, Gareth Crossman, Becky Hogge and David Davis
(12.12.2008)
http://p10.hostingprod.com/@spyblog.org.uk/blog/2008/12/uk-big-brother-awar…
The Big Brother awards are back (12.12.2008)
http://gizmonaut.net/blog/uk/big_brother_awards_2008.html
EDRi-gram: ECHR decided against the UK DNA Database (17.12.2008)
http://www.edri.org/edri-gram/number6.24/echr-marper-case-dna-uk
============================================================
8. Montenegro blocks Facebook and Youtube for civil servants
============================================================
Montenegro's office in charge of the government Internet infrastructure
decided to ban access to several social networking and video sharing
websites, such as YouTube or Facebook. Civil servants were informed by a
statement sent by the office to all of them at the end of December 2008.
Now, civil servants trying to access those websites will receive an access
denied message. Even though this is not a spectacular measure in the
workplace, it is interesting that the reason given for the blockage was not
to increase the productivity of government employees, but to "avoid a
meltdown of its system from excess traffic".
The official statement explained: "Therefore, during working hours, access
to certain potentially malicious and huge traffic generating websites is
disabled," and the office agreed not to block the websites outside working
hours.
Montenegro, the newest European country, with 650 000 inhabitants, has an
Internet penetration rate of almost 40% and more than 14 000 Facebook users.
Montenegro bans Facebook access in government offices (18.12.2008)
http://www.reuters.com/article/internetNews/idUSTRE4BH36620081218
Social Media's Popularity Too Much For Montenegro Gov't (18.12.2008)
http://www.webpronews.com/topnews/2008/12/18/social-medias-popularity-too-m…
============================================================
9. ENDitorial: Everyone can eavesdrop in Macedonia
============================================================
Eavesdropping devices that are being sold through adverts are mostly used by
pupils for cheating at their school exams, and by men who doubt their wives'
fidelity.
"Hey, let's meet, we should not discuss this over the phone." This sentence
has long been used among friends, colleagues and relatives, but today, if
something important is to be discussed, the sentence would rather be "Let me
whisper something to you, but check your ear first".
Today, the technologies for communications monitoring and recording
conversations are so advanced, practically unnoticeable, and easily
available - they can be bought through an advert for only 250 denars! This
equipment surely cannot help you hear about the next mischief Greece is
planning to do, but you can at least hear the crying baby in another room,
catch your wife with the neighbour or cheat at most of the exams at the
faculty or in high school.
An electronics technician from Skopje who is selling these devices has had a
very unpleasant experience with the victims of his clients. He insisted that
we do not publish his name.
"I'm only making these devices, and I am not responsible for how people are
using them. My "bug" has a range of 50 meters, and the recording can also be
heard on a mobile phone. It records excellently on an FM radio frequency,
except when waves from the radio stations in Skopje are causing
interference," he says, while showing us the small transmitter.
For commercial purposes, the name of his firm is on the package of the
transmitter. This is how the problems started for the technician.
"A teacher from a school in Skopje called me. I could feel the anger in
his voice. He caught his students cheating during an exam by using my "bug".
What can I say; I am not encouraging children to do this. I also explained
to him that there are also other young electronics technicians, who are
manufacturing transmitters" he said.
"Let me be clear, I am not selling these devices so that they could be
abused. Some people are using my "bugs" to discover marital infidelities.
Sometimes people are calling me, as if I had placed the device. I want these
devices to be used for noble purposes, so that mothers could hear their
babies crying, for instance. I am even prepared to give one of my bugs to
each mother with twins," he added.
The devices of the Macedonian electronics technician are just part of the
technological array of devices that can be used for eavesdropping. Almost
all of the mobile phones have voice recorders. The new voice recorders are
so small that they can be hidden in one's sleeve. eBay and other websites
are selling mobile phones worth up to 1,000 euros that can be used to
eavesdrop on other mobile phones. Hacker websites on the internet are
offering small programs for free, that can be sent via e-mail, that are
afterwards sending back usernames and passwords of the email's user to the
original sender. The list is quite long. There are even so called "spy
shops" in the USA.
With the amendments of the Law on communications monitoring it is projected
that private companies would also be able to purchase, sell and use
communications monitoring equipment, having obtained prior authorization
from the Ministry of Interior. This mostly applies for the security agencies
and detectives.
"We don't have any communications monitoring equipment. To be honest, some
of our clients have required this from us but we have not done it," say the
employees of the security agency "Branitel" from Skopje. Other security
agencies gave us the same answer.
The people from the Ministry of Interior say that, so far, nobody has
submitted a request for purchase, since the commission responsible for
reviewing such requests is still being formed.
There is still no commission or body with the role of controlling the usage
of this equipment, neither in the state institutions, nor in the private
companies.
"So far, a more efficient system for controlling these eavesdropping devices
has not been established. Someone from the authorities should explain how
these devices are being controlled. Nobody informed us how much money has
been spent on purchasing communications monitoring equipment. This is an
opportunity for any kind of abuse. Now, by providing private companies with
the opportunity to use such equipment, the abuse will not only be political.
The ones that adopted this law will eventually become its victims as well,"
says professor Slagjana Taseva.
Officials from the Directorate for Personal Data Protection emphasize that
it is necessary to take into consideration the method of usage of the
personal data collected in the process of eavesdropping.
"The citizens must know that according to the Law on communications, a
court warrant is required for such an activity. As for the ones that are
selling various devices through advertisements, they should know that this
is illegal," says Marijana Marushik, director of the DPDP.
Nevertheless, it seems that nothing can stop mass eavesdropping on
communications.
Original article - newspaper Nova Makedonija (only in Macedonian,
29.12.2008)
http://www.novamakedonija.com.mk/DesktopDefault.aspx?tabindex=1&tabid=2&fCa…
(contribution by Aleksandar Bozhinovski - Nova Makedonija)
============================================================
10. Recommended Reading
============================================================
EDPS - Second opinion on ePrivacy Directive review and security breach
(9.01.2008)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu…
The European Ombudsman - Public Access to Information in EU Databases
http://www.statewatch.org/news/2009/jan/eu-ombs-databases-report.pdf
ICANN Annual Report 2008
http://www.icann.org/en/annualreport/annual-report-2008-en.pdf
Päivikki Karhula: A cattle hotshot - citizens on a shadow of the ubiquitous
society
http://lib.eduskunta.fi/dman/Document.phx?documentId=aa28808131125576&cmd=d…
============================================================
11. Agenda
============================================================
16-17 January 2009, Brussels, Belgium
Computers, Privacy & Data Protection conference
CPDP 2009: Data Protection in A Profiled World?
http://www.cpdpconferences.org/
28 January 2009, Europe-wide
3rd Data Protection Day
http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/Dat…
28 January 2009, Helsinki, Finland
Data Protection Day seminar in Finland
Raising Awareness
http://www.effi.org/tapahtumat/tietosuojapaivan_seminaari_20090128_english.…
28 January 2009, Sofia, Bulgaria
Bulgarian Big Brother Awards
3-4 February 2009, Victoria, British Columbia, Canada
10th Annual Privacy and Security Conference "Life in a Digital Fishbowl: A
Struggle for Survival or a Sea of Opportunity?"
http://www.rebootconference.com/privacy2009/
7-8 February 2009, Brussels, Belgium
Free and Open source Software Developers' European Meeting (FOSDEM)
http://www.fosdem.org/2009/
18-20 March 2009, Athens, Greece
WebSci'09: Society On-Line
http://www.websci09.org/
27-29 March 2009, Manchester, UK
Oekonux Conference: Free Software and Beyond The World of Peer Production
http://www.oekonux-conference.org/
29-31 March 2009, Edinburgh, UK
"Governance Of New Technologies: The Transformation Of Medicine, Information
Technology And Intellectual Property" An International Interdisciplinary
Conference
http://www.law.ed.ac.uk/ahrc/conference09/
1-3 April 2009, Berlin, Germany
re:publica 2009 "Shift happens"
http://www.re-publica.de/09/
Subconference: 2nd European Privacy Open Space
http://www.privacyos.eu/
13-14 May 2009 Uppsala, Sweden
Mashing-up Culture: The Rise of User-generated Content
http://www.counter2010.org/workshop_call
24-28 May 2009, Venice, Italy
ICIMP 2009, The Fourth International Conference on Internet Monitoring
and Protection
http://www.iaria.org/conferences2009/ICIMP09.html
1-4 June 2009, Washington, DC, USA
Computers Freedom and Privacy 2009
Proposal Submissions by 23 January 2009
http://www.cfp2009.org/
5 June 2009, London, UK
The Second Multidisciplinary Workshop on Identity in the Information
Society (IDIS 09): "Identity and the Impact of Technology"
Call for papers, deadline 13 March 2009
http://is2.lse.ac.uk/idis/2009/
2-3 July 2009, Padova, Italy
3rd FLOSS International Workshop on Free/Libre Open Source Software
Paper submission by 31 March 2009
http://www.decon.unipd.it/personale/curri/manenti/floss/floss09.html
13-16 August 2009, Vierhouten, The Netherlands
Hacking at Random
http://www.har2009.org/
23-27 August 2009, Milan, Italy
World Library and Information Congress: 75th IFLA General Conference and
Council: "Libraries create futures: Building on cultural heritage"
Call for papers by 15 January 2009
http://www.ifla.org/IV/ifla75/index.htm
10-12 September 2009, Potsdam, Germany
5th ECPR General Conference, Potsdam
Section: Protest Politics
Panel: The Contentious Politics of Intellectual Property
First proposals to be submitted by 1 February 2009
http://www.ecpr.org.uk/potsdam/default.asp
16-18 September 2009, Crete, Greece
World Summit on the Knowledge Society WSKS 2009
http://www.open-knowledge-society.org/
October 2009, Istanbul, Turkey
eChallenges 2009
Call for papers by 27 February 2009
http://www.echallenges.org/e2009/default.asp?page=c4p
15-18 November 2009, Sharm El Sheikh, Egypt
UN Internet Governance Forum
http://www.intgovforum.org/
============================================================
12. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
The problem with the attack scenario where two versions of a program are
created with the same hash is that, from what little we know of the new
attacks, they aren't powerful enough to do this.
All of the collisions they have shown have the property where the two
alternatives start with the same initial value for the hash; they then
have one or two blocks which are very carefully selected, with a few
bits differing between the two blocks; and at the end, they are back
to a common value for the hash.
It is known that their techniques are not sensitive to this initial value.
They actually made a mistake when they published their MD5 collision,
because they had the wrong initial values due to a typo in Schneier's
book. When people gave them the correct initial values, they were able
to come up with new collisions within a matter of hours.
If you look at their MD5 collision in detail, it was two blocks long.
Each block was almost the same as the other, with just a few bits
different. They start with the common initial value. Then they run
the first blocks through. Amazingly, this has only a small impact on
the intermediate value after this first block. Only a relatively few
bits are different.
If you or I tried to take two blocks with a few bits different and feed
them to MD5, we would get totally different outputs. Changing even
one bit will normally change half the output bits. The fact that they
are able to change several bits and get only a small difference in the
output is the first miracle.
But then they do an even better trick. They now go on and do the
second pair of blocks. The initial values for these blocks (which are
the outputs from the previous stage) are close but not quite the same.
And amazingly, these second blocks not only keep things from getting
worse, they manage to heal the differences. They precisely compensate
for the changes and bring the values back together. This is the second
miracle and it is even greater.
Now, it would be a big leap from this to being able to take two arbitrary
different initial values and bring them together to a common output.
That is what would be necessary to mount the code fraud attack. But as
we can see by inspection of the collisions produced by the researchers
(who are keeping their methodology secret for now), they don't seem to
have that power. Instead, they are able to introduce a very carefully
controlled difference between the two blocks, and then cancel it.
Being able to cancel a huge difference between blocks would be a problem
of an entirely different magnitude.
Now, there is this other idea which Zooko alludes to, from Dan Kaminsky,
www.doxpara.com, which could exploit the power of the new attacks to
do something malicious. Let us grant that the only ability we have is
that we can create slightly different pairs of blocks that collide.
We can't meaningfully control the contents of these blocks, and they
will differ in only a few bits. And these blocks have to be inserted
into a program being distributed, which will have two versions that
are *exactly the same* except for the few bits of difference between
the blocks. This way the two versions will have the same hash, and this
is the power which the current attacks seem to have.
Kaminsky shows that you could still have "good" and "bad" versions of
such a program. You'd have to write a program which tested a bit in
the colliding blocks, and behaved "good" if the bit was set, and "bad"
if the bit was clear. When someone reviewed this program, they'd see
the potential bad behavior, but they'd also see that the behavior was
not enabled because the bit that enabled it was not set. Maybe the
bad behavior could be a back door used during debugging, and there is
some flag bit that turns off the debugging mode. So the reviewer might
assume that the program was OK despite this somewhat questionable code,
because he builds it and makes sure to sign or validate the hash when
built in the mode when the bad features are turned off.
But what he doesn't know is, Kaminsky has another block of data prepared
which has that flag bit in the opposite state, and which he can substitute
without changing the hash. That will cause the program to behave in its
"bad" mode, even though the only change was a few bits in this block
of random data. So this way he can distribute a malicious build and it
has the hash which was approved by the reviewer.
And as Zooko points out, this doesn't have to be the main developer
who is doing this, anyone who is doing some work on creating the final
package might be able to do so.
On the other hand, this attack is pretty blatant once you know it is
possible. The lesson is that a reviewer should be suspicious of code
whose security properties depend on the detailed contents of blocks
of random-looking data. One problem with this is that there are some
circumstances where it could be hard to tell. Zooko links to the example
of a crypto key which could have weak and strong versions. The strong
version could be approved and then the weak version substituted.
There are also some crypto algorithms that use random-looking blocks of
data which could have weak and strong versions.
So it's not always as easy as it sounds. But most code will not have
these problems, and for those programs it would be pretty conspicuous
to implement Kaminsky's attacks. At present, that looks to be the best
someone could do with SHA-1 or even MD5.
Hal Finney
_______________________________________________
p2p-hackers mailing list
p2p-hackers(a)zgp.org
http://zgp.org/mailman/listinfo/p2p-hackers
_______________________________________________
Here is a web page listing P2P Conferences:
http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
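The chaining structure Hal's post relies on (a common initial value, a pair of colliding blocks, then an identical suffix that keeps the hash equal), shown on a toy Merkle-Damgård hash as an added example; this is not code from the original post or from the researchers' work. The toy's 24-bit state, 4-byte block, initial value and the sample prefix/suffix strings are assumptions chosen so that a birthday search finishes in well under a second; because the toy compression function is a random function, its colliding blocks differ in many bits, whereas the real attacks differ in only a few. The `md5_avalanche` helper measures the post's "changing one bit changes half the output bits" claim on real MD5.

```python
"""Toy Merkle-Damgard hash: identical-prefix collisions and why they extend.

Added example, not code from the original post.  The 24-bit state, 4-byte
block, IV and the sample prefix/suffix below are assumptions chosen so a
birthday search finishes quickly; only the chaining structure mirrors
MD5/SHA-1.
"""
import hashlib
import random

STATE_BITS = 24                      # toy; MD5 has 128, SHA-1 160
STATE_MASK = (1 << STATE_BITS) - 1
BLOCK_LEN = 4                        # toy; MD5/SHA-1 use 64-byte blocks
IV = 0x6A09E6                        # arbitrary fixed initial value (assumed)


def compress(state: int, block: bytes) -> int:
    """Toy compression function: truncated SHA-256 of state || block.
    It behaves like a random function, so colliding it means searching."""
    assert len(block) == BLOCK_LEN
    digest = hashlib.sha256(state.to_bytes(4, "big") + block).digest()
    return int.from_bytes(digest[:4], "big") & STATE_MASK


def pad(msg: bytes) -> bytes:
    """MD-style padding: 0x80, zeros to a block boundary, then a length block."""
    out = msg + b"\x80"
    out += b"\x00" * (-len(out) % BLOCK_LEN)
    return out + len(msg).to_bytes(BLOCK_LEN, "big")


def chain(state: int, data: bytes) -> int:
    """Feed whole blocks of data through the compression function."""
    for i in range(0, len(data), BLOCK_LEN):
        state = compress(state, data[i:i + BLOCK_LEN])
    return state


def toy_hash(msg: bytes) -> int:
    return chain(IV, pad(msg))


def find_identical_prefix_collision(prefix: bytes, seed: int = 1):
    """Birthday search for blocks b1 != b2 that reach the same chaining value
    after `prefix` (whole blocks).  About 2^12 tries for a 24-bit state."""
    assert len(prefix) % BLOCK_LEN == 0
    start = chain(IV, prefix)
    rng = random.Random(seed)
    seen = {}
    while True:
        b = rng.getrandbits(8 * BLOCK_LEN).to_bytes(BLOCK_LEN, "big")
        out = compress(start, b)
        if out in seen and seen[out] != b:
            return seen[out], b
        seen[out] = b


def demo() -> dict:
    """Check the three properties the post describes, on the toy hash."""
    prefix = b"#!/bin/toy-prog\n"            # constructed, 16 bytes = 4 blocks
    suffix = b"\nif flag: debug_mode()\n"     # constructed; any bytes will do
    b1, b2 = find_identical_prefix_collision(prefix)
    # 1. The two versions differ only inside the colliding block.
    bits_differ = bin(int.from_bytes(b1, "big") ^ int.from_bytes(b2, "big")).count("1")
    # 2. Same prefix + either block + the same suffix -> the same final hash,
    #    because the chaining value is already equal before the suffix.
    same_hash = toy_hash(prefix + b1 + suffix) == toy_hash(prefix + b2 + suffix)
    # 3. The pair does NOT collide from a different starting value: these
    #    are identical-prefix collisions, not chosen-prefix ones.
    other = chain(IV, b"#!/bin/other-pr\n")  # constructed, also 16 bytes
    survives_other_prefix = compress(other, b1) == compress(other, b2)
    return {"bits_differ": bits_differ, "same_hash_with_suffix": same_hash,
            "survives_other_prefix": survives_other_prefix}


def md5_avalanche(trials: int = 200, seed: int = 2) -> float:
    """Mean number of MD5 digest bits (of 128) that flip when one random
    input bit is flipped; the post's 'half the output bits' is about 64."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        msg = bytearray(rng.getrandbits(8) for _ in range(32))
        before = int.from_bytes(hashlib.md5(bytes(msg)).digest(), "big")
        bit = rng.randrange(len(msg) * 8)
        msg[bit // 8] ^= 1 << (bit % 8)
        after = int.from_bytes(hashlib.md5(bytes(msg)).digest(), "big")
        total += bin(before ^ after).count("1")
    return total / trials


if __name__ == "__main__":
    print(demo())
    print("mean MD5 bits changed per single-bit flip:", md5_avalanche())
```

Property 2 is the reason a reviewer's approved hash is no protection once an opaque block in the build can be swapped for its twin: everything after the colliding block is hashed from an identical chaining value. Property 3 is the "big leap" the post mentions: the same pair does not collide when the data before it changes, which is why a review that re-hashes the whole artifact from scratch after any change to the opaque data is the sensible check.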
On Wed, Sep 28, 2005 at 02:45:35AM -0400, Jeffrey F. Bloss wrote:
[...]
> Has anyone considered applying a HashCash type solution to this?
Hashcash is often considered, but commonly dismissed, because it
limits identities based on the wrong resource: computers.
If you haven't read the paper "'Proof-of-work' Proves Not To Work" by
Ben Laurie and Richard Clayton, I recommend it highly. See
http://www.cl.cam.ac.uk/users/rnc1/proofwork.pdf . It mostly
discusses why hashcash can't prevent spam, but the arguments would
seem to apply to wikipedia editing as well.
[...]
> > On the other hand, if there were an authentication service that gave
> > you pseudonyms for Tor users who wanted pseudonyms, you could tell
> > which pseudonyms contributed well, and which were jerks, and which
> > were nonentities.
>
> The problem I see with this is that as the name implies, it's
> pseudo-anonymous.
Sorry, but you've stumbled onto a personal crusade of mine.
The word is pseudonymous, not pseudo-anonymous. And the difference is
important. "Pseudonymous" means "using false names," like calling
yourself Batman instead of Bruce Wayne. "Anonymous" means "without a
name," like writing "The Joker will pay for his crimes" and not
signing it. "Pseudo-anonymous" isn't a real word, but if it were, it
would mean "falsely anonymous", like the bank robber who disguised
himself by wearing a motorcycle helmet with his name written on the
back.{1}
> Tor is an anonymous network by design. And there is a
> difference.
As one of the designers, I'd like to weigh in. Tor provides
anonymity, but we've never opposed people who wanted to use an
anonymous system to bootstrap per-service or cross-service
pseudonymity.
We will never, of course, alter Tor to make people have pseudonyms.
But letting people use pseudonyms is not against our overarching goals.
The overarching goals are privacy and usability.{2}
> Its real-time nature also compounds any additional partitioning
> problems a hard-keyed pseudonym setup brings with it.
I don't see any iterable (that is, awful) partitioning attacks here.
Assume a network where some users have pseudonyms and some don't.
Assume that pseudonyms are first obtained through a blinded{3}
process, so that an attacker can't tell which user has which
pseudonym.
Assume that the attacker is watching all authentication services
(since this is probably the best point for these attacks). The
attacker could tell when users create new pseudonyms, and when
pseudonymous users are active. From this info, the attacker could
rule out some users as possible owners of some pseudonyms, but that's
about it. Correlation and intersection attacks are unlikely to work
unless the attacker is watching the user as well as the auth server,
and that's outside our threat model.
> Although, this too might fall under that "good enough" umbrella as
> long as the tor network were disjoined from the nym creation and key
> distribution process as much as possible. The nyms would have to be
> managed outside a tor egress point to maintain user's anonymity.
Right.
> I also question whether or not a system can be devised that makes
> nym creation expensive enough to thwart nefarious users from simply
> collecting a lot of nyms. :(
Right. I suspect that this is one of those social engineering
problems that we won't solve except by trying things out and seeing
whether they work.
{1} There are all kinds of other great terms in the field. For
example, "allonymous" is using a name belonging to someone else,
like if the Joker writes a letter and signs it "Batman." Oddly,
there is no classical term for using one's given name.
{2} If you care about privacy and not usability, I recommend DC nets.
If you care about usability and not privacy, I recommend turning
Tor off.
{3} Again see http://en.wikipedia.org/wiki/Blind_signature
yrs,
--
Nick Mathewson
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 7.1, 14 January 2009
============================================================
Contents
============================================================
1. DHS Report shows lack of compliance with the EU-US PNR agreement
2. Lists of allegedly illegal websites always leak
3. France: ARMT was useless
4. UK Culture Secretary wants film-style ratings to individual websites
5. Open Access to High Energy Physics Literature
6. No e-voting in Azerbaijan and Macedonia
7. Big Brother Awards UK 2008
8. Montenegro blocks Facebook and Youtube for civil servants
9. ENDitorial: Everyone can eavesdrop in Macedonia
10. Recommended Reading
11. Agenda
12. About
============================================================
1. DHS Report shows lack of compliance with the EU-US PNR agreement
============================================================
The Privacy Office of the U.S. Department of Homeland Security (DHS)
released in the second part of December 2008 a report regarding the
Passenger Name Record (PNR) information from the EU-US flights.
Even though the official conclusion of the authors is that DHS handling of
PNR data "is in compliance with both US law and the DHS-EU agreement on USA
access to, and use of, PNR data related to flights between the EU and the
USA," in reality the report shows a number of major dysfunctions that prove
the DHS did not comply with the EU agreement or with the US legislation in
its use of PNR data, which includes data on Europeans travelling to the US.
According to the second PNR agreement between the US and the EU, there
should have been periodic joint US-EU reviews of compliance. But the present
report is just a unilateral internal review conducted within the DHS, which
did not include EU representatives or any outside experts in PNR data.
A detailed analysis by the Identity Project in the US shows the specific DHS
compliance failings that result from the report:
- Requests for PNR data have typically taken more than a year to
answer - many times longer than the legal time limits in the Privacy Act and
Freedom of Information Act;
- When individuals have requested "all data" about them held by the DHS,
often they have not been given any of their PNR data;
- Because of this, the vast majority of requesters who should have
received PNR data did not;
- PNR data has been inconsistently censored before it was released;
- A large backlog from the initial requests for PNR data remains
unanswered, more than a year later.
The results of the report are in line with the findings of the earlier
reports of the Identity Project that revealed the practical problems in
accessing your PNR data held by the DHS. These are the same problems that
European citizens might face in getting access to their data from the DHS.
A clear example is last year's request from MEP Sophie in 't Veld to get
her PNR information - a request which first received a false claim from DHS
that they didn't have any record of her trip. The MEP finally received her
PNR data after EFF lawyers filed a Federal lawsuit on her behalf, but the
data was late, clearly incomplete, and inconsistently and inappropriately
redacted, according to a well-known PNR expert, Edward Hasbrouck.
A report concerning Passenger Name Record Information derived from flights
between the US and the European Union (18.12.2008)
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pnr_report_20081218.pdf
DHS admits problems in disclosing travel surveillance records (24.12.2008)
http://www.papersplease.org/wp/2008/12/24/dhs-admits-problems-in-disclosing…
Can you really see what records are kept about your travel? (30.12.2008)
http://hasbrouck.org/blog/archives/001595.html
European Lawmaker Sues U.S. Agencies to Obtain Travel-Related and Other
Personal Information (1.07.2008)
http://www.eff.org/press/archives/2008/07/01
EDRi-gram: Final agreements between EU and USA on PNR and SWIFT (4.07.2007)
http://www.edri.org/edrigram/number5.13/eu-us-pnr-swift
============================================================
2. Lists of allegedly illegal websites always leak
============================================================
While some European countries block illegal content (mostly child
pornography websites), others are considering implementing a similar measure
through a hidden list. However, the past month has shown once more, if that
were necessary, that the list of any blocked content will usually leak and
thus the allegedly blocked content will become widely available.
Belgium is one of the new countries considering such a list. The Minister of
Enterprise and Administrative Reform, Vincent Van Quickenborne, wants to ban
child pornography on the Internet through a protocol between ISPs and the
Government. The protocol might extend to other illegal sites, such as hate
and racism websites or Internet fraud.
The federal police special division Federal Computer Crime Unit (FCCU)
confirms that it detects 800 - 1000 child pornography websites hosted in
foreign countries every year, and that the court procedure to block those
sites is rarely used since it is too burdensome.
The Flemish League for Human Rights (Liga voor Mensenrechten) has criticized
the project, underlining that "the decision to block websites must remain
under exclusive authority of the judicial branch. It is unacceptable that
the police get a wild card to block certain websites at will."
The legal framework already exists in Belgium, but Minister Van
Quickenborne wants a more flexible mechanism that can be used more quickly
to effectively block websites. It seems that the police will get the
authority to compose the blacklists of websites to be blocked, without any
legal safeguards or external oversight mechanisms. The fact that the FCCU
admits right away that this practice should also be applicable in other
cases makes the whole practice very worrisome.
The practice of the hidden lists of illegal websites is not new. But in the
past month, we've seen at least 3 major blacklists become public, thus
becoming irrelevant.
The blacklist operated by the Danish child pornography filtering system
(3863 blocked URLs) leaked on 23 December 2008 and is available in full
online.
Only a few days before, Thailand's blacklist (1203 websites), made by the
Ministry of Information and Communication Technology to block access to
websites deemed unsuitable for the Thai people, became available on the
Internet. The list included hundreds of YouTube videos (including
Hillary Clinton's campaign videos) as well as blogs, cartoons, Charlie
Chaplin videos and an article in the Economist magazine banned for
criticising the Thai king.
In the same period Wikileaks published the Finnish Internet censorship list.
The Finnish National Bureau of Investigation has requested executive
assistance from the United States, but it is not known what precisely has
been requested - whether the concern is only removing the list or whether
they are trying to find out who leaked it. The list still includes the
critical Finnish anti-censorship site lapisporno.info.
Government wants to eliminate sites with child pornography (only in Flemish,
12.01.2009)
http://www.demorgen.be/dm/nl/991/Multimedia/article/detail/606707/2009/01/1…
The government wants to block paedophiliac websites (only in French,
12.01.2009)
http://www.datanews.be/fr/news/90-53-21867/le-gouvernement-entend-verrouill…
Flemish Human Rights League - Minister Van Quickenborne wants a flexible
system for blocking websites. A form of censorship? (12.01.2008)
http://www.mensenrechten.be/main.php?item_content=7116
List of banned websites in Thailand and Denmark leaked online (23.12.2008)
http://www.news.com.au/technology/story/0,28348,24840506-5014239,00.html
List of Child Porn Sites Leaked to Public (13.01.2009)
http://www.yle.fi/uutiset/news/2009/01/list_of_child_porn_sites_leaked_to_p…
EDRi-gram: ENDitorial: Finnish web censorship (27.02.2008)
http://www.edri.org/edrigram/number6.4/finland-web-censorship
============================================================
3. France: ARMT was useless
============================================================
At the end of December 2008 the first yearly report of the French Authority
for the Regulation of DRM (Autorité de régulation des mesures techniques -
ARMT), which should have ensured the interoperability of DRM systems and
allowed private copies, was publicly presented.
This could very well be the last report, since the new law on Internet
and Creation could create a new authority (HADOPI - Haute Autorité pour la
diffusion des oeuvres et la protection des droits sur Internet) that will
take the place of the old one and will have a different scope: to issue
warnings and potentially cut Internet subscriptions in cases of
copyright infringement.
The ARMT report admitted that, in 20 months of activity, it didn't take any
decision on interoperability or on copyright exceptions. The authority
claimed that the main problem was that nobody sent it a specific request.
It also acknowledged the fact that DRM issues have decreased in
importance, especially in the music sector, with the new DRM-free music
available on the market.
The authority has accepted that DRM has been an obstacle "to the
legal music offers" that were in direct competition with the p2p networks,
where the same content is available without DRM.
However, the Authority does not want to admit that DRM is dead and it
explains that this might be the case only in the music sector. It also
claims that DRM plays a "major role" in the movie industry and considers
that giving up DRM on online video services is not an option today.
The ARMT's report also observes that the penal measures protecting DRM
were never used in the French courts in the 2 years since the DADVSI
law came into force.
As expected, the ARMT considers that its life was very useful, contributing
to preparing "the field for a more ambitious strategy for public powers",
namely the 3-strikes procedure.
It remains to be seen if the new Hadopi law will be voted by the second
chamber of the French Parliament and if the new Authority, estimated to have
a budget close to 7 million Euro, will have better results.
ARMT finds its futility before becoming HADOPI (only in French, 18.12.2008)
http://www.numerama.com/magazine/11577-L-ARMT-constate-son-inutilite-avant-…
ARMT annual report 2008 (only in French, 18.12.2008)
http://armt.fr/IMG/pdf/rapport_annuel_armt.pdf
Albanel views that DRM withdrawal must lead to the graduated response
(only in French, 9.01.2009)
http://www.numerama.com/magazine/11656-Albanel-estime-que-le-retrait-des-DR…
EDRi-gram: France establishes the DRM-regulation authority (12.04.2007)
http://www.edri.org/edrigram/number5.7/drm-authority-france
EDRi-gram: One more step for France in adopting the graduated response
(5.11.2008)
http://www.edri.org/edrigram/number6.21/french-senate-adopts-3-strikes
============================================================
4. UK Culture Secretary wants film-style ratings to individual websites
============================================================
The UK Culture Secretary Andy Burnham presented, in an interview with
The Daily Telegraph at the end of last year, some new plans for bringing
"new standards of decency" to the web.
The Cabinet minister is planning to give film-style ratings to individual
websites and wants ISPs to offer parents "child-safe" web services. Because
the Internet is global in nature, he plans to negotiate with the Obama
Administration in order to draw up "international rules for English
language websites."
Burnham explained the present situation: "If you look back at the people who
created the internet they talked very deliberately about creating a space
that Governments couldn't reach. I think we are having to revisit that stuff
seriously now. It's true across the board in terms of content, harmful
content, and copyright. Libel is an emerging issue."
He also added in a statement for the BBC: "The internet is becoming a more
and more pervasive entity in all our lives and yet the content standards
online are not as clear as we've all been used to in traditional media. I
think we do need to have a debate now about clearer signposting and
labelling online because it can be quite a confusing world, particularly
for parents who are trying to ensure their children are only accessing
appropriate stuff."
Richard Clayton from the EDRi-member FIPR has dismissed the UK Culture
Secretary's plans, considering them "a childlike hope that merely
wishing for something will make it come true." He explains that all the
proposed solutions have been discussed and dismissed in the past.
"ISPs have tried 'child-safe' services in the past and even those who still
keep their systems working hardly mention them in their adverts any more. I
thought that it was no longer a part of modern politics to force an industry
to make products that nobody actually wants to buy."
Clayton also pointed out that online defamation had already been considered
twice by the Law Commission, whose main concerns centred on making
it harder for ISPs to be sued and addressing the issues of archives.
As regards web labelling, he points to the 10-year history of failure and
illustrates it with the website of Mr Burnham's own department:
"They have labelled their main website with the ICRA scheme. To their
credit, they have used more than just a blanket "innocuous" setting, albeit
they have clearly overdone it since a description of the minutiae of the
Gambling Act 2005 is still marked up as "gambling", which may disappoint
anyone who was hoping to have a flutter.
Although the DCMS proudly displays the ICRA logo on their front page, they
haven't been bothered to label any of their subsites, such as the Government
Art Collection, which contains images that some people might consider
indecent - such as this full frontal nude of a young boy."
Despite all these problems, the European Union seems set to continue
supporting this type of project in the future. Encouraging and assisting
providers to develop labelling is one of the actions funded under the new
EU Safer Internet programme 2009 - 2013.
A recent report of the Internet Safety Technical Task Force, a working group
established by the 49 state attorneys general from the US to
look into the problem of sexual solicitation of children online, has reached
some interesting conclusions. The report challenges some of the earlier
beliefs concluding that: "Social network sites are not the most common space
for solicitation and unwanted exposure to problematic content, but are
frequently used in peer-to-peer harassment, most likely because they are
broadly adopted by minors and are used primarily to reinforce pre-existing
social relations."
The report also claims that "Minors are not equally at risk online. Those
who are most at risk often engage in risky behaviors and have difficulties
in other parts of their lives. The psychosocial makeup of and family
dynamics surrounding particular minors are better predictors of risk than
the use of specific media or technologies."
Internet sites could be given 'cinema-style age ratings', Culture Secretary
says (27.12.2008)
http://www.telegraph.co.uk/scienceandtechnology/technology/technologynews/3…
Website age ratings 'an option' (27.12.2008)
http://news.bbc.co.uk/2/hi/uk_news/7800846.stm
Andy Burnham and the decline of standards (29.12.2008)
http://www.lightbluetouchpaper.org/2008/12/29/andy_burnham/
Web content labelling (17.09.2007)
http://www.lightbluetouchpaper.org/2007/09/17/web-content-labelling/
EU Safer Internet programme 2009 - 2013
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:348:0118:01…
Final Report of the Internet Safety Technical Task Force to the Multi-State
Working Group on Social Networking of State Attorneys General of the United
States (31.12.2008)
http://cyber.law.harvard.edu/pubrelease/isttf/
============================================================
5. Open Access to High Energy Physics Literature
============================================================
An interesting alternative model for open access publishing for the High
Energy Physics journals has emerged in the past years in a project led by
CERN (European Organization for Nuclear Research) that attempts to make the
current research openly accessible in this field.
CERN has been the leader since the 50s, when the first pre-print repository
was established at the headquarters of the European organisation. The
repository gathered working papers and reports submitted to CERN by authors
from institutions across the world.
Now, a new project, called SCOAP3 (Sponsoring Consortium for Open Access
Publishing in Particle Physics), is trying to come up with a new model to
convert the entire High Energy Physics (HEP) literature to open access. The
model might be easier to implement considering that basically just
six peer-reviewed journals publish the majority of HEP articles. In this new
model the publisher's subscription income from multiple institutions would
be replaced by income from a single financial partner, SCOAP3. Each
SCOAP3 partner will finance its contribution by cancelling journal
subscriptions and each country will contribute according to its share of HEP
publishing.
SCOAP3 is a consortium composed of high-energy physics funding agencies,
high-energy physics laboratories and leading national and international
libraries and library consortia. In the beginning of 2009 SCOAP3 announced
that most European countries have agreed to participate, as have 44 US
partners, Turkey, Israel and Australia. In less than one year and
a half, SCOAP3 has received pledges for 49.5% of its budget.
Formal discussions with the publishers have not officially started, but all
major publishers show a pro-active attitude of great support to Open Access
in HEP.
Project Underway To Convert High Energy Physics Literature To Open Access
(5.01.2009)
http://www.ip-watch.org/weblog/index.php?p=1388
SCOAP3 Funding status report (12.12.2008)
http://www.scoap3.org/news/news54.html
SCOAP3: Funding status report for ICOLC Munich (11.2008)
http://www.charlestonco.com/index.php?do=Press+Room&pg=pr_details&pr_id=1649
About SCOAP3
http://www.scoap3.org/about.html
Towards Open Access Publishing in High Energy Physics (3.06.2007)
http://www.scoap3.org/files/Scoap3ExecutiveSummary.pdf
============================================================
6. No e-voting in Azerbaijan and Macedonia
============================================================
After the major problems with the e-voting systems tested in Western Europe,
some Eastern European countries have expressed their reservations about
implementing such a system.
The Central Election Commission from Azerbaijan considered that e-voting is
not required in the 2009 referendum or in the 2009 local elections and 2010
parliamentary vote.
Even though Azerbaijan is part of the Council of Europe's Electronic Voting
Committee that has recommended the introduction of Internet-based voting,
the Central Election Commission Secretary, Natiq Mammadov, explained to the
online newspaper Trend News that there is no chance to implement this for
the next elections:
"We must have a reason to apply innovation as opposed to simply wanting to.
We do not need e-voting to increase the voter turnout in Azerbaijan."
He also claimed that "there is no need to make hasty decisions about
e-voting."
A similar decision was made in Macedonia in the beginning of 2009, the
leaders of the major parties deciding that no electronic voting will be
necessary for the next presidential elections and that more time is needed
before the system can be set up. However, Macedonian politicians supported
the idea that such a system might be used in the next electoral cycles.
No need for e-voting: Azerbaijani Central Election Commission (12.01.2009)
http://news.trend.az/index.shtml?show=news&newsid=1394353&lang=en
No e-voting in next elections (9.01.2009)
http://www.makfax.com.mk/look/novina/article.tpl?IdLanguage=1&IdPublication…
EDRi-gram: Finnish e-voting fiasco: votes lost (5.11.2008)
http://www.edri.org/edrigram/number6.21/finnish-evoting-fiasco
============================================================
7. Big Brother Awards UK 2008
============================================================
The Big Brother Awards (BBA) are back in the UK with more positive awards to
celebrate the people that have been involved in protecting privacy in the
past years.
The event, held in December 2008 at the London School of Economics, was
organized by the EDRi-member Privacy International and gave only one Big
Brother 2008 award - the statue of a boot stamping upon a human head - to
New Labour.
Six other positive prizes, called the Roll of Honour, were received by:
- Baroness Sarah Ludford MEP - one of the Liberal Democrat Members of
the European Parliament, member of the Human Rights Committee;
- Phil Booth, the National Coordinator of the NO2ID Campaign against the
Database State;
- Helen Wallace, Executive Director of GeneWatch UK, who has provided
expert evidence on behalf of S. and Marper to the European Court of Human
Rights;
- Gareth Crossman - retiring Director of Policy at Liberty Human Rights;
- Becky Hogge - retiring Executive Director of the Open Rights Group;
- Rt. Hon. David Davis MP, the former Conservative Shadow Home Affairs
spokesman.
UK Big Brother Awards - boos for NuLabour, hurrahs for Sarah Ludford, Phil
Booth, Helen Wallace, Gareth Crossman, Becky Hogge and David Davis
(12.12.2008)
http://p10.hostingprod.com/@spyblog.org.uk/blog/2008/12/uk-big-brother-awar…
The Big Brother awards are back (12.12.2008)
http://gizmonaut.net/blog/uk/big_brother_awards_2008.html
EDRi-gram: ECHR decided against the UK DNA Database (17.12.2008)
http://www.edri.org/edri-gram/number6.24/echr-marper-case-dna-uk
============================================================
8. Montenegro blocks Facebook and Youtube for civil servants
============================================================
Montenegro's office in charge of the government Internet infrastructure
decided to ban access to several social networking or video sharing
websites, such as YouTube or Facebook. The public servants were informed by
a statement sent at the end of December 2008 by the office to all civil
servants.
Now, civil servants trying to access those websites will receive an
access denied message. Even though this is not a spectacular measure at the
workplace, it is interesting that the reason behind the blockage was not to
increase the productivity of government employees, but to "avoid a meltdown
of its system from excess traffic".
The official statement explained: "Therefore, during working hours, access
to certain potentially malicious and huge traffic generating websites is
disabled," and accepted not to block the websites outside working hours.
Montenegro, the newest European country, with 650 000 inhabitants, has an
Internet penetration rate of almost 40% and more than 14 000 Facebook users.
Montenegro bans Facebook access in government offices (18.12.2008)
http://www.reuters.com/article/internetNews/idUSTRE4BH36620081218
Social Media's Popularity Too Much For Montenegro Gov't (18.12.2008)
http://www.webpronews.com/topnews/2008/12/18/social-medias-popularity-too-m…
============================================================
9. ENDitorial: Everyone can eavesdrop in Macedonia
============================================================
Eavesdropping devices that are being sold through adverts are mostly used by
pupils for cheating at their school exams, and by men who doubt their wives'
fidelity.
"Hey, let's meet, we should not discuss this over the phone." This sentence
has long been used among friends, colleagues and relatives, but today, if
something important is to be discussed, the sentence would rather be "Let me
whisper something to you, but check your ear first".
Today, the technologies for communications monitoring and recording
conversations are so advanced, practically unnoticeable, and easily
available - they can be bought through an advert for only 250 denars! This
equipment surely cannot help you hear about the next mischief Greece is
planning to do, but you can at least hear the crying baby in another room,
catch your wife with the neighbour or cheat at most of the exams at the
faculty or in high school.
An electronics technician from Skopje who is selling these devices has had a
very unpleasant experience with the victims of his clients. He insisted that
we do not publish his name.
"I'm only making these devices, and I am not responsible for how people are
using them. My "bug" has a range of 50 meters, and the recording can also be
heard on a mobile phone. It records excellently on an FM radio frequency,
except when waves from the radio stations in Skopje are causing
interference," he says, while showing us the small transmitter.
For commercial purposes, the name of his firm is on the package of the
transmitter. This is how the problems started for the technician.
"A teacher from a school in Skopje called me. I could feel the anger in
his voice. He caught his students cheating during an exam by using my "bug".
What can I say; I am not encouraging children to do this. I also explained
to him that there are also other young electronics technicians, who are
manufacturing transmitters" he said.
"Let me be clear, I am not selling these devices so that they could be
abused. Some people are using my "bugs" to discover marital infidelities.
Sometimes people are calling me, as if I had placed the device. I want these
devices to be used for noble purposes, so that mothers could hear their
babies crying, for instance. I am even prepared to give one of my bugs to
each mother with twins," he added.
The devices of the Macedonian electronics technician are just part of the
technological array of devices that can be used for eavesdropping. Almost
all of the mobile phones have voice recorders. The new voice recorders are
so small that they can be hidden in one's sleeve. eBay and other websites
are selling mobile phones worth up to 1,000 euros that can be used to
eavesdrop on other mobile phones. Hacker websites on the internet are
offering small programs for free, that can be sent via e-mail, that are
afterwards sending back usernames and passwords of the email's user to the
original sender. The list is quite long. There are even so called "spy
shops" in the USA.
With the amendments of the Law on communications monitoring it is projected
that private companies would also be able to purchase, sell and use
communications monitoring equipment, having obtained prior authorization
from the Ministry of Interior. This mostly applies for the security agencies
and detectives.
We don't have any communications monitoring equipment. To be honest, some of
our clients have required this from us but we have not done it - say the
employees of the security agency "Branitel" from Skopje. Other security
agencies gave us the same answer.
The people from the Ministry of Interior say that, so far, nobody has
submitted a request for purchase, since the commission responsible for
reviewing such requests is still being formed.
There is still no commission or body with the role of controlling the usage
of this equipment, neither in the state institutions, nor in the private
companies.
So far, a more efficient system for controlling these eavesdropping devices
has not been established. Someone from the authorities should explain how
these devices are being controlled. Nobody informed us how much money has
been spent for purchasing communications monitoring equipment. This is an
opportunity for any kind of abuse. Now, by providing private companies with
the opportunity to use such equipment, the abuse will not only be political.
The ones that adopted this law will eventually become its victims as well -
says professor Slagjana Taseva.
Officials from the Directorate for Personal Data Protection emphasize that
it is necessary to take into consideration the method of usage of the
personal data collected in the process of eavesdropping.
The citizens must know that according to the Law on communications, a court
warrant is required for such an activity. As for the ones that are selling
various devices through advertisements, they should know that this is
illegal - says Marijana Marushik, director of the DPDP.
Nevertheless, it seems that nothing can stop mass eavesdropping on
communications.
Original article - newspaper Nova Makedonija (only in Macedonian,
29.12.2008)
http://www.novamakedonija.com.mk/DesktopDefault.aspx?tabindex=1&tabid=2&fCa…
(contribution by Aleksandar Bozhinovski - Nova Makedonija)
============================================================
10. Recommended Reading
============================================================
EDPS - Second opinion on ePrivacy Directive review and security breach
(9.01.2008)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu…
The European Ombudsman - Public Access to Information in EU Databases
http://www.statewatch.org/news/2009/jan/eu-ombs-databases-report.pdf
ICANN Annual Report 2008
http://www.icann.org/en/annualreport/annual-report-2008-en.pdf
Päivikki Karhula: A cattle hotshot - citizens on a shadow of the ubiquitous
society
http://lib.eduskunta.fi/dman/Document.phx?documentId=aa28808131125576&cmd=d…
============================================================
11. Agenda
============================================================
16-17 January 2009, Brussels, Belgium
Computers, Privacy & Data Protection conference
CPDP 2009: Data Protection in A Profiled World?
http://www.cpdpconferences.org/
28 January 2009, Europe-wide
3rd Data Protection Day
http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/Dat…
28 January 2009, Helsinki, Finland
Data Protection Day seminar in Finland
Raising Awareness
http://www.effi.org/tapahtumat/tietosuojapaivan_seminaari_20090128_english.…
28 January 2009, Sofia, Bulgaria
Bulgarian Big Brother Awards
3-4 February 2009, Victoria, British Columbia, Canada
10th Annual Privacy and Security Conference "Life in a Digital Fishbowl: A
Struggle for Survival or a Sea of Opportunity?"
http://www.rebootconference.com/privacy2009/
7-8 February 2009, Brussels, Belgium
Free and Open source Software Developers' European Meeting (FOSDEM)
http://www.fosdem.org/2009/
18-20 March 2009, Athens, Greece
WebSci'09: Society On-Line
http://www.websci09.org/
27-29 March 2009, Manchester, UK
Oekonux Conference: Free Software and Beyond The World of Peer Production
http://www.oekonux-conference.org/
29-31 March 2009, Edinburgh, UK
Governance Of New Technologies: The Transformation Of Medicine, Information
Technology And Intellectual Property - An International Interdisciplinary
Conference
http://www.law.ed.ac.uk/ahrc/conference09/
1-3 April 2009, Berlin, Germany
re:publica 2009 "Shift happens"
http://www.re-publica.de/09/
Subconference: 2nd European Privacy Open Space
http://www.privacyos.eu/
13-14 May 2009 Uppsala, Sweden
Mashing-up Culture: The Rise of User-generated Content
http://www.counter2010.org/workshop_call
24-28 May 2009, Venice, Italy
ICIMP 2009, The Fourth International Conference on Internet Monitoring
and Protection
http://www.iaria.org/conferences2009/ICIMP09.html
1-4 June 2009, Washington, DC, USA
Computers Freedom and Privacy 2009
Proposal Submissions by 23 January 2009
http://www.cfp2009.org/
5 June 2009, London, UK
The Second Multidisciplinary Workshop on Identity in the Information
Society (IDIS 09): "Identity and the Impact of Technology"
Call for papers, deadline 13 March 2009
http://is2.lse.ac.uk/idis/2009/
2-3 July 2009, Padova, Italy
3rd FLOSS International Workshop on Free/Libre Open Source Software
Paper submission by 31 March 2009
http://www.decon.unipd.it/personale/curri/manenti/floss/floss09.html
13-16 August 2009, Vierhouten, The Netherlands
Hacking at Random
http://www.har2009.org/
23-27 August 2009, Milan, Italy
World Library and Information Congress: 75th IFLA General Conference and
Council: "Libraries create futures: Building on cultural heritage"
Call for papers by 15 January 2009
http://www.ifla.org/IV/ifla75/index.htm
10-12 September 2009, Potsdam, Germany
5th ECPR General Conference, Potsdam
Section: Protest Politics
Panel: The Contentious Politics of Intellectual Property
First proposals to be submitted by 1 February 2009
http://www.ecpr.org.uk/potsdam/default.asp
16-18 September 2009, Crete, Greece
World Summit on the Knowledge Society WSKS 2009
http://www.open-knowledge-society.org/
October 2009, Istanbul, Turkey
eChallenges 2009
Call for papers by 27 February 2009
http://www.echallenges.org/e2009/default.asp?page=c4p
15-18 November 2009, Sharm El Sheikh, Egypt
UN Internet Governance Forum
http://www.intgovforum.org/
============================================================
12. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Look at NetOptics Directors or the VSS 4x24. I've deployed several.
On Mon, May 23, 2011 at 8:34 PM, Darren Bolding <darren(a)bolding.org> wrote:
> We are planning on purchasing some network taps for a couple of locations
> in our network, and we expect to make significantly greater use of them in
> the next year or two.
>
> Something that is new since I last investigated taps (it has been a while)
> is that many of them now allow for functionality I would typically think of
> as far outside what a simple tap does.
>
> For example:
>
> - Selective forwarding of packets based on MAC address, TCP/UDP port, IP
> address range etc.
> - Selective forwarding/load balancing based on flow, so that you can
> distribute traffic across a cluster of devices (e.g. IDS or netflow probes)
> - Ability to insert a device (firewall, IDS, etc) into the network flow and
> via software configuration bypass traffic around the device, e.g. able to
> quickly drop a device out of the network path.
> - Some have the ability to send network probes, or monitor traffic
> downstream of an inline device so they can automatically take the device
> out of line if it fails to pass traffic.
> - Some can filter which traffic goes through the inline device and merge it
> back with the traffic that was not sent to the inline device for downstream
> consumption.
> - Some can be connected and automatically be managed as if one device,
> allowing monitor and replication ports to be used across the stack/mesh of
> devices.
>
> All of this is very interesting. Of course these taps cost more than your
> basic dumb tap.
>
> More interestingly to me is that these taps are no longer dumb, and that
> makes them a bit of a riskier proposition. In evaluating some we have run
> into issues ranging from misconfiguration/user error to what appear to be
> crashes (with associated loss of forwarding).
>
> I'm wondering if anyone has had significant experience deploying these more
> advanced taps, whether it was good or bad, general comments you might like
> to share regarding them, and whether you would recommend particular
> vendors.
>
> If people reply off-list, I will make a point of summarizing back if I get
> any feedback.
>
> Thanks!
>
> --D
>
> --
> -- Darren Bolding --
> -- darren(a)bolding.org --
>
--
Jason
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
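The thread above describes what the newer "smart" taps do: filter on MAC, port or IP range, spread traffic across a sensor cluster by flow, and bypass an inline tool under software control. The following Python model is an added example, not code from the thread or from any tap vendor; the Packet, FilterRule, sensor names and addresses are constructed for illustration. The point it adds is one a practitioner evaluating flow-based load balancing should check: the flow hash must be symmetric, so that both directions of a connection reach the same IDS sensor, otherwise stream reassembly on the sensor silently breaks.

```python
import ipaddress
import struct
import zlib
from typing import List, NamedTuple, Optional


class Packet(NamedTuple):
    """Constructed packet summary: only the header fields a tap filter looks at."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int


class FilterRule(NamedTuple):
    """A packet passes the rule when every field that is set matches either endpoint."""
    ip_range: Optional[ipaddress.IPv4Network] = None
    port: Optional[int] = None
    mac: Optional[str] = None


def matches(rule: FilterRule, pkt: Packet) -> bool:
    if rule.ip_range is not None:
        endpoints = (ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip))
        if not any(addr in rule.ip_range for addr in endpoints):
            return False
    if rule.port is not None and rule.port not in (pkt.src_port, pkt.dst_port):
        return False
    if rule.mac is not None and rule.mac not in (pkt.src_mac, pkt.dst_mac):
        return False
    return True


def flow_key(pkt: Packet) -> bytes:
    """Direction-independent flow identifier.

    The two (address, port) endpoints are sorted before hashing, so the
    client->server and server->client halves of one connection produce the
    same key. Hashing the raw 5-tuple instead would send the two directions
    to different sensors and break TCP stream reassembly on the IDS.
    """
    a = (ipaddress.ip_address(pkt.src_ip).packed, pkt.src_port)
    b = (ipaddress.ip_address(pkt.dst_ip).packed, pkt.dst_port)
    lo, hi = sorted([a, b])
    return (lo[0] + struct.pack("!H", lo[1])
            + hi[0] + struct.pack("!H", hi[1])
            + pkt.proto.encode("ascii"))


def choose_sensor(pkt: Packet, sensors: List[str]) -> str:
    """Pick a sensor by hashing the symmetric flow key (CRC32 is enough for a toy)."""
    return sensors[zlib.crc32(flow_key(pkt)) % len(sensors)]


def broker(pkt: Packet, rules: List[FilterRule], sensors: List[str],
           tool_bypassed: bool = False) -> Optional[str]:
    """Return the sensor that receives a copy of pkt, or None if none does.

    tool_bypassed models the software-controlled bypass: when set, the
    monitoring tools are out of the path and nothing is forwarded to them.
    An empty rule list forwards everything.
    """
    if tool_bypassed:
        return None
    if rules and not any(matches(rule, pkt) for rule in rules):
        return None
    return choose_sensor(pkt, sensors)


if __name__ == "__main__":
    sensors = ["ids-1", "ids-2", "ids-3"]
    rules = [FilterRule(ip_range=ipaddress.ip_network("10.0.0.0/24"), port=443)]
    fwd = Packet("aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02",
                 "10.0.0.5", "192.0.2.10", "tcp", 51000, 443)
    rev = Packet("bb:bb:bb:00:00:02", "aa:aa:aa:00:00:01",
                 "192.0.2.10", "10.0.0.5", "tcp", 443, 51000)
    print("forward  ->", broker(fwd, rules, sensors))
    print("reverse  ->", broker(rev, rules, sensors))
    print("bypassed ->", broker(fwd, rules, sensors, tool_bypassed=True))
```

When evaluating a real device, the equivalent acceptance test is to replay a capture with both directions present and confirm on each sensor that it sees complete connections rather than one-sided halves; the bypass path deserves the same test, since the message notes that a crash in the tap's forwarding logic is a new failure mode a dumb tap never had.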
The problem with the attack scenario where two versions of a program are
created with the same hash, is that from what little we know of the new
attacks, they aren't powerful enough to do this.
All of the collisions they have shown have the property where the two
alternatives start with the same initial value for the hash; they then
have one or two blocks which are very carefully selected, with a few
bits differing between the two blocks; and at the end, they are back
to a common value for the hash.
It is known that their techniques are not sensitive to this initial value.
They actually made a mistake when they published their MD5 collision,
because they had the wrong initial values due to a typo in Schneier's
book. When people gave them the correct initial values, they were able
to come up with new collisions within a matter of hours.
If you look at their MD5 collision in detail, it was two blocks long.
Each block was almost the same as the other, with just a few bits
different. They start with the common initial value. Then they run
the first blocks through. Amazingly, this has only a small impact on
the intermediate value after this first block. Only a relatively few
bits are different.
If you or I tried to take two blocks with a few bits different and feed
them to MD5, we would get totally different outputs. Changing even
one bit will normally change half the output bits. The fact that they
are able to change several bits and get only a small difference in the
output is the first miracle.
But then they do an even better trick. They now go on and do the
second pair of blocks. The initial values for these blocks (which are
the outputs from the previous stage) are close but not quite the same.
And amazingly, these second blocks not only keep things from getting
worse, they manage to heal the differences. They precisely compensate
for the changes and bring the values back together. This is the second
miracle and it is even greater.
Now, it would be a big leap from this to being able to take two arbitrary
different initial values and bring them together to a common output.
That is what would be necessary to mount the code fraud attack. But as
we can see by inspection of the collisions produced by the researchers
(who are keeping their methodology secret for now), they don't seem to
have that power. Instead, they are able to introduce a very carefully
controlled difference between the two blocks, and then cancel it.
Being able to cancel a huge difference between blocks would be a problem
of an entirely different magnitude.
Now, there is this other idea which Zooko alludes to, from Dan Kaminsky,
www.doxpara.com, which could exploit the power of the new attacks to
do something malicious. Let us grant that the only ability we have is
that we can create slightly different pairs of blocks that collide.
We can't meaningfully control the contents of these blocks, and they
will differ in only a few bits. And these blocks have to be inserted
into a program being distributed, which will have two versions that
are *exactly the same* except for the few bits of difference between
the blocks. This way the two versions will have the same hash, and this
is the power which the current attacks seem to have.
Kaminsky shows that you could still have "good" and "bad" versions of
such a program. You'd have to write a program which tested a bit in
the colliding blocks, and behaved "good" if the bit was set, and "bad"
if the bit was clear. When someone reviewed this program, they'd see
the potential bad behavior, but they'd also see that the behavior was
not enabled because the bit that enabled it was not set. Maybe the
bad behavior could be a back door used during debugging, and there is
some flag bit that turns off the debugging mode. So the reviewer might
assume that the program was OK despite this somewhat questionable code,
because he builds it and makes sure to sign or validate the hash when
built in the mode when the bad features are turned off.
But what he doesn't know is, Kaminsky has another block of data prepared
which has that flag bit in the opposite state, and which he can substitute
without changing the hash. That will cause the program to behave in its
"bad" mode, even though the only change was a few bits in this block
of random data. So this way he can distribute a malicious build and it
has the hash which was approved by the reviewer.
And as Zooko points out, this doesn't have to be the main developer
who is doing this, anyone who is doing some work on creating the final
package might be able to do so.
On the other hand, this attack is pretty blatant once you know it is
possible. The lesson is that a reviewer should be suspicious of code
whose security properties depend on the detailed contents of blocks
of random-looking data. One problem with this is that there are some
circumstances where it could be hard to tell. Zooko links to the example
of a crypto key which could have weak and strong versions. The strong
version could be approved and then the weak version substituted.
There are also some crypto algorithms that use random-looking blocks of
data which could have weak and strong versions.
So it's not always as easy as it sounds. But most code will not have
these problems, and for those programs it would be pretty conspicuous
to implement Kaminsky's attacks. At present, that looks to be the best
someone could do with SHA-1 or even MD5.
Hal Finney
_______________________________________________
p2p-hackers mailing list
p2p-hackers(a)zgp.org
http://zgp.org/mailman/listinfo/p2p-hackers
_______________________________________________
Here is a web page listing P2P Conferences:
http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences
----- End forwarded message -----
--
Eugen* Leitl <leitl>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
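Hal's description rests on the chaining structure of MD5 and SHA-1: a common initial value, a pair of carefully chosen blocks that differ in a few bits and leave the same intermediate value, and from then on anything common to both messages keeps the hashes equal. The Python below is an added example, not part of the p2p-hackers thread; it uses a constructed toy Merkle-Damgard hash with a 24-bit chaining value (so colliding blocks can be found by birthday search instead of the researchers' technique) to show two properties the message relies on: a colliding pair found for one chaining value still collides after any common suffix, which is why the "good" and "bad" programs can be identical except for those blocks, and the same pair stops colliding once different data is placed in front of it, so a pair has to be computed for the chaining value at the point where it is inserted. The last function measures on real MD5 the avalanche behaviour Hal cites, that a one-bit input change flips about half of the 128 output bits; the input string is constructed for the check.

```python
import hashlib

# Toy Merkle-Damgard hash (constructed for this example, not MD5 itself).
STATE_BYTES = 3           # 24-bit chaining value: birthday collisions in a few thousand tries
BLOCK_BYTES = 8
IV = b"\x00" * STATE_BYTES


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated SHA-256 of (state || block).

    The compression itself has no known weakness; the chaining value is
    simply so short that colliding blocks can be found by brute force,
    which is all that is needed to show the structural property.
    """
    assert len(block) == BLOCK_BYTES
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]


def toy_hash(message: bytes, iv: bytes = IV) -> bytes:
    """Chain the compression function over whole blocks, MD5/SHA-1 style."""
    assert len(message) % BLOCK_BYTES == 0
    state = iv
    for off in range(0, len(message), BLOCK_BYTES):
        state = compress(state, message[off:off + BLOCK_BYTES])
    return state


def find_colliding_blocks(iv: bytes = IV):
    """Birthday search: two distinct blocks that leave the same chaining value after iv."""
    seen = {}
    counter = 0
    while True:
        block = counter.to_bytes(BLOCK_BYTES, "big")
        cv = compress(iv, block)
        if cv in seen:
            return seen[cv], block
        seen[cv] = block
        counter += 1


def collision_properties():
    """Return (suffix_still_collides, pair_collides_under_other_iv)."""
    b1, b2 = find_colliding_blocks()
    assert b1 != b2 and compress(IV, b1) == compress(IV, b2)
    # Once the chaining values agree, any common continuation keeps the hashes
    # equal: the two "versions" can be identical except for the chosen blocks.
    suffix = b"rest of program".ljust(2 * BLOCK_BYTES, b"\x00")  # constructed
    suffix_still_collides = toy_hash(b1 + suffix) == toy_hash(b2 + suffix)
    # The pair was computed for one specific chaining value. Put different data
    # in front and the intermediate state changes, so this pair no longer
    # collides; a new pair would have to be found for the new chaining value.
    prefix = b"prefix01"  # constructed, exactly one block
    pair_collides_under_other_iv = toy_hash(prefix + b1) == toy_hash(prefix + b2)
    return suffix_still_collides, pair_collides_under_other_iv


def md5_avalanche(trials: int = 256) -> float:
    """Average number of MD5 output bits (of 128) changed by flipping one input bit."""
    base = bytearray(b"constructed sample input for the avalanche check")  # 48 bytes
    total = 0
    for t in range(trials):
        flipped = bytearray(base)
        flipped[t % len(base)] ^= 1 << ((t // len(base)) % 8)   # a different single bit each trial
        d1 = int.from_bytes(hashlib.md5(bytes(base)).digest(), "big")
        d2 = int.from_bytes(hashlib.md5(bytes(flipped)).digest(), "big")
        total += bin(d1 ^ d2).count("1")
    return total / trials


if __name__ == "__main__":
    print("suffix keeps collision, pair survives new prefix:", collision_properties())
    print("mean MD5 bits flipped per single-bit change:", md5_avalanche())
```

The reviewer's lesson in the message follows directly from the first property: if a program's behaviour depends on the contents of a random-looking block, the hash over the whole package says nothing about which variant of that block was shipped, because everything after the block contributes identically to both hashes. Checking and publishing a hash of the code with such blocks excluded, or rejecting code whose security switches live in opaque data, removes the ambiguity.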
On Wed, Sep 28, 2005 at 02:45:35AM -0400, Jeffrey F. Bloss wrote:
[...]
> Has anyone considered applying a HashCash type solution to this?
Hashcash is often considered, but commonly dismissed, because it
limits identities based on the wrong resource: computers.
If you haven't read the paper "'Proof-of-work' Proves Not To Work" by
Ben Laurie and Richard Clayton, I recommend it highly. See
http://www.cl.cam.ac.uk/users/rnc1/proofwork.pdf . It mostly
discusses why hashcash can't prevent spam, but the arguments would
seem to apply to wikipedia editing as well.
[...]
> > On the other hand, if there were an authentication service that gave
> > you pseudonyms for Tor users who wanted pseudonyms, you could tell
> > which pseudonyms contributed well, and which were jerks, and which
> > were nonentities.
>
> The problem I see with this is that as the name implies, it's
> pseudo-anonymous.
Sorry, but you've stumbled onto a personal crusade of mine.
The word is pseudonymous, not pseudo-anonymous. And the difference is
important. "Pseudonymous" means "using false names," like calling
yourself Batman instead of Bruce Wayne. "Anonymous" means "without a
name," like writing "The Joker will pay for his crimes" and not
signing it. "Pseudo-anonymous" isn't a real word, but if it were, it
would mean "falsely anonymous", like the bank robber who disguised
himself by wearing a motorcycle helmet with his name written on the
back.{1}
> Tor is an anonymous network by design. And there is a
> difference.
As one of the designers, I'd like to weigh in. Tor provides
anonymity, but we've never opposed people who wanted to use an
anonymous system to bootstrap per-service or cross-service
pseudonymity.
We will never, of course, alter Tor to make people have pseudonyms.
But letting people use pseudonyms is not against our overarching goals.
The overarching goals are privacy and usability.{2}
> Its real-time nature also compounds any additional partitioning
> problems a hard-keyed pseudonym setup brings with it.
I don't see any iterable (that is, awful) partitioning attacks here.
Assume a network where some users have pseudonyms and some don't.
Assume that pseudonyms are first obtained through a blinded{3}
process, so that an attacker can't tell which user has which
pseudonym.
Assume that the attacker is watching all authentication services
(since this is probably the best point for these attacks). The
attacker could tell when users create new pseudonyms, and when
pseudonymous users are active. From this info, the attacker could
rule out some users as possible owners of some pseudonyms, but that's
about it. Correlation and intersection attacks are unlikely to work
unless the attacker is watching the user as well as the auth server,
and that's outside our threat model.
> Although, this too might fall under that "good enough" umbrella as
> long as the tor network were disjoined from the nym creation and key
> distribution process as much as possible. The nyms would have to be
> managed outside a tor egress point to maintain user's anonymity.
Right.
> I also question whether or not a system can be devised that makes
> nym creation expensive enough to thwart nefarious users from simply
> collecting a lot of nyms. :(
Right. I suspect that this is one of those social engineering
problems that we won't solve except by trying things out and seeing
whether they work.
{1} There are all other kinds of great terms in the field. For
example, "allonymous" is using a name belonging to someone else,
like if the Joker writes a letter and signs it "Batman." Oddly,
there is no classical term for using one's given name.
{2} If you care about privacy and not usability, I recommend DC nets.
If you care about usability and not privacy, I recommend turning
Tor off.
{3} Again see http://en.wikipedia.org/wiki/Blind_signature
yrs,
--
Nick Mathewson
----- End forwarded message -----
--
Eugen* Leitl <leitl>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
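Nick's threat analysis assumes pseudonyms are "first obtained through a blinded process, so that an attacker can't tell which user has which pseudonym", and his footnote {3} points at blind signatures. The Python below is an added example, not part of the thread or of Tor; it walks through that exchange with a textbook RSA blind signature (Chaum's construction) on a constructed toy key built from two Mersenne primes, which is far too small for real use but keeps the arithmetic visible. The NymIssuer class plays the authentication service: it sees that an authenticated user requested a credential and enforces one credential per user (the "expensive enough" limit on collecting nyms), but the blinded value it signs is statistically independent of the pseudonym that is later used, which is exactly the observation position Nick assigns to the attacker watching the auth server.

```python
import hashlib
import math
import secrets
from typing import Dict, Optional, Tuple

# Toy RSA key for the issuing service. Two Mersenne primes keep the numbers
# readable; the resulting 92-bit modulus is constructed for illustration only.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def nym_digest(nym_pubkey: bytes) -> int:
    """Map the pseudonym's public key (or fingerprint) into Z_N for signing."""
    return int.from_bytes(hashlib.sha256(nym_pubkey).digest(), "big") % N


# ---- user side --------------------------------------------------------------
def blind(m: int) -> Tuple[int, int]:
    """Multiply m by r^E for a fresh random r; the issuer only ever sees this product."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    """(m * r^E)^D * r^-1 = m^D * r * r^-1 = m^D (mod N): a plain RSA signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(m: int, sig: int) -> bool:
    """Anyone holding the issuer's public key can check a nym credential."""
    return pow(sig, E, N) == m


# ---- issuing service --------------------------------------------------------
class NymIssuer:
    """Signs one blinded value per authenticated user.

    The issuer learns *that* a user obtained a pseudonym, which is what an
    attacker watching the auth service can see, but not *which* one: for a
    uniformly random r coprime to N, the blinded value is uniformly
    distributed and carries no information about m.
    """

    def __init__(self) -> None:
        self.issued_to: Dict[str, int] = {}   # user id -> blinded value seen

    def issue(self, user_id: str, blinded: int) -> Optional[int]:
        if user_id in self.issued_to:
            return None                         # one nym per user: limits nym farming
        self.issued_to[user_id] = blinded
        return pow(blinded, D, N)


def obtain_nym(issuer: NymIssuer, user_id: str, nym_pubkey: bytes) -> Optional[int]:
    """Full exchange: the user blinds, the issuer signs, the user unblinds."""
    m = nym_digest(nym_pubkey)
    blinded, r = blind(m)
    blinded_sig = issuer.issue(user_id, blinded)
    if blinded_sig is None:
        return None
    return unblind(blinded_sig, r)


if __name__ == "__main__":
    issuer = NymIssuer()
    key = b"constructed nym public key for alice"
    sig = obtain_nym(issuer, "alice", key)
    print("credential verifies:", verify(nym_digest(key), sig))
    print("second request refused:", obtain_nym(issuer, "alice", b"another key") is None)
```

The design choice worth noting is where the linkage is broken: the issuer records the user identity and the blinded value, the service that later accepts the pseudonym records the nym and its signature, and no party sees both sides of the same transaction. That is what makes the intersection attack Nick describes weak for an adversary limited to the auth server; if the same party also watches the user's traffic, the blinding no longer helps, which is why he places that case outside the threat model.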