cypherpunks
[liberationtech] the virtual revolution in Second Life -- virtual model or just more RL?
by Shava Nerad 24 Oct '13
A virtual trip report with the strongest insider activist biases. Probably
if anyone wants a paper out of this, I'm a subject, not an author.
Perhaps a small thing in the larger world, where Tor has been in the
headlines for Silk Road and amusing powerpoint presentations by the NSA
this week, eh?
But in the world of tiny virtual first-world-problems, I am also an art
performance celebrity/Buckaroo Banzai type in virtual space.
tldr links:
http://quora.com/What-are-some-brain-hacks-that-neuroscientists-psychologis…
http://www.youtube.com/watch?v=3ukKCWRJudM (getting our act slotted on
NBC's America's Got Talent)
http://www.businessweek.com/stories/2008-02-14/so-i-married-an-avatarbusine…
http://npirl.blogspot.com/2008/02/tunas-trippy-textures.html
http://www.youtube.com/watch?v=IiAG06k9m7o (one of a series of stealth edu
machinima produced for German TV)
http://oddfellowstudios.com
We have a following of some reasonable thousands on SL, even though we've
been in slack mode for a couple years, since this is, needless to say, not
a money maker. But it is community.
The Second Life community is notable for its to-me loveable and often
neurotic population of fannish, high percentage (I'm not) transhumanist
digital natives who make "digital native" an absolute in a way unheard of
in most gaming or social media contexts.
As such, this community is an interesting vanguard for social, legal, and
other bubbling up phenomena before they hit more sociotypical online
society. With a higher percentage of ASD, disabled, homebound, socially
isolated folks, as well as a higher percentage of cultural creatives,
intellectuals, educators, DIY/makerspace each-one-teach-one types, medical
outreach groups, activists, self-help group facilitators and coaches, human
rights advocates, (para)military trainers, wisdom teachers, and other
engaged intellectuals (often meshing in Venn diagrams) -- whose silos
sometimes interact or not with a vast majority of consumers who are just
there to party and buy cool clothes, dance, and hook up -- it's a weird
weird weird weird virtual world.
When it came to light recently that Linden Lab, operator of Second Life,
had made some incredibly draconian changes to their TOS, the community
freaked. And LL went to New World Notes (the primary metagame media) and
smoothed things out with PR, for the most part.
Then I saw the TOS more recently through an individual blog article in the
arts community (as I said, we're a bit behind and in slack mode) and
freaked, myself, and posted here a couple weeks ago.
As a result, in the intervening time, there's been a turnaround in
community opinion on the issue. We catalyzed a great deal of that.
Oddfellow Studios (that being me and Fish Fishman, aka Shava Suntzu and
Tuna Oddfellow in virtual space) pulled our stuff and moved to Inworldz, an
open source grid (imagine a miniature version of Second Life with
thousands rather than millions of users -- a public private server, so to
speak, still with a real-money economy, and with the same asset server type
so you can import your own assets -- and violating license could
conceivably rip other peoples' (c) but we don't, or could import certain
FOSS licensed assets which we have).
We were back up and running a rough equivalent to our show within a week,
including our monthly collaboration with JaNa KyOmOoN (AKA Jan Pulsford,
keyboardist to Cyndi Lauper) with whom we do two monthly dates cross
continent, us in New England, her in England.
Because we are art performance folks and our fans tend to be early adopters
even for SL, I think a lot of our fans weren't hesitant to "jump grids" and
become metaversals -- this is to say, they just registered with Inworldz,
created a new avatar, loaded up the very similar client, and came to enjoy
the show.
The shows in SL got press coverage too, showing how easy it was to move,
and how people moved with us as our fan base.
Through all this, I worked the metagame press, as well as blogging and
discussing the issues in and out of game, as did Tuna. Language and
backgrounders we crafted began to propagate, and went unopposed by any
official pushback by the Lab.
New World Notes did a dramatic turnaround on their position when I pointed
out that a perpetual irrevocable license (including rights to
reassign/sell/resell) means that if, say, the Lab goes tits up, all assets
go into receivership and anything in the SL asset server is up for auction
if it isn't marked by copyright -- hunting down your assets to defend them
is up to the owner in that case (IANAL but I did use to work in
entertainment licensing).
By the time you straighten things out tracking and defending your
copyrights, as I pointed out, your legal help better be free.
NWN went to the Lab for comment a couple weeks ago. Got none presumably.
I think Hamlet/NWN felt somewhat played by the previous PR response he'd
gotten. He's solidly on the dissent side of the question now, perhaps
feeling like he was likely responsible for people making bad decisions in
the first round, although I haven't directly asked him that -- seems like
bad form.
Though the Lab hasn't officially responded, an interesting, quite erudite
comment that opened "Well, I'm not a creator in SL and I don't have a horse
in this race but..." on New World Notes signed "imho" supported the Lab's
position with expert legal language -- conflating several points
masterfully. I refuted it, and postulated "This might not be a very humble
opinion, but might even be Humble's [the Linden Lab current CEO's]
opinion." "imho?" lol. While I've been ill, one of my sidelines for
income has been working as a ghost writer because I have a great ear for
different writers' cadence and style. 'nuff said...
Now the "bug" is spreading from the arts community to educators and many
other communities that have been long time conservative land holder blocs
(this is to say, income producers and also PR anchors that are not pr0n) in
SL. Intellectual foment is taking over, as is often the case in RL
governmental stonewalls of this sort. Movement momentum is reaching, if it
hasn't reached, a tipping point, and the brain drain is likely unstoppable.
Several major vendors of intellectual property (textures, art assets) have
pulled their relationship with SL, stopped selling and forbidden creation
of new assets with their assets in SL.
Creators are leaving SL in droves for alternate open source grids. The
mothership is emptying out, at least experiencing a brain drain of a
vibrant population that characterized its first generation, the generation
that made it "Second Life," the dream of its own mad (social) scientist
creator, founding CEO Philip Rosedale.
Every week that LL withholds action and further comment, they are heading
further toward a future more like There.com (an authoritarian
barbie-and-ken-and-einstein-on-the-beach dead virtual world that was
entirely company authored content) and less like the Burning Man inspired
"Your World, Your Imagination" user-created economy envisioned a decade ago.
So my assumptions are:
They have to know what's going on.
They aren't STOOPID.
They are either constrained in action.
Or they want us out.
Or they find the cost acceptable.
Or some amalgam thereof.
It seems to me that the company is too small for them to be slow to act,
which is another possibility in a very large company or bureaucracy. But
I'll include that as a gridlock staff/board conflict, say, as a low
possibility. Never underestimate the paralysis potentiality of politics.
Look at DC.
Another interesting aspect becomes the influence of the government
crackdown on the Linden Dollar as a "bitcoin" like currency exchange.
Several Linden Lab independent linden dollar currency exchanges were shut
down in dramatic style earlier this year with the loving interference of
the US government, and only two were reopened after undisclosed
negotiations having to do with PII, it seems (although more have opened
since) -- so this does have some legit overlap with interests on this
list...heh...
I've even entertained for a fleeting moment that they have some sort of
weird NSL thing going on...NAH... C'mon Shava... Not every
uncommunicative stonewall from an internet company you like has an NSL
behind it... These are just odd times.
http://slnewser.blogspot.com/2013/05/most-third-party-linden-exchange.html
But interference in the exchanges could also lead to FUD within the
investors, a new strength to the internal political clout of the legal
department, and many other destabilizing issues (the PR department
explanation for the new TOS is that Legal wants "a unified TOS across all
the Linden Lab businesses," which include game companies with no user
created content). My refutation to this was that if they were running a
truck fleet and an airline fleet for shipping businesses, their legal
department would be fools to use the same liability and shipping guarantees
for both companies.
What are other pressures on a company like LL, their board/investors, and
the future of Internet culture that leads to moves like this these days?
What will it mean to the diaspora of creators to move into a cloud of
small grids and how will that be a model for systems like Diaspora and more
traditional forms of social networking?
Seems to me this is a mesh of issues that bears watching for some folks
here. I understand Second Life has been so "over" for at least a half
dozen years, but we've been ahead of the game(s) (and distinctly off
center) for at least a decade, so we make up for it. ;)
yrs,
--
Shava Nerad
shava23(a)gmail.com
--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys(a)stanford.edu.
At 09:56 AM 10/17/2013, grarpamp wrote:
>I'd guess that with good sources, today's prng code is sufficiently
>strong and at least some unix systems do save state across reboot.
>Now if someone would just sell a completely open discrete logic
>serial port hw entropy source for under $50... that would end
>a lot of the talk. Even with a more costly radiation source rather
>than other phenomena you'd still likely make good profit in quantity
>from China at that price.
First of all, lots of important hardware doesn't have ports on it,
particularly virtual machines, which have a whole raft of issues
even if you're running them on a server you physically control rather than
somebody else's cloud service. The server has some ports,
but you need to make sure your hypervisor and clients have drivers that
will let the client access the hypervisor's /dev/random or equivalent.
VMware will have to do their own; you might contribute to OpenStack.
Another important kind of hardware where that doesn't work is
home routers, because the market price of $29-99 can't support much
extra money for randomness hardware; if it's not in the ARM core
or whatever other low-power cheap CPU, then it's only going to be
able to extract entropy from timing and network traffic,
and there's unlikely to be a high-precision clock chip.
Maybe you can get the manufacturer to burn a pseudo-random number
into the box along with the ethernet MAC or something,
but otherwise it's going to have to be software.
(So maybe you can augment Tomato/WRT-11/etc to listen for traffic
for a while before starting, and write an app for your PC
that beacons some entropy for the router to listen to?)
As far as your entropy dongle goes, the only way to get it cheap
is to make large volumes, which means you need a device that's
intended for some other application, like a $20 TV tuner/audio frob
or a webcam in a dark can getting CCD noise, or a webcam you wave at.
If you want speed, you need USB, not serial, but that's fine,
because almost nobody's including real serial ports these days.
If you want slow, you can get a geiger counter from Sparkfun/etc. for ~$99,
but you're not going to get anything intentionally radioactive
shipped cheap from China.
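Before any of the repurposed devices discussed above (webcam in a dark can, TV tuner, geiger counter, packet timing) is trusted, a practitioner wants to measure what it actually delivers. The following is an added example, not code from this thread: it implements the most-common-value min-entropy estimate and the two continuous health tests of NIST SP 800-90B, plus a conditioning step that only emits a seed once enough raw samples have been collected; every sample stream in it (the SHA-256 counter stream standing in for a healthy source, the stuck source, the plain counter) is constructed.

```python
"""Health checks and conditioning for a candidate raw noise source (added
example, not code from the thread). Models the most-common-value estimator
and the two continuous health tests of NIST SP 800-90B, the checks you would
run on a repurposed webcam/tuner/geiger source before its raw output goes
anywhere near a kernel pool. All sample streams here are constructed."""
import hashlib
import math
from collections import Counter
from typing import Optional

def mcv_min_entropy(samples: bytes) -> float:
    """Most-common-value estimate: a lower bound on per-sample min-entropy
    in bits (SP 800-90B 6.3.1, without the confidence-interval adjustment)."""
    if not samples:
        return 0.0
    p_max = Counter(samples).most_common(1)[0][1] / len(samples)
    return -math.log2(p_max)

def repetition_count_test(samples: bytes, h_min: float,
                          alpha: float = 2.0 ** -20) -> bool:
    """Catch a source stuck on one value: fail on any run of identical
    samples of length >= C, with C = 1 + ceil(-log2(alpha) / H)."""
    if h_min <= 0:
        return False
    cutoff = 1 + math.ceil(-math.log2(alpha) / h_min)
    run, last = 0, None
    for s in samples:
        run = run + 1 if s == last else 1
        last = s
        if run >= cutoff:
            return False
    return True

def adaptive_proportion_cutoff(h_min: float, window: int = 512,
                               alpha: float = 2.0 ** -20) -> int:
    """Smallest C with P(Binomial(window, 2^-H) >= C) <= alpha, computed
    from the binomial tail instead of read from the 800-90B table."""
    if h_min <= 0:
        return 1
    p = 2.0 ** -h_min
    log_p, log_q = math.log(p), math.log1p(-p)
    tail = 0.0
    for k in range(window, 0, -1):  # accumulate the upper tail downwards
        log_term = (math.lgamma(window + 1) - math.lgamma(k + 1)
                    - math.lgamma(window - k + 1)
                    + k * log_p + (window - k) * log_q)
        tail += math.exp(log_term)
        if tail > alpha:
            return k + 1
    return 1

def adaptive_proportion_test(samples: bytes, h_min: float, window: int = 512,
                             alpha: float = 2.0 ** -20) -> bool:
    """Catch a source drifting toward one value: in each disjoint window the
    first sample's value must occur fewer than C times."""
    cutoff = adaptive_proportion_cutoff(h_min, window, alpha)
    for start in range(0, len(samples) - window + 1, window):
        win = samples[start:start + window]
        if win.count(win[0]) >= cutoff:
            return False
    return True

def condition(samples: bytes, h_min: float, out_bits: int = 256) -> Optional[bytes]:
    """Hash raw samples into a seed only once enough have been gathered that
    their summed min-entropy covers out_bits; None until then."""
    if h_min <= 0:
        return None
    needed = math.ceil(out_bits / h_min)
    if len(samples) < needed:
        return None
    return hashlib.sha256(samples[:needed]).digest()

def assess(samples: bytes) -> dict:
    """Estimate H and run both health tests; all must pass before the raw
    output is worth conditioning."""
    h = mcv_min_entropy(samples)
    return {"h_min": h, "repetition_ok": repetition_count_test(samples, h),
            "proportion_ok": adaptive_proportion_test(samples, h)}

def constructed_stream(n: int, tag: bytes = b"demo") -> bytes:
    """SHA-256 in counter mode: a deterministic, constructed stand-in for a
    healthy 8-bit source. It is NOT an entropy source."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(tag + ctr.to_bytes(4, "big")).digest()
    return bytes(out[:n])

# Constructed failure case: a source that ran, got stuck on 0x2a, then recovered.
STUCK_SOURCE = bytes(range(256)) * 2 + b"\x2a" * 200 + bytes(range(256)) * 2
# A plain counter passes every check with H = 8: these tests catch gross
# failures only and say nothing about predictability.
PLAIN_COUNTER = bytes(range(256)) * 16
```

Run `assess()` on each stream to see the stuck source fail both health tests while the counter passes them, which is why health tests are a necessary but never a sufficient gate.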
Check out new Tor distro - Linux Kodachi
http://www.digi77.com/linux-kodachi/
http://sourceforge.net/projects/linuxkodachi/
--
Trigger Happy
jabber: triggerhappy(a)jabber.ccc.de
torchat: xruq34bnhbqlkjtn
RISKS-LIST: Risks-Forum Digest Wednesday 23 October 2013 Volume 27 : Issue 57
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.57.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Wall Street software failure & relationship to voting
(Jeremy Epstein)
SecureDrop Project Will Pay To Install Media Outlets' WikiLeaks-Style
Submission Systems (Andy Greenberg via Gabe Goldberg)
Authors Accept Censors' Rules to Sell in China (Andrew Jacobs via
Lauren Weinstein)
MIT Tech Review: The Decline of Wikipedia (Tom Simonite via
Lauren Weinstein)
`Hacker' --> `criminality' ??? (Robert Schaefer)
Re: France summons US ambassador to answer allegations of widespread
NSA surveillance (Richard A. O'Keefe)
Re: Americans Are Way Behind in Math, Vocabulary, and Technology
(Richard S. Russell)
Re: GPS map leads to border crossing and shooting (Scott Nicol)
Unauthorized Access: The Crisis in Online Privacy and Security, by
Sloan and Warner (PGN)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Wed, 23 Oct 2013 21:51:42 -0400
From: Jeremy Epstein <jeremy.j.epstein(a)gmail.com>
Subject: Wall Street software failure & relationship to voting
[Also posted to Freedom to Tinker, slightly PGN-ed for RISKS.]
An article in *The Register* explains what happened in the 1 Aug 2012 Wall
Street glitch that cost Knight Capital $440M, resulted in a $12M fine, and
nearly bankrupted Knight Capital (forcing them to merge with someone
else). In short, there were 8 servers that handled trades; 7 of them were
correctly upgraded with new software, but the 8th was not. A particular
type of transaction triggered the updated code, which worked properly on the
upgraded servers. On the non-upgraded server, the transaction triggered an
obsolete piece of software, which behaved altogether differently. The
result was large numbers of incorrect "buy" transactions.
The bottom line is that the cause of the failure was lack of careful
procedures in how the software was deployed, coupled with a poor design
choice that allowed a new feature to reuse a previously used obsolete
option, which meant that the trigger caused an unanticipated result (instead
of being ignored or causing an error).
So, what does this have to do with voting? It's not hard to imagine an Internet
voting scheme using 8 servers, and even if the software doesn't have
security flaws per se, a botched upgrade like this might work just fine for
7/8 of the voters, and silently fail for the 1/8. If the procedures aren't
in place to check all of the systems (and such procedures apparently didn't
exist at Knight Capital), a functional check might not detect a mismatch.
This experience emphasizes that proper operation isn't *just* having the
software itself being built correctly -- it's also having it fielded
properly. In a way, this is similar to the DC Internet voting experiment --
in that case, there was a bug in the software, but that particular bug
wouldn't have been exploitable if it hadn't been for a mistake in how the
software was fielded, replacing one version of a software library with a
different version that had an exploitable bug. [This is not to suggest that
this was the only bug in the DC voting software, or that Internet voting is
safe, just tying it to the particular exploit that happened.]
Background:
http://www.theregister.co.uk/2013/10/23/lone_sysadmin_caused_462_meeellion_…
http://www.usatoday.com/story/money/business/2013/10/16/knight-capital-sec-…
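As an added illustration of the two lessons Epstein draws (this is not code from the RISKS item or from Knight Capital), here is a rollout gate that refuses to enable a feature while any server reports a build other than the one being deployed, while a server is silent, or while an older build would also act on the chosen flag; all host names, build ids and flag names are constructed placeholders.

```python
"""Rollout gate for a multi-server deployment, added as an example (it is
not from the RISKS item and not Knight Capital's code). It encodes the two
lessons above: a feature may only be switched on once every server reports
the same build, and the flag that switches it on must not be one an obsolete
code path still acts on. Hosts, build ids and flag names are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class ServerReport:
    host: str
    build: str                     # build id reported by the running process
    handled_flags: FrozenSet[str]  # order flags this build acts on


# Constructed: flag values used by retired features. Never reassign them.
RETIRED_FLAGS = frozenset({"LEGACY_ROUTING_MODE"})


def lagging_hosts(reports: List[ServerReport], expected_build: str) -> List[str]:
    """Hosts whose running build is not the one being rolled out."""
    return sorted(r.host for r in reports if r.build != expected_build)


def flag_reuse_conflicts(flag: str, reports: List[ServerReport],
                         expected_build: str) -> List[str]:
    """Hosts on another build that would also act on this flag: the case
    where the trigger reaches obsolete code instead of being ignored."""
    return sorted(r.host for r in reports
                  if r.build != expected_build and flag in r.handled_flags)


def gate_feature(flag: str, reports: List[ServerReport], expected_build: str,
                 fleet_size: int) -> Tuple[bool, List[str]]:
    """Return (ok, reasons); any reason blocks enabling the feature."""
    reasons = []
    if flag in RETIRED_FLAGS:
        reasons.append(f"flag {flag} belongs to a retired feature")
    if len(reports) != fleet_size:
        reasons.append(f"{len(reports)} of {fleet_size} servers reported")
    lagging = lagging_hosts(reports, expected_build)
    if lagging:
        reasons.append("not on " + expected_build + ": " + ", ".join(lagging))
    conflicts = flag_reuse_conflicts(flag, reports, expected_build)
    if conflicts:
        reasons.append("old code also acts on " + flag + ": " + ", ".join(conflicts))
    return (not reasons, reasons)


# Constructed fleet: seven servers upgraded, the eighth still on the old build.
NEW_BUILD, OLD_BUILD = "build-2012.08.01-r2", "build-2012.07.15-r9"
FLEET = [ServerReport(f"trade-0{i}", NEW_BUILD, frozenset({"NEW_FEATURE"}))
         for i in range(1, 8)]
FLEET.append(ServerReport("trade-08", OLD_BUILD, frozenset({"LEGACY_ROUTING_MODE"})))
```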
------------------------------
Date: Wed, 23 Oct 2013 12:01:20 -0400
From: Gabe Goldberg <gabe(a)gabegold.com>
Subject: SecureDrop Project Will Pay To Install Media Outlets' WikiLeaks-Style
Submission Systems (Andy Greenberg)
Andy Greenberg, *Forbes*, 15 Oct 2013
The non-profit Freedom of the Press Foundation (FPF) announced the launch of
SecureDrop, a piece of open-source software designed to serve as an
anonymous submission systems for media organizations. And to encourage news
outlets to install it, the Foundation has offered to send one of
SecureDrop's creators, security consultant James Dolan, to willing news
outlets to help install it, in some cases even paying for the necessary
hardware.
SecureDrop, which like WikiLeaks depends on the anonymity software Tor to
hide leakers' identities, was developed from the open-source software
DeadDrop, initially created by the late coder and activist Aaron Swartz
along with Dolan and Wired editor Kevin Poulsen.
http://www.forbes.com/sites/andygreenberg/2013/10/15/securedrop-project-wil…
------------------------------
Date: Tue, 22 Oct 2013 21:58:40 -0700
From: Lauren Weinstein <lauren(a)vortex.com>
Subject: Authors Accept Censors' Rules to Sell in China (Andrew Jacobs)
"Foreign writers who agree to submit their books to China's fickle
censorship regime say the experience can be frustrating. Qiu Xiaolong, a
St. Louis-based novelist whose mystery thrillers are set in Shanghai, said
Chinese publishers who bought the first three books in his Inspector Chen
series altered the identity of pivotal characters and rewrote plot lines
they deemed unflattering to the Communist Party. Most egregiously, he
said, publishers insisted on removing any references to Shanghai,
replacing it with an imaginary Chinese metropolis called H city because
they thought an association with violent crime, albeit fictional, might
tarnish the city's image."
http://j.mp/1dh4BGA (New York Times via NNSquad)
[The article also notes the extensive redaction of a biography of
reformist leader Deng Xiaoping written by Ezra F. Vogel. I presume
this issue of RISKS will also be censored or redacted in China. PGN]
------------------------------
Date: Tue, 22 Oct 2013 22:22:59 -0700
From: Lauren Weinstein <lauren(a)vortex.com>
Subject: MIT Tech Review: The Decline of Wikipedia (Tom Simonite)
"Yet Wikipedia and its stated ambition to "compile the sum of all human
knowledge" are in trouble. The volunteer workforce that built the
project's flagship, the English-language Wikipedia -- and must defend it
against vandalism, hoaxes, and manipulation -- has shrunk by more than a
third since 2007 and is still shrinking. Those participants left seem
incapable of fixing the flaws that keep Wikipedia from becoming a
high-quality encyclopedia by any standard, including the project's
own. Among the significant problems that aren't getting resolved is the
site's skewed coverage: its entries on Pokemon and female porn stars are
comprehensive, but its pages on female novelists or places in sub-Saharan
Africa are sketchy. Authoritative entries remain elusive. Of the 1,000
articles that the project's own volunteers have tagged as forming the core
of a good encyclopedia, most don't earn even Wikipedia's own
middle-ranking quality scores. The main source of those problems is not
mysterious. The loose collective running the site today, estimated to be
90 percent male, operates a crushing bureaucracy with an often abrasive
atmosphere that deters newcomers who might increase participation in
Wikipedia and broaden its coverage."
http://j.mp/1a6l6UL (MIT via NNSquad)
------------------------------
Date: Tue, 22 Oct 2013 13:32:54 -0400
From: Robert Schaefer <rps(a)haystack.mit.edu>
Subject: `Hacker' --> `criminality' ???
In the eyes of the court, calling yourself a hacker is equivalent to
admitting criminality:
http://yro.slashdot.org/story/13/10/22/153259/call-yourself-a-hacker-lose-y…
http://www.digitalbond.com/blog/2013/10/22/call-yourself-a-hacker-lose-your…
robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886 781-981-5767 http://www.haystack.mit.edu
------------------------------
Date: Wed, 23 Oct 2013 18:18:14 +1300
From: "Richard A. O'Keefe" <ok(a)cs.otago.ac.nz>
Subject: Re: France summons US ambassador to answer allegations of
widespread NSA surveillance
http://catless.ncl.ac.uk/Risks/27.56.html#subj9 tells us that the French
government are unhappy about the NSA. Let's see where the logic takes us.
1. Blowing up a vehicle in a foreign city and killing an unarmed civilian is
a terrorist act.
2. An organisation that trains, equips, and commands such an act is a
terrorist organisation.
3. Anyone who contributes to the funding of such an organisation is
supporting a terrorist organisation.
4. Anyone who supports a terrorist organisation is a legitimate target of
surveillance in the war against terror.
5. In 1985, the French government carried out such a terrorist act in the
largest city of my country.
http://en.wikipedia.org/wiki/Sinking_of_the_Rainbow_Warrior
6. Therefore every French taxpayer is a legitimate target of surveillance
and the French government have no grounds for complaint.
Of *course* there are flaws in this (except for 5, which is a legally
established fact). But it's frighteningly plausible if you don't stop
to think. And it's exactly the kind of "reasoning" that is easy to
embody in computer software. (Maybe I should have written these claims
using OWL...) Is there anyone, other perhaps than the inhabitants of a
few villages in PNG and Vanuatu, that we _can't_ cover this way?
------------------------------
Date: Mon, 21 Oct 2013 22:08:47 -0500
From: "Richard S. Russell" <richardsrussell(a)tds.net>
Subject: Re: Americans Are Way Behind in Math, Vocabulary, and Technology
(Davidson, RISKS-27.56)
If American kids had to take their reading and writing tests in Spanish
rather than English, we wouldn't expect them to do very well, since Spanish
isn't the first language for most of them.
Yet we expect them to take science and math tests which are written using
metric units -- the international "language" of technology. And we SHOULD
expect this! The sad part is that, while metric units are the first language
of measurement for 95% of the world's population, they remain a foreign
tongue to almost every American, with commensurate results.
Ben Franklin advocated the metric system. Congress adopted the Metric
Conversion Act of 1975, and it looked as if we were finally on our way. But
then Ronald Reagan was elected president, took the solar panels off the
White House roof, and declared that there was no way any government
reporting to him was going to dictate measurement rules to business. "Let
the free market decide", he insisted. And metrication came to a dead halt.
We continue to pay the price today, not only in substandard education but
also in failure to manufacture to the kind of international standards that
might earn us foreign markets. Plus which, ACHU* makes us dumber, almost as
if we had to do all our math using Roman numerals.
* Accidental Collection of Heterogeneous Units -- don't mislabel it the
"English system". First off, it's not a system (no design), it's an
accident. 2nd, the English have come to their senses and metricated
decades ago. And for gosh sake don't call it the "American system",
because then all the super-patriots will insist that it's a matter of
national honor to stick to it.
Richard S. Russell, 2642 Kendall Av. #2, Madison WI 53705-3736 608+233-5640
http://richardsrussell.livejournal.com/ If God had wanted us to use the
metric system, he would have given us 10 fingers. Ashleigh Brilliant
------------------------------
Date: Tue, 22 Oct 2013 10:53:33 -0400
From: Scott Nicol <scott.nicol(a)gmail.com>
Subject: Re: GPS map leads to border crossing and shooting (DeRobertis,
RISKS-27.56)
In RISKS-27.56, Anthony DeRobertis writes:
> This is the most misleading Subject: line I can remember having appeared in
> RISKS.
Hyperbole in RISKS subject lines? Inconceivable!
I cross borders often and it is never routine. I've been "delayed" 6 times
(that I recall) at the US/Canada border, even though I had my papers in
order. Some of those were probably due to fitting a profile, other times
because I won the let's-randomly-check-somebody lottery. If you come
without papers, you've won the lottery by default. Anything can happen once
they pull you aside and start digging.
The border crossing guard won't likely take your story at face value. Even
between friendly nations like Canada and the US, there are plenty of things
that could result in something much more serious than a delay when crossing
the border.
You look Mexican. Your last name is Mohammed. You look like a terrorist.
You don't sound or look like a Canadian. You are not a Canadian citizen,
where's your US visitor visa?
Or you have kids in your car. Where is the other parent? Why does that kid
not look like you? Is that baby really yours?
Perhaps you're carrying contraband? Cuban cigars? Kinder Eggs?
http://www.cbc.ca/news/canada/manitoba/kinder-surprise-egg-seized-at-u-s-bo…
http://www.cbp.gov/xp/cgov/newsroom/news_releases/national/2012_nr/apr_2012…
Drugs? Some medications with codeine are available over the counter in
Canada, but only legal with a prescription in the US. You are carrying
marijuana, or your buddy in the passenger seat is, or a friend stuffed some
under a seat cushion last week. The US will seize your car on the spot, but
you don't have to worry about transportation because you'll get a free ride
in the back seat of a government car.
You have a prior criminal record. You have been barred from entering the
US. You have a warrant in the US. You have too much beer in the trunk of
your car.
Regardless if they let you through or turn you around, you'll have to go
through customs on return to Canada and you can run into the same set of
problems, and even more because there are legal reasons why you may not be
allowed to leave (you are out on bail, probation, parole) or return
(single-entry visa) to Canada.
And yes turning around means going through Canadian customs, because the US
customs house is on US soil. What could possibly go wrong? What if you
aren't admissible to Canada or the US? How do you think people get stuck in
limbo in airport terminals?
------------------------------
Date: Tue, 22 Oct 2013 16:42:07 PDT
From: "Peter G. Neumann" <neumann(a)csl.sri.com>
Subject: Unauthorized Access: The Crisis in Online Privacy and Security
(Sloan and Warner)
Robert H. Sloan and Richard Warner
Unauthorized Access: The Crisis in Online Privacy and Security
CRC Press, 2014
xxiii+374
Robert Sloan is a professor of computer science, and Richard Warner is a law
professor, which would seem to make a nice collaboration. However, this
book is explicitly aimed primarily at legal and policy folks, rather than
techies. The back jacket says that this book ``proposes specific solutions
to public policy issues pertaining to online privacy and security.'' It is
highly readable, and could be very helpful for those who are not yet aware
of the serious issues it raises and the remedies it proposes.
On the other hand, it seems much less specific in discussing the
implications of many of the security problems (such as pervasive
vulnerabilities and exploits) whose existence might make some of the legal
and policy issues less effective, or whose remediation might possibly make
the recommended fixes less necessary. Also, there seem to be many inherent
weaknesses in best practices (not just in those proposed), as well as likely
limitations in legal remedies that might still exist despite the authors'
recommendations. A second edition might dig further into some of these
additional considerations. However, their recommendations certainly deserve
serious consideration -- especially given the poor state of the technology
for security, integrity, reliability, and so on. Overall, policy and law
are important -- if properly enforced. At the same time, they are not
enough by themselves -- especially in the absence of meaningful
trustworthiness of systems, networks, and people.
I have a few quibbles with the title of the book that may be familiar to
long-time RISKS readers, first with `Unauthorized Access', and second with
`Online Privacy and Security'. As we should learn from studying exploits
such as the Internet Worm and the Snowden affair, many of our problems in
this area involve Authorized Access rather than Unauthorized Access,
especially relating to policies, ethics, and the law. For example, as I
noted in RISKS-12.15 relating to the Internet Worm, no authorization was
required to exploit the sendmail debug option, the finger daemon buffer
overflow, freely open-to-the-world .rhosts files, and explicitly readable
encrypted password files. This fact seriously muddied the waters in a
prosecution that was based on Exceeding Authority when no authority was
actually required. Similarly, denial-of-service attacks frequently require
no authority, even when they manage to exploit fundamental flaws in
security. Worse yet, privacy violations often exist outside the purview of
computer system authentication and access controls, in which case it is not
at all clear what is actually `unauthorized' once the information involved
has become extrinsic to the systems in which it originated. Thus, offline
privacy is perhaps just at least as problematic as online privacy, while
offline security seems to be more of a fantasy. Besides, as I noted in my
Inside Risks column, The Foresight Saga, Redux (Comm.ACM 55, 10, Oct 2012,
http://www.csl.sri.com/neumann/cacm228/pdf) although the best may be the
enemy of the good, the good may not be good enough.
------------------------------
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request(a)csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request(a)csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe(a)csl.sri.com or risks-unsubscribe(a)csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall(a)newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks(a)CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 27.57
************************
All these passionate reports refer to the hyped Der Spiegel
piece, slathered with additional hype, padded with dated filler,
mused wanderings across the Snowden veldt.
The key document that has set techies pushing "credible
evidence" appears to be a two-page outline released by
Le Monde titled "Close Access Sigads" which lists a
batch of techie-like techniques used to intercept comms.
http://cryptome.org/2013/10/nsa-close-access-sigads.pdf
There has been discussion of these tricks around tech
circles due to the sparsity of technical information in most of
the Snowden releases in favor of generalities beloved by
tech-illiterate journalists and their readers.
It is likely some techies fed tips and luridities to the German
spies (most of whom are also tech-illiterate and must rely
on tech-aware recruits and contractors who are treated
with disdain by old HUMINT-seasoned salts). Given a bit
of goose by the techie informants, the German spies saw
a great way to boost their tech budget, and leaped into action.
Same as in the US administration and Congress and their
kind around the world. Devilish comsec techies are nothing if not
opportunistic, MIT and Silicon Valley born and bred, and pray
nightly many Mannings and Snowdens will continue to valorize
their career of code and hack hokum.
Mea culpa maxima. Have you seen our media campaign?
At 07:48 PM 10/23/2013, you wrote:
>http://www.theguardian.com/world/2013/oct/23/us-monitored-angela-merkel-german
======================================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 11.20, 23 October 2013
=======================================================================
Contents
=======================================================================
1. Data protection vote – one step forward, two big steps backwards
2. Tough negotiations for the law enforcement data protection directive
3. France is demanding explanations from the US over NSA surveillance
4. ECtHR: Internet news portal liable for the offensive online comments
5. Increased level of online censorship in Italy
6. European Court of Justice: Fingerprints in electronic passport are OK
7. After 3 years: French authority Hadopi keeps proving its uselessness
8. Skype is investigated in Luxembourg for its relations to NSA
9. Recommended Action
10. Recommended Reading
11. Agenda
12. About
=======================================================================
1. Data protection vote – one step forward, two big steps backwards
=======================================================================
The European Parliament's Civil Liberties Committee held a crucial vote
on Monday evening, 21 October 2013, on the future of privacy and data
protection in Europe.
We applaud Parliamentarians for supporting – and even improving –
several important and valuable elements of the original Commission
proposal. We are particularly happy that the Committee chose to overturn
the Commission's proposal to allow Member States the scope to exempt
themselves from the rules on profiling.
Nonetheless, we are shocked and disappointed that Parliamentarians voted
to introduce massive loopholes that undermine the whole proposal.
“If allowed to stand, this vote would launch an 'open season' for online
companies to quietly collect our data, create profiles and sell our
personalities to the highest bidder” said Joe McNamee, Executive
Director of European Digital Rights. “This is all the more disappointing
because it undermines and negates much of the good work that has been
done,” he added.
Despite almost daily stories of data being lost, mislaid, breached and
trafficked to and by foreign governments, our elected representatives
adopted a text saying that corporate tracking and profiling of
individuals should not be understood as significantly affecting our
rights and our freedoms.
The Committee extended the range of circumstances in which companies can
process an individual's data without their consent - and made the rules
far less easy to understand.
These huge loopholes are all the more disappointing when we consider
that MEPs agreed to support several positive measures elsewhere in the
text. These measures include an adequate level of sanctions in case of
abuses, data breach notifications, data portability and data protection
by design and by default.
The problematic compromises adopted are:
Compromise 4
http://www.edri.org/files/eudatap/04COMPArticle04.pdf
Compromise 6
http://www.edri.org/files/eudatap/06COMPArticle06.pdf
Compromise 20
http://www.edri.org/files/eudatap/20COMPArticle20.pdf
EDPS - An important and welcome step towards stronger and more
effective data protection in Europe
https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/E…
=======================================================================
2. Tough negotiations for the law enforcement data protection directive
=======================================================================
On Monday, 21 October 2013 the Civil Liberties, Justice and Home Affairs
Committee of the European Parliament adopted reports on the General Data
Protection Regulation and the Directive for the police and justice sector.
In the past months, the Directive covering personal data processed to
prevent, investigate or prosecute criminal offences or enforce criminal
penalties has not attracted as much attention as the Regulation, but is
in fact part of the data protection package. The Directive aims to
ensure that the Member States replace the existing fragmented
legislation with a coherent legal framework for the processing and
exchange of personal data within the EU and with third countries.
The negotiating mandate for the Directive was adopted by 47 votes to
four, with one abstention. The Parliament now has a clear mandate to
start negotiations with the Member States and, according to the
Committee’s homepage, it expects to reach a common agreement before the
European elections in May 2014. The inter-institutional talks will start
as soon as the Member States have agreed on their own position.
However, the upcoming negotiations with the European Commission, the
Council and the Member States are likely to face fundamental
difficulties. EDRi had insight into a document from the Working Party on
Information Exchange and Data Protection (DAPIX) session from 4 October
2013, where the Member States discussed the proposed Directive.
In this session, the Member States and the Commission focused
discussions on articles one to seven. It became clear that there are
still fundamental reservations against the Directive. Germany, Great
Britain, Denmark, the Czech Republic, Slovenia, Sweden and Austria
raised the question of the added value compared to the Framework
Decision 2008/977/JI. Several Member States consider the
Directive as a defiance of the subsidiarity principle and some referred to
the lack of legal competences of the European Union - Denmark, the Czech
Republic, Slovenia, Great Britain, Sweden, and Germany. Italy, Spain,
Germany, Hungary, Poland and Portugal stated their reservations on the
whole Directive. Only France supported the choice of instrument.
There was widespread consent between the Member States to adopt stricter
rules than laid out in the Directive and that there should be the
establishment of minimum standards (mentioned explicitly by Germany,
Great Britain, Czech Republic, Austria, Sweden, and the Netherlands).
Furthermore, the majority of Member States claimed an extension of the
scope to the protection against threats to public safety and maintenance
of public order, according to a proposal put forward by Romania.
Germany, the Czech Republic, Estonia and Hungary criticised that the EU
institutions are not within the scope of the Directive.
It became clear that article four (Principles relating to personal data
processing) and article seven (Lawfulness of processing) - and the
interaction of both articles in particular - needed further explanation.
The deletion of articles five and six proposed by the Irish presidency
was generally welcomed, especially by Belgium, Great Britain, the Czech
Republic, Denmark, Germany and Sweden. Under article seven, the question
whether the consent of the person concerned should be added or not was
intensely discussed – apart from Austria all Member States seemed to be
in favour. The Commission generally rejected this solution.
The document we had access to only covered articles one to seven, but it
definitely gives a foretaste of how complicated the negotiations after
the Parliament’s adoption of the Directive with the Member States might
become.
Civil Liberties MEPs pave the way for stronger data protection in the EU
(21.10.2013)
http://www.europarl.europa.eu/news/en/news-room/content/20131021IPR22706/ht…
EP LIBE Committee
http://www.europarl.europa.eu/committees/en/libe/home.html
Q&A on EU data protection reform (22.10.2013)
http://www.europarl.europa.eu/news/en/news-room/content/20130502BKG07917/ht…
Danish EU Presidency - Council working parties
http://eu2012.dk/en/EU-and-the-Presidency/About-EU/Arbejdsgrupper/Beskrivel…
Summary analysis of European Commission proposal for a Data Protection
Directive in the law enforcement sector (19.09.2012)
https://www.privacyinternational.org/sites/privacyinternational.org/files/f…
(Contribution by Karim Khattab - EDRi intern & Kirsten Fiedler - EDRi)
=======================================================================
3. France is demanding explanations from the US over NSA surveillance
=======================================================================
On 21 October 2013, the French government summoned Charles Rivkin, the
US ambassador in France, demanding urgent explanation regarding the
revelations by Le Monde that, according to the documents released by
Edward Snowden, NSA has intercepted French citizens’ phone and internet
communications on a massive scale.
Le Monde revealed on that day that, during a 30-day period in December
2012 and January 2013, more than 70 million French phone calls were
intercepted and text messages were also swept based on keywords. The
interceptions appear to have targeted not only people with suspected
terrorist links but also people in business, politics and the French
administration, under a programme codenamed US-985D.
According to the information obtained by Le Monde, when a telephone
number is used in France, it activates a signal which automatically
triggers the recording of the call. It seems this type of surveillance
system picks up SMS messages and their content as well, by using key
words. NSA then apparently stores the history of the connections or the
meta-data.
The French prime minister, Jean-Marc Ayrault, demanded that the US provide
"clear answers, justifying the reasons these practices were used and
above all creating the conditions of transparency so these practices can
be put to an end". The White House’s first response was that the US
"gathers foreign intelligence of the type gathered by all nations".
"These kinds of practices between partners, that violate privacy, are
totally unacceptable. We must quickly assure that these practices aren't
repeated," also stated French Foreign Minister Laurent Fabius at an EU
foreign ministers meeting in Luxembourg on the same day. The day was
rich in events as U.S. President Barack Obama and French President
Francois Hollande also had a phone discussion on the subject.
A news release from Hollande's office said he expressed his "deep
disapproval with regard to these practices" and stated that such alleged
activities would be unacceptable between allies and friends. The press
release also states that the two presidents agreed that French and
American intelligence services would cooperate to investigate the issue.
"The President and President Hollande discussed recent disclosures in
the press -- some of which have distorted our activities and some of
which raise legitimate questions for our friends and allies about how
these capabilities are employed. The President made clear that the
United States has begun to review the way that we gather intelligence,
so that we properly balance the legitimate security concerns of our
citizens and allies with the privacy concerns that all people share,"
says a news release from the White House.
This is not the only time France had issues with NSA spying activities.
In July, Hollande threatened to suspend negotiations for a transatlantic
free trade agreement after reports in the Guardian and Der Spiegel that
the NSA spied on EU offices and European diplomatic missions in
Washington and at the UN in New York.
Yet, also in July, Le Monde reported that France runs its own vast
electronic surveillance operation, intercepting and storing data from
citizens' phone and internet activity, using similar methods to the
NSA's Prism programme.
Snowden leaks: France summons US envoy over NSA surveillance claims
(21.10.2013)
http://www.theguardian.com/world/2013/oct/21/snowden-leaks-france-us-envoy-…
France in the NSA's crosshair: phone networks under surveillance
(21.10.2013)
http://www.lemonde.fr/technologies/article/2013/10/21/france-in-the-nsa-s-c…
How NSA spies on France (only in French, 21.10.2013)
http://www.lemonde.fr/technologies/article/2013/10/21/comment-la-nsa-espion…
Editorial of "Le Monde": fighting Big Brother (only in French,
21.10.2013)
http://www.lemonde.fr/technologies/article/2013/10/21/editorial-du-monde-co…
US spy agency targets French firms (21.10.2013)
http://euobserver.com/justice/121833
Report: U.S. intercepts French phone calls on a 'massive scale'
(22.10.2013)
http://edition.cnn.com/2013/10/21/world/europe/france-nsa-spying/
=======================================================================
4. ECtHR: Internet news portal liable for the offensive online comments
=======================================================================
The European Court of Human Rights (ECtHR) ruled on 10 October 2013 in
the case Delfi AS vs. Estonia that an Internet news portal was liable
for the offensive comments that were posted by the readers underneath
its online articles.
The Court held that the finding of liability by the Estonian courts was
a justified and proportionate restriction on the portal’s right to
freedom of expression, in particular, because:
- the comments were highly offensive;
- the portal failed to prevent them from becoming public, profited from
their existence, allowed their authors to remain anonymous; and,
- the fine imposed by the Estonian courts was not excessive.
Even though the portal had argued that the EU Directive on Electronic
Commerce, as transposed into the Estonian law, had made the case exempt
from liability, the Court found that it was for national courts to
resolve issues of interpretation of domestic law, and therefore did not
address the issue under EU law.
The decision was heavily debated by freedom of speech advocates, who
criticized the ruling for failing "to understand the role of Internet
intermediaries as the gateway to the exercise of free expression."
EDRi-member Article 19 pointed out that the decision is "a deeply
concerning precedent for freedom of expression in several respects. It
also displays a worrying lack of understanding of the issues surrounding
intermediary liability and the way in which the Internet works."
The Court has thus failed to appreciate the purpose of the EU E-Commerce
Directive provisions concerning hosting liability and has considered
that the news portal should have prevented defamatory and other clearly
unlawful comments from being made public. But that is actually
contradictory to article 15 of the Directive which prohibits Member
States from imposing monitoring obligations on information society
services, including actively seeking “facts or circumstances indicating
illegal activity.”
At the same time, the Court ignored the relevant international standards
developed by the UN Special Rapporteur on Freedom of Expression in this
area in his thematic report on the Internet where he clearly recommended
that “censorship measures should never be delegated to private entities,
and that no one should be held liable for content on the Internet of
which they are not the author.”
The decision of the Court Chamber is not final though.
During the three-month period following its delivery, any party may
request that the case be referred to the Grand Chamber of the Court. If
such a request is made, a panel of five judges considers whether the
case deserves further examination. In that event, the Grand Chamber will
hear the case and deliver a final judgement. If the referral request is
refused, the Chamber judgement will become final on that day.
Press release - Making an Internet news portal liable for the offensive
online comments of its readers was justified (10.10.2013)
http://hudoc.echr.coe.int/sites/eng-press/pages/search.aspx?i=003-4529626-5…
Full Text - DELFI AS v. ESTONIA (10.10.2013)
http://hudoc.echr.coe.int/sites/eng/pages/search.aspx?i=001-126635
European Court strikes serious blow to free speech online (14.10.2013)
http://www.article19.org/resources.php/resource/37287/en/european-court-str…
European ruling spells trouble for online comment (11.10.2013)
http://www.indexoncensorship.org/2013/10/european-ruling-spells-trouble-onl…
=======================================================================
5. Increased level of online censorship in Italy
=======================================================================
AGCOM, Italy’s independent Electronic Communications Authority, is on
the verge of undertaking the power of ordering the removal of any online
content that it deems to be in violation of the copyright law, without
the need of the parliament or court approval.
Despite strong criticism from NGOs, ISPs, other companies or legal
practitioners, the authority’s new Draft Regulation on Copyright
Protection on Electronic Communication Networks allows it to black out
foreign sites and take down Italian ones alleged to have infringed the
copyright law, within 48 hours, without any court decision.
The legislation is to be passed definitively in November 2013 after a
decision from the European Union.
AGCOM’s bill will give the authority the power to order Internet access
providers to disclose private information about subscribers and give
them to the right holders. Any website “inciting, aiding and abetting”
copyright infringement, even indirectly, will permit its complete seizure.
An alliance of organizations including the consumer groups, lawyers, and
business have initiated a campaign to oppose the measures introduced by
the bill, which risk turning ISPs into online censors, are totally
inefficient and may lead to over-blocking and abuse.
The alliance has also sent an open letter to Laura Boldrini, the
president of the lower house of the Italian Parliament urging the
assembly to take the matter into its own hands and suspend the draft
regulation.
On 1 October 2013, EDRi member Article 19 issued a detailed opinion on
the bill showing concern that it “provides for the blocking of entire
websites, domain names or IP addresses. These measures are both
ineffective and deeply inimical to free expression due to the high risks
of over-blocking. We are also concerned that blocking powers would be
entrusted to a regulator rather than the courts.”
In more disturbing news from Italy on the stupid IPR enforcement
measures, on the 17 October 2013, following a complaint from the music
industry group FIMI, several big torrent sites were put on the ISPs
blacklist by orders of the Bergamo court. Besides ExtraTorrent, 1337x,
H33T, TorrentHound, Italian ISPs may have to block a whole range of IP
addresses associated with The Pirate Bay, including some with authorized
content (such as their mail server). The Observatory on The Internet
Censorship In Italy counts now over 6000 websites that are being blocked
in Italy.
Freedom of the web at risk in Italy: Copyright to hide censorship
(6.10.2013)
http://www.fulviosarzana.it/en/blog-en/freedom-of-the-web-at-risk-in-italy-…
Petition - Help us say NO to Italian internet censorship!
http://sitononraggiungibile.info/?lang=en
Italy: Draft Regulation on Copyright Protection on Electronic
Communication (1.10.2013)
http://www.article19.org/resources.php/resource/37271/en/italy:-draft-regul…
Agcom, the new web sheriff does not listen to critics (only in Italian,
7.10.2013)
http://www.fulviosarzana.it/blog/agcom-il-nuovo-sceriffo-del-web-non-ascolt…
Open Letter to President Boldrini (only in Italian, 14.10.2013)
http://it.finance.yahoo.com/notizie/diritto-d-autore-lettera-alla-111556139…
Italian Court Orders ISPs to Block Several Major Torrent Sites
(17.10.2013)
http://torrentfreak.com/court-orders-isps-to-block-several-major-torrent-si…
Observatory on The Internet Censorship In Italy
http://censura.bofh.it/
The Major illicit portals obscured. Provincial Command Bergamo (only in
Italian, 16.10.2013)
http://www.gdf.gov.it/GdF/it/Stampa/Ultime_Notizie/Anno_2013/Ottobre_2013/i…
=======================================================================
6. European Court of Justice: Fingerprints in electronic passport are OK
=======================================================================
The European Court of Justice ruled on 17 October 2013 that the
inclusion of the fingerprints in the EU electronic passports is lawful.
While the Court acknowledged that taking and storing of fingerprints in
passports constitutes an infringement of the rights to respect for
private life and the protection of personal data, it ruled that security
is more important than privacy and such measures are justified for the
purpose of preventing any fraudulent use of passports.
The ruling also claims that the measure of taking fingerprints is not
that sensitive, because it "involves no more than the taking of prints
of two fingers, which can, moreover, generally be seen by others, so
that this is not an operation of an intimate nature."
The decision admits that the electronic passports are not flawless, but
argues that "the fact that the method is not wholly reliable is not
decisive. Although that method does not prevent all unauthorised persons
from being accepted, it is enough that it significantly reduces the
likelihood of such acceptance that would exist if that method were not
used."
At the same time, the Court emphasized that the Regulation allows the
storage of fingerprints only in the electronic passport that will be
held by the owner and that it cannot be interpreted "as providing a
legal basis for the centralised storage of data collected or for the use
of such data for purposes other than that of preventing illegal entry
into the EU”.
This is not the only case where the ECJ will be asked to rule on
biometric passports, with another one where Dutch applicants had been
refused the issuing of their passports because they did not accept to
provide their fingerprints, that were stored in a database.
Gus Hosein from Privacy International explained to Bloomberg BNA that "the
court had 'narrowly interpreted' EU law, and there was potential for
challenges against the taking of fingerprints for inclusion in passports
to be brought before the European Court of Human Rights. The court
ruling was the 'perpetuation of a stupid mistake' made by the European
Parliament when it approved the collection of fingerprints for passports."
But the EU seems to try to get to the next level of fingerprinting
regular people in its new 1 billion Euro Smart Borders proposal that
would include all personal details and the 10 fingerprints of all non-EU
citizens over 12 years old who want to enter the European Union, all
being held in one database.
Press release: Including fingerprints in passports is lawful
(17.10.2013)
http://curia.europa.eu/jcms/upload/docs/application/pdf/2013-10/cp130135en.…
Full Judgement - Michael Schwarz vs. Stadt Bochum (17.10.2013)
http://curia.europa.eu/juris/document/document.jsf?text=&docid=143189&pageI…
Security trumps privacy, EU court says (17.10.2013)
http://euobserver.com/news/121816
EU Collection of Fingerprints for Passports Threatens Privacy, but Is
Lawful, ECJ Rules (21.10.2013)
http://www.bna.com/eu-collection-fingerprints-n17179878805/
EDRi-gram: ECJ to rule on the biometric passports (10.10.2012)
http://www.edri.org/edrigram/number10.19/ecj-rule-biometric-passports
=======================================================================
7. After 3 years: French authority Hadopi keeps proving its uselessness
=======================================================================
After three years of existence, Hadopi, the French authority in charge of
the infamous three-strikes gradual response system, has succeeded in
proving nothing but a large waste of public money.
To mark its 3-year anniversary, Hadopi has issued its activity report
which shows that, to date, it has succeeded in ordering 1 sole
Internet disconnection and, on the other hand, it has experienced large
bureaucratic problems and issues with identifying subscribers.
Hadopi has sent a total of 1.912 million notifications to French
Internet subscribers as strike one, 186 153 follow-up letters as strike
2 and has caused 1 disconnection as strike 3.
For 2013 alone, Hadopi costs the French taxpayers 5.4 million Euro, a large
part of it spent answering subscribers who make requests regarding the
name of the works for which they receive the notification. As the
Ministry of Culture refused to allow for the names of the works to be
included in the notification, the law stipulates Hadopi has to answer to
the subscribers upon request. Therefore, in 2012-2013, there were 73210
contacts by phone or email with Internet subscribers out of which 81.73%
were related to the content of the notification.
Hadopi believes that a modification of the legislation in this sense
would be beneficial and would not affect the confidentiality of the
communication if the receiver is the owner of the subscription.
Moreover, to contact subscribers, Hadopi has to go via Internet ISPs.
The initial amount of the first notifications was thus reduced to
7.718 million as, apparently, there were multiple allegations against
the same subscriber. The report says that 88% of these allegations were
successfully matched against named subscribers.
Following the 186 453 letters sent for strike 2, there were 663 cases
for which Hadopi was to decide whether to submit them to the court which
resulted in 51 submissions to the courts for penalties. Most of these
appear to have incurred a fine of between 35 and 450 Euro. Only one got
a 15-day disconnection penalty.
Furthermore, Hadopi had other further expenses with the so-called
“educational” program which involves taking the message into schools and
educational establishments.
So, not only has the system proven inefficient for the declared purpose
of cutting down illegal sharing of copyrighted works, but it also
triggers high expenses from the public money.
The French government intends to incorporate Hadopi within the Conseil
supérieur de l'audiovisuel (CSA) which might cut down some expenses but
which does not entirely eliminate the system.
Hadopi: a blunt example of public money waste (only in
French, 10.10.2013)
http://www.numerama.com/magazine/27203-hadopi-un-exemple-flagrant-de-gaspil…
Hadopi turns three – bon anniversaire? (14.10.2013)
http://www.iptegrity.com/index.php/france/908-hadopi-turns-three-bon-annive…
HADOPI annual report for 2012-2013
http://www.hadopi.fr/sites/default/files/page/pdf/HADOPI_RapportAnnuel_2013…
EDRi-gram: The French three strikes system gave up on Internet
disconnection (17.03.2013)
http://www.edri.org/edrigram/number11.14/french-3-strikes-without-disconnec…
=======================================================================
8. Skype is investigated in Luxembourg for its relations to NSA
=======================================================================
Skype, owned now by Microsoft, has entered the attention of Gerard
Lommel, Luxembourg’s Data Protection Commissioner, as a result of the
documents revealed by Edward Snowden in the PRISM affair.
Gerard Lommel has put Skype under investigation over its possible secret
collaboration with NSA, within PRISM spy programme, and the company
could face criminal and administrative sanctions, including a ban on
passing users' communications to the US intelligence agency.
If the investigation proves Skype has secretly shared personal data with
the NSA, it could also be fined for being in violation of the country's
data-protection laws, as the company has its headquarters in the
European country. Luxembourg’s constitution has a strong legislation
protecting the right to privacy and establishing the secrecy of
correspondence as inviolable, except for cases allowed by the law which
says that the surveillance of communications can occur only with
judicial approval or by authorization of a tribunal selected by the
prime minister.
Skype was founded in Scandinavia in 2003 with the purpose of allowing
audio, video and chat conversations through an encrypted peer-to-peer
internet connection, which was not routed over a centralised network
like conventional phone calls. Due to its reputation for privacy and
security Skype has started being used by millions of people, including
journalists and activists.
According to the NSA leaked documents, in February 2011, Skype got a
directive to comply with NSA surveillance signed by the US attorney
general. Skype was acquired by Microsoft in May 20111 when it appears
that its relationship with the NSA has intensified.
In a letter obtained by the Guardian, sent to Privacy International in
September 2012, Skype's corporate vice president Mark Gillett suggested
that group video calls and instant messages could be obtained by law
enforcement as they were routed through its central servers and "may be
temporarily stored." Yet, Gillett also stated on another occasion that
audio and one-to-one video calls made by using Skype's "full client" on
computers were encrypted and did not pass through central servers, which
implies that the company could not help authorities intercept them.
"Skype promoted itself as a fantastic tool for secure communications
around the world, but quickly caved to government pressure and can no
longer be trusted to protect user privacy," said Eric King, head of
research at human rights group Privacy International.
Skype told the Guardian that it would not comment on its compliance
with US surveillance or answer technical questions about how it turns
over calls to the authorities. It also stated that the world needed "a
more open and public discussion" about the balance between privacy and
security, while accusing the US government of opposing such a discussion.
"Microsoft believes the US constitution guarantees our freedom to share
more information with the public, yet the government is stopping us,"
said a spokesperson for Skype referring to an ongoing legal case in
which Microsoft is seeking permission to disclose more information about
the number of surveillance requests it receives.
Skype under investigation in Luxembourg over link to NSA (11.10.2013)
http://www.theguardian.com/technology/2013/oct/11/skype-ten-microsoft-nsa
Skype faces Luxembourg probe over NSA Prism program – report
(11.10.2013)
http://news.cnet.com/8301-1023_3-57607062-93/skype-faces-luxembourg-probe-o…
=======================================================================
9. Recommended Action
=======================================================================
Say your views on the Europe & the Internet in a global context
Deadline: 8 November 2013
https://ec.europa.eu/digital-agenda/en/content/europe-and-internet-global-c…
Internet Governance: I want your views! (9.10.2013)
http://ec.europa.eu/commission_2010-2014/kroes/en/content/internet-governan…
=======================================================================
10. Recommended Reading
=======================================================================
MEPs call for suspension of EU-US bank data deal in response to NSA
snooping (23.10.2013)
http://www.europarl.europa.eu/news/en/news-room/content/20131021IPR22725/ht…
Russia: FSB wants more access to Internet users’ information (21.10.2013)
http://themoscownews.com/russia/20131021/191995741/FSB-wants-full-access-to…
Will The Canada-EU Trade Agreement Harm Our Freedoms Online? (20.10.2013)
https://www.laquadrature.net/en/will-the-canada-eu-trade-agreement-harm-our…
A Copyright Masquerade - How Corporate Lobbying Threatens Online
Freedoms by Monica Horten (10.2013)
http://www.zedbooks.co.uk/paperback/a-copyright-masquerade
Results of the consultation on Open Research Data
http://ec.europa.eu/digital-agenda/node/67533
Working Document 02/2013 providing guidance on obtaining consent for
cookies (WP208)
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinio…
100 questions on surveillance to Polish authorities (10.2013)
http://www.panoptykon.org/node/6598
=======================================================================
11. Agenda
=======================================================================
21-27 October 2013, Worldwide
Open Access week
http://www.openaccessweek.org/events
22-25 October 2013, Bali, Indonesia
Internet Governance Forum 2013
http://igf2013.or.id/
24-25 October 2013, Barcelona, Spain
Oxcars and Free Culture Forum 2013
http://oxcars13.whois--x.net
http://2013.fcforum.net
24 October 2013, Ljubljana, Slovenia
The LAPSI 2.0 Conference: “The new PSI directive: What’s next?”
http://www.lapsi-project.eu/lapsi-20-conferences
25-27 October 2013, Siegen, Germany
Cyberpeace - FIfF Annual Meeting 2013
http://www.fiff.de/
19-20 November 2013, Berlin, Germany
Berlin Open Access Conference: 10th anniversary of the Berlin Declaration
http://www.berlin11.org/
27–30 December 2013, Hamburg, Germany
30C3 – 30th Chaos Communication Congress
https://events.ccc.de/congress/2013/wiki/Main_Page
22-24 January 2014, Brussels, Belgium
CPDP 2014: Reforming data protection: The Global Perspective
http://www.cpdpconferences.org/
3-5 March 2014, San Francisco, California, USA
RightsCon: Silicon Valley
https://www.rightscon.org/
19-20 March 2014, Athens, Greece
European Data Forum 2014 (EDF2014)
CfP by 10 December 2013
http://2014.data-forum.eu
24-25 April 2014, Barcelona, Spain
SSN 2014: Surveillance Ambiguities & Asymmetries
http://www.ssn2014.net/
28-29 April 2014, Newcastle upon Tyne, United Kingdom
OER14: building communities of open practice
http://www.oer14.org/
============================================================
12. About
============================================================
EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 35 members based or with offices in 21 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge
and awareness through the EDRi-gram.
All contributions, suggestions for content, corrections or agenda-tips
are most welcome. Errors are corrected as soon as possible and are
visible on the EDRi website.
This EDRi-gram has been published with financial support from the EU's
Fundamental Rights and Citizenship Programme.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRi and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in
the EU. If you wish to help us promote digital rights, please consider
making a private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr
- EDRI-gram subscription information
Subscribe by e-mail
To: edri-news-request(a)mailman.edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request(a)mailman.edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay.
Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/mk/vesti/edri
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are
provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian
Association for Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing
or unsubscribing.
Hello Tor relay operators,
We could use your help in a pilot project to improve Tor security. As
you may be aware, the anonymity of a connection over Tor is vulnerable
to an adversary who can observe it in enough places along its route.
For example, traffic that crosses the same country as it enters and
leaves the Tor network can potentially be deanonymized by an authority
in that country who can monitor all network communication. Researchers
have been working to figure out how Tor traffic gets routed over the
Internet [0-3], but determining routes with high confidence has been
difficult.
That's where you come in. To figure out where traffic travels from
your relay, we'd like you to run a bunch of "traceroutes" - network
measurements that show the paths traffic takes. This is a one-time
experiment for now, but, depending on what we find out, regularly
making such measurements may become a part of Tor itself. We have
already gotten some results thanks to Linus Nordberg of DFRI and
Moritz Bartl of torservers.net, and now it's time to ask all relay
operators to help.
We would like to start this right away.
We have written some shell scripts to automate most of the process.
The easiest way for you to get them is with git, using the following
commands:
git clone https://bitbucket.org/anupam_das/traceroute-from-tor-relays
git checkout f253f768d14e3368e4fe4de9895acd2715a19412
You can also just download the files directly by visiting [4].
Detailed instructions for setting up and running the experiment are in
the README.
Basically the experiment does traceroutes to three groups: all
"routable IP prefixes", all Tor relays, and then all /24 subnets.
These kinds of measurements are not uncommon, and they will not be
done at a high rate. By default the scripts will periodically move the
results to our server [5] via SSH, although you can keep the results
around and/or not send them automatically if you wish (see the
README). The traceroute data recorded is not sensitive or private at
all. We plan to make the code and data public, following Tor's
practice of open cooperation with the research community [6].
The measurements will work best if you have the "scamper" tool from
the Cooperative Association for Internet Data Analysis (CAIDA)
installed (see the README for installation instructions). This is a
standard and open-source tool that handles the many modern
complexities of Internet routing measurement. If you are not able to
run scamper, the script will also work with the more-common but
less-accurate and slower "traceroute" utility. We do not currently
have support for Windows relays. The output will take up around 500KB
(110MB if you disable automatic removal after upload) of disk space if
you use scamper; if you use the "traceroute" utility, each output will
be around 4MB (1GB with automatic removal after upload disabled).
Depending on whether you run scamper or traceroute the total time
required varies, but results for traceroutes to "routable IP prefixes"
and all Tor relays should finish within one week (possibly earlier). We
would like to request relay operators to upload those results once
finished.
This experiment is in collaboration with several researchers, but the
leads are Anupam Das, a Ph.D. student at the University of Illinois at
Urbana-Champaign, and his advisor Nikita Borisov. Based on a review of
the scripts of commit f253f768d14e3368e4fe4de9895acd2715a19412, we
believe that they operate as described above. Please do read through
them yourself, and let us know if you have any questions or concerns.
And also feel free to contact any of us for help or with suggestions.
Because of you, Tor is the "king" of anonymous communication. With
your help, we will keep improving to face the new challenges to
privacy and freedom online.
Thank you,
Karsten Loesing <karsten(a)torproject.org>
Anupam Das <das17(a)illinois.edu>
Nikita Borisov <nikita(a)illinois.edu>
[0] "Protecting anonymity in the presence of autonomous system and
internet exchange level adversaries" by Joshua Juen. Master's Thesis,
UIUC. 2012. <https://www.ideals.illinois.edu/handle/2142/34363>
[1] "Users Get Routed: Traffic Correlation on Tor by Realistic
Adversaries" by Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr,
and Paul Syverson. ACM CCS 2013.
<http://freehaven.net/anonbib/cache/ccs2013-usersrouted.pdf>
[2] "AS-awareness in Tor path selection" by Matthew Edman and Paul F.
Syverson. ACM CCS 2009.
<http://freehaven.net/anonbib/cache/DBLP:conf/ccs/EdmanS09.pdf>
[3] "Sampled Traffic Analysis by Internet-Exchange-Level Adversaries"
by Steven J. Murdoch and Piotr Zieliński. PETS 2007.
<http://freehaven.net/anonbib/cache/murdoch-pet2007.pdf>
[4] https://bitbucket.org/anupam_das/traceroute-from-tor-relays/downloads
[5] ttat-control.iti.illinois.edu
[6] https://metrics.torproject.org/
_______________________________________________
tor-relays mailing list
tor-relays(a)lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
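The risk the message describes, an observer who sits on both the entry side and the exit side of a Tor connection, can be checked against traceroute data once each hop is mapped to an autonomous system. The following Python code is an added example, not part of the experiment's scripts: it parses constructed traceroute-style output from a hypothetical guard relay (toward a client prefix) and a hypothetical exit relay (toward a destination prefix), maps hops to ASes through a constructed prefix table (hypothetical AS numbers), and reports the ASes that appear on both paths, while counting the timed-out or unmapped hops that keep that result a lower bound.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed hop lines in the style of traceroute output (not real data).
GUARD_TRACE = """\
 1  192.0.2.1  0.4 ms  0.3 ms  0.3 ms
 2  198.51.100.9  1.2 ms  1.1 ms  1.0 ms
 3  * * *
 4  203.0.113.17  8.7 ms  8.5 ms  8.6 ms
 5  203.0.113.250  9.1 ms  9.0 ms  9.3 ms
"""
EXIT_TRACE = """\
 1  192.0.2.65  0.5 ms  0.4 ms  0.4 ms
 2  203.0.113.129  3.2 ms  3.0 ms  3.1 ms
 3  203.0.113.250  6.8 ms  6.9 ms  6.7 ms
"""

# Constructed prefix -> AS table with hypothetical AS numbers. A real
# analysis would derive this from routing tables or RIR data.
PREFIX_TO_AS: Dict[str, int] = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/25": 64498,
    "203.0.113.128/25": 64499,
}

# hop number, then the responding IPv4 address; '* * *' lines do not match
HOP_RE = re.compile(r"^\s*\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s")


def parse_hops(trace: str) -> List[Optional[str]]:
    """Responding IP of each hop, None for hops that timed out."""
    hops: List[Optional[str]] = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        m = HOP_RE.match(line)
        hops.append(m.group(1) if m else None)
    return hops


def lookup_as(ip: str, table: Dict[str, int]) -> Optional[int]:
    """Longest-prefix match of ip against the prefix table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None


def path_ases(trace: str, table: Dict[str, int] = PREFIX_TO_AS) -> List[Optional[int]]:
    """AS of each hop in order; None where the hop is unknown or unmapped."""
    return [lookup_as(ip, table) if ip else None for ip in parse_hops(trace)]


def shared_ases(entry_trace: str, exit_trace: str,
                table: Dict[str, int] = PREFIX_TO_AS) -> Set[int]:
    """ASes on both the entry-side and exit-side path: each of them could
    observe the connection in two places, which is the risk described."""
    entry = {a for a in path_ases(entry_trace, table) if a is not None}
    exit_ = {a for a in path_ases(exit_trace, table) if a is not None}
    return entry & exit_


def unresolved_hops(trace: str, table: Dict[str, int] = PREFIX_TO_AS) -> int:
    """Timed-out or unmapped hops; the shared set is only a lower bound."""
    return sum(1 for a in path_ases(trace, table) if a is None)


if __name__ == "__main__":
    print("entry path ASes:", path_ases(GUARD_TRACE))
    print("exit path ASes: ", path_ases(EXIT_TRACE))
    print("shared ASes:    ", sorted(shared_ases(GUARD_TRACE, EXIT_TRACE)))
    print("unresolved entry hops:", unresolved_hops(GUARD_TRACE))
```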
When your lunch didn't work out well, you can always laugh it off. Someone
has been consuming mind-flogging substances.
James R. Clapper, the United States director of national intelligence, late
Tuesday disputed reports in a French newspaper that American spies recorded
data from 70 million phone calls in France in a single 30-day period,
calling the reports "misleading," The Associated Press reported.
http://www.nytimes.com/2013/10/24/world/europe/united-states-intelligence-official-disputes-spying-report-in-french-newspaper.html?hp&_r=0
========================================================================
Tor Weekly News October 23rd, 2013
========================================================================
Welcome to the seventeenth issue of Tor Weekly News, the weekly
newsletter that covers what is happening in the guarding Tor community.
Tor’s anonymity and guards parameters
-------------------------------------
In a lengthy blog post [1], Roger Dingledine looked back on three
research papers published in the past year. Some of them have been
covered, and most of the time misunderstood, by the press. A good recap of
the research problems, what the findings mean and possible solutions
will hopefully help everyone understand them better.
Introduced in 2005 [2], entry guards were added to recognise that “some
circuits are going to be compromised, but it’s better to increase your
probability of having no compromised circuits at the expense of also
increasing the proportion of your circuits that will be compromised if
any of them are.” Roger “originally picked ‘one or two months’ for guard
rotation” but the initial parameters called for more in-depth
research [3].
That call was heard by “the Tor research community [4], and it’s great
that Tor gets such attention. We get this attention because we put so
much effort into making it easy [5] for researchers to analyze Tor.” In
his post Roger highlights the findings of three papers: two published
at WPES 2012 and Oakland 2013, and one forthcoming at CCS 2013.
These research efforts highlighted several issues in the way Tor handles
entry guards. Roger details five complementary fixes: using fewer
guards, keeping the same guards for longer, better handling of brief
unreachability of a guard, making the network bigger, and smarter
assignment of the guard flag to relays. Some will require further
research to identify the best solution. There are also other aspects
regarding systems which don’t currently record guards such as Tails, how
pluggable transports could prevent attackers from recognising Tor users,
or enhancing measurements from the bandwidth authorities…
The whole blog post is insightful and is a must read for everyone who
wishes to better understand some of Tor’s risk mitigation strategies. It
is also full of little and big things where you could make a difference!
[1] https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-pa…
[2] https://blog.torproject.org/blog/top-changes-tor-2004-design-paper-part-2
[3] https://blog.torproject.org/blog/research-problem-better-guard-rotation-par…
[4] http://freehaven.net/anonbib/
[5] https://research.torproject.org/
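To make the tradeoff quoted above concrete, here is an added Python example (not from Roger's post or from the Tor code) that compares the chance of ever picking a compromised entry relay with and without guards, and the share of circuits affected when one is. It assumes, for simplicity, that a fraction c of entry-relay selection weight is adversarial and that a circuit counts as compromised whenever its entry relay is; the scenario numbers are constructed.

```python
import math


def p_exposed_without_guards(c: float, n_circuits: int) -> float:
    """No guards: every circuit picks a fresh entry relay, so the chance
    that at least one of n circuits used a compromised entry is 1-(1-c)^n."""
    return 1.0 - (1.0 - c) ** n_circuits


def guard_picks(guards: int, days: int, rotation_days: int) -> int:
    """Distinct guard relays a client samples over `days` when it keeps
    `guards` guards and replaces the whole set every `rotation_days`."""
    return guards * math.ceil(days / rotation_days)


def p_exposed_with_guards(c: float, guards: int, days: int,
                          rotation_days: int) -> float:
    """With guards only the sampled guard relays matter: the client is
    exposed at all only if at least one of them is compromised. Fewer
    guards and longer rotation both shrink the number of samples."""
    return 1.0 - (1.0 - c) ** guard_picks(guards, days, rotation_days)


def fraction_if_exposed(c: float, guards: int) -> float:
    """Expected share of circuits going through a compromised guard, given
    that at least one of the current guards is compromised:
    E[k | k >= 1] / guards with k ~ Binomial(guards, c) = c / (1-(1-c)^g).
    For a single guard this is 1: the 'all or nothing' side of the tradeoff.
    The unconditional per-circuit probability stays c in every design."""
    return c / (1.0 - (1.0 - c) ** guards)


def compare(c: float = 0.05, days: int = 270, circuits_per_day: int = 10) -> dict:
    """Constructed scenarios in the spirit of the post's proposed fixes."""
    return {
        "no guards": p_exposed_without_guards(c, days * circuits_per_day),
        "3 guards, rotate monthly": p_exposed_with_guards(c, 3, days, 30),
        "3 guards, keep for 9 months": p_exposed_with_guards(c, 3, days, days),
        "1 guard, keep for 9 months": p_exposed_with_guards(c, 1, days, days),
        "share of circuits hit if exposed, 3 guards": fraction_if_exposed(c, 3),
        "share of circuits hit if exposed, 1 guard": fraction_if_exposed(c, 1),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label:45s} {value:.3f}")
```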
Hidden Service research
-----------------------
George Kadianakis posted a list of items that need work in the Hidden
Service area [6]. Despite not being exhaustive, the list contains many
items that might help with upgrading the Hidden Service design, be it
around security, performance, guard issues or “petname” systems.
Help and comments are welcome!
[6] https://lists.torproject.org/pipermail/tor-dev/2013-October/005637.html
Usability issues in existing OTR clients
----------------------------------------
The consensus after the first round of discussions and research done in
the prospect of providing a new secure instant-messaging Tor bundle [7]
is to use Mozilla Instantbird at its core. Arlo Breault sent out a draft
plan [8] on how to do so.
Instantbird currently lacks a core feature to turn it into the Tor
Messenger: support for the OTR [9] protocol for encrypted chat. Now is
thus a good time to gather usability issues in existing OTR clients.
Mike Perry kicked off the discussion [10] by pointing out several
deficiencies regarding problems with multiple clients, key management
issues, and other sub-optimal behaviour.
Ian Goldberg — original author of the pervasive OTR plugin for Pidgin —
pointed out [11] that at least one of the behaviours singled out by Mike
was “done on purpose. The thing it’s trying to prevent is that Alice and
Bob are chatting, and Bob ends OTR just before Alice hits Enter on her
message. If Alice’s client went to ‘Not private’ instead of ‘Finished’,
Alice’s message would be sent in the clear, which is undesirable.
Switching to ‘Finished’ makes Alice have to actively acknowledge that
the conversation is no longer secure.”
This tradeoff is a good example of how designing usable and secure user
interfaces can be hard. Usability, in itself, is an often overlooked
security feature. Now is a good time to contribute your ideas!
[7] https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Attentive
[8] https://lists.torproject.org/pipermail/tor-dev/2013-October/005616.html
[9] https://otr.cypherpunks.ca/
[10] https://lists.torproject.org/pipermail/tor-dev/2013-October/005636.html
[11] https://lists.torproject.org/pipermail/tor-dev/2013-October/005640.html
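The race Ian describes is easy to get wrong in a client's message-state machine. The Python model below is an added example, not Instantbird or libotr code: it puts a naive client that drops straight back to "Not private" next to one that enters a distinct "Finished" state, and shows which of the two lets a line Alice had already typed leave in the clear. The sealing helper is a labelled placeholder standing in for real OTR encryption.

```python
from enum import Enum, auto
from typing import List, Tuple


class MsgState(Enum):
    PLAINTEXT = auto()   # "Not private": messages are sent in the clear
    ENCRYPTED = auto()   # OTR session established
    FINISHED = auto()    # peer ended OTR; local user must acknowledge first


class NotPrivateError(Exception):
    """Raised instead of silently sending plaintext after the peer ended OTR."""


def _seal(text: str) -> str:
    # Placeholder for OTR's actual encryption; only marks that the
    # plaintext itself is not what goes on the wire.
    return f"[sealed {len(text.encode())} bytes]"


class OtrConversation:
    def __init__(self, naive: bool = False) -> None:
        self.state = MsgState.PLAINTEXT
        self.naive = naive                       # naive: skip FINISHED
        self.wire: List[Tuple[str, str]] = []    # constructed "wire" log

    def start_session(self) -> None:
        self.state = MsgState.ENCRYPTED

    def receive_disconnect(self) -> None:
        """Peer ended OTR (Bob clicked 'End private conversation')."""
        self.state = MsgState.PLAINTEXT if self.naive else MsgState.FINISHED

    def acknowledge_finished(self) -> None:
        """The user actively accepts that the chat is no longer private."""
        if self.state is MsgState.FINISHED:
            self.state = MsgState.PLAINTEXT

    def send(self, text: str) -> str:
        if self.state is MsgState.ENCRYPTED:
            self.wire.append(("encrypted", _seal(text)))
            return "encrypted"
        if self.state is MsgState.FINISHED:
            raise NotPrivateError("conversation finished; acknowledge first")
        self.wire.append(("plaintext", text))
        return "plaintext"


def race(naive: bool) -> Tuple[str, bool]:
    """Alice types a line; Bob ends OTR just before she hits Enter.
    Returns (what happened to the line, whether plaintext hit the wire)."""
    alice = OtrConversation(naive=naive)
    alice.start_session()
    alice.send("earlier part of the chat")
    alice.receive_disconnect()                    # Bob's disconnect arrives
    try:
        outcome = alice.send("line typed before the disconnect arrived")
    except NotPrivateError:
        outcome = "blocked"
    leaked = any(kind == "plaintext" for kind, _ in alice.wire)
    return outcome, leaked


if __name__ == "__main__":
    print("naive client:   ", race(naive=True))    # line goes out in the clear
    print("finished state: ", race(naive=False))   # line is held back
```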
Tor Help Desk Roundup
---------------------
The Tor Help Desk continues to be bombarded with help requests from
users behind university proxies who cannot use ORPort bridges or the
Pluggable Transports Browser to circumvent their network’s firewall.
Although the cases are not all the same, bridges on port 443 or port 80
do not always suffice to circumvent such proxies.
Ubuntu 13.10 (Saucy Salamander) was released this week. One user
reported their Tor Browser Bundle behaving unusually after updating
their Ubuntu operating system. This issue was resolved by switching to
the Tor Browser Bundle 3. Another user asked when Tor APT repositories
would have packages for Saucy Salamander. Since then, packages for the
latest version of Ubuntu have been made available from the usual
deb.torproject.org.
Miscellaneous news
------------------
Tails has issued a call for testing [12] of its upcoming 0.21 release.
The new version contains two security fixes regarding access to the Tor
control port and persistent settings [13] among other improvements and
package updates [14]. “Test wildly!” as the Tails team wrote.
[12] https://tails.boum.org/news/test_0.21-rc1/
[13] https://git-tails.immerda.ch/tails/plain/wiki/src/doc/first_steps/persisten…
[14] https://git-tails.immerda.ch/tails/plain/debian/changelog?id=0.21-rc1
Andrew Lewman was invited to speak at SECURE Poland 2013 [15] and sent a
report on his trip [16] to Warsaw.
[15] http://www.secure.edu.pl/
[16] https://lists.torproject.org/pipermail/tor-reports/2013-October/000364.html
Tails developers are looking for Mac and PC hardware with UEFI [17]. If
you have some spare hardware, please consider a donation!
[17] https://tails.boum.org/news/Mac_and_PC_UEFI_hardware_needed/
Ximin Luo has been the first to create a ticket with 5 digits [18] on the
Tor tracker. At the current rate, ticket #20000 should happen by the end
of 2015… Or will the project’s continued growth make this happen sooner?
[18] https://bugs.torproject.org/10000
Roger Dingledine reported [19] on his activities for September and
October. Arturo Filastò also reported [20] on his September.
[19] https://lists.torproject.org/pipermail/tor-reports/2013-October/000365.html
[20] https://lists.torproject.org/pipermail/tor-reports/2013-October/000366.html
Runa Sandvik continues her work on the new, more comprehensible Tor User
Manual [21]. The first draft is already out [22]. Please review and
contribute.
[21] https://lists.torproject.org/pipermail/tor-dev/2013-October/005649.html
[22] https://bugs.torproject.org/5811
Aaron published a branch with his work on a Tor exit scanner based on
OONI [23].
[23] https://github.com/TheTorProject/ooni-probe/tree/feature/tor_test_template
Upcoming events
---------------
Oct 25 | Matt @ EPIC and Public Citizen’s CryptoParty
| Washington, DC, USA
| https://epic.org/events/cryptoparty/
|
Nov 04 | Workshop on Privacy in the Electronic Society
| Berlin, Germany
| http://wpes2013.di.unimi.it/
|
Nov 04-05 | 20th ACM Conference on Computer and Communications Security
| Berlin, Germany
| http://www.sigsac.org/ccs/CCS2013/
This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan,
dope457, George Kadianakis, Philipp Winter and velope.
Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [24], write down your name
and subscribe to the team mailing list [25] if you want to get involved!
[24] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
[25] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
--
tor-talk mailing list - tor-talk(a)lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [Cryptography] programable computers inside our computers (was: Hasty PRISM proofing considered harmful)
by Jerry Leichter 23 Oct '13
On Oct 22, 2013, at 9:50 PM, John Ioannidis wrote:
> And to add another, there was a presentation on ARM TrustZone, the OS
> inside your CPU, that seems so designed for backdoors that ARM
> actually gives tips for running TrustZone invisible to the normal OS.
> https://www.hackinparis.com/sites/hackinparis.com/files/Slidesthomasroth.pdf
>
>
> TrustZone sounds like Palladium from 15 or so years ago. Have we learned *nothing*?
Actually, there is a difference: Palladium had remote attestation built in - it was a selling point. People concentrated on that as the "bad" part, though the rest could actually be useful. The reference designs let you do whatever you wanted with your own device - you have full access to the trusted elements, could sign your own boot loader if you wanted. Of course, someone providing DRM'ed material could refuse to talk to your system if it didn't attest to running "acceptable" code.
The new technologies don't build remote attestation in, so avoid the whole debate. And the base technologies are neutral on the issue of whether you can write your own trusted code. It's the specific implementations that block you from changing the keys, the bootloader, any of the code running in the secure element, etc.
The net effect is similar. Nothing keeps a system builder from including remote attestation, but because of the nature of the devices, who is doing the controlling (the cell service providers), and the much higher level of integration of the components (making it harder to pull pieces out of the controlled environment) it really doesn't much matter: If you're successfully talking to the cell network at all, they assume you have "approved" hardware. (Should people start building their own cell hardware from the ground up - certainly possible if you don't care about how practical the device is as a *cell phone*, but extremely difficult if you want something practical - they could always add remote attestation, or some simplified variant that's good enough for the cell provider's purposes, later.)
Palladium was subject to political attack because it was open about what it could do for DRM suppliers. The new technologies are harder to attack this way because the responsibility is diffused, and the good and the bad are very thoroughly mixed together. The availability of secure modes in the hardware can be explained as necessary to allow for safe operation in an unsafe world, and in and of themselves harmless - just a safer extension of user space/kernel space isolation. The system builders build things to keep the systems safe from malware, a known and growing problem. The network providers want to protect their networks. Everyone sees the need for heavy protection - including from the device owner - of internal "wallets".
-- Jerry
_______________________________________________
The cryptography mailing list
cryptography(a)metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography