cypherpunks-legacy
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 7.11, 3 June 2009
============================================================
Contents
============================================================
1. The French Government wants to spy on electronic communications
2. Pressure of the record companies on The Pirate Bay
3. Open source supporters criticize European govts for favouring MS
4. DRI against the Irish law on the interception of communications
5. French Government hurries to put HADOPI law into application
6. WIPO: Visually impaired treaty proposal
7. EU will examine Google Books project
8. Deutsche Telekom investigating the sexual life of job applicants
9. Recommended Action
10. Recommended Reading
11. Agenda
12. About
============================================================
1. The French Government wants to spy on electronic communications
============================================================
On 27 May 2009, the law on orientation and programming for the performance
of the domestic security (Loppsi) was presented by Michèle Alliot-Marie to
the French Council of Ministers.
The law will give the French police the possibility to physically or
remotely install spying software to listen to electronic communications and
introduces Internet filtering by administrative decision.
According to the text, the Criminal Investigation Police will be allowed to
place on a suspect's computer a sort of internal or external USB key which
will send data to the computers of the authorities. The police may also
remotely install Trojans which will give access to all the data in a
computer in real time.
The police will be allowed to make use of these tools only in "the most
severe cases" which however include "support given to the illegal entry and
residence of a foreigner". Under the control of an examining magistrate
(juge d'instruction), the investigating authority will have to justify the
use of the technique by declaring the infringement investigated, the place
where the investigation will take place and its duration. The spyware can be
installed for a four-month period that can be renewed once.
The examining magistrate's control would be a positive thing as the
examining magistrates are independent from the Ministry of Justice and are
free to take decisions, in terms of the gravity of the investigation.
However, if the justice reform project of the French Government comes into
being, the examining magistrates will disappear which means that the
responsibility to authorize spyware will come to the prosecutor of the
Republic.
The law also obliges ISPs to block access, "without delay", to sites
included on a list drafted under the authority of the Ministry of Internal
Affairs. The list will not be made public and therefore it will be
impossible to contest and this will create the risk of abuses.
To forestall objections, the law will initially target paedophilic
content, with the declared purpose to "protect the Internet
users from child pornography images". The operators will have to introduce
in their network software that will stop any connection to sites having a
pedophile character that will be listed by the police. The French Government
will always be able to extend the target by a simple decree.
The text also stipulates severe sanctions for the ISPs that do not observe
the law providing a fine up to 75 000 euro and a year of imprisonment.
Loppsi : the sneaks under the authority of an endangered judge (only in
French, 25.05.2009)
http://www.numerama.com/magazine/12976-Loppsi-les-mouchards-sous-l-autorite…
Loppsi wants to "protect the Internet users" by filtering (only in
French, 27.05.2009)
http://www.numerama.com/magazine/13010-La-Loppsi-veut-proteger-les-internau…
The police will be able to pirate the computers of the yobs (only in French,
25.05.2009)
http://www.lefigaro.fr/actualite-france/2009/05/24/01016-20090524ARTFIG0009…
Loppsi: ISPs will have to "block access without delay" (MAJ) (only in
French, 27.05.2009)
http://www.numerama.com/magazine/13004-Loppsi-les-FAI-devront-empecher-l-ac…
Loppsi presented this Wednesday in the Council of Ministers (MAJ) (only in
French, 27.05.2009)
http://www.numerama.com/magazine/13002-La-Loppsi-presentee-ce-mercredi-en-c…
Draft law on the orientation and programming for the performance of the
domestic security
http://static.pcinpact.com/pdf/Loppsi_projet_loi.pdf
Decrypting: Sarkozy and his work of controlling the Internet (only in
French, 20.05.2009)
http://www.numerama.com/magazine/12948-Decryptage-Sarkozy-et-son-oeuvre-de-…
============================================================
2. Pressure of the record companies on The Pirate Bay
============================================================
The Swedish court has denied the request of four major record companies to
fine The Pirate Bay (TPB) for being still operational.
In mid-May 2009, Universal, EMI, Sony and Warner asked the Swedish
District Court to apply penalties to the operators of TPB for every day they
continue to operate the site. The plaintiffs claimed TPB was an "infringing
service" as they had been able to download through it 467 music albums to
which they owned the copyright. They also asked that the four operators of
TPB take measures so that the works for which they own the copyright could
not be downloaded by Internet users via the site.
Moreover, the recording companies seem to have asked the ISP "Black
Internet" to stop providing services to TPB. Additionally, they asked the
court to apply the penalties even before the District Court ruled on it and
without hearing the four defendants.
On 25 May 2009, the District Court denied the demands stating they wanted to
hear the defendants first and gave the Pirate Bay operators a few weeks to
state their position in the matter. The record companies were also given a
week to decide whether they wanted to appeal the decision to the Court of
Appeal.
"I don't think these are circumstances where the case must be tried
immediately. Usually you get to make your statement before a demand like
this is granted" said judge Caroline Hindmarsh who reviewed the demands and
made the decision.
IT security expert André Rickardsson said to DN.se that the demand of the
record companies was surprising. "Swedish law applies in Sweden and their
Internet service isn't even in Sweden. I don't understand why the district
court has anything to do with this. The Pirate Bay operates in countries
where the activity is permitted," said the expert.
Peter Sunde, one of the defendants, has stated that the record companies
have never asked TPB to remove any of the torrents the plaintiffs refer to
in their request to the District Court and accused the record companies of
being more interested in money and power than in the artists they should
represent.
In the meantime, TPB is searching for unbiased judges after they filed,
along with the appeal to the High Court of Justice, accusations against
Judge Tomas Norström for conflict of interest due to his membership in
associations such as the Swedish Copyright Association.
Judge Ulrika Ihrfeldt was appointed to investigate the conflict of interest
but, soon after that, the judge also revealed having been a member of the
Swedish Copyright Association and was removed from the case. The next judge
appointed to lead the investigation, Anders Eka, appears to be connected to
the Stockholm Center for Commercial Law, where lawyers Monique Wadsted and
Peter Danowsky representing the record companies in TPB trial also are
involved.
Although Eka said he had no personal relationships with the plaintiffs'
lawyers and that he had no background in copyright law, he acknowledged
however he might be suspected for potential bias.
Court President Fredrik Wersäll stated that the investigation of
Norström's potential conflict of interest would be finished in a few weeks.
If Norström is found biased, the case will be sent back to the District
Court. In case the judge is cleared of the accusation, the High Court of
Justice will deal with the main appeal of the verdict and decide on
whether to hold a new trial.
Pirate Bay Money Squeeze Rejected by Court (25.05.2009)
http://torrentfreak.com/pirate-bay-money-squeeze-rejected-by-court-090525/
Pirate Bay: In search of an unbiased judge (23.05.2009)
http://news.cnet.com/8301-13578_3-10248264-38.html?tag=mncol;title
Record Labels Increase Legal Pressure on Pirate Bay (19.05.2009)
http://torrentfreak.com/record-labels-increase-legal-pressure-on-pirate-bay…
Court rejects lawyers' call to gag Pirates (25.05.2009)
http://www.thelocal.se/19656/20090525/
EDRi-gram: The Pirate Bay asks for retrial claiming conflict of interest
(6.05.2009)
http://www.edri.org/edri-gram/number7.9/pirate-bay-mistrial
============================================================
3. Open source supporters criticize European govts for favouring MS
============================================================
Recent governmental plans in several European countries to buy proprietary
software for public administration or education have caused concerns over
the methods used and the lack of public discussion over the decisions.
18 open source companies (including Red Hat) have challenged successfully in
the Federal court a three-year contract between the Swiss Federal Bureau for
Building and Logistics (BBL) and Microsoft for the provisions of Windows
desktops and applications, including support and maintenance. The total
value of the contract was estimated at about 27.8 million euro.
The preliminary ruling of the Federal court from 28 May 2009 was based on
the fact that the BBL disregarded the procurement rules and did not issue a
call for tender. A future final positive decision of the court could mean
that the contract will be canceled and a public auction call needs to be
made.
Just a few days before the court decision, another similar case was raised
by the Swiss open source advocacy group ch/open. They have presented the
situation in the Bern canton, where an 18 million euro contract was
attributed directly for Microsoft software licences, without a public
auction.
Ch/open criticized the lack of transparency of the deal and explained the
current action: "Without any public process, contracts are awarded to a
proprietary software vendor. This makes public administration increasingly
dependent on Microsoft, giving it again no other option in eight years
time."
This deal will be debated in the canton's Parliament by the parliamentary
group on digital sustainability that has the main scope to increase the use
of open source by Swiss public bodies.
Another government-related project that created rumors was the Spanish
government's decision to install Microsoft software on the 420 000 laptops for
students. After the Spanish Socialist Party supported the idea that laptops
should be equipped with Open Source software, Microsoft's chairman Bill
Gates and Spain's Prime Minister José Luis Rodriguez Zapatero met on 26 May
2009 to decide on the new software for this project.
The project was criticized even earlier this year by open source
organisations such as Hispalinux that pointed out that there was no public
tender on this topic.
Similarly, in a different corner of Europe, the Romanian Government has
announced that it has mandated the Ministry of Communications to buy
Microsoft licences of 100 million euros for the Ministries and
Governmental Agencies in the period 2009-2012. Although the government
press release talks about obtaining these licences through a possible
auction, there is a clear-cut signal on who will be the winner.
"The Romanian Government seems out of touch with reality" has been the harsh
comment by Lucian Savluc, the organizer of the third national open source
conference eLiberatica that took place in Bucharest in the second part of
May 2009.
Georg Greve, the president of Free Software Foundation Europe and a speaker
at the same event, commented on the situation:
"Microsoft's deals in new EU member states have raised concerns over
corruption before, e.g. in Bulgaria. But while Microsoft seems to raise such
questions more often than others, it should be noted that the problem of
illegal procurement is larger and not limited to Microsoft. Nor is the
problem limited to the new EU member states, as the recent irregularities
and resulting antitrust complaint filed in Switzerland demonstrate. (...)
It seems ironic that the European Commission has to fine Microsoft
repeatedly over sustained monopoly abuse, then transfers part of that money
to Romania, which enjoyed the highest level of financial support ever
granted to a candidate country in the history of the European Union, and the
Romanian government then decides to return part of that money to Microsoft
with close to no tangible benefit for Romania."
CH: Court scraps federal no-bid software licence deal (28.05.2009)
http://www.osor.eu/news/ch-court-scraps-federal-no-bid-software-licence-deal
CH: Protests over no-bid software contract in Bern (28.05.2009)
http://www.osor.eu/news/ch-protests-over-no-bid-software-contract-in-bern
Bill Gates, pleased with the announcement of Zapatero of giving laptops to
students (only in Spanish, 26.05.2009)
http://www.20minutos.es/noticia/470593/0/zapatero/gates/reunion/
Hispalinux censorship financial costs and technological dependence of the
"solution" for Microsoft Education (only in Spanish, 27.04.2009)
http://www.hispalinux.es/minipc-primaria
ES: Gates and Zapatero weigh in on debate over school laptops (29.05.2009)
http://www.osor.eu/news/es-gates-and-zapatero-weigh-in-on-debate-over-schoo…
My official position - The Romanian government is about to spend millions of
euro on proprietary software. (27.05.2009)
http://www.cianblog.com/2009/05/27/my-official-position-the-romanian-govern…
Minister of Communications - mandated to pay 100 million euro for Microsoft
licences (only in Romanian, 1.06.2009)
http://www.mediafax.ro/economic/ministerul-comunicatiilor-mandatat-sa-achit…
============================================================
4. DRI against the Irish law on the interception of communications
============================================================
Digital Rights Ireland has lodged a formal complaint with the European
Commission against Ireland over the Irish law on the interception of
communications.
The Irish law, which is governed by the Interception of Postal Packets and
Telecommunications Messages (Regulation) Act 1993, applies only
to telecommunications providers who operate under a licence or general
authorisation. Consequently, the vast majority of internet communication
services (such as VOIP providers, webmail and instant messaging services)
are not covered, so the interception of communications on those services is
unregulated.
This is in breach of Art. 5 of the e-Privacy Directive (Directive
2002/58/EC) which requires member states to "prohibit listening,
tapping, storage or other kinds of interception or surveillance of
communications and the related traffic data by persons other than users,
without the consent of the users concerned, except when legally authorised
to do so (by) legislative measures (which are) necessary, appropriate and
proportionate within a democratic society".
Complaint to European Commission over Irish Interception Laws (28.05.2009)
http://www.digitalrights.ie/2009/05/28/complaint-to-european-commission-ove…
(contribution by EDRi-member Digital Rights Ireland DRI)
============================================================
5. French Government hurries to put HADOPI law into application
============================================================
No sooner had the three strikes law been adopted than the French government
issued CCAPs (special administrative specifications) and CCTPs (special
technical specifications) which were sent by the Ministry of Culture to the
candidate enterprises to put into function the information system of HADOPI.
The call for tenders has been out since the beginning of the year, even before
the Hadopi law was adopted, the notification date having been set for 5 June
2009 with a deadline on 1 July 2009 for a first prototype of the graduated
response system. A draft calendar foresees the application of the Hadopi law
in stages starting with 5 June 2009 until 31 March 2010.
In the beginning, Hadopi will send only written recommendations by e-mail at
a rate of about 100 infringing cases per day after which, when the treatment
is completely automatic probably in September 2009, the number of cases will
increase to 1000 per day reaching 10 000 when the prototype is finalised in
2010.
A calendar of actions is left however at the choice of the candidates, the
CCTP mentioning that "the offers will be assessed in terms of the closeness
of the proposed calendar as compared to the target calendar". The ministry
is not concerned with costs or means but only with speed. The candidates
will have a rather difficult task as the beta-test will last only two weeks
before the first warnings and the blocking bugs will have to be corrected in
one day, otherwise they will face sanctions. There is also the result
obligation, the operator taking the responsibility in case of problems and
having to compensate Hadopi in case of delays or malfunctions.
There is no provision for the moment that Hadopi makes sure, before issuing
a warning or a sanction, that illegal downloading has effectively taken
place from the IP address of a suspected Internet subscriber. It appears
that between the IP address collection phase and the warning or sanction
phase there will be a "notarisation and sampling" phase.
The notarisation phase means the "qualification of the data and the
recording of essential elements of the transaction from a trustworthy third
party" meaning the recording of all the elements proving the downloading or
rather making copyrighted material available. "The content, origin,
receiving date, the sender's identification key and the destination of the
file are essential elements" says the CCTP.
Sampling means Hadopi would retain only some of the complaints received in
order to deal mostly with those of higher interest. An algorithmic system
will allow targeting potential recidivists as a priority.
Hadopi does not take into account the presumption of innocence and only
needs to be certain of the reliability of the IP address lists on the basis
of which it would give warnings and sanctions. Hence the provision of
attaching a "chunk" of the file to every submission of a case in court which
would be a material proof of the infringing. However, such a provision
raises practical and economical problems.
The CCAP and CCTP do not specify either the criteria based on which Hadopi
will decide on recidivism in order to send another e-mail, registered letter
or give sanctions. It is only mentioned that a "study of the reiterations
is carried out so as to bring out the following elements for each
subscriber: infringement stage (1st, 2nd, 3rd.); type of actions taken or
sanctions given by the High Authority; time interval between each
infringement; and type of works concerned".
There are also very few details as to what the means of appeal are for
the sanctioned Internet users. It is provided that an appeal can be made by
means of an electronic form or by mail and that the appeal may lead to
informing the ISP of the obligation to re-establish a suspended
subscription. On the other hand, no observations can be brought by a
subscriber before the sanction stage.
For the time being, Hadopi continues to be criticised and contested. On 15
June, a concert evening against the graduated response will take place with
several groups of artists supported by Numerama, co-organised by Réseau des
Pirates and Owni.fr, in partnership with Vendredi Hebdo and International
and supported also by Slate, Agoravox, LePost, Ivox, 22mars, Social Média
Club, j'affiche and ZikNation.
The evening will include the projection of films dealing with Hadopi, the
new models to remunerate artists, the protection of digital freedoms, a
debate on the topics as well as music moments.
"The problem with HADOPI is triple: it does not bring more money to artists,
it touches the fundamental rights and finally it opens a breach into net
neutrality allowing private interests to get hold of a judge in order to
oblige an access provider to censure part of the net. This law stigmatises
the Net which is however an incredible chance for the music to get renewed.
(...) A new model must be invented and the technological evolution must be
accompanied rather than rowing against it. This is what the public politics
serve for, not to protect an industry where 5 multinationals make a trust of
the entire market and refuse in a single voice to accept the challenge," was
the statement of Flowers From The Man Who Shot Your Cousin / Waterhouse
Records that will participate in the event.
Exclusive: Hadopi will target as a priority the potential recidivists!
(only in French, 20.05.2009)
http://www.numerama.com/magazine/12960-Exclusif-l-Hadopi-ciblera-en-priorit…
Exclusive: Hadopi will not collect material evidence... for the moment
(only in French, 27.05.2009)
http://www.numerama.com/magazine/13006-Exclusif-l-Hadopi-ne-collectera-pas-…
Concert-Evening "Hadopi has killed me" Monday 15 June in Paris (only in
French, 26.05.2009)
http://www.numerama.com/magazine/12998-Soiree-Concert-Hadopi-m-a-Tuer-le-lu…
============================================================
6. WIPO: Visually impaired treaty proposal
============================================================
The WIPO Standing Committee on Copyright and Related Rights (SCCR) met from
25 to 29 May in Geneva. This time, the main points on the agenda were the
survey on limitations and exceptions and the visually impaired treaty
proposal introduced by Brazil, Ecuador and Paraguay (BEP proposal).
As usual, the committee also briefly dealt with the situation pertaining to
broadcasters' rights and audiovisual protection but since the national
positions are not moving, no real progress was made.
The most interesting part of the meeting was the discussion about the
BEP proposal. The treaty was strongly supported by the South American
countries and it was also seen in a favourable light by most of the African
representatives (which would like to see even wider support for access to
information, though) and Asian delegates.
However, group B and the European Union did their best to derail the process
of getting the treaty under serious consideration. The given reasons for
this were rather perplexing e.g. "the matter is so complex" (unlike the
broadcast treaty?) and "there's need for more fact-finding" (there's a lot of
published research by both WIPO and WBU). In reality, the civil servants
from Germany, France etc. want to oppose categorically any instrument which
would give rights to the users. However, since it is not politically
possible to oppose helping visually impaired persons such poor excuses are
needed.
EDRi also stressed in its intervention the fact that the EU is ready to use a
"hard law" approach to help elder stage musicians so it would be very
insincere to oppose the same approach for blind persons.
WIPO Limitations & Exceptions Treaty Advances; Audiovisual Treaty Gets New
Life (30.05.2009)
http://www.ip-watch.org/weblog/2009/05/30/wipo-limitations-audiovisual-trea…
SCCR to Expedite Work in Favor of Reading Impaired (2.06.2009)
http://www.wipo.int/pressroom/en/articles/2009/article_0012.html
(Contribution by Ville Oksanen, EDRI-member EFFI)
============================================================
7. EU will examine Google Books project
============================================================
The German delegation submitted at the European Council meeting held in
Brussels on 28 and 29 May 2009, an information note asking EU to take action
against Google's online library project, Google Books, a project targeting
the scanning of entire book collections of major libraries.
"This move has an impact on cultural and media policy that we need to put on
a European level," said Culture Minister Bernd Neumann.
There is already a dispute between Google and US authors and publishers as
the publishing industry is concerned by the fact that scanning books without
authors' permission is a violation of copyright laws.
Germany's information note argues that many of the rights holders having
works that are scanned by Google are in the EU and that European copyright
law differs from the US one. The German delegation considers that Google is
using the excuse of a fair use exception to face copyright claims, an
exemption which doesn't exist in EU member states.
The main concern is related to the necessity of obtaining consent given by
authors before scanning their works. "Google's actions are irreconcilable
with the principles of European copyright law, according to which the
consent of the author must be obtained before his or her works may be
reproduced or made publicly available on the Internet" says the note.
Foreign Minister Frank-Walter Steinmeier has voiced concerns regarding
competitiveness issues: "Through digitalising millions of books without right
holders' permission, Google has already gained a competitive advantage
against similar projects like Europeana and libreka.de - who unlike
Google respect European copyright laws."
The EU has immediately confirmed the launching of a formal inquiry which
will apparently focus on copyright matters and will look into the settlement
Google has with publishers and authors.
After the Authors Guild and the Association of American Publishers filed a
lawsuit against Google in 2004 arguing the giant was violating copyright by
displaying excerpts of books without the permission of the copyright
holders, a settlement reached in October 2008 raised criticism and is now
investigated by the US Justice Department on anti-trust grounds.
The settlement would let Google sell to other libraries access to its online
books and subscriptions to its entire library and the revenues would go to
Google, publishers and authors. The settlement gives authors until early
January to adhere to it and hence receive money for having their books
scanned or to opt out of the system by September 2009.
Anne Bergman-Tahon, director of the FEP, believes that "millions of works
will never be claimed because these 300 pages of settlement are so
complicated." Therefore, critics argue that when copyright holders do not
come forward, Google alone will have the rights to "orphan books" which,
according to a recent article in the Wall Street Journal newspaper are
estimated at 50 to 70 percent of books published after 1923. Google will
hold monopoly under the circumstances and will be in the position to charge
as much as it wants for access to books.
On the other hand, Google stated that by its project it was giving an
eternal digital life to millions of books which are now out of print and
that it was "happy to engage in any constructive dialogue about the future
of books and copyright."
EU may flex regulatory muscles against Google book deal (1.06.2009)
http://arstechnica.com/tech-policy/news/2009/06/eu-may-flex-regulatory-musc…
Germany wants EU to fight Google Books project (2.06.2009)
http://www.thelocal.de/sci-tech/20090602-19649.html
Council calls on Commission to examine Google Books project (2.06.2009)
http://euroalert.net/en/news.aspx?idn=8811
EU states concerned over Google library plans (27.05.2009)
http://euobserver.com/19/28193
EU confirms Google investigation (31.05.2009)
http://www.thebookseller.com/news/86904-page.htm
============================================================
8. Deutsche Telecom investigating the sexual life of job applicants
============================================================
According to German newspaper Handelsblatt, Deutsche Telecom was keeping
records about personal details of job applicants, including details about
their sexual life. Similar records on potential employees were also kept in
Macedonia, Croatia, Slovenia and Hungary.
An anonymous security consultant who used to work for Deutsche Telecom
told the German newspaper that this was actually a common practice of
the company.
According to Handelsblatt, the German Telecom hired private detectives from
Germany who were collecting data about potential employees by eavesdropping
on phone conversations, investigating their bank accounts and intimate, sexual
life, explaining that this way they could know who they were dealing with.
This was revealed soon after Deutsche Telecom confirmed the information that
it was spying on the directors in its companies and on journalists, in order
to determine where the information was leaking from.
The company announced that it did not order regular reports on the
private life of the potential employees. The people from Macedonian
Telecommunications say that this was not, is not and will not be a practice
of their company.
"These allegations are absolutely wrong, unserious and unsubstantiated.
Such practice is prohibited by the Law on personal data protection.
Everybody knows what information should be submitted by the applicant; first
and last name, address, education, previous work experience, recommendations
and a motivation letter" claim the representatives of T-Mobile and T-Home,
companies owned by Deutsche Telecom.
"All of the employment applications can be found on the company's
website" say the representatives from Macedonian Telecom.
The representatives of the Croatian T-Com stated that they did not
know anything about the spying, and if the investigation proves that this
really happened, the responsible persons will have to bear the consequences.
According to the reports to which the newspaper had access, a woman
that was applying for a job in the Croatian telecom - a branch of DT, is
described as an experienced sexual partner with a rich imagination. The
partners of the candidate allegedly said that she was a "female predator"
with a big sexual urge and that she preferred older men. In another report,
which was allegedly prepared by the German counterintelligence service BND,
a candidate is described as an alcoholic, and another one as a corrupted old
man.
Deutsche Telecom claims it did not order reports with personal data of
the candidates.
"Deutsche Telecom is not analyzing the private life of the applicants.
DT doesn't need any information about the private life of the candidates"
stated Philip Blank, the company's spokesman.
According to AFP, this is one of the several scandals that broke out
in Deutsche Telecom and the company also admitted to have spied on
journalists and members of the supervisory board in order to find the source
of the media. DT also admitted that in 2006 it was checking the bank
accounts of more than 100 000 workers to determine whether any of them were
involved in corruption.
Deutsche Telecom investigating the sexual life of job applicants
(26.05.2009)
http://www.metamorphosis.org.mk/en/news/world/1498-dojce-telekom-go-proveru…
(contribution by Kire Dimik - EDRi-member Metamorphosis - Macedonia)
============================================================
9. Recommended Action
============================================================
On 26 May 2009 the European Commission opened a consultation on the
conclusions of the online commerce roundtable on the online distribution of
music. The consultation will close on 30 June 2009.
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/832&format=HT…
http://ec.europa.eu/competition/consultations/2009_online_commerce/roundtab…
============================================================
10. Recommended Reading
============================================================
Ethnic Profiling in the European Union: Pervasive, Ineffective, and
Discriminatory (26.05.2009)
http://www.soros.org/initiatives/osji/articles_publications/publications/pr…
Constitutional complaint against Hadopi (only in French, 19.05.2009)
http://www.lesechos.fr/medias/2009/0519//300350517.pdf
The German constitutional court published its 2008-ruling that created a
"fundamental right to the guarantee of the confidentiality and integrity of
information technology systems" in English (27.02.2008)
http://www.bverfg.de/en/decisions/rs20080227_1bvr037007en.html
============================================================
11. Agenda
============================================================
1-4 June 2009, Washington, DC, USA
Computers Freedom and Privacy 2009
http://www.cfp2009.org/
5 June 2009, London, UK
The Second Multidisciplinary Workshop on Identity in the Information
Society (IDIS 09): "Identity and the Impact of Technology"
http://is2.lse.ac.uk/idis/2009/
10 June 2009, Brussels, Belgium
The Global Enforcement Agenda of copyright, patents and other IPRs: Some
consumer perspectives
Organized by TransAtlantic Consumer Dialogue (TACD), Knowledge Ecology
International (KEI) and Health Action International Europe (HAI-E)
http://www.tacd-ip.org/blog/2009/05/29/tacd-kei-and-hai-e-host-event-on-enf…
28-30 June 2009, Torino, Italy
COMMUNIA Conference 2009: Global Science & Economics of Knowledge-Sharing
Institutions
http://www.communia-project.eu/conf2009
2-3 July 2009, Padova, Italy
3rd FLOSS International Workshop on Free/Libre Open Source Software
http://www.decon.unipd.it/personale/curri/manenti/floss/floss09.html
13-16 August 2009, Vierhouten, The Netherlands
Hacking at Random
http://www.har2009.org/
23-27 August 2009, Milan, Italy
World Library and Information Congress: 75th IFLA General Conference and
Council: "Libraries create futures: Building on cultural heritage"
http://www.ifla.org/IV/ifla75/index.htm
10-12 September 2009, Potsdam, Germany
5th ECPR General Conference, Potsdam
Section: Protest Politics
Panel: The Contentious Politics of Intellectual Property
http://www.ecpr.org.uk/potsdam/default.asp
16-18 September 2009, Crete, Greece
World Summit on the Knowledge Society WSKS 2009
http://www.open-knowledge-society.org/
17-18 September 2009, Amsterdam, Netherlands
Gikii, A Workshop on Law, Technology and Popular Culture
Institute for Information Law (IViR) - University of Amsterdam
Call for papers by 1 July 2009
http://www.law.ed.ac.uk/ahrc/gikii/2009.asp
21-23 October 2009, Istanbul, Turkey
eChallenges 2009
http://www.echallenges.org/e2009/default.asp
24-25 October 2009, Vienna, Austria
3rd European Privacy Open Space
http://www.privacyos.eu
25 October 2009, Vienna, Austria
Austrian Big Brother Awards
Deadline for nominations: 21 September 2009
http://www.bigbrotherawards.at/
16 October 2009, Bielefeld, Germany
10th German Big Brother Awards
Deadline for nominations: 15 July 2009
http://www.bigbrotherawards.de/
13-15 November 2009, Gothenburg, Sweden
Free Society Conference and Nordic Summit
http://www.fscons.org/
15-18 November 2009, Sharm El Sheikh, Egypt
UN Internet Governance Forum
http://www.intgovforum.org/
============================================================
12. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Aside from the many bug fixes, 0.0.9 includes a win32 installer, better
circuit building algorithms, bandwidth accounting and hibernation,
more efficient directory fetching, and support for a separate Tor GUI
controller program (once somebody writes one for us).
tarball: http://tor.freehaven.net/dist/tor-0.0.9.tar.gz
signature: http://tor.freehaven.net/dist/tor-0.0.9.tar.gz.asc
win32 exe: http://tor.freehaven.net/dist/tor-0.0.9-win32.exe
win32 sig: http://tor.freehaven.net/dist/tor-0.0.9-win32.exe.asc
(use -dPr tor-0_0_9 if you want to check out from cvs)
o Bugfixes on 0.0.8.1 (Crashes and asserts):
- Catch and ignore SIGXFSZ signals when log files exceed 2GB; our
write() call will fail and we handle it there.
- When we run out of disk space, or other log writing error, don't
crash. Just stop logging to that log and continue.
- Fix isspace() and friends so they still make Solaris happy
but also so they don't trigger asserts on win32.
- Fix assert failure on malformed socks4a requests.
- Fix an assert bug where a hidden service provider would fail if
the first hop of his rendezvous circuit was down.
- Better handling of size_t vs int, so we're more robust on 64
bit platforms.
o Bugfixes on 0.0.8.1 (Win32):
- Make windows sockets actually non-blocking (oops), and handle
win32 socket errors better.
- Fix parse_iso_time on platforms without strptime (eg win32).
- win32: when being multithreaded, leave parent fdarray open.
- Better handling of winsock includes on non-MSV win32 compilers.
- Change our file IO stuff (especially wrt OpenSSL) so win32 is
happier.
- Make unit tests work on win32.
o Bugfixes on 0.0.8.1 (Path selection and streams):
- Calculate timeout for waiting for a connected cell from the time
we sent the begin cell, not from the time the stream started. If
it took a long time to establish the circuit, we would time out
right after sending the begin cell.
- Fix router_compare_addr_to_addr_policy: it was not treating a port
of * as always matching, so we were picking reject *:* nodes as
exit nodes too. Oops.
- When read() failed on a stream, we would close it without sending
back an end. So 'connection refused' would simply be ignored and
the user would get no response.
- Stop a sigpipe: when an 'end' cell races with eof from the app,
we shouldn't hold-open-until-flush if the eof arrived first.
- Let resolve conns retry/expire also, rather than sticking around
forever.
- Fix more dns related bugs: send back resolve_failed and end cells
more reliably when the resolve fails, rather than closing the
circuit and then trying to send the cell. Also attach dummy resolve
connections to a circuit *before* calling dns_resolve(), to fix
a bug where cached answers would never be sent in RESOLVED cells.
o Bugfixes on 0.0.8.1 (Circuits):
- Finally fix a bug that's been plaguing us for a year:
With high load, circuit package window was reaching 0. Whenever
we got a circuit-level sendme, we were reading a lot on each
socket, but only writing out a bit. So we would eventually reach
eof. This would be noticed and acted on even when there were still
bytes sitting in the inbuf.
- Use identity comparison, not nickname comparison, to choose which
half of circuit-ID-space each side gets to use. This is needed
because sometimes we think of a router as a nickname, and sometimes
as a hex ID, and we can't predict what the other side will do.
o Bugfixes on 0.0.8.1 (Other):
- Fix a whole slew of memory leaks.
- Disallow NDEBUG. We don't ever want anybody to turn off debug.
- If we are using select, make sure we stay within FD_SETSIZE.
- When poll() is interrupted, we shouldn't believe the revents values.
- Add a FAST_SMARTLIST define to optionally inline smartlist_get
and smartlist_len, which are two major profiling offenders.
- If do_hup fails, actually notice.
- Flush the log file descriptor after we print "Tor opening log file",
so we don't see those messages days later.
- Hidden service operators now correctly handle version 1 style
INTRODUCE1 cells (nobody generates them still, so not a critical
bug).
- Handle more errnos from accept() without closing the listener.
Some OpenBSD machines were closing their listeners because
they ran out of file descriptors.
- Some people had wrapped their tor client/server in a script
that would restart it whenever it died. This did not play well
with our "shut down if your version is obsolete" code. Now people
don't fetch a new directory if their local cached version is
recent enough.
- Make our autogen.sh work on ksh as well as bash.
- Better torrc example lines for dirbindaddress and orbindaddress.
- Improved bounds checking on parsed ints (e.g. config options and
the ones we find in directories.)
- Stop using separate defaults for no-config-file and
empty-config-file. Now you have to explicitly turn off SocksPort,
if you don't want it open.
- We were starting to daemonize before we opened our logs, so if
there were any problems opening logs, we would complain to stderr,
which wouldn't work, and then mysteriously exit.
- If a verified OR connects to us before he's uploaded his descriptor,
or we verify him and hup but he still has the original TLS
connection, then conn->nickname is still set like he's unverified.
o Code security improvements, inspired by Ilja:
- tor_snprintf wrapper over snprintf with consistent (though not C99)
overflow behavior.
- Replace sprintf with tor_snprintf. (I think they were all safe, but
hey.)
- Replace strcpy/strncpy with strlcpy in more places.
- Avoid strcat; use tor_snprintf or strlcat instead.
o Features (circuits and streams):
- New circuit building strategy: keep a list of ports that we've
used in the past 6 hours, and always try to have 2 circuits open
or on the way that will handle each such port. Seed us with port
80 so web users won't complain that Tor is "slow to start up".
- Make kill -USR1 dump more useful stats about circuits.
- When warning about retrying or giving up, print the address, so
the user knows which one it's talking about.
- If you haven't used a clean circuit in an hour, throw it away,
just to be on the safe side. (This means after 6 hours a totally
unused Tor client will have no circuits open.)
- Support "foo.nickname.exit" addresses, to let Alice request the
address "foo" as viewed by exit node "nickname". Based on a patch
from Geoff Goodell.
- If your requested entry or exit node has advertised bandwidth 0,
pick it anyway.
- Be more greedy about filling up relay cells -- we try reading again
once we've processed the stuff we read, in case enough has arrived
to fill the last cell completely.
- Refuse application socks connections to port 0.
- Use only 0.0.9pre1 and later servers for resolve cells.
o Features (bandwidth):
- Hibernation: New config option "AccountingMax" lets you
set how many bytes per month (in each direction) you want to
allow your server to consume. Rather than spreading those
bytes out evenly over the month, we instead hibernate for some
of the month and pop up at a deterministic time, work until
the bytes are consumed, then hibernate again. Config option
"MonthlyAccountingStart" lets you specify which day of the month
your billing cycle starts on.
- Implement weekly/monthly/daily accounting: now you specify your
hibernation properties by
    AccountingMax N bytes|KB|MB|GB|TB
    AccountingStart day|week|month [day] HH:MM
Defaults to "month 1 0:00".
- Let bandwidth and interval config options be specified as 5 bytes,
kb, kilobytes, etc; and as seconds, minutes, hours, days, weeks.
o Features (directories):
- New "router-status" line in directory, to better bind each verified
nickname to its identity key.
- Clients can ask dirservers for /dir.z to get a compressed version
of the directory. Only works for servers running 0.0.9, of course.
- Make clients cache directories and use them to seed their router
lists at startup. This means clients have a datadir again.
- Respond to content-encoding headers by trying to uncompress as
appropriate.
- Clients and servers now fetch running-routers; cache
running-routers; compress running-routers; serve compressed
running-routers.z
- Make moria2 advertise a dirport of 80, so people behind firewalls
will be able to get a directory.
- Http proxy support
  - Dirservers translate requests for http://%s:%d/x to /x
  - You can specify "HttpProxy %s[:%d]" and all dir fetches will
    be routed through this host.
  - Clients ask for /tor/x rather than /x for new enough dirservers.
    This way we can one day coexist peacefully with apache.
  - Clients specify a "Host: %s%d" http header, to be compatible
    with more proxies, and so running squid on an exit node can work.
- Protect dirservers from overzealous descriptor uploading -- wait
10 seconds after directory gets dirty, before regenerating.
o Features (packages and install):
- Add NSI installer contributed by J Doe.
- Apply NT service patch from Osamu Fujino. Still needs more work.
- Commit VC6 and VC7 workspace/project files.
- Commit a tor.spec for making RPM files, with help from jbash.
- Add contrib/torctl.in contributed by Glenn Fink.
- Make expand_filename handle ~ and ~username.
- Use autoconf to enable largefile support where necessary. Use
ftello where available, since ftell can fail at 2GB.
- Ship src/win32/ in the tarball, so people can use it to build.
- Make old win32 fall back to CWD if SHGetSpecialFolderLocation
is broken.
o Features (ui controller):
- Control interface: a separate program can now talk to your
client/server over a socket, and get/set config options, receive
notifications of circuits and streams starting/finishing/dying,
bandwidth used, etc. The next step is to get some GUIs working.
Let us know if you want to help out. See doc/control-spec.txt .
- Ship a contrib/tor-control.py as an example script to interact
with the control port.
- "tor --hash-password zzyxz" will output a salted password for
use in authenticating to the control interface.
- Implement the control-spec's SAVECONF command, to write your
configuration to torrc.
- Get cookie authentication for the controller closer to working.
- When set_conf changes our server descriptor, upload a new copy.
But don't upload it too often if there are frequent changes.
o Features (config and command-line):
- Deprecate unofficial config option abbreviations, and abbreviations
not on the command line.
- Configuration infrastructure support for warning on obsolete
options.
- Give a slightly more useful output for "tor -h".
- Break DirFetchPostPeriod into:
  - DirFetchPeriod for fetching full directory,
  - StatusFetchPeriod for fetching running-routers,
  - DirPostPeriod for posting server descriptor,
  - RendPostPeriod for posting hidden service descriptors.
- New log format in config:
    "Log minsev[-maxsev] stdout|stderr|syslog" or
    "Log minsev[-maxsev] file /var/foo"
- DirPolicy config option, to let people reject incoming addresses
from their dirserver.
- "tor --list-fingerprint" will list your identity key fingerprint
and then exit.
- Make tor --version --version dump the cvs Id of every file.
- New 'MyFamily nick1,...' config option for a server to
specify other servers that shouldn't be used in the same circuit
with it. Only believed if nick1 also specifies us.
- New 'NodeFamily nick1,nick2,...' config option for a client to
specify nodes that it doesn't want to use in the same circuit.
- New 'Redirectexit pattern address:port' config option for a
server to redirect exit connections, e.g. to a local squid.
- Add "pass" target for RedirectExit, to make it easier to break
out of a sequence of RedirectExit rules.
- Make the dirservers file obsolete.
  - Include a dir-signing-key token in directories to tell the
    parsing entity which key is being used to sign.
  - Remove the built-in bulky default dirservers string.
  - New config option "Dirserver %s:%d [fingerprint]", which can be
    repeated as many times as needed. If no dirservers specified,
    default to moria1,moria2,tor26.
- Make 'Routerfile' config option obsolete.
- Discourage people from setting their dirfetchpostperiod more often
than once per minute.
o Features (other):
- kill -USR2 now moves all logs to loglevel debug (kill -HUP to
get back to normal.)
- Accept *:706 (silc) in default exit policy.
- Implement new versioning format for post 0.1.
- Distinguish between TOR_TLS_CLOSE and TOR_TLS_ERROR, so we can
log more informatively.
- Check clock skew for verified servers, but allow unverified
servers and clients to have any clock skew.
- Make sure the hidden service descriptors are at a random offset
from each other, to hinder linkability.
- Clients now generate a TLS cert too, in preparation for having
them act more like real nodes.
- Add a pure-C tor-resolve implementation.
- Use getrlimit and friends to ensure we can reach MaxConn (currently
1024) file descriptors.
- Raise the max dns workers from 50 to 100.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
i like the one that was reported a couple of years ago, on how to do it
with edible gelatin rather than wood glue:
http://www.deeperwants.com/cul1/homeworlds/journal/archives/000048.html
the best line: "after [security door] lets you in, eat the evidence".
-r
At 11:57 17/05/2005, Udhay Shankar N wrote:
>What fun.
>
>http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en
>
>Udhay
>
>--
>((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
[1]the physics arXiv blog
[2]Steganophony-when internet telephony meets steganography
Posted: 27 Nov 2008 09:30 PM PST
[3]steganophony.jpg
Steganophony is the term coined by Wojciech Mazurczyk and Józef Lubacz
at the Warsaw University of Technology in Poland to describe the
practice of hiding messages in internet telephony traffic (presumably
the word is an amalgamation of the terms steganography and telephony).
The growing interest in this area is fueled by the fear that terrorist
groups may be able to use services such as Skype to send messages
secretly by embedding them in the data stream of internet telephony.
At least that's what Mazurczyk and Lubacz tell us.
The pair has developed a method for doing exactly that called Lost
Audio PaCKets Steganography or LACKS and outline it on the arXiv
today.
LACKS exploits a feature of internet telephony systems: they ignore
data packets that are delayed by more than a certain time. LACKS
plucks data packets out of the stream, changes the information they
contain and then sends them on after a suitable delay. An ordinary
receiver simply ignores these packets if they arrive after a certain
time but the intended receiver collates them and extracts the
information they contain.
That makes LACKS rather tricky to detect since dropped packets are a
natural phenomenon of the internet traffic.
But is this really an area driven by the threat of terrorism? If
anybody really wants to keep messages secret then there are plenty of
easier ways to do it, such as Pretty Good Privacy.
There's a far more powerful driver for this kind of work. Its name?
Paranoia
Ref: [4]arxiv.org/abs/0811.4138: LACK a VoIP Steganographic Method
References
1. http://arxivblog.com/
2. http://feedproxy.google.com/~r/arXivblog/~3/6lCv8Iiibpw/
3. http://arxivblog.com/wp-content/uploads/2008/11/steganophony.jpg
4. http://arxiv.org/abs/0811.4138
5. https://feedads.googleadservices.com/~a/6eeH_4hq5ApO1HpULd8NL4ChEWk/a
6. http://feedproxy.google.com/~f/arXivblog?a=fEO0PUGu
7. http://feedproxy.google.com/~f/arXivblog?a=wdGMyQNE
8. http://feedproxy.google.com/~f/arXivblog?a=T8IvmQ0Z
9. http://feedproxy.google.com/~f/arXivblog?a=ShG5N5nk
10. http://feedproxy.google.com/~f/arXivblog?a=h4NffYqK
11. http://feedproxy.google.com/~f/arXivblog?a=A7z74bGw
12. http://feedproxy.google.com/~f/arXivblog?a=cEazSrgL
13. http://feedproxy.google.com/~f/arXivblog?a=3X6kmeSB
14. http://arxivblog.com/
15. http://feedburner.google.com/fb/a/mailunsubscribe?k=118r9-S4Z0vJg-AkQPASPmD…
16. http://feedproxy.google.com/arXivblog
17. http://feedproxy.google.com/arXivblog
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
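The receiver-side rule the post above relies on (packets that arrive after their playout deadline are discarded), as an added example that is not from the post or the paper it cites: a per-flow monitor that counts late arrivals separately from packets that never arrived, because a receiver treats both as ordinary loss. The fixed jitter-buffer model, the field names, the trace and the threshold are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One received voice packet as a monitor would log it (constructed fields). */
struct arrival {
    uint16_t seq;      /* RTP-style sequence number */
    uint32_t recv_ms;  /* local arrival time, milliseconds */
};

struct flow_stats {
    unsigned expected; /* packets the sender should have emitted */
    unsigned on_time;  /* arrived before the playout deadline */
    unsigned late;     /* arrived after the deadline: discarded by the receiver */
    unsigned lost;     /* never arrived at all */
};

/* Fixed jitter buffer (assumption of this sketch): packet k is played at
 * base + buffer_ms + k * frame_ms, where base is the arrival time of the
 * first logged packet and k is its distance from first_seq.
 * Assumes a[0] is the first packet of the flow and there are no duplicates. */
struct flow_stats classify_flow(const struct arrival *a, size_t n,
                                uint16_t first_seq, uint16_t last_seq,
                                uint32_t frame_ms, uint32_t buffer_ms)
{
    struct flow_stats s = {0, 0, 0, 0};
    uint32_t base;
    size_t i;

    s.expected = (unsigned)(uint16_t)(last_seq - first_seq) + 1u;
    if (a == NULL || n == 0) {
        s.lost = s.expected;
        return s;
    }
    base = a[0].recv_ms;
    for (i = 0; i < n; i++) {
        /* 16-bit subtraction keeps working across sequence wrap-around */
        uint16_t k = (uint16_t)(a[i].seq - first_seq);
        uint32_t deadline;

        if (k >= s.expected)
            continue;                       /* outside the window examined */
        deadline = base + buffer_ms + (uint32_t)k * frame_ms;
        if (a[i].recv_ms > deadline)
            s.late++;
        else
            s.on_time++;
    }
    s.lost = s.expected - s.on_time - s.late;
    return s;
}

/* 1 when late-discarded packets exceed limit_permille of the flow.
 * The limit is a site-specific baseline, not a value from the post. */
int late_rate_exceeds(const struct flow_stats *s, unsigned limit_permille)
{
    if (s == NULL || s->expected == 0)
        return 0;
    return (s->late * 1000u) / s->expected > limit_permille;
}

/* Constructed trace: seq 100..109, 20 ms frames, in arrival order.
 * 103 and 107 show up long after their slot; 105 never arrives. */
static const struct arrival sample_trace[] = {
    {100, 1000}, {101, 1021}, {102, 1043}, {104, 1079}, {106, 1122},
    {108, 1161}, {109, 1185}, {103, 1400}, {107, 1450},
};
#define SAMPLE_N (sizeof sample_trace / sizeof sample_trace[0])

int main(void)
{
    struct flow_stats s = classify_flow(sample_trace, SAMPLE_N, 100, 109, 20, 60);

    printf("expected=%u on_time=%u late=%u lost=%u\n",
           s.expected, s.on_time, s.late, s.lost);
    printf("late rate above 5%%: %s\n", late_rate_exceeds(&s, 50) ? "yes" : "no");
    return 0;
}
```
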
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 7.11, 3 June 2009
============================================================
Contents
============================================================
1. The French Government wants to spy on electronic communications
2. Pressure of the record companies on The Pirate Bay
3. Open source supporters criticize European govts for favouring MS
4. DRI against the Irish law on the interception of communications
5. French Government hurries to put HADOPI law into application
6. WIPO: Visually impaired treaty proposal
7. EU will examine Google Books project
8. Deutsche Telecom investigating the sexual life of job applicants
9. Recommended Action
10. Recommended Reading
11. Agenda
12. About
============================================================
1. The French Government wants to spy on electronic communications
============================================================
On 27 May 2009, the law on orientation and programming for the performance
of the domestic security (Loppsi) was presented by Michèle Alliot-Marie to
the French Council of Ministers.
The law will give the French police the possibility to physically or
remotely install spying software to listen to electronic communications and
introduces the Internet filtering by administrative decision.
According to the text, the Criminal Investigation Police will be allowed to
place on a suspect's computer a sort of internal or external USB key which
will send data to the computers of the authorities. The police may also
remotely install Trojans which will give access to all the data in a
computer in real time.
The police will be allowed to make use of these tools only in "the most
severe cases" which however include "support given to the illegal entry and
residence of a foreigner". Under the control of an examining magistrate
(juge d'instruction), the investigating authority will have to justify the
use of the technique by declaring the infringement investigated, the place
where the investigation will take place and its duration. The spyware can be
installed for a four-month period that can be renewed once.
The examining magistrate's control would be a positive thing as the
examining magistrates are independent from the Ministry of Justice and are
free to take decisions, in terms of the gravity of the investigation.
However, if the justice reform project of the French Government comes into
being, the examining magistrates will disappear which means that the
responsibility to authorize spyware will come to the prosecutor of the
Republic.
The law also obliges ISPs to block access, "without delay", to sites
included on a list drafted under the authority of the Ministry of Internal
Affairs. The list will not be made public and therefore it will be
impossible to contest and this will create the risk of abuses.
In order to prevent contestations, for the beginning, the law will target
the paedophilic contents with the declared purpose to "protect the Internet
users from child pornography images". The operators will have to introduce
in their network software that will stop any connection to sites having a
pedophile character that will be listed by the police. The French Government
will always be able to extend the target by a simple decree.
The text also stipulates severe sanctions for the ISPs that do not observe
the law providing a fine up to 75 000 euro and a year of imprisonment.
Loppsi : the sneaks under the authority of an endangered judge (only in
French, 25.05.2009)
http://www.numerama.com/magazine/12976-Loppsi-les-mouchards-sous-l-autorite…
Loppsi wants to "protect the Internet users" by filtering (only in
French, 27.05.2009)
http://www.numerama.com/magazine/13010-La-Loppsi-veut-proteger-les-internau…
The police will be able to pirate the computers of the yobs (only in French,
25.05.2009)
http://www.lefigaro.fr/actualite-france/2009/05/24/01016-20090524ARTFIG0009…
Loppsi: ISPs will have to "block access without delay" (MAJ) (only in
French, 27.05.2009)
http://www.numerama.com/magazine/13004-Loppsi-les-FAI-devront-empecher-l-ac…
Loppsi presented this Wednesday in the Council of Ministers (MAJ) (only in
French, 27.05.2009)
http://www.numerama.com/magazine/13002-La-Loppsi-presentee-ce-mercredi-en-c…
Draft law on the orientation and programming for the performance of the
domestic security
http://static.pcinpact.com/pdf/Loppsi_projet_loi.pdf
Decrypting: Sarkozy and his work of controlling the Internet (only in
French, 20.05.2009)
http://www.numerama.com/magazine/12948-Decryptage-Sarkozy-et-son-oeuvre-de-…
============================================================
2. Pressure of the record companies on The Pirate Bay
============================================================
The Swedish court has denied the request of four major record companies to
fine The Pirate Bay (TPB) for being still operational.
At the middle of May 2009, Universal, EMI, Sony and Warner asked the Swedish
District Court to apply penalties to the operators of TPB for every day they
continue to operate the site. The plaintiffs claimed TPB was an "infringing
service" as they had been able to download through it 467 music albums to
which they owned the copyright. They also asked that the four operators of
TPB take measures so that the works for which they own the copyright could
not be downloaded by Internet users via the site.
Moreover, the recording companies seem to have asked the ISP "Black
Internet" to stop providing services to TPB. Additionally, they asked the
court to apply the penalties even before the District Court ruled on it and
without hearing the four defendants.
On 25 May 2009, the District Court denied the demands stating they wanted to
hear the defendants first and gave the Pirate Bay operators a few weeks to
state their position in the matter. The record companies were also given a
week to decide whether they wanted to appeal the decision to the Court of
Appeal.
"I don't think these are circumstances where the case must be tried
immediately. Usually you get to make your statement before a demand like
this is granted" said judge Caroline Hindmarsh who reviewed the demands and
made the decision.
IT security expert André Rickardsson said to DN.se that the demand of the
record companies was surprising. "Swedish law applies in Sweden and their
Internet service isn't even in Sweden. I don't understand why the district
court has anything to do with this. The Pirate Bay operates in countries
where the activity is permitted," said the expert.
Peter Sunde, one of the defendants, has stated that the record companies
have never asked TPB to remove any of the torrents the plaintiffs refer to
in their request to the District Court and accused the record companies of
being more interested in money and power than in the artists they should
represent.
In the meantime, TPB is searching for unbiased judges after they filed,
along with the appeal to the High Court of Justice, accusations against
Judge Tomas Norström for conflict of interest due to his membership with
associations such as the Swedish Copyright Association.
Judge Ulrika Ihrfeldt was appointed to investigate the conflict of interest
but, soon after that, the judge also revealed having been a member of the
Swedish Copyright Association and was removed from the case. The next judge
appointed to lead the investigation, Anders Eka, appears to be connected to
the Stockholm Center for Commercial Law, where lawyers Monique Wadsted and
Peter Danowsky representing the record companies in TPB trial also are
involved.
Although Eka said he had no personal relationships with the plaintiffs'
lawyers and that he had no background in copyright law, he acknowledged
however he might be suspected for potential bias.
Court President Fredrik Wersäll stated that the investigation of
Norström's potential conflict of interest would be finished in a few weeks.
If Norström is found biased, the case will be sent back to the District
Court. In case the judge is cleared of the accusation, the High Court of
Justice will deal with the main appeal of the verdict and decide on
whether to hold a new trial.
Pirate Bay Money Squeeze Rejected by Court (25.05.2009)
http://torrentfreak.com/pirate-bay-money-squeeze-rejected-by-court-090525/
Pirate Bay: In search of an unbiased judge (23.05.2009)
http://news.cnet.com/8301-13578_3-10248264-38.html?tag=mncol;title
Record Labels Increase Legal Pressure on Pirate Bay (19.05.2009)
http://torrentfreak.com/record-labels-increase-legal-pressure-on-pirate-bay…
Court rejects lawyers' call to gag Pirates (25.05.2009)
http://www.thelocal.se/19656/20090525/
EDRi-gram: The Pirate Bay asks for retrial claiming conflict of interest
(6.05.2009)
http://www.edri.org/edri-gram/number7.9/pirate-bay-mistrial
============================================================
3. Open source supporters criticize European govts for favouring MS
============================================================
Recent governmental plans in several European countries to buy proprietary
software for public administration or education have caused concerns over
the methods used and the lack of public discussion over the decisions.
18 open source companies (including Red Hat) have challenged successfully in
the Federal court a three-year contract between the Swiss Federal Bureau for
Building and Logistics (BBL) and Microsoft for the provisions of Windows
desktops and applications, including support and maintenance. The total
value of the contract was estimated at about 27.8 million euro.
The preliminary ruling of the Federal court from 28 May 2009 was based on
the fact that the BBL disregarded the procurement rules and did not issue a
call for tender. A future final positive decision of the court could mean
that the contract will be canceled and a public auction call needs to be
made.
Just a few days before the court decision, another similar case was raised
by the Swiss open source advocacy group ch/open. They have presented the
situation in the Bern canton, where an 18 million euro contract was
attributed directly for Microsoft software licences, without a public
auction.
Ch/open criticized the lack of transparency of the deal and explained the
current action: "Without any public process, contracts are awarded to a
proprietary software vendor. This makes public administration increasingly
dependent on Microsoft, giving it again no other option in eight years
time."
This deal will be debated in the canton's Parliament by the parliamentary
group on digital sustainability that has the main scope to increase the use
of open source by Swiss public bodies.
Another government-related project that created rumors was the Spanish
government's decision to install Microsoft software on the 420 000 laptops for
students. After the Spanish Socialist Party supported the idea that laptops
should be equipped with Open Source software, Microsoft's chairman Bill
Gates and Spain's Prime Minister José Luis Rodriguez Zapatero met on 26 May
2009 to decide on the new software for this project.
The project was criticized even earlier this year by open source
organisations such as Hispalinux that pointed out that there was no public
tender on this topic.
Similarly, in a different corner of Europe, the Romanian Government has
announced that it has mandated the Ministry of Communications to buy
Microsoft licences of 100 million euros for the Ministries and
Governmental Agencies in the period 2009-2012. Although the government
press release talks about obtaining these licences through a possible
auction, there is a clear-cut signal on who will be the winner.
"The Romanian Government seems out of touch with reality" has been the harsh
comment by Lucian Savluc, the organizer of the third national open source
conference eLiberatica that took place in Bucharest in the second part of
May 2009.
Georg Greve, the president of Free Software Foundation Europe and a speaker
at the same event, commented on the situation:
"Microsoft's deals in new EU member states have raised concerns over
corruption before, e.g. in Bulgaria. But while Microsoft seems to raise such
questions more often than others, it should be noted that the problem of
illegal procurement is larger and not limited to Microsoft. Nor is the
problem limited to the new EU member states, as the recent irregularities
and resulting antitrust complaint filed in Switzerland demonstrate. (...)
It seems ironic that the European Commission has to fine Microsoft
repeatedly over sustained monopoly abuse, then transfers part of that money
to Romania, which enjoyed the highest level of financial support ever
granted to a candidate country in the history of the European Union, and the
Romanian government then decides to return part of that money to Microsoft
with close to no tangible benefit for Romania."
CH: Court scraps federal no-bid software licence deal (28.05.2009)
http://www.osor.eu/news/ch-court-scraps-federal-no-bid-software-licence-deal
CH: Protests over no-bid software contract in Bern (28.05.2009)
http://www.osor.eu/news/ch-protests-over-no-bid-software-contract-in-bern
Bill Gates, pleased with the announcement of Zapatero of giving laptops to
students (only in Spanish, 26.05.2009)
http://www.20minutos.es/noticia/470593/0/zapatero/gates/reunion/
Hispalinux censorship financial costs and technological dependence of the
"solution" for Microsoft Education (only in Spanish, 27.04.2009)
http://www.hispalinux.es/minipc-primaria
ES: Gates and Zapatero weigh in on debate over school laptops (29.05.2009)
http://www.osor.eu/news/es-gates-and-zapatero-weigh-in-on-debate-over-schoo…
My official position - The Romanian government is about to spend millions of
euro on proprietary software. (27.05.2009)
http://www.cianblog.com/2009/05/27/my-official-position-the-romanian-govern…
Minister of Communications - mandated to pay 100 million euro for Microsoft
licences (only in Romanian, 1.06.2009)
http://www.mediafax.ro/economic/ministerul-comunicatiilor-mandatat-sa-achit…
============================================================
4. DRI against the Irish law on the interception of communications
============================================================
Digital Rights Ireland has lodged a formal complaint with the European
Commission against Ireland over the Irish law on the interception of
communications.
The Irish law, which is governed by the Interception of Postal Packets and
Telecommunications Messages (Regulation) Act 1993, applies only
to telecommunications providers who operate under a licence or general
authorisation. Consequently, the vast majority of internet communication
services (such as VOIP providers, webmail and instant messaging services)
are not covered, so the interception of communications on those services is
unregulated.
This is in breach of Art. 5 of the e-Privacy Directive (Directive
2002/58/EC) which requires member states to "prohibit listening,
tapping, storage or other kinds of interception or surveillance of
communications and the related traffic data by persons other than users,
without the consent of the users concerned, except when legally authorised
to do so (by) legislative measures (which are) necessary, appropriate and
proportionate within a democratic society".
Complaint to European Commission over Irish Interception Laws (28.05.2009)
http://www.digitalrights.ie/2009/05/28/complaint-to-european-commission-ove…
(contribution by EDRi-member Digital Rights Ireland DRI)
============================================================
5. French Government hurries to put HADOPI law into application
============================================================
No sooner had the three strikes law been adopted than the French government
issued CCAPs (special administrative specifications) and CCTPs (special
technical specifications) which were sent by the Ministry of Culture to the
candidate enterprises to put into function the information system of HADOPI.
The call for tenders was sent since the beginning of the year even before
the Hadopi law was adopted, the notification date having been set for 5 June
2009 with a deadline on 1 July 2009 for a first prototype of the graduated
response system. A draft calendar foresees the application of the Hadopi law
in stages starting with 5 June 2009 until 31 March 2010.
In the beginning, Hadopi will send only written recommendations by e-mail at
a rate of about 100 infringing cases per day after which, when the treatment
is completely automatic probably in September 2009, the number of cases will
increase to 1000 per day reaching 10 000 when the prototype is finalised in
2010.
A calendar of actions is left however at the choice of the candidates, the
CCTP mentioning that "the offers will be assessed in terms of the closeness
of the proposed calendar as compared to the target calendar". The ministry
is not concerned with costs or means but only with speed. The candidates
will have a rather difficult task as the beta-test will last only two weeks
before the first warnings and the blocking bugs will have to be corrected in
one day, otherwise they will face sanctions. There is also the result
obligation, the operator taking the responsibility in case of problems and
having to compensate Hadopi in case of delays or malfunctions.
There is no provision for the moment that Hadopi makes sure, before issuing
a warning or a sanction, that illegal downloading has effectively taken
place from the IP address of a suspected Internet subscriber. It appears
that between the IP address collection phase and the warning or sanction
phase there will be a "notarisation and sampling" phase.
The notarisation phase means the "qualification of the data and the
recording of essential elements of the transaction from a trustworthy third
party" meaning the recording of all the elements proving the downloading or
rather making copyrighted material available. "The content, origin,
receiving date, the sender's identification key and the destination of the
file are essential elements" says the CCTP.
Sampling means Hadopi would retain only some of the complaints received in
order to deal mostly with those of higher interest. An algorithmic system
will allow targeting potential recidivists as a priority.
Hadopi does not take into account the presumption of innocence and only
needs to be certain of the reliability of the IP address lists on the basis
of which it would give warnings and sanctions. Hence the provision of
attaching a "chunk" of the file to every submission of a case in court which
would be a material proof of the infringing. However, such a provision
raises practical and economical problems.
The CCAP and CCTP do not specify either the criteria based on which Hadopi
will decide on recidivism in order to send another e-mail, registered letter
or give sanctions. It is only mentioned that a "study of the reiterations
is carried out so as to bring out the following elements for each
subscriber: infringement stage (1st, 2nd, 3rd.); type of actions taken or
sanctions given by the High Authority: time interval between each
infringement; and type of works concerned".
There are also very few details as to what are the means of appeal for
the sanctioned Internet users. It is provided that an appeal can be made by
means of an electronic form or by mail and that the appeal may lead to
informing the ISP of the obligation to re-establish a suspended
subscription. On the other hand, no observations can be brought by a
subscriber before the sanction stage.
For the time being, Hadopi continues to be criticised and contested. On 15
June, a concert evening against the graduated response will take place with
several groups of artists supported by Numerama, co-organised by Réseau des
Pirates and Owni.fr, in partnership with Vendredi Hebdo and International
and supported also by Slate, Agoravox, LePost, Ivox, 22mars, Social Média
Club, j'affiche and ZikNation.
The evening will include the projection on films dealing with Hadopi, the
new models to remunerate artists, the protection of numerical freedoms, a
debate on the topics as well as music moments.
"The problem with HADOPI is triple: it does not bring more money to artists,
it touches the fundamental rights and finally it opens a breach into net
neutrality allowing private interests to get hold of a judge in order to
oblige an access provider to censure part of the net. This law stigmatises
the Net which is however an incredible chance for the music to get renewed.
(...) A new model must be invented and the technological evolution must be
accompanied rather than rowing against it. This is what the public politics
serve for, not to protect an industry where 5 multinationals make a trust of
the entire market and refuse in a single voice to accept the challenge," was
the statement of Flowers From The Man Who Shot Your Cousin / Waterhouse
Records that will participate in the event.
Exclusive: Hadopi will target as a priority the potential recidivists!
(only in French, 20.05.2009)
http://www.numerama.com/magazine/12960-Exclusif-l-Hadopi-ciblera-en-priorit…
Exclusive: Hadopi will not collect material evidence... for the moment
(only in French, 27.05.2009)
http://www.numerama.com/magazine/13006-Exclusif-l-Hadopi-ne-collectera-pas-…
Concert-Evening "Hadopi has killed me" Monday 15 June in Paris (only in
French, 26.05.2009)
http://www.numerama.com/magazine/12998-Soiree-Concert-Hadopi-m-a-Tuer-le-lu…
============================================================
6. WIPO: Visually impaired treaty proposal
============================================================
The WIPO Standing Committee on Copyright and Related Rights (SCCR) met from
25 to 29 May in Geneva. This time, the main points on the agenda were the
survey on limitations and exceptions and the visually impaired treaty
proposal introduced by Brazil Ecuador and Paraguay (BEP proposal).
As usual, the committee also briefly dealt with the situation pertaining
broadcaster's rights and audiovisual protection but since the national
positions are not moving, no real progress was made.
The most interesting part of the meeting was the discussion about the
BEP proposal. The treaty was strongly supported by the South American
countries and it was also seen in a favourable light by most of the African
representatives (which would like to see even wider support for access to
information, though) and Asian delegates.
However, group B and the European Union did their best to derail the process
of getting the treaty under serious consideration. The given reasons for
this were rather perplexing e.g. "the matter is so complex" (unlike the
broadcast treaty?) and "there's need for more fact-finding" (there's a lot of
published research by both WIPO and WBU). In reality, the civil servants
from Germany, France etc. want to oppose categorically any instrument which
would give rights to the users. However, since it is not politically
possible to oppose helping visually impaired persons such poor excuses are
needed.
EDRi also stressed in its intervention the fact that EU is ready to use a
"hard law" approach to help elder stage musicians so it would be very
insincere to oppose the same approach for blind persons.
WIPO Limitations & Exceptions Treaty Advances; Audiovisual Treaty Gets New
Life (30.05.2009)
http://www.ip-watch.org/weblog/2009/05/30/wipo-limitations-audiovisual-trea…
SCCR to Expedite Work in Favor of Reading Impaired (2.06.2009)
http://www.wipo.int/pressroom/en/articles/2009/article_0012.html
(Contribution by Ville Oksanen, EDRI-member EFFI)
============================================================
7. EU will examine Google Books project
============================================================
The German delegation submitted at the European Council meeting held in
Brussels on 28 and 29 May 2009, an information note asking EU to take action
against Google's online library project, Google Books, a project targeting
the scanning of entire book collections of major libraries.
"This move has an impact on cultural and media policy that we need to put on
a European level," said Culture Minister Bernd Neumann.
There is already a dispute between Google and US authors and publishers as
the publishing industry is concerned by the fact that scanning books without
authors' permission is a violation of copyright laws.
Germany's information note argues that many of the rights holders having
works that are scanned by Google are in the EU and that European copyright
law differs from the US one. The German delegation considers that Google is
using the excuse of a fair use exception to face copyright claims, an
exemption which doesn't exist in EU member states.
The main concern is related to the necessity of obtaining consent given by
authors before scanning their works. "Google's actions are irreconcilable
with the principles of European copyright law, according to which the
consent of the author must be obtained before his or her works may be
reproduced or made publicly available on the Internet" says the note.
Foreign Minister Frank-Walter Steinmeier has shown concerns regarding
competitivity issues: "Through digitalising millions of books without right
holders' permission, Google has already gained a competitive advantage
against similar projects like Europeana and libreka.de - who unlike
Google respect European copyright laws."
The EU has immediately confirmed the launching of a formal inquiry which
will apparently focus on copyright matters and will look into the settlement
Google has with publishers and authors.
After Authors Guild and the Association of American Publishers filed a law
suit against Google in 2004 arguing the giant was violating copyright by
displaying excerpts of books without the permission of the copyright
holders, a settlement reached in October 2008 raised criticism and is now
investigated by the US Justice Department on anti-trust grounds.
The settlement would let Google sell to other libraries access to its online
books and subscriptions to its entire library and the revenues would go to
Google, publishers and authors. The settlement gives authors until early
January to adhere to it and hence receive money for having their books
scanned or to opt out of the system by September 2009.
Anne Bergman-Tahon, director of the FEP believes that "millions of works
will never be claimed because these 300 pages of settlement are so
complicated." Therefore, critics argue that when copyright holders do not
come forward, Google alone will have the rights to "orphan books" which,
according to a recent article in the Wall Street Journal newspaper are
estimated at 50 to 70 percent of books published after 1923. Google will
hold monopoly under the circumstances and will be in the position to charge
as much as it wants for access to books.
On the other hand, Google stated that by its project it was giving an
eternal digital life to millions of books which are now out of print and
that it was "happy to engage in any constructive dialogue about the future
of books and copyright."
EU may flex regulatory muscles against Google book deal (1.06.2009)
http://arstechnica.com/tech-policy/news/2009/06/eu-may-flex-regulatory-musc…
Germany wants EU to fight Google Books project (2.06.2009)
http://www.thelocal.de/sci-tech/20090602-19649.html
Council calls on Commission to examine Google Books project (2.06.2009)
http://euroalert.net/en/news.aspx?idn=8811
EU states concerned over Google library plans (27.05.2009)
http://euobserver.com/19/28193
EU confirms Google investigation (31.05.2009)
http://www.thebookseller.com/news/86904-page.htm
============================================================
8. Deutsche Telecom investigating the sexual life of job applicants
============================================================
According to German newspaper Handelsblatt, Deutsche Telecom was keeping
records about personal details of job applicants, including details about
their sexual life. Similar records on potential employees were also kept in
Macedonia, Croatia, Slovenia and Hungary.
An anonymous security consultant who used to work for Deutsche Telecom
stated for the German newspaper that this was actually a common practice of
the company.
According to Handelsblatt, the German Telecom hired private detectives from
Germany who were collecting data about potential employees by eavesdropping
phone conversations, investigating their bank accounts and intimate, sexual
life, explaining that this way they could know who they were dealing with.
This was revealed soon after Deutsche Telecom confirmed the information that
it was spying on the directors in its companies and on journalists, in order
to determine where the information was leaking from.
The company announced that it did not order regular reports on the
private life of the potential employees. The people from Macedonian
Telecommunications say that this was not, is not and will not be a practice
of their company.
"These allegations are absolutely wrong, unserious and unsubstantiated.
Such practice is prohibited by the Law on personal data protection.
Everybody knows what information should be submitted by the applicant; first
and last name, address, education, previous work experience, recommendations
and a motivation letter" claim the representatives of T-Mobile and T-Home,
companies owned by Deutsche Telecom.
"All of the employment applications can be found on the company's
website" say the representatives from Macedonian Telecom.
The representatives of the Croatian T-Com stated that they did not
know anything about the spying, and if the investigation proves that this
really happened, the responsible persons will have to bear the consequences.
According to the reports to which the newspaper had access, a woman
that was applying for a job in the Croatian telecom - a branch of DT, is
described as an experienced sexual partner with a rich imagination. The
partners of the candidate allegedly said that she was a "female predator"
with a big sexual urge and that she preferred older men. In another report,
which was allegedly prepared by the German counterintelligence service BND,
a candidate is described as an alcoholic, and another one as a corrupted old
man.
Deutsche Telecom claims it did not order reports with personal data of
the candidates.
"Deutsche Telecom is not analyzing the private life of the applicants.
DT doesn't need any information about the private life of the candidates"
stated Philip Blank, the company's spokesman.
According to AFP, this is one of the several scandals that broke out
in Deutsche Telecom and the company also admitted to have spied on
journalists and members of the supervisory board in order to find the source
of the media. DT also admitted that in 2006 it was checking the bank
accounts of more than 100 000 workers to determine whether any of them were
involved in corruption.
Deutsche Telecom investigating the sexual life of job applicants
(26.05.2009)
http://www.metamorphosis.org.mk/en/news/world/1498-dojce-telekom-go-proveru…
(contribution by Kire Dimik - EDRi-member Metamorphosis - Macedonia)
============================================================
9. Recommended Action
============================================================
On 26 May 2009 the European Commission opened a consultation on the
conclusions of the online commerce roundtable on the online distribution of
music. The consultation will close on 30 June 2009.
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/832&format=HT…
http://ec.europa.eu/competition/consultations/2009_online_commerce/roundtab…
============================================================
10. Recommended Reading
============================================================
Ethnic Profiling in the European Union: Pervasive, Ineffective, and
Discriminatory (26.05.2009)
http://www.soros.org/initiatives/osji/articles_publications/publications/pr…
Constitutional complaint against Hadopi (only in French, 19.05.2009)
http://www.lesechos.fr/medias/2009/0519//300350517.pdf
The German constitutional court published its 2008-ruling that created a
"fundamental right to the guarantee of the confidentiality and integrity of
information technology systems" in English (27.02.2008)
http://www.bverfg.de/en/decisions/rs20080227_1bvr037007en.html
============================================================
11. Agenda
============================================================
1-4 June 2009, Washington, DC, USA
Computers Freedom and Privacy 2009
http://www.cfp2009.org/
5 June 2009, London, UK
The Second Multidisciplinary Workshop on Identity in the Information
Society (IDIS 09): "Identity and the Impact of Technology"
http://is2.lse.ac.uk/idis/2009/
10 June 2009, Brussels, Belgium
The Global Enforcement Agenda of copyright, patents and other IPRs: Some
consumer perspectives
Organized by TransAtlantic Consumer Dialogue (TACD), Knowledge Ecology
International (KEI) and Health Action International Europe (HAI-E)
http://www.tacd-ip.org/blog/2009/05/29/tacd-kei-and-hai-e-host-event-on-enf…
28-30 June 2009, Torino, Italy
COMMUNIA Conference 2009: Global Science & Economics of Knowledge-Sharing
Institutions
http://www.communia-project.eu/conf2009
2-3 July 2009, Padova, Italy
3rd FLOSS International Workshop on Free/Libre Open Source Software
http://www.decon.unipd.it/personale/curri/manenti/floss/floss09.html
13-16 August 2009, Vierhouten, The Netherlands
Hacking at Random
http://www.har2009.org/
23-27 August 2009, Milan, Italy
World Library and Information Congress: 75th IFLA General Conference and
Council: "Libraries create futures: Building on cultural heritage"
http://www.ifla.org/IV/ifla75/index.htm
10-12 September 2009, Potsdam, Germany
5th ECPR General Conference, Potsdam
Section: Protest Politics
Panel: The Contentious Politics of Intellectual Property
http://www.ecpr.org.uk/potsdam/default.asp
16-18 September 2009, Crete, Greece
World Summit on the Knowledge Society WSKS 2009
http://www.open-knowledge-society.org/
17-18 September 2009, Amsterdam, Netherlands
Gikii, A Workshop on Law, Technology and Popular Culture
Institute for Information Law (IViR) - University of Amsterdam
Call for papers by 1 July 2009
http://www.law.ed.ac.uk/ahrc/gikii/2009.asp
21-23 October 2009, Istanbul, Turkey
eChallenges 2009
http://www.echallenges.org/e2009/default.asp
24-25 October 2009, Vienna, Austria
3rd European Privacy Open Space
http://www.privacyos.eu
25 October 2009, Vienna, Austria
Austrian Big Brother Awards
Deadline for nominations: 21 September 2009
http://www.bigbrotherawards.at/
16 October 2009, Bielefeld, Germany
10th German Big Brother Awards
Deadline for nominations: 15 July 2009
http://www.bigbrotherawards.de/
13-15 November 2009, Gothenburg, Sweden
Free Society Conference and Nordic Summit
http://www.fscons.org/
15-18 November 2009, Sharm El Sheikh, Egypt
UN Internet Governance Forum
http://www.intgovforum.org/
============================================================
12. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

Re: [liberationtech] Exactly how are satellite transmissions tapped/intercepted, in Syria and elsewhere?
by Jacob Appelbaum 06 Jul '18
On 11/28/2011 04:22 PM, Gustaf Björksten wrote:
> On 11/28/2011 05:42 PM, Brian Conley wrote:
>> Hi all,
>>
>> First of all, thanks Brett for that article about Area SpA, great news!
>>
>> Secondly, I'm in the middle of some research into how satellite
>> communications are being used by activists, as well as how they are being
>> used/intercepted by Syrian authorities in an attempt to quell the uprising.
>> I've read a number of articles in a disjointed fashion, and am just now
>> beginning to coordinate my efforts. I am working on a series of best
>> practices for being "most safe" as I'm not sure we can offer much better
>> than that with regard to satellite equipment, furthermore I'm hoping to
>> provide an educated understanding of just what the risks are and what might
>> be done to mitigate them. However my impression is that the guide will
>> primarily be about understanding the full extent of the risk you place
>> yourself in.
>>
>> I have heard rumors about Syria's capacity direct from Syrian activists,
>> including that some calls made with Thuraya phones have been recorded, and
>> that a phone simply making a call, for the first time, in a distant
>> location was tracked by Syrian authorities. Unfortunately, as many of you
>> know, such anecdotes are not as helpful as they might seem, and that it's
>> important to understand, as best we can, just why Thuraya phones seem to be
>> "less safe" than Inmarsat or Iridium, and to ensure that Syrians don't
>> become lax and begin to depend on an alternate tool to Thuraya such as
>> Inmarsat phones, only to find themselves equally targeted via that means,
>> though it may take the regime longer to establish practices.
>>
>> Anyhow, what I'm looking for are accounts of how satphones have been
>> used/tracked in Syria, as well as articles about Syria's capacity to
>> monitor satellite transmissions. Separately I'll be researching the
>> practical capabilities of various satphones to ensure that readers of the
>> guide have access to the best information available, though this will
>> obviously need to evolve over time.
>
> Hi Brian,
>
> Access has also heard a number of reports from Syria that Thuraya
> satellite devices have been giving away the location of the device
> operators as soon as the devices are used. Our reports suggest this is
> limited to Thuraya devices only, and that the use of satellite
> technology from other providers does not seem to have the consequence of
> position information leakage to the authorities at this time.
>
This is not strictly correct. All satellite communications systems are
privacy invasive. BGAN, Thuraya, etc.
> We do know that Thuraya devices transmit their location periodically as
> part of their communications protocol[1][2].
This is common in all satellite communications systems.
> While this information is
> encrypted there seems to be some doubt as to the strength of that
> encryption. The US military complex did not have much faith in it and
> seems to have been able to bypass or crack the encryption to access the
> location information of Thuraya devices used by Iraqi Government
> officials[2]. While it is not clear exactly how this was achieved we do
> know that Thuraya devices were manufactured by Boeing and this fact may
> have contributed to an easy decryption route for US forces.
>
Thuraya is easy to monitor. It's not even expensive. There are
commercial solutions and there are non-commercial projects that work
with common hardware. Satellite communication networks are absolutely
not secure to use without additional protection. If location anonymity
is important, I highly advise against using satellite communications
technology. Unless you've properly tampered with the device to falsify
the location reporting, you're probably not as secure as you'd like...
> In addition to this the location information clearly appears in
> unencrypted form in server logs at Thuraya itself[1]. This is worrying
> as it turns out that Thuraya is predominantly owned by Etisalat, a telco
> from the UAE with a dark history regarding surveillance of their users[3].
>
All of these systems keep logs. All of the satellite companies have a
dark history.
> Etisalat have telecommunications interests in places including Egypt,
> Iran, Saudi Arabia, Qatar, Indonesia, and Sri Lanka. Etisalat was also
> alleged to be involved in a $39 billion scam in 2010 in India[4], and
> they deployed and manage the internet censorship system under the
> direction of the authorities in the UAE[5].
>
> Due to the above-mentioned technical and ownership issues we
> recommend civil society do not use Thuraya satellite devices in the MENA
> region. To our knowledge devices from other vendors do not seem to be
> affected at this time. Access is working to gather further evidence from
> the ground in Syria and elsewhere in the MENA region to shine further
> light on the possible misuse of Thuraya satellite device location
> information. We also welcome any further information from anyone on this
> mailing list.
>
It's all about threat models. If you're worried about people who have
control of Thuraya, use a BGAN. If you're worried about upsetting people
who have control of the Hughes network, use Thuraya. If you're worried
about location anonymity or evading content inspection, hack your device
to lie about the GPS location of your device. The location must be
within the same spot beam as your physical location or your device will
not sync with the birds in the sky. If you're using one of these devices
to transfer data at all, I highly encourage the use of Tor as you're
absolutely going to be intercepted by multiple parties.
Some BGAN devices can be programmed to only send the spot beam ID but
again, you're trusting closed source, proprietary software/hardware with
your life. That's not a thing I'd suggest. Certainly not in a place like
Syria or other extremely hostile places.
All the best,
Jacob
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Aside from the many bug fixes, 0.0.9 includes a win32 installer, better
circuit building algorithms, bandwidth accounting and hibernation,
more efficient directory fetching, and support for a separate Tor GUI
controller program (once somebody writes one for us).
tarball: http://tor.freehaven.net/dist/tor-0.0.9.tar.gz
signature: http://tor.freehaven.net/dist/tor-0.0.9.tar.gz.asc
win32 exe: http://tor.freehaven.net/dist/tor-0.0.9-win32.exe
win32 sig: http://tor.freehaven.net/dist/tor-0.0.9-win32.exe.asc
(use -dPr tor-0_0_9 if you want to check out from cvs)
o Bugfixes on 0.0.8.1 (Crashes and asserts):
- Catch and ignore SIGXFSZ signals when log files exceed 2GB; our
write() call will fail and we handle it there.
- When we run out of disk space, or other log writing error, don't
crash. Just stop logging to that log and continue.
- Fix isspace() and friends so they still make Solaris happy
but also so they don't trigger asserts on win32.
- Fix assert failure on malformed socks4a requests.
- Fix an assert bug where a hidden service provider would fail if
the first hop of his rendezvous circuit was down.
- Better handling of size_t vs int, so we're more robust on 64
bit platforms.
o Bugfixes on 0.0.8.1 (Win32):
- Make windows sockets actually non-blocking (oops), and handle
win32 socket errors better.
- Fix parse_iso_time on platforms without strptime (eg win32).
- win32: when being multithreaded, leave parent fdarray open.
- Better handling of winsock includes on non-MSV win32 compilers.
- Change our file IO stuff (especially wrt OpenSSL) so win32 is
happier.
- Make unit tests work on win32.
o Bugfixes on 0.0.8.1 (Path selection and streams):
- Calculate timeout for waiting for a connected cell from the time
we sent the begin cell, not from the time the stream started. If
it took a long time to establish the circuit, we would time out
right after sending the begin cell.
- Fix router_compare_addr_to_addr_policy: it was not treating a port
of * as always matching, so we were picking reject *:* nodes as
exit nodes too. Oops.
- When read() failed on a stream, we would close it without sending
back an end. So 'connection refused' would simply be ignored and
the user would get no response.
- Stop a sigpipe: when an 'end' cell races with eof from the app,
we shouldn't hold-open-until-flush if the eof arrived first.
- Let resolve conns retry/expire also, rather than sticking around
forever.
- Fix more dns related bugs: send back resolve_failed and end cells
more reliably when the resolve fails, rather than closing the
circuit and then trying to send the cell. Also attach dummy resolve
connections to a circuit *before* calling dns_resolve(), to fix
a bug where cached answers would never be sent in RESOLVED cells.
o Bugfixes on 0.0.8.1 (Circuits):
- Finally fix a bug that's been plaguing us for a year:
With high load, circuit package window was reaching 0. Whenever
we got a circuit-level sendme, we were reading a lot on each
socket, but only writing out a bit. So we would eventually reach
eof. This would be noticed and acted on even when there were still
bytes sitting in the inbuf.
- Use identity comparison, not nickname comparison, to choose which
half of circuit-ID-space each side gets to use. This is needed
because sometimes we think of a router as a nickname, and sometimes
as a hex ID, and we can't predict what the other side will do.
o Bugfixes on 0.0.8.1 (Other):
- Fix a whole slew of memory leaks.
- Disallow NDEBUG. We don't ever want anybody to turn off debug.
- If we are using select, make sure we stay within FD_SETSIZE.
- When poll() is interrupted, we shouldn't believe the revents values.
- Add a FAST_SMARTLIST define to optionally inline smartlist_get
and smartlist_len, which are two major profiling offenders.
- If do_hup fails, actually notice.
- Flush the log file descriptor after we print "Tor opening log file",
so we don't see those messages days later.
- Hidden service operators now correctly handle version 1 style
INTRODUCE1 cells (nobody generates them still, so not a critical
bug).
- Handle more errnos from accept() without closing the listener.
Some OpenBSD machines were closing their listeners because
they ran out of file descriptors.
- Some people had wrapped their tor client/server in a script
that would restart it whenever it died. This did not play well
with our "shut down if your version is obsolete" code. Now people
don't fetch a new directory if their local cached version is
recent enough.
- Make our autogen.sh work on ksh as well as bash.
- Better torrc example lines for dirbindaddress and orbindaddress.
- Improved bounds checking on parsed ints (e.g. config options and
the ones we find in directories.)
- Stop using separate defaults for no-config-file and
empty-config-file. Now you have to explicitly turn off SocksPort,
if you don't want it open.
- We were starting to daemonize before we opened our logs, so if
there were any problems opening logs, we would complain to stderr,
which wouldn't work, and then mysteriously exit.
- If a verified OR connects to us before he's uploaded his descriptor,
or we verify him and hup but he still has the original TLS
connection, then conn->nickname is still set like he's unverified.
o Code security improvements, inspired by Ilja:
- tor_snprintf wrapper over snprintf with consistent (though not C99)
overflow behavior.
- Replace sprintf with tor_snprintf. (I think they were all safe, but
hey.)
- Replace strcpy/strncpy with strlcpy in more places.
- Avoid strcat; use tor_snprintf or strlcat instead.
o Features (circuits and streams):
- New circuit building strategy: keep a list of ports that we've
used in the past 6 hours, and always try to have 2 circuits open
or on the way that will handle each such port. Seed us with port
80 so web users won't complain that Tor is "slow to start up".
- Make kill -USR1 dump more useful stats about circuits.
- When warning about retrying or giving up, print the address, so
the user knows which one it's talking about.
- If you haven't used a clean circuit in an hour, throw it away,
just to be on the safe side. (This means after 6 hours a totally
unused Tor client will have no circuits open.)
- Support "foo.nickname.exit" addresses, to let Alice request the
address "foo" as viewed by exit node "nickname". Based on a patch
from Geoff Goodell.
- If your requested entry or exit node has advertised bandwidth 0,
pick it anyway.
- Be more greedy about filling up relay cells -- we try reading again
once we've processed the stuff we read, in case enough has arrived
to fill the last cell completely.
- Refuse application socks connections to port 0.
- Use only 0.0.9pre1 and later servers for resolve cells.
o Features (bandwidth):
- Hibernation: New config option "AccountingMax" lets you
set how many bytes per month (in each direction) you want to
allow your server to consume. Rather than spreading those
bytes out evenly over the month, we instead hibernate for some
of the month and pop up at a deterministic time, work until
the bytes are consumed, then hibernate again. Config option
"MonthlyAccountingStart" lets you specify which day of the month
your billing cycle starts on.
- Implement weekly/monthly/daily accounting: now you specify your
hibernation properties by
    AccountingMax N bytes|KB|MB|GB|TB
    AccountingStart day|week|month [day] HH:MM
Defaults to "month 1 0:00".
- Let bandwidth and interval config options be specified as 5 bytes,
kb, kilobytes, etc; and as seconds, minutes, hours, days, weeks.
o Features (directories):
- New "router-status" line in directory, to better bind each verified
nickname to its identity key.
- Clients can ask dirservers for /dir.z to get a compressed version
of the directory. Only works for servers running 0.0.9, of course.
- Make clients cache directories and use them to seed their router
lists at startup. This means clients have a datadir again.
- Respond to content-encoding headers by trying to uncompress as
appropriate.
- Clients and servers now fetch running-routers; cache
running-routers; compress running-routers; serve compressed
running-routers.z
- Make moria2 advertise a dirport of 80, so people behind firewalls
will be able to get a directory.
- Http proxy support
- Dirservers translate requests for http://%s:%d/x to /x
- You can specify "HttpProxy %s[:%d]" and all dir fetches will
be routed through this host.
- Clients ask for /tor/x rather than /x for new enough dirservers.
This way we can one day coexist peacefully with apache.
- Clients specify a "Host: %s%d" http header, to be compatible
with more proxies, and so running squid on an exit node can work.
- Protect dirservers from overzealous descriptor uploading -- wait
10 seconds after directory gets dirty, before regenerating.
o Features (packages and install):
- Add NSI installer contributed by J Doe.
- Apply NT service patch from Osamu Fujino. Still needs more work.
- Commit VC6 and VC7 workspace/project files.
- Commit a tor.spec for making RPM files, with help from jbash.
- Add contrib/torctl.in contributed by Glenn Fink.
- Make expand_filename handle ~ and ~username.
- Use autoconf to enable largefile support where necessary. Use
ftello where available, since ftell can fail at 2GB.
- Ship src/win32/ in the tarball, so people can use it to build.
- Make old win32 fall back to CWD if SHGetSpecialFolderLocation
is broken.
o Features (ui controller):
- Control interface: a separate program can now talk to your
client/server over a socket, and get/set config options, receive
notifications of circuits and streams starting/finishing/dying,
bandwidth used, etc. The next step is to get some GUIs working.
Let us know if you want to help out. See doc/control-spec.txt .
- Ship a contrib/tor-control.py as an example script to interact
with the control port.
- "tor --hash-password zzyxz" will output a salted password for
use in authenticating to the control interface.
- Implement the control-spec's SAVECONF command, to write your
configuration to torrc.
- Get cookie authentication for the controller closer to working.
- When set_conf changes our server descriptor, upload a new copy.
But don't upload it too often if there are frequent changes.
o Features (config and command-line):
- Deprecate unofficial config option abbreviations, and abbreviations
not on the command line.
- Configuration infrastructure support for warning on obsolete
options.
- Give a slightly more useful output for "tor -h".
- Break DirFetchPostPeriod into:
- DirFetchPeriod for fetching full directory,
- StatusFetchPeriod for fetching running-routers,
- DirPostPeriod for posting server descriptor,
- RendPostPeriod for posting hidden service descriptors.
- New log format in config:
"Log minsev[-maxsev] stdout|stderr|syslog" or
"Log minsev[-maxsev] file /var/foo"
- DirPolicy config option, to let people reject incoming addresses
from their dirserver.
- "tor --list-fingerprint" will list your identity key fingerprint
and then exit.
- Make tor --version --version dump the cvs Id of every file.
- New 'MyFamily nick1,...' config option for a server to
specify other servers that shouldn't be used in the same circuit
with it. Only believed if nick1 also specifies us.
- New 'NodeFamily nick1,nick2,...' config option for a client to
specify nodes that it doesn't want to use in the same circuit.
- New 'Redirectexit pattern address:port' config option for a
server to redirect exit connections, e.g. to a local squid.
- Add "pass" target for RedirectExit, to make it easier to break
out of a sequence of RedirectExit rules.
- Make the dirservers file obsolete.
- Include a dir-signing-key token in directories to tell the
parsing entity which key is being used to sign.
- Remove the built-in bulky default dirservers string.
- New config option "Dirserver %s:%d [fingerprint]", which can be
repeated as many times as needed. If no dirservers specified,
default to moria1,moria2,tor26.
- Make 'Routerfile' config option obsolete.
- Discourage people from setting their dirfetchpostperiod more often
than once per minute.
o Features (other):
- kill -USR2 now moves all logs to loglevel debug (kill -HUP to
get back to normal.)
- Accept *:706 (silc) in default exit policy.
- Implement new versioning format for post 0.1.
- Distinguish between TOR_TLS_CLOSE and TOR_TLS_ERROR, so we can
log more informatively.
- Check clock skew for verified servers, but allow unverified
servers and clients to have any clock skew.
- Make sure the hidden service descriptors are at a random offset
from each other, to hinder linkability.
- Clients now generate a TLS cert too, in preparation for having
them act more like real nodes.
- Add a pure-C tor-resolve implementation.
- Use getrlimit and friends to ensure we can reach MaxConn (currently
1024) file descriptors.
- Raise the max dns workers from 50 to 100.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
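The "Code security improvements" items in the release notes above replace sprintf, strcpy and strcat with bounded calls whose overflow behaviour is the same on every platform. The following is an added example, not Tor's source code: `bounded_snprintf`, `bounded_append` and `join_ports` are hypothetical names, and the contract "return -1 on truncation, always NUL-terminate" is an assumption chosen for this illustration.

```c
#include <limits.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wrapper (illustration only, not Tor's tor_snprintf).
 * Contract assumed here:
 *   - returns the number of characters written, excluding the NUL, or
 *   - returns -1 if the output did not fit or the arguments are unusable;
 *   - buf is always NUL-terminated when size > 0.
 * C99 snprintf instead returns the length it *would* have written, and
 * older libcs disagreed on return value and termination, so a caller doing
 * `off += snprintf(...)` could move its offset past the end of the buffer. */
int bounded_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int r;

    if (buf == NULL || size == 0 || size > (size_t)INT_MAX)
        return -1;
    va_start(ap, fmt);
    r = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    buf[size - 1] = '\0';              /* terminate even on odd libcs */
    if (r < 0 || (size_t)r >= size)
        return -1;                     /* truncated: report it, one way only */
    return r;
}

/* Hypothetical strcat replacement: append src to the string in dst[size].
 * Returns 0 on success. On overflow returns -1 and leaves dst unchanged,
 * so a half-appended path or hostname is never used by mistake. */
int bounded_append(char *dst, size_t size, const char *src)
{
    const char *end;
    size_t used, need;

    if (dst == NULL || src == NULL || size == 0)
        return -1;
    end = memchr(dst, '\0', size);
    if (end == NULL)
        return -1;                     /* dst was not terminated at all */
    used = (size_t)(end - dst);
    need = strlen(src);
    if (need >= size - used)
        return -1;
    memcpy(dst + used, src, need + 1); /* copies the NUL as well */
    return 0;
}

/* Build "p1,p2,...,pn" in out[size]; returns the length or -1 if it does
 * not fit. With a raw C99 snprintf, `off += r` after a truncated write
 * would exceed size and `size - off` would wrap to a huge value. */
int join_ports(char *out, size_t size, const int *ports, size_t n)
{
    size_t off = 0, i;

    if (out == NULL || size == 0)
        return -1;
    out[0] = '\0';
    for (i = 0; i < n; i++) {
        int r = bounded_snprintf(out + off, size - off, "%s%d",
                                 i ? "," : "", ports[i]);
        if (r < 0)
            return -1;
        off += (size_t)r;              /* r < size - off, so off < size */
    }
    return (int)off;
}

int main(void)
{
    const int ports[] = { 80, 443, 6667 };   /* constructed sample input */
    char big[16], small[8];

    printf("big:   %d \"%s\"\n", join_ports(big, sizeof big, ports, 3), big);
    printf("small: %d\n", join_ports(small, sizeof small, ports, 3));
    return 0;
}
```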
i like the one that was reported a couple of years ago, on how to do it
with edible gelatin rather than wood glue:
http://www.deeperwants.com/cul1/homeworlds/journal/archives/000048.html
the best line: "after [security door] lets you in, eat the evidence".
-r
At 11:57 17/05/2005, Udhay Shankar N wrote:
>What fun.
>
>http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en
>
>Udhay
>
>--
>((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

Filename: 208-ipv6-exits-redux.txt
Title: IPv6 Exits Redux
Author: Nick Mathewson
Created: 10-Oct-2012
Status: Open
Target: 0.2.4.x
1. Obligatory Motivation Section
[Insert motivations for IPv6 here. Mention IPv4 address exhaustion.
Insert official timeline for official IPv6 adoption here.
Insert general desirability of being able to connect to whatever
address there is here.
Insert profession of firm conviction that eventually there will be
something somebody wants to connect to which requires the ability to
connect to an IPv6 address.]
2. Proposal
Proposal 117 has been there since coderman wrote it in 2007, and it's
still mostly right. Rather than replicate it in full, I'll describe
this proposal as a patch to it.
2.1. Exit policies
Rather than specify IPv6 policies in full, we should move (as we have
been moving with IPv4 addresses) to summaries of which IPv6 ports
are generally permitted. So let's allow server descriptors to include
a list of accepted IPv6 ports, using the same format as the "p" line
in microdescriptors, using the "ipv6-policy" keyword.
"ipv6-policy" SP ("accept" / "reject") SP PortList NL
Exits should still, of course, be able to configure more complex
policies, but they should no longer need to tell the whole world
about them.
After this ipv6-policy line is validated, it should get copied into a
"p6" line in microdescriptors.
This change breaks the existing exit enclave idea for IPv6, but the
existing exit enclave implementation never worked right in the first
place. If we can come up with a good way to support it, we can add
that back in.
2.2. Which addresses should we connect to?
One issue that's tripped us up a few times is how to decide whether
we can use IPv6 addresses. You can't use them with SOCKS4 or
SOCKS4a, IIUC. With SOCKS5, there's no way to indicate that you
prefer IPv4 or IPv6. It's possible that some SOCKS5 users won't
understand IPv6 addresses.
With this in mind, I'm going to suggest that with SOCKS4 or SOCKS4a,
clients should always require IPv4. With SOCKS5, clients should
accept IPv6.
If it proves necessary, we can also add per-SOCKSPort configuration
flags to override the above default behavior.
See also partitioning discussion in Security Notes below.
2.3. Extending BEGIN cells.
Prop117 (and the section above) says that clients should prefer one
address or another, but doesn't give them a means to tell the exit to
do so. Here's one.
We define an extension to the BEGIN cell as follows. After the
ADDRESS | ':' | PORT | [00] portion, the cell currently contains all
[00] bytes. We add a 32-bit flags field, stored as an unsigned 32
bit value, after the [00]. All these flags default to 0, obviously.
We define the following flags:
  bit
   1     -- IPv6 okay. We support learning about IPv6 addresses and
            connecting to IPv6 addresses.
   2     -- IPv4 not okay. We don't want to learn about IPv4 addresses
            or connect to them.
   3     -- IPv6 preferred. If there are both IPv4 and IPv6 addresses,
            we want to connect to the IPv6 one. (By default, we connect
            to the IPv4 address.)
   4..32 -- Reserved.
As with so much else, clients should look at the platform version of
the exit they're using to see if it supports these flags before
sending them.
2.4. Minor changes to proposal 117
GETINFO commands that return an address, and which should return two,
should not in fact begin returning two addresses separated by CRLF.
They should retain their current behavior, and there should be a new
"all my addresses" GETINFO target.
3. Security notes:
Letting clients signal that they want or will accept IPv6 addresses
creates two partitioning issues that didn't exist before. One is the
version partitioning issue: anybody who supports IPv6 addresses is
obviously running the new software. Another is option partitioning:
anybody who is using a SOCKS4a application will look different from
somebody who is using a SOCKS5 application.
We can't do much about version partitioning, I think. If we felt
especially clever, we could have a flag day. Is that necessary?
For option partitioning, are there many applications whose behavior
is indistinguishable except that they are sometimes configured to use
SOCKS4a and sometimes to use SOCKS5? If so, the answer may well be
to persuade as many users as possible to switch those to SOCKS5, so
that they get IPv6 support and have a large anonymity set.
IPv6 addresses are plentiful, which makes caching them dangerous
if you're hoping to avoid tracking over time. (With IPv4 addresses,
it's harder to give every user a different IPv4 address for a target
hostname with a long TTL, and then accept connections to those IPv4
addresses from different exits over time. With IPv6, it's easy.)
This makes proposal 205 especially necessary here.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
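Section 2.3 of the proposal above appends a 32-bit flags field to the BEGIN cell body and leaves the address choice to the exit. The following is an added example, not code from Tor or from the proposal's author: the function and struct names are hypothetical, and it assumes the flags are stored in network byte order with "bit 1" as the least significant bit, neither of which the proposal text states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the proposal's "bit 1" is the least significant bit. */
#define BEGIN_FLAG_IPV6_OK        (1u << 0)
#define BEGIN_FLAG_IPV4_NOT_OK    (1u << 1)
#define BEGIN_FLAG_IPV6_PREFERRED (1u << 2)

struct begin_req {              /* hypothetical parsed form of a BEGIN body */
    char     host[256];
    uint16_t port;
    uint32_t flags;
};

/* Client side: write ADDRESS ':' PORT [00] FLAGS into out[size].
 * Returns the number of bytes used, or -1 if it does not fit. */
int begin_encode(uint8_t *out, size_t size, const char *host,
                 uint16_t port, uint32_t flags)
{
    int n;

    if (out == NULL || host == NULL || port == 0)
        return -1;
    n = snprintf((char *)out, size, "%s:%u", host, (unsigned)port);
    if (n < 0 || (size_t)n + 1 + 4 > size)
        return -1;
    /* out[n] already holds the [00] written by snprintf */
    out[n + 1] = (uint8_t)(flags >> 24);   /* assumed: network byte order */
    out[n + 2] = (uint8_t)(flags >> 16);
    out[n + 3] = (uint8_t)(flags >> 8);
    out[n + 4] = (uint8_t)flags;
    return n + 5;
}

/* Exit side: parse a BEGIN body of len bytes. Returns 0 or -1.
 * A body from an older client is all [00] after the terminator, and a body
 * with fewer than four bytes after it carries no flags; both give flags 0. */
int begin_parse(const uint8_t *p, size_t len, struct begin_req *req)
{
    const uint8_t *nul;
    const char *colon;
    char *endp;
    size_t hlen;
    unsigned long port;

    if (p == NULL || req == NULL)
        return -1;
    nul = memchr(p, 0, len);
    if (nul == NULL)
        return -1;                         /* no [00]: never read past len */
    colon = strrchr((const char *)p, ':'); /* last ':' so "[::1]:80" works */
    if (colon == NULL)
        return -1;
    hlen = (size_t)(colon - (const char *)p);
    if (hlen == 0 || hlen >= sizeof req->host)
        return -1;
    if (colon[1] < '0' || colon[1] > '9')  /* no sign or space before digits */
        return -1;
    port = strtoul(colon + 1, &endp, 10);
    if (*endp != '\0' || port == 0 || port > 65535)
        return -1;
    memcpy(req->host, p, hlen);
    req->host[hlen] = '\0';
    req->port = (uint16_t)port;
    req->flags = 0;
    if (len - (size_t)(nul - p) - 1 >= 4)
        req->flags = ((uint32_t)nul[1] << 24) | ((uint32_t)nul[2] << 16) |
                     ((uint32_t)nul[3] << 8)  |  (uint32_t)nul[4];
    return 0;
}

/* Exit side: pick the address family for a resolved target.
 * Returns 6, 4, or 0 when nothing acceptable exists (refuse the stream).
 * Reserved bits 4..32 are ignored. */
int choose_family(uint32_t flags, int have_v4, int have_v6)
{
    int v6 = have_v6 && (flags & BEGIN_FLAG_IPV6_OK);
    int v4 = have_v4 && !(flags & BEGIN_FLAG_IPV4_NOT_OK);

    if (v4 && v6)
        return (flags & BEGIN_FLAG_IPV6_PREFERRED) ? 6 : 4;
    return v6 ? 6 : (v4 ? 4 : 0);
}

int main(void)
{
    uint8_t cell[64];
    struct begin_req r;
    /* constructed sample request */
    int n = begin_encode(cell, sizeof cell, "example.com", 443,
                         BEGIN_FLAG_IPV6_OK | BEGIN_FLAG_IPV6_PREFERRED);

    if (n < 0 || begin_parse(cell, (size_t)n, &r) != 0)
        return 1;
    printf("%s port %u flags 0x%x -> IPv%d\n", r.host, (unsigned)r.port,
           (unsigned)r.flags, choose_family(r.flags, 1, 1));
    return 0;
}
```

With flags 0 the parser and `choose_family` reproduce the pre-proposal behaviour (IPv4 only), which is why an exit can accept both old and new clients with the same code path.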