Cryptome has been leaking its user logs for over a year
Let me begin by saying that Cryptome initially denied the leak, then that the data was stolen, then that the whole thing was a fake "a lie by [a] spy-newbie." Look at the data itself and examine the multiple sources, then decide for yourself. It's important to note that the logs were not just found in the USBs John Young/Cryptome sent to me, but in the ones sent to "bandmon", who unless I'm mistaken is coderman@gmail.com https://thepiratebay.mn/torrent/11113511/Cryptome_archive_2014-06-02

Original post at http://that1archive.neocities.org/subfolder1/cryptome-leaked-logs.html

If you haven't read why the alleged GCHQ slide showing spying on Cryptome.org's users could have been made by anyone, I recommend you do so before reading this <http://that1archive.neocities.org/subfolder1/gchq-cryptome-slide.html>. In summary, I showed that the information on the slide could have been mocked up, despite matching the logs for Cryptome.org.

Cryptome has denied the accuracy of my data, while oddly accusing me of stealing the data, and leaves me with no alternatives to posting the data online for others to review and verify.

The data came from Cryptome itself, on a pair of USBs they mailed to me <https://archive.org/details/cryptome-archive>. Within those USBs were server logs that include user IPs (spanning several months), .htaccess files, and a pwd file. After finding the data in the USB Cryptome had just sent me, I sent an email attempting to verify it hadn't been included as something extra that was not for public distribution:

Subject: Quick USB question
From: Michael Best
To: John Young

Double checking that the USBs that you sent were prepared as-is and no different from any other versions, except updated through August 14 2015.

John Young sent back an accusatory email:

To: Michael Best
From: John Young
Subject: Re: Quick USB question

Don't know. Updates generated scratch. Prepare to be surprised if not deceived by anything digital or analogue or intergalactic. Especially if authenticated, signed, sealed, shipped through thickets of traps and contaminants. You know that, though, and are just being humorously baiting and entrapping. Like Archive.org and Wikipedia and gosh the whole mess seething with malevolence.

I replied to John:

Subject: Re: Quick USB question
From: Michael Best
To: John Young

Don't mean to bait or entrap, but asking questions with too much context can be leading. I'm not worried about hidden payloads or anything, I want to make sure that it was (as far as you know) the vanilla version of the August 2015 archive and you hadn't purposefully included any extra information for me to peruse before I posted my findings publicly.

John did not respond.

Since John made a point out of the USBs being generated from scratch every time, I couldn't be sure how long the data had been available. After some digging, I found a copy of Cryptome's archive apparently uploaded by coderman[at]gmail.com AKA bandmon. You can find that torrent here <https://thepiratebay.mn/torrent/11113511/Cryptome_archive_2014-06-02>. I downloaded the torrent to a remote server, unzipped the files and confirmed there were log files there as well.

It was my strong preference **not** to post this, but since Cryptome has refused to validate the data, there is no other way to authenticate it than to release it to the public along with how to find that information in the Cryptome USBs/CDs and their various mirrors. It was not my intention to humiliate Cryptome or expose their users, only to demonstrate that the slide allegedly proving the GCHQ has spied on Cryptome.org could have come from anywhere. Despite being accurate, the information is not proof of surveillance or anything nefarious.
In short, the alleged GCHQ could have been produced by GCHQ as an internal mockup, or forged by anyone with access to an internet connection. In addition to the links below, you can also download a complete copy of the dataset from Cryptome <https://archive.org/details/cryptome-archive> as well as download a .zip of all of the leaked logs <http://that1archive.neocities.org/cryptome/cryptome-leaked-logs.zip> and peruse them in your own time.

Cryptome's leaked logs:

If the information is a mockup as Cryptome alleges, then it was created and distributed by them as part of an insane piece of disinformation designed to implicate users who are innocent of even visiting Cryptome.org.
Far more likely is that Cryptome has been unaware of these ongoing leaks, refused to discuss them with me and then attempted to deny their reality.
John's replies appear weird to me. Don't exclude the possibility the web server to be compromised (and likely all John's boxen, he had some troubles with PGP keys) and someone included the alleged logs on purpose. Recently read leaked presentation that TLAs use such operations.
Everything John says is weird, and he's shown a wilful disregard for even the most basic forms of visitor security all along, from initially refusing SSL onwards. This is *entirely* in character for the caricature-JY I know through this list.

On 8 October 2015 07:05:51 IST, Georgi Guninski <guninski@guninski.com> wrote:
John's replies appear weird to me.
Don't exclude the possibility the web server to be compromised (and likely all John's boxen, he had some troubles with PGP keys) and someone included the alleged logs on purpose.
Recently read leaked presentation that TLAs use such operations.
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
John's point about SSL (TLS) was with regards to the CA system I think (he would be able to confirm/deny this in a suitable piece of Haiku). The CA System requires you to trust some of the world's largest (and US based) corporations not to share Certificate private keys with TLA's or the highest bidders. How could it possibly go wrong :D

On 08/10/15 07:12, Cathal (Phone) wrote:
Everything John says is weird, and he's shown a wilful disregard for even the most basic forms of visitor security all along, from initially refusing SSL onwards. This is *entirely* in character for the caricature-JY I know through this list.
On 8 October 2015 07:05:51 IST, Georgi Guninski <guninski@guninski.com> wrote:
John's replies appear weird to me.
Don't exclude the possibility the web server to be compromised (and likely all John's boxen, he had some troubles with PGP keys) and someone included the alleged logs on purpose.
Recently read leaked presentation that TLAs use such operations.
Which remains bollocks because if he really gave a crap he could still offer a self-signed cert with fingerprints out of band and leave it to the visitor to either verify or accept the fearful security warnings. As is, we have KARMA POLICE using cryptome visitors as a correlative data source, which it seems SSL would have been a barrier to (because KP was based on unencrypted streams and cookie/real ID/IP correlation).

On 8 October 2015 07:37:11 IST, oshwm <oshwm@openmailbox.org> wrote:
John's point about SSL (TLS) was with regards to the CA system I think (he would be able to confirm/deny this in a suitable piece of Haiku).
The CA System requires you to trust some of the world's largest (and US based) corporations not to share Certificate private keys with TLA's or the highest bidders. How could it possibly go wrong :D
On 08/10/15 07:12, Cathal (Phone) wrote:
Everything John says is weird, and he's shown a wilful disregard for even the most basic forms of visitor security all along, from initially refusing SSL onwards. This is *entirely* in character for the caricature-JY I know through this list.
On 8 October 2015 07:05:51 IST, Georgi Guninski <guninski@guninski.com> wrote:
John's replies appear weird to me.
Don't exclude the possibility the web server to be compromised (and likely all John's boxen, he had some troubles with PGP keys) and someone included the alleged logs on purpose.
Recently read leaked presentation that TLAs use such operations.
On 10/7/15, Cathal (Phone) <cathalgarvey@cathalgarvey.me> wrote:
Everything John says is weird, and he's shown a wilful disregard for even the most basic forms of visitor security all along, from initially refusing SSL onwards. This is *entirely* in character for the caricature-JY I know through this list.
if this was slander and slight, i agree completely! if meant to excuse the untoward behavior of one JYA, i vehemently disavow it.
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
aha! PAPA SMURF strikes again. i thought this empty chime was un-characteristic of my good friend and long time pal "Cathal (Phone)"; my suspicions justified in the utmost! please bit bucket this thread in its entirety. there is no signal here! best regards,
At the previously mentioned Masked Halloween Ball, Cryptome may welcome a systems and methodology review by a qualified local admin. Or not. If you are such a person, ask Cryptome.
On 8 Oct 2015 07:15, "grarpamp" <grarpamp@gmail.com> wrote:
At the previously mentioned Masked Halloween Ball, Cryptome may welcome a systems and methodology review by a qualified local admin. Or not. If you are such a person, ask Cryptome.
I can't think of a more futile task. Watch out for JY's "outing" of any such person as a TLA stooge in the next few months.

Mark
On Thu, Oct 8, 2015 at 2:29 AM, Mark Steward <marksteward@gmail.com> wrote:
On 8 Oct 2015 07:15, "grarpamp" <grarpamp@gmail.com> wrote:
At the previously mentioned Masked Halloween Ball,
I can't think of a more futile task.
Ask Cryptome.
Watch out for JY's "outing" of any such person as a TLA stooge in the next few months.
It is of no consequence to a person who is masked, and complements the buggery by stooges story of Cryptome well. Don't trust, rubber up, or get hosed.
On 08/10/15 07:29, Mark Steward wrote:
On 8 Oct 2015 07:15, "grarpamp" <grarpamp@gmail.com> wrote:
At the previously mentioned Masked Halloween Ball, Cryptome may welcome a systems and methodology review by a qualified local admin. Or not. If you are such a person, ask Cryptome.
I can't think of a more futile task. Watch out for JY's "outing" of any such person as a TLA stooge in the next few months.
So, a helpful chap approaches JY, offers to assist with auditing systems and processes in private so no risk of embarrassment (if there is any). Does job, assists JY in fixing issues without publicising any details. JY announces an audit was done and some issues were resolved. Everyone goes back to BAU.

Now, as part of total disclosure, this misses a valuable part of the process which is to publicise the audit and detailed issues found and fixed but DOES have an overall positive effect without too much grumbling and moaning.

Of course, we could just slag JY off instead and expect a positive result?
Mark
We've encouraged Best to continue doing what he is doing after using Cryptome as a platform, counsel and source of information. He did set up a website, did mirror the Cryptome archives, did do further research and announce it widely and has picked a fight with several parties, complained of mistreatment, censorship, abuse, exposed collateral innocent (ha!) parties. We also told Best log files are the dirtiest secret of the Internet, none are secure, none private, none singular, admins and websites lie about using them, exploiting them, deleting them, needing them, stealing them, accusing about them, inflating them, rigging them. They pay for the Net, thus not ever going away or kept secure. So Best is going in the tried and true direction, many others have staggered. And if determined he will avoid depending on anybody for support. More power to the asshole, welcome to the world of disputatious assholes, cypherpunks, the Internet, the planet. Brave new growth to kill off the cowardly old. Praise and support controls, don't seek it or succumb to it. Enjoy fucking yourself, Best, to entertain audiences. Cheers and keep at it.
On Oct 8, 2015, at 6:23 AM, John Young <jya@pipeline.com> wrote:
We also told Best log files are the dirtiest secret of the Internet, none are secure, none private, none singular, admins and websites lie about using them, exploiting them, deleting them, needing them, stealing them, accusing about them, inflating them, rigging them. They pay for the Net, thus not ever going away or kept secure.
Information that is only valuable because of book-entry transaction settlement, by the way. Like, say, (for the current generation of ancom cypherpunks, who don’t know commerce from the dictatorship of the proletariat) checks, credit cards, and, yes, bitcoin. The blockchain is merely :-) a cryptographically secure inviolate public ledger, remember. It may be possible to hide transactions there, but I wouldn’t bet my life on it.

Because we *need* biometrically-provable is-a-physical-person and-then-you-go-to-jail-if-you-lie identity in order for transactions to even execute, much clear and settle, we’ve created an entire industry based on the leftover information exhaust, dovetailing nicely with our former practice of massive industrial production runs of exactly identical goods, and thus the transfer-pricing of ostensibly marketable (as in free exchange, not as in advertising) assets, now migrated to the internet with a vengeance, to be used as evidence against us in a court of law, Arlo.

Instantaneously-settled transactions, like, say, with blind signatures, which, not coincidentally, required no counterparty identity to function, only a linked list of expired certificates, only readable at the time of double spending, is why I joined the original cypherpunks list to begin with. In 1994. We’ve been at this a long time.

At the time, I had digital good that I could email to someone, like say, Oak Ridge Labs, but they could only send me a paper purchase order by return mail. Which I then had to reply to that purchase order, by mail, with a paper invoice, which they would then send me a paper check, also in the mail, which would then clear. Within five business days. Usually.

So now we’re learning, in increasingly intimate detail, something I first observed in public at the last Financial Cryptography Conference I went to, almost ten years ago: the closer you get to T-0 transaction settlement you get, the more dangerous identity-based finance becomes.

And that’s also why I still say that financial cryptography is the only cryptography that matters.

Cheers,
RAH
On 10/7/15, oshwm <oshwm@openmailbox.org> wrote:
... Now, as part of total disclosure, this misses a valuable part of the process which is to publicise the audit and detailed issues found and fixed but DOES have an overall positive effect without too much grumbling and moaning.
Of course, we could just slag JY off instead and expect a positive result?
one will sleuth a bit further to see managed security of the industry standard best practiced variety at play here. there is no Library inside SCIF!
On 10/7/15, Georgi Guninski <guninski@guninski.com> wrote:
John's replies appear weird to me.
i find that understanding of John's replies is best achieved through a structured series of mind altering substances ingested, inhaled, or transdermally diffused in linear symphony of chemical augmentation... note that understanding is separate from Cryptome patron risk, however. best regards,
On Thu, 8 Oct 2015 18:50:25 -0700 coderman <coderman@gmail.com> wrote:
On 10/7/15, Georgi Guninski <guninski@guninski.com> wrote:
John's replies appear weird to me.
i find that understanding of John's replies is best achieved through a structured series of mind altering substances ingested, inhaled, or transdermally diffused in linear symphony of chemical augmentation...
Despite the baroque style, JY's points are quite to the point. "Cybersecurity" is bullshit. The bad guys and the majority(all?) of 'good' guys are scammers. It's all a big charade. And so on and so forth.

https://www.youtube.com/watch?v=8r-e2NDSTuE
note that understanding is separate from Cryptome patron risk, however.
best regards,
Agreed but we do still have pirate bay and the drug pushing parasites are not omnipotent - do not be so willing to hand the power over in such a monolithic way
Icelandic servers have a base of security because of the structure of law and it is being pushed for more
And where are wikileaks servers i know there were issues in sweden but...?
There is a measure of protection in ecuador
Legal shit has ramifications

On Oct 9, 2015 6:19 AM, "Juan" <juan.g71@gmail.com> wrote:
On Thu, 8 Oct 2015 18:50:25 -0700 coderman <coderman@gmail.com> wrote:
On 10/7/15, Georgi Guninski <guninski@guninski.com> wrote:
John's replies appear weird to me.
i find that understanding of John's replies is best achieved through a structured series of mind altering substances ingested, inhaled, or transdermally diffused in linear symphony of chemical augmentation...
Despite the baroque style, JY's points are quite to the point.
"Cybersecurity" is bullshit. The bad guys and the majority(all?) of 'good' guys are scammers. It's all a big charade. And so on and so forth.
https://www.youtube.com/watch?v=8r-e2NDSTuE
note that understanding is separate from Cryptome patron risk, however.
best regards,
On 10/08/2015 11:57 PM, Cari Machet wrote:
but we do still have pirate bay
The 'new' Pirate Bay, sans a couple of its long time operators, is being 'protected' by CloudFlare

ioerror noted it: https://twitter.com/ioerror/status/561583278319501313

Some information about the changes, and changes yet to come from Deepcor. http://www.deepcor.com/technology/2015/1/31/the-pirate-bay-is-officially-bac...

Discussion @ Reddit. http://www.reddit.com/r/technology/comments/2uaxqz/after_being_down_for_51_d...
Does this make sense?: web.archive.org have incomplete(?) archive of cryptome.org. Their robots.txt allows certain UA. Spider it and compare with USB archive (not sure spidering is trivial because of JS). Compare with cmp(1) (or something equivalent) and in case of difference check as many hashes as possible.
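The comparison proposed above (hash every file in one copy of the archive and check it against another copy, or against a published SHA-256 digest list as offered elsewhere in this thread) can be scripted as follows. This is an added example, not code from any poster; the function names, directory names and file contents are constructed for illustration, and the digest list uses the plain `sha256sum` text layout.

```python
"""Compare two copies of an archive by SHA-256 manifest (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archive members do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file's POSIX-style relative path to its digest."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # never follow links out of the tree
            manifest[full.relative_to(root).as_posix()] = sha256_file(full)
    return manifest


def format_manifest(manifest):
    """Render as '<hex digest>  <path>' lines, the sha256sum text layout."""
    return "".join(f"{d}  {p}\n" for p, d in sorted(manifest.items()))


def parse_manifest(text):
    """Parse a published digest list; reject malformed lines outright."""
    manifest = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 64 or not set(digest) <= set("0123456789abcdef"):
            raise ValueError(f"line {lineno}: not a sha256sum entry")
        manifest[path] = digest
    return manifest


def compare_manifests(left, right):
    """Classify every path and spot identical content stored under another name."""
    shared = left.keys() & right.keys()
    only_left = sorted(left.keys() - right.keys())
    only_right = sorted(right.keys() - left.keys())
    left_by_digest = {}
    for path in only_left:
        left_by_digest.setdefault(left[path], []).append(path)
    renamed = sorted(
        (old, new) for new in only_right for old in left_by_digest.get(right[new], [])
    )
    return {
        "identical": sorted(p for p in shared if left[p] == right[p]),
        "differing": sorted(p for p in shared if left[p] != right[p]),
        "only_left": only_left,    # e.g. files present on one copy only
        "only_right": only_right,
        "renamed": renamed,
    }


def demo():
    """Constructed sample: two small trees standing in for two archive copies."""
    samples = {
        "usb": {
            "index.htm": b"<html>archive index</html>",
            "docs/a.pdf": b"same bytes, different folder",
            "docs/b.txt": b"edited on this copy",
            "logs/access-sample.txt": b"constructed log line\n",
        },
        "mirror": {
            "index.htm": b"<html>archive index</html>",
            "files/a.pdf": b"same bytes, different folder",
            "docs/b.txt": b"original text",
        },
    }
    with tempfile.TemporaryDirectory() as tmp:
        for copy_name, files in samples.items():
            for rel, data in files.items():
                target = Path(tmp, copy_name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        usb_manifest = build_manifest(Path(tmp, "usb"))
        # The mirror holder publishes only a digest list; no file contents change hands.
        published = format_manifest(build_manifest(Path(tmp, "mirror")))
        return compare_manifests(usb_manifest, parse_manifest(published))


if __name__ == "__main__":
    for category, entries in demo().items():
        print(category, entries)
```

Matching digests show only that two copies hold the same bytes; they say nothing about who produced a file or when it was added.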
The overall message I get from JYA's impressionistic essays on network security is that in his view there ain't no such animal. Add to this the well established security axiom across all contexts, "a trusted entity is one that can break your security model." In the present context, trusting Cryptome to protect your privacy is a sucker bet: Either you don't care, or your own OpSec is up to that task, or you are screwed. This context makes the issue at hand an object lesson in stating the obvious.

A rented, public facing, vendor configured and maintained web server instance appears to be 'leaking' its http logs to world + dog. That would mean data that is supposed to be available only to a few dozen intelligence services, tech support guise and marketing departments is world readable. A level playing field with equal access for all is worse than one where access is monopolized by a clusterfuck of privileged players why?

:o)
Steve Kinney wrote the only thing I've read so far worth a damn.

YOU are responsible for YOUR OWN opsec, and global distribution has the effect of precluding the kind of misuse feared... Unless of course you have something to hide. In which case do like Osama, who disappeared off SIGINT radar in 1998. Use paper, pencil, and trusted couriers.

They'll still get you if they want you bad enough. What was it some old Bolshevik or another said?

"Revolutionaries are dead men on furlough."

RR

On 10/08/2015 04:18 AM, Steve Kinney wrote:
The overall message I get from JYA's impressionistic essays on network security is that in his view there ain't no such animal. Add to this the well established security axiom across all contexts, "a trusted entity is one that can break your security model." In the present context, trusting Cryptome to protect your privacy is a sucker bet: Either you don't care, or your own OpSec is up to that task, or you are screwed. This context makes the issue at hand an object lesson in stating the obvious.
A rented, public facing, vendor configured and maintained web server instance appears to be 'leaking' its http logs to world + dog. That would mean data that is supposed to be available only to a few dozen intelligence services, tech support guise and marketing departments is world readable. A level playing field with equal access for all is worse than one where access is monopolized by a clusterfuck of privileged players why?
:o)
On Thursday, 8 October 2015 09:02:31 Razer wrote:
Steve Kinney wrote the only thing I've read so far worth a damn.
YOU are responsible for YOUR OWN opsec, and global distribution has the effect of precluding the kind of misuse feared... Unless of course you have something to hide. In which case do like Osama, who disappeared off SIGINT radar in 1998. Use paper, pencil, and trusted couriers.
They'll still get you if they want you bad enough.
Yeah, why wash hands and brush your teeth at all, why use seatbelts, you're gonna die some day. Might as well be sooner.

Why are we even discussing all this here, if we're all fucked and there are no ways to minimize harm?

--
Regards,
Michał "rysiek" Woźniak

Changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
Resend of something I posted @9:02 AM. I think riseup was having problems at the time. Sorry if this is a dupe

Steve Kinney wrote the only thing I've read so far worth a damn.

YOU are responsible for YOUR OWN opsec, and global distribution has the effect of precluding the kind of misuse feared... Unless of course you have something to hide. In which case do like Osama, who disappeared off SIGINT radar in 1998. Use paper, pencil, and trusted couriers.

They'll still get you if they want you bad enough. What was it some old Bolshevik or another said?

"Revolutionaries are dead men on furlough."

RR

On 10/08/2015 04:18 AM, Steve Kinney wrote:
The overall message I get from JYA's impressionistic essays on network security is that in his view there ain't no such animal. Add to this the well established security axiom across all contexts, "a trusted entity is one that can break your security model." In the present context, trusting Cryptome to protect your privacy is a sucker bet: Either you don't care, or your own OpSec is up to that task, or you are screwed. This context makes the issue at hand an object lesson in stating the obvious.
A rented, public facing, vendor configured and maintained web server instance appears to be 'leaking' its http logs to world + dog. That would mean data that is supposed to be available only to a few dozen intelligence services, tech support guise and marketing departments is world readable. A level playing field with equal access for all is worse than one where access is monopolized by a clusterfuck of privileged players why?
:o)
On Thu, Oct 8, 2015 at 7:18 AM, Steve Kinney <admin@pilobilus.net> wrote:
The overall message I get from JYA's impressionistic essays on network security is that in his view there ain't no such animal.
True. Most people can be secure against their boyfriend, employer, ISP, etc. But there's shit out there that most people haven't reckoned with yet... some "seriously serious shit" (and you can quote that), that is actually within the realm of possibility for the purveyors of said shit to be interested in, at least on a mining level, if not on a specifically "you" level. That is the message of JYA and others.
On Wed, 7 Oct 2015 17:26:51 -0400 Michael Best <themikebest@gmail.com> wrote:
In summary, I showed that the information on the slide could have been mocked up, despite matching the logs for Cryptome.org.
Supposing it was true that you proved that *maybe* the slide isn't authentic, what then? Are you trying to make a more general point? And that point is...?
Cryptome has denied the accuracy of my data, while oddly accusing me of stealing the data, and leaves me with no alternatives to posting the data online for others to review and verify.
The data came from Cryptome itself, on a pair of USBs they mailed to me <https://archive.org/details/cryptome-archive> https://archive.org/details/cryptome-archive. Within those USBs were server logs that include user IPs (spanning several months), .htaccess files, and a pwd file. After finding the data in the USB Cryptome had just sent me, I sent an email attempting to verify it hadn't been included as something extra that was not for public distribution:
On 10/7/15, Michael Best <themikebest@gmail.com> wrote:
Let me begin by saying that Cryptome initially denied the leak, then that the data was stolen, then that the whole thing was a fake "a lie by [a] spy-newbie."
the lie is assuming these requests over plain-text were ever private :P
Look at the data itself and examine the multiple sources, then decide for yourself.
i find that understanding data requires placing in the utmost context of additional data, thus leading to a cycle of expanding corpora. i understand if this discussion is a bit forward to have in public, like some of your referrers. why did you install that toolbar? for shame...
It's important to note that the logs were not just found in the USBs John Young/Cryptome sent to me, but in the ones sent to "bandmon", who unless I'm mistaken is coderman@gmail.com
i'm not sure who bandmon is, but they're not coderman@gmail.com. i would however be amenable to uploading a list of sha-256 digests to verify components of similarity between the torrent and origin.
https://thepiratebay.mn/torrent/11113511/Cryptome_archive_2014-06-02
It was my strong preference **not** to post this, but since Cryptome has refused to validate the data, there is no other way to authenticate it than to release it to the public along with how to find that information in the Cryptome USBs/CDs and their various mirrors.
actually one may cross reference with their own requests and circuits, for high confidence of legitimacy.
i find it apropos to now quote the original disclaimer in full: ''' This is a trap, witting and unwitting. Do not use it or use at own risk. Source and this host is out to pwon and phuck you in complicity with global Internet authorities. ... Signed Batshit Cryptome and Host, 9 July 2014, 12:16ET." - cypherpunks/2014-July/005020.html, and true for FY-2014, too. '''
best regards,
On 10/08/2015 07:42 PM, coderman wrote:
On 10/7/15, Michael Best <themikebest@gmail.com> wrote:
Let me begin by saying that Cryptome initially denied the leak, then that the data was stolen, then that the whole thing was a fake "a lie by [a] spy-newbie."
the lie is assuming these requests over plain-text were ever private :P
That is the key point! And anyway, all traffic to all websites is public.
Look at the data itself and examine the multiple sources, then decide for yourself.
i find that understanding data requires placing in the utmost context of additional data, thus leading to a cycle of expanding corpora.
i understand if this discussion is a bit forward to have in public, like some of your referrers. why did you install that toolbar? for shame...
It's important to note that the logs were not just found in the USBs John Young/Cryptome sent to me, but in the ones sent to "bandmon", who unless I'm mistaken is coderman@gmail.com
i'm not sure who bandmon is, but they're not coderman@gmail.com. i would however be amenable to uploading a list of sha-256 digests to verify components of similarity between the torrent and origin.
https://thepiratebay.mn/torrent/11113511/Cryptome_archive_2014-06-02
It was my strong preference **not** to post this, but since Cryptome has refused to validate the data, there is no other way to authenticate it than to release it to the public along with how to find that information in the Cryptome USBs/CDs and their various mirrors.
actually one may cross reference with their own requests and circuits, for high confidence of legitimacy.
i find it apropos to now quote the original disclaimer in full: ''' This is a trap, witting and unwitting. Do not use it or use at own risk. Source and this host is out to pwon and phuck you in complicity with global Internet authorities. ... Signed Batshit Cryptome and Host, 9 July 2014, 12:16ET." - cypherpunks/2014-July/005020.html, and true for FY-2014, too. '''
best regards,
On Thursday, 8 October 2015 20:45:50 Mirimir wrote:
On 10/08/2015 07:42 PM, coderman wrote:
On 10/7/15, Michael Best <themikebest@gmail.com> wrote:
Let me begin by saying that Cryptome initially denied the leak, then that the data was stolen, then that the whole thing was a fake "a lie by [a] spy-newbie."
the lie is assuming these requests over plain-text were ever private :P
That is the key point!
And anyway, all traffic to all websites is public.
Oh for fucks' sake. There are fuckers who do listen in and surveil, etc, but it is *not* okay to make their work easier. And it is *not* okay to make one's server logs broadly available in such a context. Why the fuck are people on this list slamming Snowden and freedom.press for using Cloudflare, and at the same time defending JYA for sending out server logs with dates and IP addresses? The hell is this bullshit?
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
On 09/10/15 10:52, rysiek wrote:
On Thursday, 8 October 2015 20:45:50 Mirimir wrote:
On 10/08/2015 07:42 PM, coderman wrote:
On 10/7/15, Michael Best <themikebest@gmail.com> wrote:
Let me begin by saying that Cryptome initially denied the leak, then that the data was stolen, then that the whole thing was a fake "a lie by [a] spy-newbie."
the lie is assuming these requests over plain-text were ever private :P
That is the key point!
And anyway, all traffic to all websites is public.
Oh for fucks' sake. There are fuckers who do listen in and surveil, etc, but it is *not* okay to make their work easier. And it is *not* okay to make one's server logs broadly available in such a context.
Why the fuck are people on this list slamming Snowden and freedom.press for using Cloudflare, and at the same time defending JYA for sending out server logs with dates and IP addresses?
I feel the need to respond here although previously having sat and watched as I was involved quite heavily in the CF/freedom.press discussion. So, here's my viewpoint:-
EVERYONE is responsible for their own OpSec and can trust NO website no matter who created/maintains it. You can't even trust the infrastructure that your data travels on - check out your cable/DSL router, the ISP has remote access to it and that's in your own property supposedly managed by you.
Having said that, it is the duty of EVERY honest website owner to reduce the amount of user data they hold and/or expose - to do any different is reckless, inconsiderate and possibly dangerous.
With respect to Cloudflare, there are a different set of problems:-
1) MiTM - they terminate your secure connections without letting you know BEFORE you connect or transfer confidential communications.
2) They sit in the path of so much internet traffic that just CF alone can be used to correlate various bits of data/metadata with regards to someone that they are a one corp logging system for TLA's etc.
This issue is far larger than the cryptome one although cryptome is going against what I wrote earlier about data reduction.
freedom.press, like MANY other organisations around the world are using Cloudflare's services in full knowledge that they MiTM and provide an irresistible data collection and collation point for the TLA's. And yet, still claim to be fighting for the good guys.
Snowden? He has his own agenda and is using the "leaks" (if they are real) to push that agenda - if you agree with what he wants "a conversation about mass surveillance" then cool, cheer him on (whether his data is crap or not), otherwise he can be ignored for the most part as your OpSec should assume EVERYTHING is compromised right down to discrete component level (think you can't fit an IC into the casing of a resistor or diode?).
As for Best, as previously said, I haven't time at the moment to review the data he has presented to know if he has an angle or if he's just a good guy. Position clarified enough?
The hell is this bullshit?
On Fri, Oct 9, 2015 at 9:59 AM, oshwm <oshwm@openmailbox.org> wrote:
Oh for fucks' sake. There are fuckers who do listen in and surveil, etc, but it is *not* okay to make their work easier. And it is *not* okay to make one's server logs broadly available in such a context.
True. Ahem especially AT&T, etc.
Why the fuck are people on this list slamming Snowden and freedom.press for using Cloudflare, and at the same time defending JYA for sending out server logs with dates and IP addresses?
Probably because acting independently is valued. Using cloudflare is expressly not being independent... it's mainstream and subject.
Cloudflare's services in full knowledge that they MiTM and provide an irresistible data collection and collation point for the TLA's.
Some say CF or its employees have done work for the Govt at some point in lifespan (sources needed).
Snowden? He has his own agenda and is using the "leaks" (if they are
"Own agenda" sure, and historical leak partnerships are interesting and evolving. However the Snowden era will likely be completely known and over by the end of 2017 as to any US political game.
as your OpSec should assume EVERYTHING is compromised right down to discrete component level (think you can't fit an IC into the casing of a resistor or diode?).
Said this all along, but no one is willing to do anything about it, not even shave off a tenth or more of the risk via openfabs because OMG cost. Shame, and on not seeing long term rewards of such investment.
On 10/09/2015 02:52 AM, rysiek wrote:
Why the fuck are people on this list slamming Snowden and freedom.press for using Cloudflare, and at the same time defending JYA for sending out server logs with dates and IP addresses?
Because Cloudflare won't show anyone (except the feds) what they're logging.
That SEEMS to give the feds a (snigger) monopolistic advantage.
CloudFlare, which boasts that 4% of all web requests flows through its network, in essence serves as gatekeeper to control the flow of visitors to given sites and to verify that those visitors have a legitimate purpose in visiting them. It has advanced detection features that complicate (or thwart entirely) attempts by automated robots to scrape data from and monitor these forums, including browser tests and so-called “captcha codes.”
In fact, two of ISIS’ top three online chat forums — including the notorious Alplatformmedia.com — are currently guarded by CloudFlare. Without such protection from CloudFlare, these sites would almost certainly succumb to the same relentless online attacks that have completely collapsed several major jihadi web forums over the past two years. In 2013, after CloudFlare was contacted by journalists over allegations that their service was providing protection to terrorist websites, the company’s CEO Matthew Prince published a full explanation of their policy in this regard.
According to Prince, it would not “be right for us to monitor the content that flows through our network and make determinations on what is and what is not politically appropriate. Frankly, that would be creepy... Removing this, or any other site, from our network wouldn't remove the content from the Internet: it would simply slow its performance and make it more vulnerable to attack.”
In his response, Prince also asserted:
“A website is speech. It is not a bomb. There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain... There are lots of things on the web I find personally distasteful. I have political beliefs, but I don't believe those beliefs should color what is and is not allowed to flow over the network. As we have blogged about before, we often find ourselves on opposite sides of political conflicts. Fundamentally, we are consistent in the fact that our political beliefs will not color who we allow to be fast and safe on the web.”
In June 2010, in the context of the case of Holder v. Humanitarian Law Project, the U.S. Supreme Court upheld a strict view of the “expert advice and assistance” clause of U.S. counter-terrorism laws, making even nonviolent advocacy potentially an illicit form of material support if it is carried out in conjunction with a proscribed terrorist organization. The case had specifically centered on a group of American civil rights activists who advertised their mission as helping such groups “find peaceful ways to achieve [their] goals.”
It is extremely difficult to reconcile the logical paradox that it is currently illegal to give pro-bono assistance to a terrorist group in order for them to adopt politics instead of violence, but it is perfectly legal for CloudFlare to commercially profit from a terrorist group by assisting them to communicate securely with recruits and to publicly disseminate recordings of mass murder. Indeed, CloudFlare CEO Matthew Prince has been adamant in his declarations that “CloudFlare abides by all applicable laws in the countries in which we operate and we firmly support the due process of law.” Prince continues to insist, “We have never received a request to terminate the site in question from any law enforcement authority, let alone a valid order from a court.”
In deference to CloudFlare, it is possible that the company has received a formal request from law enforcement to continue providing its services to such an illicit online forum. Yet, even as one who has repeatedly advocated leaving jihadi forums online in order to study those who use them, this possibility gives me pause for reflection. If so, there must be a careful assessment of the potential negative policy impacts of leaving ISIS recruitment platforms online and unmolested in light of the recognition that Western security services are abjectly failing to track, identify, and stop all of those who are using these sites.
Testimony of Evan F. Kohlmann with Laith Alkhouri and Alexandra Kassirer Before the House Committee on Foreign Affairs Subcommittee on Terrorism, Nonproliferation, and Trade "The Evolution of Terrorist Propaganda: The Paris Attack and Social Media" http://docs.house.gov/meetings/FA/FA18/20150127/102855/HHRG-114-FA18-Wstate-...
Because they're two different threats, one that's within the users' purview and the other is the service operator's.
1) Cloudflare is active MITM & payload delivery platform. Use a throw-away to browse, you can't be sure of the integrity. Oops.
2) I hope IA and other parties don't know I was drooling over TS dox. Use an anonymizing platform.
If you're relying on the operator to 'not keep logs' *you're doing it wrong*, not JY.
-Travis
On Fri, Oct 9, 2015 at 3:33 PM, Razer <Rayzer@riseup.net> wrote:
On 10/09/2015 02:52 AM, rysiek wrote:
Why the fuck are people on this list slamming Snowden and freedom.press for using Cloudflare, and at the same time defending JYA for sending out server logs with dates and IP addresses?
Because Cloudflare won't show anyone (except the feds) what they're logging.
That SEEMS to give the feds a (snigger) monopolistic advantage.
CloudFlare, which boasts that 4% of all web requests flows through its network, in essence serves as gatekeeper to control the flow of visitors to given sites and to verify that those visitors have a legitimate purpose in visiting them. It has advanced detection features that complicate (or thwart entirely) attempts by automated robots to scrape data from and monitor these forums, including browser tests and so-called “captcha codes.”
In fact, two of ISIS’ top three online chat forums — including the notorious Alplatformmedia.com — are currently guarded by CloudFlare. Without such protection from CloudFlare, these sites would almost certainly succumb to the same relentless online attacks that have completely collapsed several major jihadi web forums over the past two years. In 2013, after CloudFlare was contacted by journalists over allegations that their service was providing protection to terrorist websites, the company’s CEO Matthew Prince published a full explanation of their policy in this regard.
According to Prince, it would not “be right for us to monitor the content that flows through our network and make determinations on what is and what is not politically appropriate. Frankly, that would be creepy... Removing this, or any other site, from our network wouldn't remove the content from the Internet: it would simply slow its performance and make it more vulnerable to attack.”
In his response, Prince also asserted:
“A website is speech. It is not a bomb. There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain... There are lots of things on the web I find personally distasteful. I have political beliefs, but I don't believe those beliefs should color what is and is not allowed to flow over the network. As we have blogged about before, we often find ourselves on opposite sides of political conflicts. Fundamentally, we are consistent in the fact that our political beliefs will not color who we allow to be fast and safe on the web.”
In June 2010, in the context of the case of Holder v. Humanitarian Law Project, the U.S. Supreme Court upheld a strict view of the “expert advice and assistance” clause of U.S. counter-terrorism laws, making even nonviolent advocacy potentially an illicit form of material support if it is carried out in conjunction with a proscribed terrorist organization. The case had specifically centered on a group of American civil rights activists who advertised their mission as helping such groups “find peaceful ways to achieve [their] goals.”
It is extremely difficult to reconcile the logical paradox that it is currently illegal to give pro-bono assistance to a terrorist group in order for them to adopt politics instead of violence, but it is perfectly legal for CloudFlare to commercially profit from a terrorist group by assisting them to communicate securely with recruits and to publicly disseminate recordings of mass murder. Indeed, CloudFlare CEO Matthew Prince has been adamant in his declarations that “CloudFlare abides by all applicable laws in the countries in which we operate and we firmly support the due process of law.” Prince continues to insist, “We have never received a request to terminate the site in question from any law enforcement authority, let alone a valid order from a court.”
In deference to CloudFlare, it is possible that the company has received a formal request from law enforcement to continue providing its services to such an illicit online forum. Yet, even as one who has repeatedly advocated leaving jihadi forums online in order to study those who use them, this possibility gives me pause for reflection. If so, there must be a careful assessment of the potential negative policy impacts of leaving ISIS recruitment platforms online and unmolested in light of the recognition that Western security services are abjectly failing to track, identify, and stop all of those who are using these sites.
Testimony of Evan F. Kohlmann with Laith Alkhouri and Alexandra Kassirer
Before the House Committee on Foreign Affairs Subcommittee on Terrorism, Nonproliferation, and Trade
"The Evolution of Terrorist Propaganda: The Paris Attack and Social Media"
http://docs.house.gov/meetings/FA/FA18/20150127/102855/HHRG-114-FA18-Wstate-...
-- Twitter <https://twitter.com/tbiehn> | LinkedIn <http://www.linkedin.com/in/travisbiehn> | GitHub <http://github.com/tbiehn> | TravisBiehn.com <http://www.travisbiehn.com> | Google Plus <https://plus.google.com/+TravisBiehn>
On Friday, 9 October 2015 15:42:51 Travis Biehn wrote:
2) I hope IA and other parties don't know I was drooling over TS dox. Use an anonymizing platform. If you're relying on the operator to 'not keep logs' *you're doing it wrong*, not JY.
This is classic "blaming the victim" move. Should I take care of my own opsec? By all means. Is it okay to publish/sell logs by the service provider? No, no it isn't.
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
Hear, hear!
On 10 October 2015 12:13:06 IST, rysiek <rysiek@hackerspace.pl> wrote:
On Friday, 9 October 2015 15:42:51 Travis Biehn wrote:
2) I hope IA and other parties don't know I was drooling over TS dox. Use an anonymizing platform. If you're relying on the operator to 'not keep logs' *you're doing it wrong*, not JY.
This is classic "blaming the victim" move.
Should I take care of my own opsec? By all means. Is it okay to publish/sell logs by the service provider? No, no it isn't.
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
On Sat, Oct 10, 2015 at 01:13:06PM +0200, rysiek wrote:
On Friday, 9 October 2015 15:42:51 Travis Biehn wrote:
2) I hope IA and other parties don't know I was drooling over TS dox. Use an anonymizing platform. If you're relying on the operator to 'not keep logs' *you're doing it wrong*, not JY.
This is classic "blaming the victim" move.
And who is the victim?
Should I take care of my own opsec? By all means. Is it okay to publish/sell logs by the service provider? No, no it isn't.
Selling logs to the customers you logged and who (if they notice) likely will do the best to discredit you? https://en.wikipedia.org/w/index.php?title=Joint_Threat_Research_Intelligence_Group&oldid=670966374 Joint Threat Research Intelligence Group (JTRIG) --- In June 2015, NSA files published by Glenn Greenwald revealed new details about JTRIG's work at covertly manipulating online communities.[6] ---
Yes but fuck glenn greenwald ... its a snowden leak and it was just proof we already knew that shit
On Oct 10, 2015 3:30 PM, "Georgi Guninski" <guninski@guninski.com> wrote:
On Sat, Oct 10, 2015 at 01:13:06PM +0200, rysiek wrote:
On Friday, 9 October 2015 15:42:51 Travis Biehn wrote:
2) I hope IA and other parties don't know I was drooling over TS dox. Use an anonymizing platform. If you're relying on the operator to 'not keep logs' *you're doing it wrong*, not JY.
This is classic "blaming the victim" move.
And who is the victim?
Should I take care of my own opsec? By all means. Is it okay to publish/sell logs by the service provider? No, no it isn't.
Selling logs to the customers you logged and who (if they notice) likely will do the best to discredit you?
https://en.wikipedia.org/w/index.php?title=Joint_Threat_Research_Intelligence_Group&oldid=670966374
Joint Threat Research Intelligence Group (JTRIG)
--- In June 2015, NSA files published by Glenn Greenwald revealed new details about JTRIG's work at covertly manipulating online communities.[6] ---
On Saturday, 10 October 2015 15:27:45 Georgi Guninski wrote:
On Sat, Oct 10, 2015 at 01:13:06PM +0200, rysiek wrote:
On Friday, 9 October 2015 15:42:51 Travis Biehn wrote:
2) I hope IA and other parties don't know I was drooling over TS dox. Use an anonymizing platform. If you're relying on the operator to 'not keep logs' *you're doing it wrong*, not JY.
This is classic "blaming the victim" move.
And who is the victim?
All whose IP addresses and metadata (date, time, UA string, etc) got published within the logfiles.
Should I take care of my own opsec? By all means. Is it okay to publish/sell logs by the service provider? No, no it isn't.
Selling logs to the customers you logged and who (if they notice) likely will do the best to discredit you?
Selling logs with such data to anyone, really.
https://en.wikipedia.org/w/index.php?title=Joint_Threat_Research_Intelligence_Group&oldid=670966374
Joint Threat Research Intelligence Group (JTRIG)
--- In June 2015, NSA files published by Glenn Greenwald revealed new details about JTRIG's work at covertly manipulating online communities.[6] ---
Can you be more clear who you claim to be a JTRIGger here?
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
On Sat, Oct 10, 2015 at 10:45:21PM +0200, rysiek wrote:
On Saturday, 10 October 2015 15:27:45 Georgi Guninski wrote:
On Sat, Oct 10, 2015 at 01:13:06PM +0200, rysiek wrote:
On Friday, 9 October 2015 15:42:51 Travis Biehn wrote:
2) I hope IA and other parties don't know I was drooling over TS dox. Use an anonymizing platform. If you're relying on the operator to 'not keep logs' *you're doing it wrong*, not JY.
This is classic "blaming the victim" move.
And who is the victim?
All whose IP addresses and metadata (date, time, UA string, etc) got published within the logfiles.
Should I take care of my own opsec? By all means. Is it okay to publish/sell logs by the service provider? No, no it isn't.
Selling logs to the customers you logged and who (if they notice) likely will do the best to discredit you?
Selling logs with such data to anyone, really.
You know the majority of customers buying USBs almost surely regularly browsed cryptome? Selling THEIR logged info to them is definitely insane business plan. IMHO in this incident cryptome made several mistakes (possibly with a little help from their "friends"). If I were JYA I would apologize for the mistakes. Observe that running such site makes usa your adversary, so the task is highly non-trivial.
On 10/10/2015 04:13 AM, rysiek wrote:
On Friday, 9 October 2015 15:42:51 Travis Biehn wrote:
2) I hope IA and other parties don't know I was drooling over TS dox. Use an anonymizing platform. If you're relying on the operator to 'not keep logs' *you're doing it wrong*, not JY.
This is classic "blaming the victim" move.
No it isn't. It's called "Taking Responsibility instead of depending on others" ... It's SURVIVAL. Are you going to codepend on someone else for it?
Should I take care of my own opsec? By all means. Is it okay to publish/sell logs by the service provider? No, no it isn't.
On Saturday, 10 October 2015 09:30:12 Razer wrote:
On 10/10/2015 04:13 AM, rysiek wrote:
On Friday, 9 October 2015 15:42:51 Travis Biehn wrote:
2) I hope IA and other parties don't know I was drooling over TS dox. Use an anonymizing platform. If you're relying on the operator to 'not keep logs' *you're doing it wrong*, not JY.
This is classic "blaming the victim" move.
No it isn't. It's called "Taking Responsibility instead of depending on others"
... It's SURVIVAL. Are you going to codepend on someone else for it?
Please point out what exactly eludes your understanding in the following two lines (4 sentences). I know it's a bit much, but I will do my best to explain.
Should I take care of my own opsec? By all means. Is it okay to publish/sell logs by the service provider? No, no it isn't.
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
On 10/09/2015 03:52 AM, rysiek wrote:
On Thursday, 8 October 2015 20:45:50 Mirimir wrote:
On 10/08/2015 07:42 PM, coderman wrote:
On 10/7/15, Michael Best <themikebest@gmail.com> wrote:
Let me begin by saying that Cryptome initially denied the leak, then that the data was stolen, then that the whole thing was a fake "a lie by [a] spy-newbie."
the lie is assuming these requests over plain-text were ever private :P
That is the key point!
And anyway, all traffic to all websites is public.
Oh for fucks' sake. There are fuckers who do listen in and surveil, etc, but it is *not* okay to make their work easier. And it is *not* okay to make one's server logs broadly available in such a context.
Look, Cryptome did fuck up. First, by keeping logs for more than a day or so, whatever necessary for debugging and responding to attacks. Second, by sending them to a third party. And third, by being so obtuse with that third party that he felt compelled to publish them.
Why the fuck are people on this list slamming Snowden and freedom.press for using Cloudflare, and at the same time defending JYA for sending out server logs with dates and IP addresses?
You'll never catch me slamming Snowden or defending JYA ;) And I gotta say, Cloudflare starts looking good when your site is getting DOSed.
The hell is this bullshit?
Bullshit, mostly ;)
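One way an operator could apply the points raised in the thread (keep logs for about a day, and hold as little user data as possible), shown as an added example that is not part of the thread or any participant's code. It assumes Apache/nginx "combined" access logs; the function names, the /24 and /48 truncation, the hourly rounding and the sample lines are illustrative assumptions.

```python
"""Minimise web access logs before they are stored, archived or shared."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: host ident user [time] "request" status size
# "referer" "user-agent". Lines with escaped quotes do not match and are dropped.
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "[^"]*" "[^"]*")?$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def truncate_ip(host):
    """Zero the host part of an address: keep /24 for IPv4, /48 for IPv6."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "-"  # reverse-resolved hostname or junk: do not keep it
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def minimise_line(line, now, retention=timedelta(days=1)):
    """Return a reduced log line, or None if the entry must not be kept."""
    match = COMBINED.match(line.strip())
    if match is None:
        return None  # fail closed: unparseable data is dropped, not copied
    try:
        stamp = datetime.strptime(match["ts"], TS_FORMAT)
    except ValueError:
        return None
    if now - stamp > retention:
        return None  # older than the retention window
    coarse = stamp.replace(minute=0, second=0)  # hour resolution only
    parts = match["request"].split(" ")
    if len(parts) == 3:
        method, target, proto = parts
        # Query strings often carry search terms, tokens or tracking ids.
        request = f"{method} {target.split('?', 1)[0]} {proto}"
    else:
        request = "-"
    # ident, auth user, referer and user-agent are replaced by "-".
    return (f'{truncate_ip(match["host"])} - - [{coarse.strftime(TS_FORMAT)}] '
            f'"{request}" {match["status"]} {match["size"]} "-" "-"')


def minimise_log(lines, now, retention=timedelta(days=1)):
    """Apply minimise_line to every line and keep only the survivors."""
    reduced = (minimise_line(line, now, retention) for line in lines)
    return [line for line in reduced if line is not None]


# Constructed sample input (documentation address ranges, not real visitors).
SAMPLE = [
    '192.0.2.57 - - [08/Oct/2015:13:55:36 +0000] "GET /index.html?ref=abc '
    'HTTP/1.1" 200 5120 "http://example.org/search?q=x" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '2001:db8:1234:5678::9 - alice [08/Oct/2015:02:10:01 +0000] '
    '"GET /doc.pdf HTTP/1.1" 200 99 "-" "curl/7.40"',
    '198.51.100.7 - - [01/Oct/2015:09:00:00 +0000] "GET /old.htm HTTP/1.0" '
    '200 10 "-" "-"',
    'not a log line at all',
]
NOW = datetime(2015, 10, 8, 14, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for kept in minimise_log(SAMPLE, NOW):
        print(kept)
```

Running the reduction at write or rotation time, rather than just before an archive is built, means the full records never exist on disk to be copied by mistake.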
On 10/09/2015 05:58 PM, Mirimir wrote:
Cloudflare starts looking good when your site is getting DOSed
Tell me Cloudflare is the only op on the planet with dDos-defense technology and I'll kiss that pig.
On 10/10/2015 10:23 AM, Razer wrote:
On 10/09/2015 05:58 PM, Mirimir wrote:
Cloudflare starts looking good when your site is getting DOSed
Tell me Cloudflare is the only op on the planet with dDos-defense technology and I'll kiss that pig.
Tell me about one that works for onion services, and I'll be grateful.
On 10/10/2015 02:24 PM, Mirimir wrote:
On 10/10/2015 10:23 AM, Razer wrote:
On 10/09/2015 05:58 PM, Mirimir wrote:
Cloudflare starts looking good when your site is getting DOSed
Tell me Cloudflare is the only op on the planet with dDos-defense technology and I'll kiss that pig.
Tell me about one that works for onion services, and I'll be grateful.
I suspect one of Cloudflare's honeypot operation is logging tor exit nodes and users for the feds. Assuming that, if you WANT dDos prevention from cloudflare for .onion addresses, feel free to use them.
participants (16)
- Cari Machet
- Cathal (Phone)
- coderman
- Georgi Guninski
- grarpamp
- John Young
- Juan
- Mark Steward
- Michael Best
- Mirimir
- oshwm
- Razer
- Robert Hettinga
- rysiek
- Steve Kinney
- Travis Biehn