From jya at pipeline.com Sat Dec 1 05:06:51 2012
From: jya at pipeline.com (John Young)
Date: Sat, 01 Dec 2012 08:06:51 -0500
Subject: Julian Assange: Cryptographic Call to Arms
Message-ID:

Julian's 7-page introduction to "Cypherpunks: Future and Freedom of the Internet," titled "A Cryptographic Call to Arms."

http://cryptome.org/2012/12/assange-crypto-arms.htm

Our review of the book:

http://cryptome.org/2012/11/cypherpunks-ffi.htm

A pretty good book, well above the usual journalistic skim-coating of crypto influence on technology, politics, economics. Reminds that most publication on crypto is not by the actors but by wordsmith marketers of publicity and reputation. Some of that in the book, but offers exceptionally astute observations among the four panelists who don't always agree. A wee bit of humor, a bit more about Manning, a good bit of flattery of Julian, and zero about the Swedish cloud overhanging Julian in favor of obsession with US threats.

Jeremie Zimmermann is quite thoughtful and eloquent. Pay attention to his comments.

Jacob Appelbaum calls the three youngsters "third-generation cypherpunks." And pukes over the Navy cheerleading hacker trainees with patriotic bombast.

Andy Müller-Maguhn notes the diversity in those opposing authority by contrasting Italian hackers' love of food with the German hackers' love of structure.

Julian's cloaking the book in Cypherpunks couture is worth pondering.


From Shawn at chaletgruyere.com Sat Dec 1 01:28:29 2012
From: Shawn at chaletgruyere.com (Daniel Jones)
Date: Sat, 01 Dec 2012 10:28:29 +0100
Subject: Daniel Jones sent you a message
Message-ID: <1399399F.8E1E4C5E@chaletgruyere.com>

A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 4633 bytes
Desc: not available
URL:


From eugen at leitl.org Sat Dec 1 03:27:46 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 1 Dec 2012 12:27:46 +0100
Subject: Feds Monitor Facebook "Likes," Infiltrate Skype Chats To Build Terrorism Case
Message-ID: <20121201112746.GR9750@leitl.org>

http://www.slate.com/blogs/future_tense/2012/11/29/facebook_likes_skype_used_to_build_fbi_case_against_california_terrorism.html

Feds Monitor Facebook "Likes," Infiltrate Skype Chats To Build Terrorism Case

By Ryan Gallagher
Posted Thursday, Nov. 29, 2012, at 4:33 PM ET

[Photo caption: A "like" sign at the entrance of Facebook headquarters in Menlo Park, Calif. Photo by Stephen Lam/Getty Images]

Be careful what you "like" on Facebook, because the feds may be watching.

Earlier this month, the FBI's Los Angeles field office revealed it had charged four men over alleged involvement in an al-Qaeda inspired terror cell based in and around California. Since 2010, the men had, according to the feds, been plotting ways to help provide "material support" to terrorists in order to kill American targets in Afghanistan. The FBI's complaint against the group was under seal until it was released a few days ago, and it has since attracted attention from activists because of some of the shadowy law enforcement techniques it reveals.

The document shows that aside from using the traditional method of paying a "confidential source," the FBI was also trying to infiltrate the group electronically. Using an "online covert employee," the feds posed as terrorism sympathisers in order to gauge the potential threat posed by certain individuals. In one case, they say they got a 21-year-old Mexico-born man to admit he was keen to pursue jihad in order to "stop the oppressors." Other sections of the complaint detail how the FBI was somehow able to obtain audio and video recordings of Skype conversations in which their confidential informant participated.

Given that it remains unclear whether it is technically possible to wiretap Skype due to its encryption, it's possible that the FBI had installed some sort of spyware directly onto the terrorists' computer in order to bypass any eavesdropping barriers.

But perhaps most interesting is how the feds monitored social networks. One part of the complaint, headed "DEFENDANTS' SOCIAL MEDIA," lists Islamist content the men had "liked", "shared", commented on or posted on their Facebook pages. The FBI details how Sohiel Omar Kabir, a U.S. citizen who appears to be the alleged ringleader of the group, posted "photographs of himself, non-extremist content, radical Islamist content, and items reflecting a mistrust of mainstream media, abuses by the government, conspiracy theories, abuses by law enforcement, and the war in Afghanistan." It adds, in reference to two of the other suspects, "Kabir has 'shared' several postings with Santana and/or Deleon, both of whom have 'liked' or commented on several other postings by Kabir."

This illustrates how important social media behavior is becoming for law enforcement agencies as they try to build cases against individuals. But it will also raise concerns about how social network monitoring could have a chilling effect on free speech, especially if "liking" or sharing any controversial content on Facebook becomes viewed by authorities as inherently suspicious or criminal.

Other countries have already had to face up to controversy over how their law enforcement agencies monitor and penalize social network users. Earlier this month, for instance, two women were arrested in India: one for posting an "offensive" comment on Facebook about a recently deceased political leader, the other for "liking" it. The women have since been released on bail and, the New York Times reports, a police investigation into why they were arrested in the first place has been ordered.

From eugen at leitl.org Sat Dec 1 04:11:15 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 1 Dec 2012 13:11:15 +0100
Subject: Julian Assange now an official enemy of the US
In-Reply-To:
References:
Message-ID: <20121201121115.GV9750@leitl.org>

On Fri, Nov 30, 2012 at 06:34:06PM -0500, Tyler Durden wrote:

> Anyone notice that Julian has published a book entitled "Cypherpunks"?

Yes.

> We'll probably be getting a steady stream of hot, young tail soon. Where's Tim
> May at to send 'em reeling?

Is he still posting on Usenet? I haven't looked in ages.

> Julian Assange = King of the Cypherpunks. It's official, because the King of
> the Anarchy said so. Anyone who can piss off the US Feds that much deserves all
> praise.

I think he's done good. The next generation of whistleblowers will be using a decentralized cryptographic filesystem. It's like trying to take down BitCoin vs. eGold.

Now if only journalists weren't that technology challenged. But they'll learn, when their more savvy colleagues keep snatching up the big fat stories from under their noses.

Wonder when the first joker will actually implement AP a la Silkroad. Hope not too soon, the authorities are already breathing down our general necks for no damn reason.


From eugen at leitl.org Sat Dec 1 04:20:47 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 1 Dec 2012 13:20:47 +0100
Subject: Some notes toward a fully distributed, serverless socnet/communications network using CouchDB.
Message-ID: <20121201122047.GX9750@leitl.org>

----- Forwarded message from Bryce Lynch -----


From eugen at leitl.org Sat Dec 1 04:29:35 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 1 Dec 2012 13:29:35 +0100
Subject: darknet into Syria
Message-ID: <20121201122935.GA9750@leitl.org>

I've been thinking what a bunch of (camouflaged) Ubiquiti point to point links to Syria, running a darknet that obscures the gateways behind a few hops would do.

Solar-powered, and installed so that there is no lead to a particular warm body. Rest goes over dynamical Serval-on-smartphone things, so that you can link up to meshed relays up there on house roofs.

It seems that locating end users would be tricky, and taking the thing down or jamming it expensive. Thoughts?


From eugen at leitl.org Sat Dec 1 04:53:20 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 1 Dec 2012 13:53:20 +0100
Subject: [tor-talk] William was raided for running a Tor exit node. Please help if you can.
Message-ID: <20121201125320.GI9750@leitl.org>

----- Forwarded message from Joe Btfsplk -----


From europus at gmail.com Sat Dec 1 12:05:00 2012
From: europus at gmail.com (Ulex Europae)
Date: Sat, 01 Dec 2012 15:05:00 -0500
Subject: darknet into Syria
In-Reply-To: <20121201122935.GA9750@leitl.org>
References: <20121201122935.GA9750@leitl.org>
Message-ID: <50ba62eb.2449420a.6155.ffff944e@mx.google.com>

At 07:29 AM 12/1/2012, Eugen Leitl wrote:

> I've been thinking what a bunch of (camouflaged) Ubiquiti point to point
> links to Syria, running a darknet that obscures the gateways behind a
> few hops would do.
>
> Solar-powered, and installed so that there is no lead to a particular
> warm body. Rest goes over dynamical Serval-on-smartphone things, so
> that you can link up to meshed relays up there on house roofs.
>
> It seems that locating end users would be tricky, and taking the thing
> down or jamming it expensive. Thoughts?

My first thought is, directional antennas attached to receivers operated by jackbooted thugs. Just like how the [Nazis|Soviets|FCC|insert proper noun] does or did it to locate the broadcast point of radio transmissions they didn't like.
-ue


From kheops at ceops.eu Sat Dec 1 15:30:47 2012
From: kheops at ceops.eu (KheOps)
Date: Sun, 02 Dec 2012 00:30:47 +0100
Subject: [liberationtech] Censorship hardware - BLUECOAT IN SYIA
Message-ID:

Hi everyone,

On 01/12/2012 20:36, Bernard Tyers wrote:

> About the photo: is there any idea where that photo was taken, and what
> date? Is it possible to get photos of the back of the rack?

A similar picture was seen quite a while ago, on what was said to be the official Tarassul (main ISP in Syria, strongly linked to STE) Facebook page. Here it is:

https://resources.telecomix.ceops.eu/material/bluecoat-Syria/tarassul-datacenter.jpg

Clearly shows a number of BlueCoat appliances too, in a technical center containing servers etc. The BlueCoats are known to be technically on the Tarassul network, even though they are used for more than just this ISP.

Cheers,
KheOps

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE


From drwho at virtadpt.net Sat Dec 1 21:54:12 2012
From: drwho at virtadpt.net (The Doctor)
Date: Sun, 02 Dec 2012 00:54:12 -0500
Subject: Some notes toward a fully distributed, serverless socnet/communications network using CouchDB.
In-Reply-To:
References: <20121201122047.GX9750@leitl.org>
Message-ID: <50BAED04.5010007@virtadpt.net>

On 12/01/2012 09:43 PM, Karel Bílek wrote:

> maybe it's off topic, but did any of you try RetroShare?

A few times. It doesn't play well with multiple layers of NAT, and it doesn't seem to be compatible with some of the experiments we want to run in the near future.

Plus, it's drawing a certain amount of heat in Germany, which implies that other countries will be paying closer attention to it. Trying to explain that we're using RetroShare for its distributed forum capability rather than piracy is probably not going to be believed.

> I like how all data jumps only between trusted friends, so you
> can't really share your IP with authorities.

As I understand it, RetroShare uses your current public IP to contact other current public IPs. It uses PGP public keys for authentication and encryption, and tying those to IP addresses that ISPs can use to ID people may not be something some of us are interested in doing. I'd rather consider the folks who are not okay with this preferentially because the reverse can alienate people (I've lost a few good friends that way, and learned that lesson the hard way).

> Yeah, it has a negative side: you need to have trusted friends who
> use it (of which I have zero sadly) and those must also be "well
> connected". And if you add someone evil as a friend, he can watch
> you.

Those are things I'd taken into account.

> but I really like the idea.

Thank you. I hope it's feasible; I plan on starting experimentation in the reasonably near future (December of 2012).

--
The Doctor [412/724/301/703] [ZS (MED)]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

On the Internet, nobody knows you're an AGI.
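The Network25 notes quoted later in this thread propose trusting a profile only when its .onion address matches its public key ("if the public key (.onion) and private key don't match, then the service isn't trusted"), and the reply above turns on tying keys to reachable identities. As an added example (not code from the thread, Network25, TorChat or Tor), the Python below derives the 2012-era v2 hidden service address from a DER-encoded RSA public key and checks a profile document's _toraddress against its _publickey; the profile layout, storing the key as base64 DER, and the sample modulus are assumptions.

```python
"""Check that a Network25-style profile's _toraddress matches its _publickey.

Tor v2 hidden service addresses (the .onion form current in 2012) are derived
from the service's RSA public key: SHA-1 over the DER-encoded PKCS#1
RSAPublicKey, first 80 bits, base32, lower-cased.  Assumption: the profile
document stores the public key as base64 of that DER structure.
"""
import base64
import hashlib
import json
import re

ONION_RE = re.compile(r"^[a-z2-7]{16}\.onion$")


def _der_length(n: int) -> bytes:
    # DER length octets: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    # DER INTEGER: minimal big-endian bytes, leading 0x00 if the top bit is set.
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_rsa_public_key(n: int, e: int) -> bytes:
    # PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    inner = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(inner)) + inner


def onion_from_der(der: bytes) -> str:
    # v2 onion address: base32 of the first 10 bytes (80 bits) of SHA-1(DER).
    digest = hashlib.sha1(der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def build_profile(name: str, der: bytes) -> dict:
    # Profile document in the shape sketched in the thread (assumed layout).
    return {
        "_id": name,
        "_publickey": base64.b64encode(der).decode("ascii"),
        "_toraddress": onion_from_der(der),
    }


def check_profile(profile: dict) -> tuple:
    """Return (ok, reason).  Only a profile whose address is derived from its
    own public key should be accepted for replication; anything else is a
    claimed address that the key does not vouch for."""
    key_b64 = profile.get("_publickey")
    claimed = profile.get("_toraddress")
    if not key_b64 or not claimed:
        return False, "profile lacks _publickey or _toraddress"
    claimed = claimed.strip().lower()
    if not ONION_RE.match(claimed):
        return False, "malformed .onion address"
    try:
        der = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False, "public key is not valid base64"
    if der[:1] != b"\x30":
        return False, "public key is not a DER SEQUENCE"
    expected = onion_from_der(der)
    if expected != claimed:
        return False, "address %s does not match key-derived %s" % (claimed, expected)
    return True, "ok"


# Constructed sample values, not a real key pair: any integer encodes as DER the
# same way, and only the hash of the DER matters for the derived address.
SAMPLE_N = int("C0FFEE" * 42, 16) | 1
SAMPLE_E = 65537
SAMPLE_DER = der_rsa_public_key(SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    good = build_profile("Bryce A. Lynch", SAMPLE_DER)
    print(json.dumps(good, indent=2))
    print(check_profile(good))
    # The alias from the notes is not derived from this key, so it is rejected.
    spoofed = dict(good, _toraddress="qwertyuiopasdfgh.onion")
    print(check_profile(spoofed))
```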
From kb at karelbilek.com Sat Dec 1 18:43:19 2012
From: kb at karelbilek.com (Karel Bílek)
Date: Sun, 2 Dec 2012 03:43:19 +0100
Subject: Some notes toward a fully distributed, serverless socnet/communications network using CouchDB.
In-Reply-To: <20121201122047.GX9750@leitl.org>
References: <20121201122047.GX9750@leitl.org>
Message-ID:

maybe it's off topic, but did any of you try RetroShare?

I like how all data jumps only between trusted friends, so you can't really share your IP with authorities.

Yeah, it has a negative side: you need to have trusted friends who use it (of which I have zero sadly) and those must also be "well connected". And if you add someone evil as a friend, he can watch you.

but I really like the idea.

On 12/1/12, Eugen Leitl wrote:
> ----- Forwarded message from Bryce Lynch -----
>
> From: Bryce Lynch
> Date: Fri, 30 Nov 2012 18:58:53 -0500
> To: doctrinezero at googlegroups.com, zs-p2p at googlegroups.com
> Subject: Re: Some notes toward a fully distributed, serverless
> socnet/communications network using CouchDB.
> Reply-To: zs-p2p at googlegroups.com
>
> More notes. I do my best thinking when I'm stuck in traffic, it seems.
> Again, this will need discussion, and at this point with people who've
> built CouchApps and can actually speak to how they do or do not work, and
> under what circumstances. I'm also probably missing some important stuff.
>
> -----
>
> problem: addressing
>
> practically everybody is behind at least one NATting firewall these days
>
> IP addresses are dynamic, so you can't count on a buddy being reachable at
> the same IP for very long
>
> having the Network25 app post its current IP address somewhere (a field on
> a blog, to a mailing list, Tweet) or get a dynamic DNS hostname every time
> isn't really workable. in fact, it outs the user in obvious ways, and not
> everyone is okay with that
>
> another problem: Port forwarding. there are some solutions to this, but
> not all of them work well, work at all, or are suitable. multiple layers
> of NAT make this solution suck.
>
> solution used by TorChat, which would probably work for us: Tor hidden
> service addresses
>
> TorChat creates a unique hidden service address for you when you set it
> up. when you add people to your buddy list, it stores .onion
> in the list, and it's up to you to set an alias ("qwertyuiopasdfgh.onion"
> == "Bryce A. Lynch") on it
>
> Network25 should be able to do the same thing
>
> the Zero State is talking about using Tor for general communications in the
> future, anyway, this would be a perfect time to start
>
> When the Network25 socnet software starts up, it looks to see if Tor is
> running, if it has any hidden services configured, and if any of those
> services correspond to a unique port that Network25 uses
>
> shell/batch scripts FTW
>
> if not found, it tells the Tor daemon to create a hidden service
> descriptor, copies the public key/.onion hostname into the user's Network25
> profile, and announces it to that person's friends so they know where to
> find zir and can start synching databases
>
> the name of the hidden service is then added to a field in your profile
> document, so when people friend you on the network they know how to reach
> you:
>
> public profile document (gets replicated)
> {
>   _id: "Bryce A. Lynch",
>   _interests: ["long walks on the beach", "moonlit nights", "massively
>     distributed systems", "tor", "writing stuff about CouchApps in Tomboy"],
>   _friends: ["friend", "friend", ...],
>   _publickey: "",
>   _toraddress: "qwertyuiopasdfgh.onion",
>   ...
> }
>
> this means that CouchDB (configured to use Tor rather than IP address/ports
> combos) knows how to reach your copy of the socnet software and sync its
> copies of users' databases (profile, timeline, forums/communities/mailing
> lists/distribution lists/news feeds)
>
> this also helps authenticate users, in the same way that hidden services
> are authenticated (there is a corresponding private key which is never
> shared by Tor). if the public key (.onion) and private key (on your box)
> don't match, then the service isn't trusted
>
> because database creation in CouchDB is cheap, there is no reason why there
> can't be multiple databases in every user's profile
> - user profile
> - shared public forum (analogous to the Doctrine Zero mailing list)
> - specific forums (public or not) (analogous to zs-p2p, zs-arg mailing
>   lists)
> - personal blog
> - blogs specific to the projects the user is working on (which themselves
>   can have multiple people posting to them, because they're distributed)
> - private blogs/chat forums for specific people
> - blog/news feed/private messages from everyone the user has friended in
>   Network25
>   - database: amon_zero_public_feed
>   - database: amon_zero_private_messages
>   - database: amon_zero_philosophical_pontification
>   - database: bryce_a_lynch_public_feed
>   - database: bryce_a_lynch_project_byzantium
>   - database: bryce_a_lynch_3d_printing
>   - database: bryce_a_lynch_private_messages
>   - database: zs_med_discussion
>   - database: zs_arg_plot
>
> restricted databases are only replicated by members that are part of that
> project or group
>
> a list of authorized users and their corresponding public keys are part of
> the database for every forum
>
> a majority of people in a private forum have to vote to include that
> person?
>
> all messages are encrypted to the public keys of everyone authorized to
> participate in that forum/replicate that database
>
> private databases are only replicated by people they're shared with, i.e.,
> a personal chat feed for one other person is only in two places in the
> Network25 socnet, your machine and theirs
>
> consider making private databases purgeable, i.e., either or both people
> can have their copy of the socnet software dump the database so that there
> is no record of the discussion on either side
>
> this is where PKE or OTR would come into play - even if the database were
> recovered somehow, it should be difficult for the attacker to figure out
> what the cyphertext is
>
> I don't know how easy, or how safe implementing crypto at the level of a
> CouchApp is.
>
> all of us are going to have running copies of the Tor Browser Bundle, and
> all of us are going to have copies of the CouchDB stack and Network25 app,
> so it would be possible to use a crypto.cat-like plugin for the TBB which
> implements the encryption/decryption/acquisition of a buddy's public
> key/addition of key to the user's profile database
>
> how much disk space will this take up? I don't know yet.
>
> will CouchDB contact other nodes over Tor? I don't know yet. have to test
> it out.
>
> encryption/decryption of data before it enters/leaves the CouchApp? good
> question. I don't have enough experience yet with CouchApps to say, but
> would love to talk to someone who does
>
> --
> The Doctor [412/724/301/703] [ZS (MED)]
> https://drwho.virtadpt.net/
> "I am everywhere."
>
> --
> You received this message because you are subscribed to the Google Groups
> "ZS-P2P" group.
> To post to this group, send email to zs-p2p at googlegroups.com.
> To unsubscribe from this group, send email to
> zs-p2p+unsubscribe at googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
> ----- End forwarded message -----
> --
> Eugen* Leitl leitl http://leitl.org
> ______________________________________________________________
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE


From eugen at leitl.org Sun Dec 2 02:09:36 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 2 Dec 2012 11:09:36 +0100
Subject: [liberationtech] Censorship hardware - BLUECOAT IN SYIA
Message-ID: <20121202100936.GL9750@leitl.org>

----- Forwarded message from KheOps -----


From gfoster at entersection.org Sun Dec 2 11:46:12 2012
From: gfoster at entersection.org (Gregory Foster)
Date: Sun, 02 Dec 2012 13:46:12 -0600
Subject: [drone-list] "The DIY Kid-tracking drone"
Message-ID:

IEEE Spectrum (Dec 1) - "The DIY Kid-tracking drone" by Paul Wallich:
http://spectrum.ieee.org/geek-life/hands-on/the-diy-kidtracking-drone

A good technical summary of contemporary off-the-shelf quadcopter construction. And a not-so-subtle commentary on the degree to which convenience can trump privacy.

gf

--
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

_______________________________________________
drone-list mailing list
drone-list at lists.stanford.edu
Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/drone-list
----- End forwarded message -----

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE


From james at jamesvasile.com Sun Dec 2 11:45:23 2012
From: james at jamesvasile.com (James Vasile)
Date: Sun, 02 Dec 2012 14:45:23 -0500
Subject: [liberationtech] CryptoParty in Tunis tomorrow (Saturday, 1st December)
Message-ID:

Hey all,

Some of you know me. For those of you who don't, I'm James Vasile, and at OpenITP the buck stops with me. So whatever your complaints about our work in Tunis, I'm the right person to yell at.

First of all, everybody on the OpenITP team agreed that the real names policy was terrible. The policy was layered on by USAID as a condition of InformSec bringing in a group of Syrian activists who had specific security concerns (and they'd had a recent security breach that was causing people to freak out a little). From the beginning, we regretted it and have been saying internally that we wouldn't ever put ourselves in a position to have to request real names again.

Our intent was not to bar pseudonymous people. We had several pseudonymous participants, albeit all people several members of my team had experience with. Rather, we were trying to get a handle on who was there and how much separation we were going to have to build in for our Syrian contingent if their comfort demanded it. In the end, we limited the real names policy as much as we could and then decided we didn't want to choose between the CryptoParty and Syrian guests. In retrospect, we should have just made the hard choice then and not tried to combine a CryptoParty with people who had elevated security concerns.

So, yeah, the policy was a mistake. I thought it was a crappy tradeoff but that the value of getting all those people in a room would make it worthwhile. I figured some people would avoid the event because of it, but my hope was that enough people would want to have the conversation that the compromise would end up being a footnote. Instead, people (most especially the local Tunisian community we had been really excited to meet) took exception to the policy and we had zero outside participation in the CryptoParty. That really made me unhappy, and it underscored how big a mistake the policy had been.

Just to be clear: We checked no IDs. We gave no list of names of CryptoParty attendees to USAID. We had several people participating under pseudonyms, and we reached a comfort level that allowed everybody to mix freely by the end of the event.

So that's what happened. I'm really sorry we made the wrong policy choice. And I'm really sorry we did a shit job at explaining it. I'll try hard not to let it happen again.

OpenITP will be hosting a meetup in NY on December 17. If anybody wants to come by and talk about it, I'm game. No real names required.

Peace,
James

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE


From rubiojr at frameos.org Sun Dec 2 09:03:10 2012
From: rubiojr at frameos.org (Sergio Rubio)
Date: Sun, 2 Dec 2012 18:03:10 +0100
Subject: [tahoe-dev] Tahoe-LAFS Desktop Indicator
Message-ID:

> Sergio,
>
> This indicator looks pretty neat. Thanks for sharing this on tahoe-dev!

It is my pleasure to post here. Tahoe-LAFS is a truly unique piece of free software, cryptography for the masses. I should be the one to thank you guys for that.

> The demo video shows you using a
> commandline tool called filefm, which I have not heard of before as well.
>
> A quick search on the tahoe trac did not yield any results about that
> either. Would you mind explaining this tool, its advantages over
> standard tahoe cli and your setup as well?

Yeah, it's still under heavy development and unreleased (the Tahoe bits). It's pretty much like 'tahoe cp' I guess, you can upload and download files and directories (recursively). The main difference is that it's both a CLI command and a library, and also supports OpenStack Swift and Rackspace Cloudfiles using a uniform API, with AWS S3 support coming soon.

I'm a Swift cluster maintainer myself (day job) and I used to run a Swift cluster for myself too, now being replaced with Tahoe, since I like to host my servers with different providers world wide and I love my data to be encrypted there.

Currently I'm running a small Tahoe cluster with 5 storage nodes (2 @home, 3 elsewhere, ~1TB of storage) with a public SFTP gateway and a private HTTP one (in my laptop). The ease of setup and maintenance (compared to Swift) and the built-in encryption just blows my mind away. As I said before, a truly unique piece of software.

I'm currently interested in making Tahoe-LAFS easier to use for some folks who don't like CLI that much but still wanna join my network and share stuff, so I created the AppIndicator. Currently pretty dumb, but I plan to add some more features to it, so they can setup the whole thing without having to resort to the CLI (local gateway setup via wizard, easy creation and upload of files/folders, preferences GUI to customize tahoe.cfg, etc). I've got plans to create a roadmap for it and share it here, if that's of interest to you guys.

Thanks for the kind words.

> Thanks!
> Frederik

_______________________________________________
tahoe-dev mailing list
tahoe-dev at tahoe-lafs.org
https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev

----- End forwarded message -----

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE


From eugen at leitl.org Sun Dec 2 09:15:17 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 2 Dec 2012 18:15:17 +0100
Subject: [tahoe-dev] Tahoe-LAFS Desktop Indicator
Message-ID: <20121202171517.GP9750@leitl.org>

----- Forwarded message from Sergio Rubio -----


From eugen at leitl.org Sun Dec 2 11:53:11 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 2 Dec 2012 20:53:11 +0100
Subject: [liberationtech] CryptoParty in Tunis tomorrow (Saturday, 1st December)
Message-ID: <20121202195311.GQ9750@leitl.org>

----- Forwarded message from James Vasile -----


From eugen at leitl.org Sun Dec 2 11:53:22 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 2 Dec 2012 20:53:22 +0100
Subject: [drone-list] "The DIY Kid-tracking drone"
Message-ID: <20121202195322.GR9750@leitl.org>

----- Forwarded message from Gregory Foster -----


From StealthMonger at nym.mixmin.net Sun Dec 2 15:11:16 2012
From: StealthMonger at nym.mixmin.net (StealthMonger)
Date: Sun, 2 Dec 2012 23:11:16 +0000 (GMT)
Subject: Fwd: [IP] Darn thing works -- Application that provides [Open]PGP for Webmail
References: <50b7f58e.420c3c0a.6b6e.ffff8114@mx.google.com>
Message-ID: <20121202231116.CC2B5EAAEB@snorky.mixmin.net>

Ulex Europae writes:

>> From: David Farber
>> Subject: [IP] Darn thing works -- Application that provides [Open]PGP for
>> Webmail
>> Date: Thu, 29 Nov 2012 11:50:38 -0500
>> To: "ip"
>> Begin forwarded message:
>> http://www.mailvelope.com/

> for dissection and commentary.
Off the cuff, I do not see where the > security comes from if the webmail server is compromised in the > first damn place. Assuming the correspondents exchange keys out of band, this looks like true end-to-end encryption, the keys residing on the users' respective machines. If so, server compromise can cause loss of service but no confidentiality or authentication breach. Please correct me if I'm wrong. Otherwise, this looks like an important new option for those who love their webmail, especially after the Firefox version becomes available. - -- -- StealthMonger Long, random latency is part of the price of Internet anonymity. anonget: Is this anonymous browsing, or what? http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain stealthmail: Hide whether you're doing email, or when, or with whom. mailto:stealthsuite at nym.mixmin.net?subject=send%20index.html Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Processed by Mailcrypt 3.5.9 iEYEARECAAYFAlC7xXwACgkQDkU5rhlDCl5hSwCfesrmWfRMjPHFVcljrgQDUVhC ZxIAn0zA07TNP5mG01HearMhvCxUC3Cb =fVL7 -----END PGP SIGNATURE----- From drwhax at 2600nl.net Sun Dec 2 15:28:24 2012 From: drwhax at 2600nl.net (Jurre van Bergen) Date: Mon, 03 Dec 2012 00:28:24 +0100 Subject: Fwd: [OTR-dev] [RELEASE] irssi-otr 1.0.0-alpha1 In-Reply-To: <50BBD22E.5000506@ev0ke.net> References: <50BBD22E.5000506@ev0ke.net> Message-ID: <50BBE418.6060006@2600nl.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------- Original Message -------- Subject: [OTR-dev] [RELEASE] irssi-otr 1.0.0-alpha1 Date: Sun, 02 Dec 2012 17:11:58 -0500 From: David Goulet To: otr-dev at lists.cypherpunks.ca Hi everyone, We are happy to announce the "rebirth" of irssi-otr now only supporting libotr4 with some enhancement to the last version of 2009. 
:) It's an alpha one version meaning that we want to get it out there, reviewed, tested, broken down, etc... before any stable tag is set. Any comments/contributions on build system, compilation, usability, fixes, security, OTR usage, bugs!, etc... any feedbacks is more than welcome. Don't hesitate to email or fill up a bug on github. https://github.com/cryptodotis/irssi-otr Download: https://github.com/cryptodotis/irssi-otr/archive/v1.0.0-alpha1.zip We hope to be able to quickly push packages for distros and get it out there once stable! Thanks a lot everyone! David _______________________________________________ OTR-dev mailing list OTR-dev at lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQu+QIAAoJELc5KWfqgB0CqkoIAKTXqof350K0Qa6CkgxF9GU5 WGDw7CfsyT2ApwYCJ0Xd47aVjsAe/cDmd8rQblgtKi5N8fbnsnJNzM6HS+3y7Jyi U4cFekrvaKsUQ14JiSeXaAeffqHG8feTvOXnegSJZxVg16zCMuAQyh9tw/rK7kDa /9GZUijgAE44gVzS8eeGocpo/jXS6Wi7GXlNnf3P5d2QkdqJ5hbxResQfS9R2Vmw BOfCxSqpeBQocrHPCC8Xf4XgwkW6R2ZEOTVPBkxsGVSeSx29UeRrq7fkX78MipDV YXNxj3bNd2+ewMEvZJhR1+rhnJec/iI2FKkhDai1UqADzOw7C6M6vqywk9ml6II= =RZVQ -----END PGP SIGNATURE----- From sdw at lig.net Mon Dec 3 00:39:17 2012 From: sdw at lig.net (Stephen Williams) Date: Mon, 03 Dec 2012 00:39:17 -0800 Subject: [FoRK] Hollywood whodunit: What's eating emails in iCloud? Message-ID: Crazy. This is why I run my own email server. Our new CEO just switched us from corporate Gmail to Office365 / Outlook.com, for no good reason apparently. Although Microsoft's published information says that imap isn't available and their online support says you must use Outlook, Thunderbird works reasonably well with it. Although it is slow at peak times (unlike Gmail). And they have a severe bug, apparently has always been there for all forms of Outlook, where they don't update the view of folders with deleted messages until they are purged. 
Therefore, the Outlook.com web email is mostly useless because it is always out of date if you also use an IMAP client. And they still remove email addresses in the header of forwarded messages. How does no one notice?

http://www.infoworld.com/t/cringely/hollywood-whodunit-whats-eating-emails-in-icloud-207335?source=IFWNLE_nlt_cloud_2012-11-19

November 19, 2012

Hollywood whodunit: What's eating emails in iCloud?

A reader in show biz writes in with a puzzle: His iCloud attachments aren't coming through -- perhaps by Apple's design

By Robert X. Cringely | InfoWorld

Here's a mystery worthy of a Hollywood thriller. I recently got an email from a reader named Steven G., an Academy Award-winning developer of screenplay-writing software used by major movie honchos. Steven told me his customers had been encountering a bizarre issue with Apple's iCloud service.

Steven wrote:

A screenwriter was delivering a PDF attachment of a draft of his script to the project's director, by emailing it from his iCloud/MobileMe account to Gmail. The problem? The script would never arrive, no matter how many times he would send it. But sending other PDF documents worked fine.

I figured, wow -- is this some sort of spectacular failure of our screenwriting software (Movie Magic Screenwriter)? Our software had generated the PDF, so maybe we had accidentally generated information that was somehow matching the profile of a virus, or malware, causing the document to be rejected by Apple's mail servers.

After obtaining a copy of the PDF (sent via Gmail to our Microsoft Exchange server), we confirmed the exact same behavior when we tried to send it to our own iCloud mailbox.
The email never arrived, nor did we receive any return notification.

He began experimenting to find out what was going on. First, he compressed the screenplay PDF into a Zip file and sent that. It also disappeared. Next, he compressed it using Apple's encrypted archive format. That attachment made it through, but it came with an unusual comment: "[not Virus Scanned]" appended to the subject field.

From this he deduced that something inside the file was causing it to get flagged and flushed. He cut the file in half and sent the first 59 pages as an attachment. It got deleted. His breakthrough arrived, in dramatic Hollywood fashion:

AND THEN I SAW IT -- a line in the script, describing a character viewing an advertisement for a pornographic site on his computer screen. Upon modifying this line, the entire document was delivered with no problem.

It seemed not only was Apple scanning messages for malware, it was also scanning the content of each attachment and exercising some kind of rule about it. Apple wasn't merely flagging the message or sending it to a spam folder, but deleting it outright.

He wasn't done. He created another PDF containing a variation of the offending line from the screenplay: "All my children are barely legal teens -- why would I want to let them drive by themselves?" Yes, you guessed it. That attachment got sent to email hell.

To be certain, Steven created an email with that line in the body of the message and sent it from his Exchange server to his personal iCloud account. That too disappeared into the ether.
_______________________________________________
FoRK mailing list
http://xent.com/mailman/listinfo/fork

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From eugen at leitl.org Mon Dec 3 01:32:14 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 3 Dec 2012 10:32:14 +0100
Subject: [FoRK] Hollywood whodunit: What's eating emails in iCloud?
Message-ID: <20121203093214.GY9750@leitl.org>

I doubt anyone here uses Cupertinoware, but this takes the cake.

----- Forwarded message from Stephen Williams -----

From virtualadept at gmail.com Mon Dec 3 08:07:27 2012
From: virtualadept at gmail.com (Bryce Lynch)
Date: Mon, 3 Dec 2012 11:07:27 -0500
Subject: [ZS] Re: Culture of envy & the societal value of free citizen
Message-ID:

On Sun, Dec 2, 2012 at 4:11 PM, Lodewijk andri de la porte wrote:
> 2012/12/2 Rüdiger Koch :
> > People actually believe that you need a bank account, for example.
> Good luck receiving your paycheck without one.

Unemployment is distributed in several areas in the United States (Maryland, Pennsylvania, Washington state that I know of) in the form of pre-paid debit cards (through Mastercard). There aren't many reasons that other sources of payment might follow that path. Don't expect them to be so easy to get hold of and use for much longer. They're already considered unusual and worthy of further scrutiny:

http://www.huffingtonpost.com/2011/05/23/prepaid-cards-being-used-to-launder_n_865464.html
http://www.forbes.com/sites/jonmatonis/2012/11/07/department-of-homeland-security-to-scan-payment-cards-at-borders-and-airports/
http://openchannel.nbcnews.com/_news/2011/09/01/7526748-us-aims-to-track-untraceable-prepaid-cash-cards?lite

--
The Doctor [412/724/301/703] [ZS (MED)]
https://drwho.virtadpt.net/
"I am everywhere."
--
Zero State mailing list: http://groups.google.com/group/DoctrineZero

----- End forwarded message -----

From eugen at leitl.org Mon Dec 3 04:14:57 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 3 Dec 2012 13:14:57 +0100
Subject: Julian Assange: A Call to Cryptographic Arms
Message-ID: <20121203121457.GE9750@leitl.org>

http://cryptome.org/2012/12/assange-crypto-arms.htm

1 December 2012

Julian Assange: A Call to Cryptographic Arms

Excerpted from Cypherpunks: Freedom and the Future of the Internet, by Julian Assange with Jacob Appelbaum, Andy Müller-Maguhn and Jérémie Zimmermann. OR Books, New York, 2012, 186 pages, Paper. Buy online. Cryptome review of the book. Pages 1-7.

INTRODUCTION: A CALL TO CRYPTOGRAPHIC ARMS

This book is not a manifesto. There is not time for that. This book is a warning.

The world is not sliding, but galloping into a new transnational dystopia. This development has not been properly recognized outside of national security circles. It has been hidden by secrecy, complexity and scale. The internet, our greatest tool of emancipation, has been transformed into the most dangerous facilitator of totalitarianism we have ever seen. The internet is a threat to human civilization.

These transformations have come about silently, because those who know what is going on work in the global surveillance industry and have no incentives to speak out. Left to its own trajectory, within a few years, global civilization will be a postmodern surveillance dystopia, from which escape for all but the most skilled individuals will be impossible. In fact, we may already be there.

While many writers have considered what the internet means for global civilization, they are wrong.
They are wrong because they do not have the sense of perspective that direct experience brings. They are wrong because they have never met the enemy. No description of the world survives first contact with the enemy. We have met the enemy. Over the last six years WikiLeaks has had conflicts with nearly every powerful state. We know the new surveillance state from an insider's perspective, because we have plumbed its secrets. We know it from a combatant's perspective, because we have had to protect our people, our finances and our sources from it. We know it from a global perspective, because we have people, assets and information in nearly every country. We know it from the perspective of time, because we have been fighting this phenomenon for years and have seen it double and spread, again and again. It is an invasive parasite, growing fat off societies that merge with the internet. It is rolling over the planet, infecting all states and peoples before it. What is to be done? Once upon a time in a place that was neither here nor there, we, the constructors and citizens of the young internet discussed the future of our new world. We saw that the relationships between all people would be mediated by our new world, and that the nature of states, which are defined by how people exchange information, economic value, and force, would also change. We saw that the merger between existing state structures and the internet created an opening to change the nature of states. First, recall that states are systems through which coercive force flows. Factions within a state may compete for support, leading to democratic surface phenomena, but the underpinnings of states are the systematic application, and avoidance, of violence. Land ownership, property, rents, dividends, taxation, court fines, censorship, copyrights and trademarks are all enforced by the threatened application of state violence. 
Most of the time we are not even aware of how close to violence we are, because we all grant concessions to avoid it. Like sailors smelling the breeze, we rarely contemplate how our surface world is propped up from below by darkness. In the new space of the internet what would be the mediator of coercive force? Does it even make sense to ask this question? In this otherworldly space, this seemingly platonic realm of ideas and information flow, could there be a notion of coercive force? A force that could modify historical records, tap phones, separate people, transform complexity into rubble, and erect walls, like an occupying army? The platonic nature of the internet, ideas and information flows, is debased by its physical origins. Its foundations are fiber optic cable lines stretching across the ocean floors, satellites spinning above our heads, computer servers housed in buildings in cities from New York to Nairobi. Like the soldier who slew Archimedes with a mere sword, so too could an armed militia take control of the peak development of Western civilization, our platonic realm. The new world of the internet, abstracted from the old world of brute atoms, longed for independence. But states and their friends moved to control our new world -- by controlling its physical underpinnings. The state, like an army around an oil well, or a customs agent extracting bribes at the border, would soon learn to leverage its control of physical space to gain control over our platonic realm. It would prevent the independence we had dreamed of, and then, squatting on fiber optic lines and around satellite ground stations, it would go on to mass intercept the information flow of our new world -- its very essence even as every human, economic, and political relationship embraced it. 
The state would leech into the veins and arteries of our new societies, gobbling up every relationship expressed or communicated, every web page read, every message sent and every thought googled, and then store this knowledge, billions of interceptions a day, undreamed of power, in vast top secret warehouses, forever. It would go on to mine and mine again this treasure, the collective private intellectual output of humanity, with ever more sophisticated search and pattern finding algorithms, enriching the treasure and maximizing the power imbalance between interceptors and the world of interceptees. And then the state would reflect what it had learned back into the physical world, to start wars, to target drones, to manipulate UN committees and trade deals, and to do favors for its vast connected network of industries, insiders and cronies. But we discovered something. Our one hope against total domination. A hope that with courage, insight and solidarity we could use to resist. A strange property of the physical universe that we live in. The universe believes in encryption. It is easier to encrypt information than it is to decrypt it. We saw we could use this strange property to create the laws of a new world. To abstract away our new platonic realm from its base underpinnings of satellites, undersea cables and their controllers. To fortify our space behind a cryptographic veil. To create new lands barred to those who control physical reality, because to follow us into them would require infinite resources. And in this manner to declare independence. Scientists in the Manhattan Project discovered that the universe permitted the construction of a nuclear bomb. This was not an obvious conclusion. Perhaps nuclear weapons were not within the laws of physics. However, the universe believes in atomic bombs and nuclear reactors. They are a phenomenon the universe blesses, like salt, sea or stars. 
Similarly, the universe, our physical universe, has that property that makes it possible for an individual or a group of individuals to reliably, automatically, even without knowing, encipher something, so that all the resources and all the political will of the strongest superpower on earth may not decipher it. And the paths of encipherment between people can mesh together to create regions free from the coercive force of the outer state. Free from mass interception. Free from state control. In this way, people can oppose their will to that of a fully mobilized superpower and win. Encryption is an embodiment of the laws of physics, and it does not listen to the bluster of states, even transnational surveillance dystopias. It isn't obvious that the world had to work this way. But somehow the universe smiles on encryption. Cryptography is the ultimate form of non-violent direct action. While nuclear weapons states can exert unlimited violence over even millions of individuals, strong cryptography means that a state, even by exercising unlimited violence, cannot violate the intent of individuals to keep secrets from them. Strong cryptography can resist an unlimited application of violence. No amount of coercive force will ever solve a math problem. But could we take this strange fact about the world and build it up to be a basic emancipatory building block for the independence of mankind in the platonic realm of the internet? And as societies merged with the internet could that liberty then be reflected back into physical reality to redefine the state? Recall that states are the systems which determine where and how coercive force is consistently applied. The question of how much coercive force can seep into the platonic realm of the internet from the physical world is answered by cryptography and the cypherpunks' ideals. As states merge with the internet and the future of our civilization becomes the future of the internet, we must redefine force relations. 
If we do not, the universality of the internet will merge global humanity into one giant grid of mass surveillance and mass control.

We must raise an alarm. This book is a watchman's shout in the night.

On March 20, 2012, while under house arrest in the United Kingdom awaiting extradition, I met with three friends and fellow watchmen on the principle that perhaps in unison our voices can wake up the town. We must communicate what we have learned while there is still a chance for you, the reader, to understand and act on what is happening.

It is time to take up the arms of our new world, to fight for ourselves and for those we love.

Our task is to secure self-determination where we can, to hold back the coming dystopia where we cannot, and if all else fails, to accelerate its self-destruction.

-- Julian Assange, London, October 2012

From eugen at leitl.org Mon Dec 3 08:11:53 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 3 Dec 2012 17:11:53 +0100
Subject: [ZS] Re: Culture of envy & the societal value of free citizen
Message-ID: <20121203161153.GK9750@leitl.org>

----- Forwarded message from Bryce Lynch -----

From gnu at toad.com Mon Dec 3 22:21:04 2012
From: gnu at toad.com (John Gilmore)
Date: Mon, 03 Dec 2012 22:21:04 -0800
Subject: [Freedombox-discuss] Thoughts on MAC Addresses
Message-ID:

It is worthwhile considering the privacy implications of MAC addresses. Here's some info.

* MAC addresses on Ethernet gear come in two parts: the company ID number, and the manufacturer-assigned extension number.
The company ID reveals who built the Ethernet gear; the extension number is similar to a serial number. So, a database of MAC addresses can be used to find equipment made by particular manufacturers, for example if you know a vulnerability in that product as shipped and want to exploit it; or if you are a malevolent government intending to confiscate all hardware that's likely to be running FreedomBox software.

* Apple iPhones record the MAC addresses that are nearby, report these to Apple, and Apple uses them to return a physical position fix. This is used to more rapidly cause the GPS algorithm to converge on a position, and also used when GPS isn't working. The phones often report their GPS position and any nearby MAC addresses back to Apple servers. (Apple formerly used startup Skyhook Wireless for this service, but ended up disintermediating them by covertly using their customers' iPhones to collect an equivalent database.) See: https://en.wikipedia.org/wiki/Skyhook_Wireless

It's easy for hackers to query that database of MAC addresses and locations, by pretending to be an iPhone seeking its location.

* Google Street View vehicles recorded the MAC addresses of all accessible WiFi access points that they passed. Google then used this database to guess at the physical location of Android mobile phones who can also hear beacons from the same MAC addresses. Android phones may now be doing what iPhones do, reporting nearby MAC addresses plus the phone's GPS location to a Google server.

* By default, every IPv6 interface's MAC address is in the low order bits of its IPv6 address. See RFC 4291 (IPv6 Addressing Architecture) Section 2.5.1 and Appendix A; RFC 2464 (Transmission of IPv6 Packets over Ethernet Networks); RFC 4862 (IPv6 Stateless Address Autoconfiguration); RFC 4941 (Privacy Extensions for Stateless Address Autoconfiguration in IPv6).
So, anyone who ever communicates with a machine via IPv6 will generally learn the MAC address of one of its interfaces, unless that machine specifically uses the RFC 4941 privacy extensions to generate a temporary random address and change it periodically. (In Linux, the default is to not use such temporary addresses; you can change that default by writing 1 to /proc/sys/net/ipv6/conf/default/use_tempaddr. You can change it for all current devices by writing to /proc/sys/net/ipv6/conf/all/use_tempaddr. If you want privacy, it's probably good to write a 1 to both.)

* If someone who is in radio range of a WiFi access point can send it packets that cause it to communicate over the Internet, that someone can figure out the correlation between the access point's MAC address and the IP address (v4 or v6) it uses over the Internet. For example, connecting to the access point and then sending a DNS query for your own domain, will cause a DNS query packet to be forwarded to your own domain server, from the global IP address of the access point. Your domain server can then log that packet and correlate it with the access point's MAC address seen by the wireless device that generated it. Many closed access points handle DNS packets even before authentication, since they rely on Web page spoofing to force people to "log in" or "check a box to agree to terms". It's even simpler if the access point is open. If a police car cruising past a FreedomBox can cause it to access a police Internet DNS site, they can map the MAC address to the IP address of that FreedomBox.

So, there are two aspects of MAC addresses that are problematic: that they are long-term identifiers, and that they actually reveal things about that device.

If upon installation the FreedomBox software merely changed each machine's MAC address to a random value, we'd solve the second problem (avoid revealing who made the device).
However it's trickier than that, since we may not have a good source of randomness at installation time (making our addresses too predictable), and also, devices that have a random MAC address (instead of one assigned to a company on the IEEE-maintained registry of Ethernet manufacturers) might make it too obvious that the manufacturer's MAC address had been overwritten, which would lead totalitarians to pay more attention.

We could carefully pick a random number and then package it into a MAC address that looks like it comes from a popular manufacturer. For example, we could have a table of a hundred big manufacturers, and for each, the known range of "serial number" bits that they shipped. We'd use part of our random number to pick a manufacturer, and another part to pick a valid-looking serial number within that manufacturer's products. To avoid drawing scrutiny, we might have to be more selective, e.g. avoid putting a MAC address from a 10-megabit 1990s 3Com Ethernet card onto a 2010s WiFi link.

Changing the MAC address to a packaged random value *periodically* -- perhaps daily or weekly -- would solve the first problem of its being a long-term identifier. IPv6 can cope with that without trouble; it encourages interfaces to have multiple IPv6 addresses, deprecating old ones while allowing existing communications to work. IPv4 can also cope with changed MAC addresses; within seconds, any neighbor on the Ethernet or radio who is communicating with the node will know the new MAC address that matches the same old IPv4 address. We would have to test any new candidate MAC address, before using it, by trying to communicate with it and seeing if anything responds. See the "Duplicate Address Detection" algorithm in RFC 4862.

> *If* preventing people from being identified by MAC addresses should be
> a goal, how do we accomplish that? The MAC address can, but shouldn't
> be set in the firmware, we can't change it or set it, from the running
> system, there.
> That's good, because it means the bootloader can't be
> changed on a running system.

MAC addresses in all modern networking chips can be set from software. I think what you mean is that the *default* MAC address is stored in flash, near where the boot firmware is stored, and that some boards running Linux can't rewrite that flash memory. "Can't" is probably too strong a word -- many can, but how to do so is often merely undocumented, providing a little security-by-obscurity.

> So, where can we set the MAC address? The obvious solution is to put it
> into /etc/networking/interfaces, but that'll harm folks who want some
> form of anonymity. We can use 0:0:0:0:0:0 as a default MAC address in
> /etc/networking/interfaces and folks who want to set a static one can
> edit the file to set it there, while folks who want to use a MAC changer
> can run a service hooked through Plinth.

"ifconfig DEV hwaddr xx:xx:xx:xx:xx:xx" or "ip link set DEV address xx:xx:xx:xx:xx:xx" lets you set the MAC address of DEV at any time from a shell, as root. There is also an equivalent low level interface.

We can't set 0:0:0:0:0:0 as every interface's MAC address. There is good reason to have unique addresses on Ethernet interfaces. On a given Ethernet, or in a given WiFi radio range, communication will fail if multiple interfaces have the same address (unless those interfaces specifically coordinate with each other, e.g. are plugged into the same node and use custom software to pretend to be a single interface). If you and your neighbor both have a FreedomBox with WiFi address 0:0:0:0:0:0, there will be no way to send a packet to YOUR FreedomBox; your neighbor's box will also receive the packet and is just as likely to respond to it -- which will confuse the communication when BOTH boxes respond to it.
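As an added example (not code from John's message or from the FreedomBox project), here is a small Python script that does what the RFC 4291 Appendix A reference above describes: it forms the modified EUI-64 interface identifier from a MAC, reverses it so you can audit your own IPv6 addresses for an embedded MAC that RFC 4941 temporary addresses would hide, and generates a locally administered random MAC that carries no manufacturer ID at all. The sample MAC, the 2001:db8::/32 documentation prefix and the sample addresses are constructed for illustration.

```python
import ipaddress
import secrets
from typing import Optional

# Added example, not FreedomBox code. Sample MACs and addresses are constructed.
EUI64_MARKER = b"\xff\xfe"   # inserted between company ID and extension (RFC 4291 App. A)
UL_BIT = 0x02                # universal/local bit in the first octet
MULTICAST_BIT = 0x01         # group/individual bit in the first octet


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' and return six bytes."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return octets


def format_mac(octets: bytes) -> str:
    return ":".join(f"{b:02x}" for b in octets)


def oui(mac: str) -> str:
    """The company ID: the first three octets, which identify the manufacturer."""
    return format_mac(parse_mac(mac)[:3])


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier: insert ff:fe after the company ID
    and invert the U/L bit, exactly as RFC 4291 Appendix A specifies."""
    octets = parse_mac(mac)
    iid = bytearray(octets[:3] + EUI64_MARKER + octets[3:])
    iid[0] ^= UL_BIT
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address stateless autoconfiguration (RFC 4862) forms from a /64
    prefix and the interface's MAC when privacy extensions are not in use."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 identifiers need a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_iid(mac))


def mac_from_ipv6(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived address; None when the interface
    identifier lacks the ff:fe marker (an RFC 4941 temporary address, or a
    manually assigned one, reveals nothing this way)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != EUI64_MARKER:
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= UL_BIT
    return format_mac(bytes(octets))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit is set, i.e. the address was assigned by software
    rather than drawn from a block in the IEEE registry of manufacturers."""
    return bool(parse_mac(mac)[0] & UL_BIT)


def random_local_mac() -> str:
    """A fresh unicast, locally administered MAC from the OS CSPRNG: U/L bit set,
    multicast bit clear. It embeds no company ID, so it reveals no maker."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | UL_BIT) & (0xFF ^ MULTICAST_BIT)
    return format_mac(bytes(octets))


def audit_addresses(addresses: list) -> dict:
    """Map each IPv6 address to the MAC it leaks, or None if it leaks nothing.
    Feed it the global addresses from `ip -6 addr` to see which ones are
    hardware-derived and are candidates for RFC 4941 temporary addresses."""
    return {a: mac_from_ipv6(a) for a in addresses}


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                       # constructed sample MAC
    derived = slaac_address("2001:db8:1:2::/64", mac)
    temp = "2001:db8:1:2:1c3a:9f2e:7b44:d10a"       # constructed temporary-style address
    for addr, leaked in audit_addresses([str(derived), temp]).items():
        print(f"{addr:40} -> {leaked or 'no MAC embedded'}")
    print("fresh locally administered MAC:", random_local_mac())
```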
John

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss at lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss

----- End forwarded message -----

From drwho at virtadpt.net Tue Dec 4 09:02:36 2012
From: drwho at virtadpt.net (The Doctor)
Date: Tue, 04 Dec 2012 12:02:36 -0500
Subject: [drone-list] Using UAVs in Humanitarian Crises to Restore Connectivity
Message-ID:

On 12/04/2012 07:34 AM, Joseph Pollack wrote:
> I'm looking into how tough and expensive and illegal it would be to
> use DIY or low-cost UAVs to restore connectivity or "gather"
> messages (SOS or otherwise) from populations affected by
> humanitarian crises. Any thoughts or suggestions?

Looking at the illegal bit first, if somewhere is in bad enough shape that you have to set up a guerilla communications network to assist in disaster relief, chances are you've got a pretty good leg to stand on. IANAL, call your own, #include

That said, it's something a few of us have worked on. There are a couple of drones that are relatively low cost (most of them quadcopters) that appear to have enough lift to transport small mesh nodes for short distances and perch someplace to conserve motor power.
The 3d printed quadcopters that Telecomix were examining might work for this purpose (http://www.thingiverse.com/thing:17612). To my knowledge, we haven't examined this one (http://www.thingiverse.com/thing:22537) closely because I haven't had time to spend on HacDC's 3D printers. For both models, the possibility of using hacked Android devices for the network nodes themselves came up a number of times.

There is also a hacker working on porting Byzantium Linux to the ARM platform, because he wants to try it on the RaspberryPi. We don't know where he's at with that project right now.

It should also be relatively easy to repurpose a more conventional model craft (like the toy quadcopters resembling Thingiverse entry #22537 above) into mobility platforms for mesh nodes. So long as the network node had sufficient power (I kind of like the idea of the solar charger in an envelope kits that were going around at HOPE9 - I forget who manufactured them but they're cheap and designed to be used as trickle chargers) for wireless and the motors of the drone could be shut down to conserve their power cells, the keys would be positioning and stability of perch.

--
The Doctor [412/724/301/703] [ZS (MED)]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

If patience is bitter, the result is sweet.
_______________________________________________
drone-list mailing list
drone-list at lists.stanford.edu
Should you need to change your subscription options, please go to:
https://mailman.stanford.edu/mailman/listinfo/drone-list
If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. Should you need immediate assistance, please contact the list moderator.

----- End forwarded message -----

From josephrichardpollack at gmail.com Tue Dec 4 04:34:30 2012
From: josephrichardpollack at gmail.com (Joseph Pollack)
Date: Tue, 4 Dec 2012 13:34:30 +0100
Subject: [drone-list] Using UAVs in Humanitarian Crises to Restore Connectivity
Message-ID:

Dear List,

I'm looking into how tough and expensive and illegal it would be to use DIY or low-cost UAVs to restore connectivity or "gather" messages (SOS or otherwise) from populations affected by humanitarian crises. Any thoughts or suggestions?

Warm Regards,
-Joseph.
----- End forwarded message -----

From wilcoxjg at gmail.com Tue Dec 4 13:34:31 2012
From: wilcoxjg at gmail.com (Josh Wilcox)
Date: Tue, 4 Dec 2012 13:34:31 -0800
Subject: [tahoe-dev] Tahoe, The Least Authority File System, Thursday Night Hack Meet
Message-ID:

The Tahoe Least Authority File System is a peer-to-peer system that stores data redundantly with agents who cannot read the data contents. These agents are granted close to the *minimum* authority necessary to support requests about the data. This design is motivated by the "Principle of Least Authority".

https://en.wikipedia.org/wiki/Principle_of_least_authority

This Thursday (2012-12-06) at 19:00 PST, members of the Tahoe community will have a physical meetup at "The Big Noisebridge Table". We'll project a basic state diagram (https://en.wikipedia.org/wiki/State_diagram) depicting the behaviour of the distributed "Lease Database" that the "storage server" agents in the Tahoe network use to manage the encrypted data that they store. During our meeting we'll add correct and useful content to the diagram.

An overview of the design, including the basic state diagram, can be found here:

https://github.com/davidsarah/tahoe-lafs/blob/1819-cloud-merge/docs/proposed/leasedb.rst

For a general introduction to Tahoe check this out:

https://tahoe-lafs.org

Gimme the code!!
To understand the behavior of the "lease data base" we'll be inspecting this code (you might want to look at this before Thursday!):

https://github.com/davidsarah/tahoe-lafs/tree/master/src/allmydata/
  storage/leasedb.py
  storage/account.py
  storage/accountant.py
  storage/accounting_crawler.py
  storage/server.py (less important)

No punch... no pie... just a group building a better Information Super Highway (a series of tubes in The Cyber)!

--
Za <--> X8

A question: "What can I buy with bitcoin?"
A better question: "What can I sell _for_ bitcoin?"

"I want people to see the truth... regardless of who they are... because without information, you cannot make informed decisions as a public" -- Bradley Manning

_______________________________________________
tahoe-dev mailing list
tahoe-dev at tahoe-lafs.org
https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev

----- End forwarded message -----

From eugen at leitl.org Tue Dec 4 04:51:46 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 4 Dec 2012 13:51:46 +0100
Subject: [drone-list] Using UAVs in Humanitarian Crises to Restore Connectivity
Message-ID: <20121204125146.GD9750@leitl.org>

----- Forwarded message from Joseph Pollack -----

From frank at journalistsecurity.net Tue Dec 4 13:13:23 2012
From: frank at journalistsecurity.net (frank at journalistsecurity.net)
Date: Tue, 04 Dec 2012 14:13:23 -0700
Subject: [liberationtech] NYT: For Syria's Rebel Movement, Skype Is a Useful and Increasingly Dangerous Tool
Message-ID:

This piece from NYT over the weekend should be of interest here, and, unless I missed it, I don't think it's been yet posted.

Excerpt: "If the uprisings in Tunisia and Egypt were Twitter Revolutions, then Syria is becoming the Skype Rebellion.
To get around a near-nationwide Internet shutdown, rebels have armed themselves with mobile satellite phones and dial-up modems."

Quotes CL and EFF's Eva on risks. Main news here that sticks out for me is that Syrian activists largely seem aware of the risks, yet many are still using Skype due to a lack of alternatives.

http://www.nytimes.com/2012/12/01/world/middleeast/syrian-rebels-turn-to-skype-for-communications.html

For Syria's Rebel Movement, Skype Is a Useful and Increasingly Dangerous Tool
By AMY CHOZICK
Published: November 30, 2012

In a demonstration of their growing sophistication and organization, Syrian rebels responded to a nationwide shutdown of the Internet by turning to satellite technology to coordinate within the country and to communicate with outside activists.

When Syria's Internet service disappeared Thursday, government officials first blamed rebel attacks. Activist groups blamed the government and viewed the blackout as a sign that troops would violently clamp down on rebels.

But having dealt with periodic outages for more than a year, the opposition had anticipated a full shutdown of Syria's Internet service providers. To prepare, they have spent months smuggling communications equipment like mobile handsets and portable satellite phones into the country.

"We're very well equipped here," said Albaraa Abdul Rahman, 27, an activist in Saqba, a poor suburb 20 minutes outside Damascus. He said he was in touch with an expert in Homs who helped connect his office and 10 others like it in and around Damascus.

Using the connection, the activists in Saqba talked to rebel fighters on Skype and relayed to overseas activists details about clashes with government forces. A video showed the rebels' bare-bones room, four battery backups that could power a laptop for eight hours and a generator set up on a balcony.
For months, rebels fighting to overthrow President Bashar al-Assad have used Skype, a peer-to-peer Internet communication system, to organize and talk to outside news organizations and activists. A few days ago, Jad al-Yamani, an activist in Homs, sent a message to rebel fighters that tanks were moving toward a government checkpoint.

He notified the other fighters so that they could go observe the checkpoint. "Through Skype you know how the army moves or can stop it," Mr. Yamani said.

On Friday, Dawoud Sleiman, 39, a member of the antigovernment Ahrar al-Shamal Battalion, part of the Free Syrian Army, reached out to other members of the rebel group. They were set up at the government's Wadi Aldaif military base in Idlib, a province near the Turkish border that has seen heavy fighting, and connected to Skype via satellite Internet service.

Mr. Sleiman, who is based in Turkey, said the Free Syrian Army stopped using cellphone networks and land lines months ago and instead relies almost entirely on Skype. "Brigade members communicate through the hand-held devices," he said.

This week rebels posted an announcement via Skype that called for the arrest of the head of intelligence in Idlib, who is accused of killing five rebels. "A big financial prize will be offered to anyone who brings the head of this guy," the message read. "One of our brothers abroad has donated the cash."

If the uprisings in Tunisia and Egypt were Twitter Revolutions, then Syria is becoming the Skype Rebellion. To get around a near-nationwide Internet shutdown, rebels have armed themselves with mobile satellite phones and dial-up modems.

In many cases, relatives and supporters living outside Syria bought the equipment and had it smuggled in, mostly through Lebanon and Turkey.

That equipment has allowed the rebels to continue to communicate almost entirely via Skype with little interruption, despite the blackout.
"How the government used its weapons against the revolution, that is how activists use Skype," Mr. Abdul Rahman said.

"We haven't seen any interruption in the way Skype is being used," said David Clinch, an editorial director of Storyful, a group that verifies social media posts for news organizations, including The New York Times (Mr. Clinch has served as a consultant for Skype).

Mr. Assad, who once fashioned himself as a reformer and the father of Syria's Internet, has largely left the country's access intact during the 20-month struggle with rebels. The government appeared to abandon that strategy on Thursday, when most citizens lost access. Some Syrians could still get online using service from Turkey. On Friday, Syrian officials blamed technical problems for the cutoff.

The shutdown is only the latest tactic in the escalating technology war waged in Arab Spring countries.

But several technology experts warned that the use of the Internet by rebels in Syria, even those relying on Skype, could leave them vulnerable to government surveillance.

Introduced in 2003, Skype encrypts each Internet call so that they are next to impossible to crack. It quickly became the pet technology of global organizers and opposition members in totalitarian countries. And while Skype's encryption secrets remain elusive, in recent months the Assad government, often with help from Iran, has developed tools to install malware on computers that allows officials to monitor a user's activity.

"Skype has gone from in the mid-2000s being the tool most widely used and promoted by human rights activists to now when people ask me I say, 'Definitely, don't use it,'" said Ronald J. Deibert, director of Citizen Lab, a research group at the University of Toronto that monitors human rights and cybersecurity.
Using satellite phone service to connect makes Skype potentially more dangerous since it makes it easier to track a user's location, said Eva Galperin of the Electronic Frontier Foundation, a civil liberties group in San Francisco.

The Syrian government has "gone from passive surveillance to more active surveillance in which they're gaining access to dissidents' and opposition members' computers," Ms. Galperin said.

The pro-government Syrian Electronic Army has largely led the response to early cyberattacks by rebels and overseas sympathizers. At checkpoints in government-controlled regions, Assad forces examined laptops for programs that would allow users to bypass government spyware, several activists said. In cafes where the Internet was available, government officials checked users' identification.

Rebels are starting to suspect that the government's efforts are paying off. A media activist in Idlib named Mohamed said a rebel informant working for the government was killed in Damascus six months ago after sending warnings to the Free Syrian Army on Skype.

"I saw this incident right in front of my eyes," Mohamed said. "We put his info on Skype so he was arrested and killed."

In August, an activist named Baraa al-Boushi was killed during shelling in Damascus. Activists later circulated a report saying that a Saudi Arabian claiming to support the revolution was actually a government informant who determined Mr. Boushi's location after a long conversation on Skype.

A Skype spokesman, Chaim Haas, said calls via the service between computers, smartphones and other mobile devices are automatically encrypted. But just like e-mail and instant messaging can be compromised by spyware and Trojan horses, so can Skype.

"They're listening to the conversation before it gets encrypted," Mr. Haas said. "That has nothing to do with Skype at all."

Liam Stack contributed reporting from New York; Hala Droubi from Dubai, United Arab Emirates; and Hwaida Saad from Beirut, Lebanon.
A version of this article appeared in print on December 1, 2012, on page A12 of the New York edition with the headline: For Syria's Rebel Movement, Skype Is a Useful and Increasingly Dangerous Tool.

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----

From eva at eff.org Tue Dec 4 15:24:15 2012
From: eva at eff.org (Eva Galperin)
Date: Tue, 04 Dec 2012 15:24:15 -0800
Subject: [liberationtech] NYT: For Syria's Rebel Movement, Skype Is a Useful and Increasingly Dangerous Tool
Message-ID:

Frank wrote: "Main news here that sticks out for me is that Syrian activists largely seem aware of the risks, yet many are still using Skype due to a lack of alternatives."

In my conversations with Syrian activists, this is not the impression I have gotten from them at all. The Syrian activists I have spoken to often believe that Skype is "secure," and they are not aware that there are companies such as Bitek and Bluecoat that sell products to governments that can track the meta-data about their Skype calls--including who they're calling and for how long. Google Hangouts reportedly works in Syria and I would consider suggesting it to Syrians as an alternative to Skype, but most Syrians are not looking for alternatives because they are not aware that there may be a significant security risk.

Andrew is right to point out that this is separate from the problem of malware/out-of-band recording.

************************************************
Eva Galperin
International Freedom of Expression Coordinator
Electronic Frontier Foundation
eva at eff.org
(415) 436-9333 ex.
111
************************************************

On 12/4/12 1:13 PM, frank at journalistsecurity.net wrote:
> This piece from NYT over the weekend should be of interest here, and,
> unless I missed it, I don't think it's been yet posted.
>
> Excerpt: "If the uprisings in Tunisia and Egypt were Twitter
> Revolutions, then Syria is becoming the Skype Rebellion. To get around a
> near-nationwide Internet shutdown, rebels have armed themselves with
> mobile satellite phones and dial-up modems."
>
> Quotes CL and EFF's Eva on risks. Main news here that sticks out for me
> is that Syrian activists largely seem aware of the risks, yet many are
> still using Skype due to a lack of alternatives.
>
> http://www.nytimes.com/2012/12/01/world/middleeast/syrian-rebels-turn-to-skype-for-communications.html
>
> [...]

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----

From contraband8 at rei.com Tue Dec 4 00:36:46 2012
From: contraband8 at rei.com (=?koi8-r?B?IvPPwtPUxdfOzsnLINDP08XMy8Ei?=)
Date: Tue, 4 Dec 2012 15:36:46 +0700
Subject: =?koi8-r?B?4sXaINDP09LFxM7Fy8/XLCDTIMjP0s/bxcog08vJxMvPyiwg0NLPxMHN?= =?koi8-r?B?ICDV3sHT1M/LINDPIOvJxdfTy8/N1SDbLg==?=
Message-ID: <000d01cdd1fa$7efc1010$6400a8c0@contraband8>

Selling plots in my own village at a good discount right now! Plots in a picturesque cottage village on the Kiev highway, 90 km from Moscow! Selling without markup or middlemen!
Call and I'll tell you more: 8 903 193 -0 6 -2 3

From eugen at leitl.org Tue Dec 4 06:52:46 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 4 Dec 2012 15:52:46 +0100
Subject: [Freedombox-discuss] Thoughts on MAC Addresses
Message-ID: <20121204145246.GL9750@leitl.org>

----- Forwarded message from John Gilmore -----

From eugen at leitl.org Tue Dec 4 07:09:13 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 4 Dec 2012 16:09:13 +0100
Subject: Cops to Congress: We need logs of Americans' text messages
Message-ID: <20121204150913.GP9750@leitl.org>

http://news.cnet.com/8301-13578_3-57556704-38/cops-to-congress-we-need-logs-of-americans-text-messages/

Cops to Congress: We need logs of Americans' text messages

State and local law enforcement groups want wireless providers to store detailed information about your SMS messages for at least two years -- in case they're needed for future criminal investigations.

by Declan McCullagh
December 3, 2012 9:00 AM PST

(Credit: Greg Sandoval/CNET)

AT&T, Verizon Wireless, Sprint, and other wireless providers would be required to record and store information about Americans' private text messages for at least two years, according to a proposal that police have submitted to the U.S. Congress.

CNET has learned a constellation of law enforcement groups has asked the U.S. Senate to require that wireless companies retain that information, warning that the lack of a current federal requirement "can hinder law enforcement investigations."

They want an SMS retention requirement to be "considered" during congressional discussions over updating a 1986 privacy law for the cloud computing era -- a move that could complicate debate over the measure and erode support for it among civil libertarians.

As the popularity of text messages has exploded in recent years, so has their use in criminal investigations and civil lawsuits.
They have been introduced as evidence in armed robbery, cocaine distribution, and wire fraud prosecutions. In one 2009 case in Michigan, wireless provider SkyTel turned over the contents of 626,638 SMS messages, a figure described by a federal judge as "staggering."

Chuck DeWitt, a spokesman for the Major Cities Chiefs Police Association, which represents the 63 largest U.S. police forces including New York City, Los Angeles, Miami, and Chicago, said "all such records should be retained for two years." Some providers, like Verizon, retain the contents of SMS messages for a brief period of time, while others like T-Mobile do not store them at all.

Along with the police association, other law enforcement groups making the request to the Senate include the National District Attorneys' Association, the National Sheriffs' Association, and the Association of State Criminal Investigative Agencies, DeWitt said.

Excerpts from court opinion in Rhode Island murder case

"Sgt. Gates sent a letter to T-Mobile in advance of obtaining the warrant for the T-Mobile phone records to ask the service provider to preserve the information that he expected to request by the warrant. T-Mobile produced the requested information on October 20, 2009, and the records show that Defendant's use of the T-Mobile cell phone was almost exclusively for text messaging. The results also reveal that T-Mobile does not store, and has no capacity to produce, the content of subscriber text messages.

"Unlike T-Mobile, Verizon was able to produce records with text messaging content in them. The content of the LG cell phone matches the photographs taken on October 4, 2009 by Det. Cushman, including a text message which reads, 'Wat if I got 2 take him 2 da hospital wat do I say and dos marks on his neck omg,' which is the message that Sgt. Kite testified to having seen that morning.

"Sprint/Nextel responded on October 13, 2009.
It produced two preserved text messages, both of which were unrelated to this case, and no voice mail messages."

"This issue is not addressed in the current proposal before the committee and yet it will become even more important in the future," the groups warn.

That's a reference to the Senate Judiciary committee, which approved sweeping amendments to the Electronic Communications Privacy Act last week. Unlike earlier drafts, the latest one veers in a very privacy-protective direction by requiring police to obtain a warrant to read the contents of e-mail messages; the SMS push by law enforcement appears to be a way to make sure it includes one of their priorities too.

It wasn't immediately clear whether the law enforcement proposal is to store the contents of SMS messages, or only the metadata such as the sender and receiver phone numbers associated with the messages. Either way, it's a heap of data: Forrester Research reports that more than 2 trillion SMS messages were sent in the U.S. last year, over 6 billion SMS messages a day.

The current policies of wireless providers have been highlighted in some recent cases. During a criminal prosecution of a man for suspected murder of a 6-year old boy, for example, police in Cranston, R.I., tried to obtain copies of a customer's text messages from T-Mobile and Verizon. Superior Court Judge Judith Savage said that, although she was "not unfamiliar with cell phones and text messaging," she "was stunned" to learn that providers had such different policies.

While the SMS retention proposal opens a new front in Capitol Hill politicking over surveillance, the principle of mandatory data retention is hardly new. The Justice Department has publicly called for new laws requiring Internet service providers to record data about their customers, and a House of Representatives panel approved such a requirement last summer.
"We would oppose any mandatory data retention mandate as part of ECPA reform," says Christopher Calabrese, legislative counsel for the American Civil Liberties Union. That proposal is "a different kettle of fish -- it doesn't belong in this discussion," he says.

An internal Justice Department document (PDF) that the ACLU obtained through the Freedom of Information Act shows that, as of 2010, AT&T, T-Mobile, and Sprint did not store the contents of text messages. Verizon did for up to five days, a change from its earlier no-logs-at-all position, and Virgin Mobile kept them for 90 days. The carriers generally kept metadata such as the phone numbers associated with the text for 90 days to 18 months; AT&T was an outlier, keeping it for as long as seven years, according to the chart.

A review of court cases by CNET suggests that Justice Department document is out of date. While Sprint is listed as not storing text message contents, the judge in Rhode Island noted that the company turned over "preserved text messages." And in an unrelated Connecticut case last year, a state judge noted that Sprint provided law enforcement with "text messages involving the phone numbers."

An e-mail message from a detective in the Baltimore County Police Department, leaked by Antisec and reproduced in a Wired article last year, says that Verizon keeps "text message content on their servers for 3-5 days." And: "Sprint stores their text message content going back 12 days and Nextel content for 7 days. AT&T/Cingular do not preserve content at all. Us Cellular: 3-5 days Boost Mobile LLC: 7 days"

Sprint and Verizon referred calls last week to CTIA - The Wireless Association, which declined to comment. So did the Justice Department. T-Mobile and AT&T representatives did not respond to a request for comment.

Katie Frey, a spokeswoman for U.S.
Cellular, said:

Due to the volume of text messages sent by our customers every day, text messages are stored in our systems for approximately three to five days. The content of text messages can only be disclosed subject to a lawful request. We comply with every lawful request from authorities. We have a dedicated team of associates who are available 24 hours a day, every day of the year, to handle requests for information in emergency situations. Law enforcement must be able to show that it's an emergency and complete an Exigent Circumstance Form prior to receiving data. If a situation is not an emergency, law enforcement must submit a lawful request to receive the data. Over the past five years, U.S. Cellular has received more than 103,000 requests in the form of subpoenas, court orders, search warrants and letters regarding customers' phone accounts and usage.

Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, said he would be skeptical of the need for a law mandating that text messaging data be retained. "These data retention policies serve one purpose: to require companies to keep databases on their customers so law enforcement can fish for evidence," he said. "And this would seem to be done against the wishes of the providers, presumably, since...some of the providers don't keep SMS messages at all."

Last updated at 9:10 a.m.
PT

From eugen at leitl.org Tue Dec 4 09:17:39 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 4 Dec 2012 18:17:39 +0100
Subject: [drone-list] Using UAVs in Humanitarian Crises to Restore Connectivity
Message-ID: <20121204171739.GZ9750@leitl.org>

----- Forwarded message from The Doctor -----

From aerialistsnvj91 at reddotcorp.com Tue Dec 4 03:36:49 2012
From: aerialistsnvj91 at reddotcorp.com (=?koi8-r?B?IuHKxs/O2SAg0tXezs/KINLBws/U2SDP1CA4NiAwMDAi?=)
Date: Tue, 4 Dec 2012 18:36:49 +0700
Subject: =?koi8-r?B?aVBIT05FIDUgySA0UyAg1yD6z8zP1MUgySDTIMTSwcfPw8XOztnNySDL?= =?koi8-r?B?wc3O0c3JIMnaIOnUwczJySE=?=
Message-ID: <93BDB1C90CF74F25A0D02ECF91076858@PC07>

Precious iPHONE 5 and iPHONE 4s phones, handmade by the famous Italian designer Ilya Giacometti. Price from 86,000 rubles. PROMOTION: buy two gold iPhone 5s and get a gold iPhone 4s as a GIFT. Our site: http://www.голд-айфон.рф

From eugen at leitl.org Tue Dec 4 13:31:52 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 4 Dec 2012 22:31:52 +0100
Subject: [liberationtech] NYT: For Syria's Rebel Movement, Skype Is a Useful and Increasingly Dangerous Tool
Message-ID: <20121204213152.GK9750@leitl.org>

----- Forwarded message from frank at journalistsecurity.net -----

From unveiledwibj731 at rentvri.com Tue Dec 4 06:44:07 2012
From: unveiledwibj731 at rentvri.com (=?koi8-r?B?IuHKxs/O2SAg0tXezs/KINLBws/U2SDP1CA4NiAwMDAi?=)
Date: Tue, 4 Dec 2012 22:44:07 +0800
Subject: =?koi8-r?B?aVBIT05FIDUgySA0UyAg1yD6z8zP1MUgySDTIMTSwcfPw8XOztnNySDL?= =?koi8-r?B?wc3O0c3JIMnaIOnUwczJySE=?=
Message-ID: <472243866.71828402650313@rentvri.com>

Precious iPHONE 5 and iPHONE 4s phones, handmade by the famous Italian designer Ilya Giacometti. Price from 86,000 rubles. PROMOTION: buy two gold iPhone 5s and get a gold iPhone 4s as a GIFT. Our site: http://www.голд-айфон.рф

From eugen at leitl.org Tue Dec 4 14:05:34 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 4 Dec
2012 23:05:34 +0100
Subject: [tahoe-dev] Tahoe, The Least Authority File System, Thursday Night Hack Meet
Message-ID: <20121204220534.GN9750@leitl.org>

----- Forwarded message from Josh Wilcox -----

From noreply at bortonwallace.com Tue Dec 4 18:29:16 2012
From: noreply at bortonwallace.com (Canadian-Drugs)
Date: Wed, 5 Dec 2012 00:29:16 -0200
Subject: Whatever your illness or disorder is it's better to be sure of the medications you take!
Message-ID: <71905ECB7EACBD1B9E052A6DCE4A44940FADE9F7@bortonwallace.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 34259 bytes
Desc: not available
URL:

From jackhammerubvv0 at riverstates.com Tue Dec 4 16:02:16 2012
From: jackhammerubvv0 at riverstates.com (=?koi8-r?B?Iv7B09kgydog5dfSz9DZICDP1CA5IDk5OSDS1cIuIg==?=)
Date: Wed, 5 Dec 2012 07:02:16 +0700
Subject: =?koi8-r?B?9M/M2MvPIDEwMCVyZWYg3MzJ1M7ZyCAg+9fFysPB0tPLycXIIN7B08/X?=
Message-ID: <000d01cdd27b$c9930bc0$6400a8c0@jackhammerubvv0>

VIP replicas of men's and women's Swiss watches from 9,999 rubles. Made only in Europe and only with Swiss movements! Discounts today! Our site: http://www.часы-тут.рф

From bozok2 at roycedesign.com Wed Dec 5 12:18:13 2012
From: bozok2 at roycedesign.com (=?koi8-r?B?IuHKxs/O2SAg0tXezs/KINLBws/U2SDP1CA4NiAwMDAi?=)
Date: Wed, 5 Dec 2012 08:18:13 -1200
Subject: =?koi8-r?B?aVBIT05FIDUgySA0UyAg1yD6z8zP1MUgySDTIMTSwcfPw8XOztnNySDL?= =?koi8-r?B?wc3O0c3JIMnaIOnUwczJySE=?=
Message-ID: <278455130.65866542332484@roycedesign.com>

Precious iPHONE 5 and iPHONE 4s phones, handmade by the famous Italian designer Ilya Giacometti. Price from 86,000 rubles. PROMOTION: buy two gold iPhone 5s and get a gold iPhone 4s as a GIFT. Our site: http://www.голд-айфон.рф

From eugen at leitl.org Wed Dec 5 01:12:06 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 5 Dec 2012 10:12:06 +0100
Subject: [liberationtech] NYT: For Syria's Rebel Movement, Skype Is a Useful and Increasingly Dangerous Tool
Message-ID: <20121205091206.GC9750@leitl.org>

----- Forwarded message from Eva Galperin -----

From eugen at leitl.org Wed Dec 5 01:27:53 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 5 Dec 2012 10:27:53 +0100
Subject: /.
ITU Approves Deep Packet Inspection Message-ID: <20121205092753.GE9750@leitl.org> http://yro.slashdot.org/story/12/12/05/0115214/itu-approves-deep-packet-inspection ITU Approves Deep Packet Inspection Posted by Soulskill on Tuesday December 04, @08:19PM from the inspect-my-encryption-all-you'd-like dept. dsinc sends this quote from Techdirt about the International Telecommunications Union's ongoing conference in Dubai that will have an effect on the internet everywhere: "One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression. The new Y.2770 standard is entitled 'Requirements for deep packet inspection in Next Generation Networks', and seeks to define an international standard for deep packet inspection (DPI). As the Center for Democracy & Technology points out, it is thoroughgoing in its desire to specify technologies that can be used to spy on people. One of the big issues surrounding WCIT and the ITU has been the lack of transparency, or even understanding what real transparency might be. So it will come as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available." From eugen at leitl.org Wed Dec 5 01:30:58 2012 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 5 Dec 2012 10:30:58 +0100 Subject: When in China, don't leave your laptop alone Message-ID: <20121205093058.GF9750@leitl.org> http://www.infoworld.com/d/security/when-in-china-dont-leave-your-laptop-alone-208168 When in China, don't leave your laptop alone By Bob Violino Created 2012-12-04 03:00AM You're traveling in China on business, and after checking into your hotel room you decide to grab a bite at a local restaurant. You're not planning to work, so you leave your laptop on the dresser, lock the door, and exit, feeling confident that your possessions are safe. 
An hour and a half later you return and note that all your stuff, including the laptop, is just where you left it. Everything seems fine, and you go about your business, conducting meetings with potential clients over the next few days before returning home. But everything is not fine. While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer -- without your having a clue. [ Bob Violino reveals how cyber spies try to harpoon your execs' PCs [1] to steal your data. | Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive [2]" PDF expert guide, only from InfoWorld. ] Malware Deep Dive [3] The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward. Because so many users never detect that they've been compromised and few report the issue publicly, it's not clear how common this sort of spying is, but it does happen, say cyber security experts. In fact, you should simply assume your computer will be breached if you go to high-risk countries such as China to conduct business, says Israel Martinez, a private-sector board member at the U.S. National Cyber Security Council, a defense industry group. Cyber attacks overseas can happen in a variety of ways. In May 2012, the Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center, issued an intelligence note saying recent analysis from government agencies shows that "malicious actors" were going after travelers abroad. 
There were recent instances of travelers' laptops being infected with malicious software while they were using hotel Internet connections, the report noted. Beware these high-risk regions for cyber attacks "We have found that travelers going to countries in Asia, the Russian Federation, the Baltic states, and even parts of South America have their systems attacked and most likely breached while abroad," says Jerry Irvine, CIO at IT outsourcing provider Prescient Solutions and a member of the National Cyber Security Partnership, an organization established to develop shared strategies and programs to better secure critical information infrastructure in the United States. "While these things happen in the U.S., the difference is that, in addition to normal criminal activity, these countries also have government-sanctioned cyber espionage to back these thieves," Irvine says. China and Russia are the two countries most frequently identified [4] as being high risks, notes Emilian Papadopoulos, chief of staff at Good Harbor Security Risk Management, a security consultancy. Other high-risk countries include those with significant cyber capabilities, those known to conduct cyber espionage, and those known for corporate espionage and stealing business secrets and intellectual property, Papadopoulos says. "Countries with significant state control of private industry, especially in telecommunications, may also be higher risk," he says. How to keep the spies out of your computer Fortunately, you can take steps to prevent these sorts of spying attacks and other security threats or remediate them after the fact. Here are some tips from security experts and practitioners: 1. Leave your own laptop at home; bring a loaner instead. The best way you can guard against losing valuable data or having it compromised is to bring a temporary laptop or other computing device when going overseas. 
"Upon returning home, the devices can be wiped to remove any malicious software," says Ben Piper, president of Ben Piper Consulting, which focuses on security. If a temporary device isn't an option, remove all data from your device before leaving on the trip, except for what is absolutely needed, Piper advises. Have your company email forwarded to a temporary email account. Log into that account when overseas; if it's compromised, only that forwarded email is stolen and the attackers don't get access to your company email account. Whatever you do, don't connect your devices to your personal or corporate networks or services upon returning from a trip until you have a security pro ensure there's no malicious software on the devices. "The goal of spyware is to steal information, whether by accessing it directly from the device or sitting latent until the device is connected to the company network, where the malicious software can infect other devices," Piper says. Note that traditional antispyware tools have difficulty detecting the kind of spyware that foreign governments and sophisticated organized crime rings install, Martinez says. You might even use an inexpensive laptop that you throw away upon return rather than risk not detecting the spyware -- much as criminals use disposable ("burner") cellphones to evade police and leave no records. 2. If you must bring your regular computer on a trip, don't leave it unattended or vulnerable to tampering. When the situation calls for you to bring a laptop or mobile device on a business trip, always carry it with you, rather than leaving it in a hotel room or airport club, even for short durations. And -- seriously -- keep it under your pillow while sleeping. 
If you leave it unattended, "assume it has been tampered with and when returning from overseas, hand it over to the IT security team at your organization, detailing the day and amount of time you left it unaccompanied," says Lance James, director of intelligence at Vigilant, a managed security services provider. In those instances where keeping your laptop with you at all times is not practical, you might use the safe in your hotel room or at the front desk. Just be clear that this won't protect you from state-sponsored spies, who will have access to such safes. "Although hotel safes are not a perfect solution, they do raise the security bar beyond the level of the casual thief," says Raymond McDonald, senior security consultant at Akibia, a security consulting firm. Employees, including executives, should be versed in data classification and handling procedures as a part of an established security training and awareness program, McDonald says. This helps ensure they understand what types of data they're authorized to maintain on their laptops at any time and what steps they must take to protect it. 3. Be cautious with smartphones and other mobile devices. Smartphones can also be targets for espionage. For example, a customer of security products company KoolSpan brought his Android smartphone on a recent trip to China, and as a precaution noted the operating system version and radio stack version of his phone after arriving and before going to sleep. When he woke up, the OS and radio stack version had been changed, says Glenn Schoonover, senior director of security solutions at KoolSpan and former chief of network security at the Pentagon. "The operating system was updated over the air without the consent of the phone owner," he says. The customer suspects it was done by the Chinese government, which controls the telecommunications service in China, Schoonover says. 
"With the right software they could turn on the microphone without alerting him, thus enabling them to listen to any of his conversations, not just phone calls," Schoonover says -- or even remotely control his device to monitor emails, read stored files, and so on. Even devices with a reputation for having strong security, such as Research in Motion's BlackBerry, need to be carefully guarded. For example, the last time security technology company Cylance had an executive travel overseas, he wiped his BlackBerry and used the cleaned smartphone for phone calls only, says Stuart McClure, Cylance's CEO. When the executive returned home, the BlackBerry did not properly boot up, so the company had to do a full firmware refresh, McClure says. "We are still working on the forensics image to determine root cause, but it is clear that something happened to the firmware image, which can only be done with an invisible update from RIM -- which is not likely -- or an attack," he says. 4. Apply encryption generously. If your laptop or mobile device has personally identifiable information or external access to personal and corporate systems, it's imperative that the devices be totally encrypted, says Prescient Solutions' Irvine. Vendors such as Microsoft, Check Point, and Symantec have products to totally encrypt data [5] on hard drives and portable storage devices, Irvine says. Apple includes such full-disk encryption in its OS X [6], though you may want to use a defense-grade product instead. On mobile devices, Apple's iOS is encrypted by default, and that encryption can't be turned off. But it's not defense-grade encryption, so state-sponsored cyber thieves can get around it. That's also true of Android's encryption, which must be enabled by the user. The new Windows Phone 8 [7] also includes device encryption, which is on by default as in iOS. All three mobile OSes use SSL encryption for data sent over the Internet; Apple provides S/MIME encryption for email as well. 
To get better encryption of data on mobile devices, look to mobile management tools providers, several of which offer app containers that have a higher level of encryption around the data and apps running within them; examples include AirWatch, Good Technology, and MobileIron. And every mobile device management (MDM) [8] tool can ensure that native device encryption is enabled. Keep in mind that encryption isn't foolproof when it comes to thwarting highly skilled spies. "Operate with the awareness that even encrypted communication may not be completely private, and therefore limit any nonpublic activities while overseas," says Vigilant's James. 5. Limit remote access to devices and wireless communications when overseas. You should disable access to and from Bluetooth and Wi-Fi devices while traveling, Irvine says. "All Bluetooth devices have some vulnerabilities inherent to them," Irvine says. Older versions of Bluetooth are more susceptible to hacking and eavesdropping, he notes, so "if your device is older than a year or so, it's time to upgrade." "Wi-Fi hotspots and even hard-cable-based Internet access at untrusted locations should not be used," Irvine says. While cellular still may be suspect in foreign countries, he says, it remains the safer alternative. Do not work in Internet cafés and other public hotspots. In countries like China, "these are not places where employees should be working on sensitive information or connecting and sending private or company restricted information via email or other forms of social media," says Akibia's McDonald. If possible, work on networks that you trust, such as those in your own facilities or those operated by trusted business partners. In addition, if you're planning to travel internationally, you should change all passwords on systems before leaving, to make sure that passwords on devices are not the same as any other passwords you have on personal or corporate systems back home. 
Also, use totally different passwords [9] than normal, so a password stolen overseas doesn't help the cyber thief figure out your everyday passwords. "If possible, IT departments should disable access to systems while they are abroad, so if [identity] or passwords are compromised, nothing can be accessed," Irvine says. If wireless communication is necessary, all communications via mobile devices should use strong encryption and be limited where there is a concern that any potential adversary has significant cryptologic capabilities, says Timothy Ryan, a managing director at Kroll Advisory Solutions. Consider using VPNs with two-factor authentication. "If sensitive matters must be discussed, blend out-of-band communications such as voice and chat to increase the difficulty of your adversary monitoring your communications," he says. 6. Make sure your systems are up to date with antivirus software. Failing to keep antivirus definitions current is virtually a guaranteed path to system compromise. "Individuals engaging in the theft of proprietary information use malware, and morphed attacks via ports and services that cannot be blocked from the Internet," McDonald says. "These types of attacks take advantage of systems that are unpatched and behind on antivirus" updates. Don't assume that antivirus tools are the only defense you need, says the National Cyber Security Council's Martinez. They are a first line of defense, but not a complete defense. To combat the hidden malware increasingly inserted into apps, websites, and other venues, he expects that companies will soon routinely collect intelligence about compromised assets containing malware that now regularly slip through networks and their traditional defenses. 7. Don't broadcast your whereabouts. Location-based tools are rapidly growing in popularity, thanks in part to the pinpoint accuracy of geolocation technology in today's mobile devices. 
These services can provide useful information on places to eat or other local services, but keep in mind that there are downsides to this technology. When users check in on a location-savvy social network, they effectively broadcast to the world vital information about their whereabouts, which might provide useful information to a competitor. A seemingly harmless check-in at an airport near a customer's headquarters could be all a savvy competitor or intelligence agency needs to plan its spying strategy, Ryan says. When you travel overseas, you're a target Clearly, if you're a business executive planning to travel overseas, you're a potential target for corporate and government spies. Take every precaution you can to protect corporate systems and data. That's a discomfiting reality you may be tempted to laugh off as paranoia or "it won't happen to me." Really, you shouldn't. This story, "When in China, don't leave your laptop alone [10]," was originally published at InfoWorld.com [11]. Follow the latest developments in security [12] at InfoWorld.com. For the latest developments in business technology news, follow InfoWorld.com on Twitter [13]. 
Source URL (retrieved on 2012-12-04 11:40PM): http://www.infoworld.com/d/security/when-in-china-dont-leave-your-laptop-alone-208168 Links: [1] http://www.infoworld.com/d/security/how-stop-your-executives-being-harpooned-946?source=fssr [2] http://www.infoworld.com/t/data-loss-prevention/download-the-data-loss-prevention-deep-dive-168044?source=itself_fssr [3] http://www.infoworld.com/malware-deep-dive?idglg=ifwsite_editinline&source=ifwelg_49FE-spies [4] http://www.infoworld.com/d/security/us-report-warns-cyber-spying-russia-china-178013 [5] http://www.infoworld.com/d/security-central/your-laptop-data-not-safe-so-fix-it-553 [6] http://www.infoworld.com/t/mac-os-x/mac-os-x-lion-makes-the-security-grade-167961 [7] http://www.infoworld.com/d/mobile-technology/review-its-strike-3-microsofts-windows-phone-207710 [8] http://www.infoworld.com/byod [9] http://www.infoworld.com/d/security/creating-strong-passwords-easier-you-think-206865 [10] http://www.infoworld.com/d/security/dont-leave-your-laptop-alone-even-minute-the-spies-are-waiting-208168?source=footer [11] http://www.infoworld.com?source=footer [12] http://www.infoworld.com/d/security?source=footer [13] http://twitter.com/infoworld From eugen at leitl.org Wed Dec 5 02:50:24 2012 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 5 Dec 2012 11:50:24 +0100 Subject: Custom Chips Could Be the Shovels in a Bitcoin Gold Rush Message-ID: <20121205105024.GK9750@leitl.org> http://www.technologyreview.com/news/508061/custom-chips-could-be-the-shovels-in-a-bitcoin-gold-rush/ Custom Chips Could Be the Shovels in a Bitcoin Gold Rush Devotees of the digital currency are ratcheting up their technology in a race to generate new coins. 
By Tom Simonite on December 5, 2012 Why It Matters Though Bitcoin has fallen from the public eye, the emergence of chips designed specifically to "mine" the virtual currency suggests it may have some staying power. The digital "crypto-currency" Bitcoin surged into the public eye last year, tantalizing enthusiasts with the promise of money unfettered by any government before falling victim to digital heists (see "Crypto-currency Security under Scrutiny") and short media attention spans. But $130 million worth of bitcoins are still out there, tended by a dedicated community working to expand their use. More are still being "mined" in a process that rewards digital gold-diggers when their software solves mathematical puzzles involved in verifying transactions and regulating how the currency is used (see "What Bitcoin Is, and Why It Matters"). Now some in that community are taking the expensive step of creating custom silicon chips dedicated to running the software that carries out that process. "It's a business opportunity, and also because we believe in Bitcoin and what it can do," says Josh Zerlan, COO of Butterfly Labs, a Kansas City company that is waiting for its first batch of custom chips to come back from an Asian manufacturer. These chips will be resold to Bitcoin enthusiasts in a line of products that plug into a computer via USB and supercharge its efforts to mine the currency. They range in price from $149 to $29,899, and in early 2013 they will start shipping to over a thousand customers who placed advance orders. Butterfly has competition from several other companies working on application-specific integrated circuits, or ASICs, the industry term for such specialized chips. The stiffest competition seems likely to come from another U.S. company, New York-based BTCFPGA, and two based in China, Avalon and ASICMiner. All three promise to send out products based on their custom chips early next year. 
Having an ASIC fabricated is a highly technical and expensive proposition, typically beginning at the low hundreds of thousands of dollars. That's primarily because contractors, almost always overseas, charge high prices to operate facilities containing the complex equipment needed to carve chips out of silicon wafers. ASICs are etched from blocks of silicon with microscopic precision. Butterfly Labs says it has paid for chips with features as small as 65 nanometers; BTCFPGA and some others say they have opted for a cheaper 90-nanometer production process. Butterfly Labs occupies a large facility in Overland Park, Kansas, where it has bought equipment to manufacture products based on its chip, says Zerlan. That includes a pick-and-place machine to solder the 7.5-millimeter-square chips onto circuit boards and three production lines to assemble the final products. Zerlan won't say how much it all cost, but he says the company paid for the project with profits from previous products and funds from unnamed venture capitalists. The public voice of ASICMiner, who goes by the name Friedcat online, says that no leading-edge technology is required to speed up the mining process significantly, making the challenge "affordable" for relatively small teams. "Most people consider ASICs to be a highly capital-intensive industry," he wrote in a message. "It is not for Bitcoin-mining devices, because even [chip] technology 10 years old is much better than current mining devices." Engineers who worked on the ASICMiner design have experience creating significantly more complex chips at national labs and startups, says Friedcat. The emergence of bitcoin-mining ASICs is part of a computational arms race rooted in the complex cryptographic scheme designed by Bitcoin's anonymous inventor, known only by the online name Satoshi Nakamoto. 
Under Nakamoto's rules, which are what allow the currency to function without control by a central bank, miners run free software that communicates over the Internet to maintain a distributed global log of all Bitcoin transactions. That process is also a competition, with the miner whose software completes the next section of the log, known as a block, being rewarded with newly minted bitcoins. The reward is now 25 bitcoins, currently worth $316. Completing a block requires solving a cryptographic puzzle through brute force, so the faster the software can run, the more likely the miner is to win rewards. Nakamoto's rules also state that only 21 million bitcoins will ever be released, and at an ever-decreasing rate. That schedule is enforced by making the work of mining bitcoins harder and periodically halving the reward for completing a new block. As Bitcoin gained popularity, some people began spending thousands on heavily customized "mining rigs" capable of performing mining calculations faster than ordinary PCs. Initially relying on high-powered processors, they soon began making use of GPUs, speedy graphics processors that are also popular with the builders of supercomputers. Small businesses popped up to sell mining rigs and the latest GPUs to other miners. This spring, that arms race took a more serious turn when Butterfly Labs and some other suppliers moved on to FPGAs, chips with a reconfigurable design. Programming FPGAs to perform mining calculations resulted in significant speed increases. But ASICs, with their fixed design, promise to be at least 100 times faster than FPGAs, and thousands of times faster than GPU-based mining rigs. "ASICs run faster, consume lower power, and offer better area efficiency over FPGAs," says Simha Sethumadhavan, an assistant professor of computer science at Columbia University, who challenged students in his hardware class to design their own mining chips. 
One reason ASICs run so fast is that the same circuits can be fitted into smaller spaces than is possible with an FPGA, he says. Sethumadhavan notes that the profitability of mining is also determined by Bitcoin exchange rates, electricity costs, and the up-front cost of hardware. However, using ballpark figures makes it possible to illustrate how much more a miner could make using an ASIC. An FPGA-based product that Butterfly Labs sells for $599 could pull in $1.50 worth of Bitcoins a day based on today's exchange rate, excluding electricity costs. A product with one of its new ASICs inside, priced at $649, is expected to work fast enough to earn $55 a day based on the same criteria. When ASICs do arrive, they could force many bitcoin miners to give up. Since Nakamoto's system adjusts the difficulty of mining to keep the rate of production constant, it will become significantly more difficult once the new chips go online. Many small-time miners will find that their outmoded equipment will no longer be able to pay for its own electricity bills. "It will become more of a business," says Butterfly Labs' Zerlan. He believes that will help strengthen the Bitcoin economy and enable it to be taken more seriously. But none of that can happen until Zerlan and his competitors deliver their chips. All the most credible-looking ASIC projects have experienced delays and retreated from initial promises that their products would ship in late 2012, citing technical difficulties. If the products do make it to customers, the competitors may find themselves caught up in a race to release newer, faster versions. Columbia's Sethumadhavan says custom ASICs may soon face a challenge from chips for mobile devices with circuits dedicated to performing encryption operations. These chips, expected next year, will probably be designed to a standard higher than the miners can reach and could be used to build powerful mining rigs without ASICs. 
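The three rules the article describes (the brute-force block puzzle, the difficulty adjustment that keeps block production constant as faster hardware arrives, and the halving schedule that caps supply at 21 million) as an added Python model; this is not code from the article or from any Bitcoin client. The header bytes and the 16-bit difficulty are constructed for illustration; the double-SHA-256 comparison against a numeric target, the 2016-block retarget with its factor-of-4 clamp, and the 210,000-block halving follow Bitcoin's actual rules.

```python
# Added example: a toy model of Bitcoin's mining rules. The header layout and the
# difficulty level are constructed for illustration; the hashing, retarget and
# halving arithmetic follow the real scheme.
import hashlib
import struct
from typing import Optional, Tuple

SATOSHI = 10 ** 8
INITIAL_REWARD = 50 * SATOSHI   # subsidy for block 0, in satoshi
HALVING_INTERVAL = 210_000      # blocks between reward halvings
RETARGET_INTERVAL = 2016        # blocks between difficulty adjustments
TARGET_BLOCK_TIME = 600         # seconds per block the network aims for


def double_sha256(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for_bits(leading_zero_bits: int) -> int:
    """A hash solves the puzzle when, read as a 256-bit integer, it is below the
    target. Requiring n leading zero bits means target = 2**(256 - n)."""
    return 1 << (256 - leading_zero_bits)


def mine(header_prefix: bytes, target: int,
         max_nonce: int = 1 << 32) -> Optional[Tuple[int, bytes]]:
    """Brute force: try nonces until double_sha256(prefix || nonce) < target.
    Returns (nonce, hash), or None if the 32-bit nonce space is exhausted."""
    for nonce in range(max_nonce):
        digest = double_sha256(header_prefix + struct.pack("<I", nonce))
        if int.from_bytes(digest, "big") < target:
            return nonce, digest
    return None


def verify(header_prefix: bytes, nonce: int, target: int) -> bool:
    """Checking a claimed solution costs one hash, however long mining took."""
    digest = double_sha256(header_prefix + struct.pack("<I", nonce))
    return int.from_bytes(digest, "big") < target


def expected_hashes(target: int) -> float:
    """Average number of hash attempts needed to land below the target."""
    return (1 << 256) / target


def retarget(old_target: int, actual_seconds: int,
             expected_seconds: int = RETARGET_INTERVAL * TARGET_BLOCK_TIME) -> int:
    """Difficulty adjustment: scale the target by how long the last interval took
    versus how long it should have taken, limited to a factor of 4 per step.
    Faster hardware -> blocks arrive too fast -> target drops -> more work."""
    new_target = old_target * actual_seconds // expected_seconds
    return max(old_target // 4, min(old_target * 4, new_target))


def block_reward(height: int) -> int:
    """Subsidy in satoshi at a given height; halves (integer shift) every
    HALVING_INTERVAL blocks until it reaches zero."""
    return INITIAL_REWARD >> (height // HALVING_INTERVAL)


def total_supply() -> int:
    """Sum of every subsidy that will ever be paid, in satoshi (the 21M cap)."""
    total, height = 0, 0
    while block_reward(height) > 0:
        total += block_reward(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total


if __name__ == "__main__":
    # Constructed header; a real one carries version, prev hash, merkle root, etc.
    header = b"constructed-header:prev=0000;merkle=abcd;time=1354700000"
    target = target_for_bits(16)            # ~65,536 hashes on average
    nonce, digest = mine(header, target)
    print("nonce", nonce, "hash", digest.hex(), "valid", verify(header, nonce, target))
    print("expected hashes per block:", expected_hashes(target))
    # Hardware 100x faster finishes the 2016-block interval 100x too soon; the
    # retarget can only tighten by 4x per step, so several steps follow.
    print("target after a 100x-too-fast interval is old/4:",
          retarget(target, RETARGET_INTERVAL * TARGET_BLOCK_TIME // 100) == target // 4)
    print("reward at height 210000 (BTC):", block_reward(210_000) / SATOSHI)
    print("total supply (BTC):", total_supply() / SATOSHI)
```

The first halving (height 210,000) is what took the reward from 50 to the 25 bitcoins the article cites.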
Meanwhile, the Bitcoin economy is still based more on speculation than on actual business transactions. Blog host Wordpress became the closest thing to a major brand that accepts bitcoins this month, but although anything from alpaca socks to e-mail hosting can be bought using the currency, most such products are offered by enthusiasts inside the Bitcoin community. Unlike real gold, the bitcoins pursued by those building ASICs may not always glitter. From eugen at leitl.org Wed Dec 5 02:54:17 2012 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 5 Dec 2012 11:54:17 +0100 Subject: Bitcoin Not Bombs Message-ID: <20121205105417.GL9750@leitl.org> http://dailyanarchist.com/2012/12/04/bitcoin-not-bombs/ Bitcoin Not Bombs December 4th, 2012 Submitted by Davi Barker A handful of articles have entered my head this week, and as we speak they are mixing together like volatile chemicals about to explode. I've been on the Bitcoin bandwagon for less than a year, but I am constantly blown away by the innovations made possible by what is fundamentally a very simple idea. In the beginning I pretty much only used it to buy baklava. Now I'm buying gold and silver bullion with Bitcoin, and accepting it as payment for the various things that I sell. So, I have a pretty good sense of how the system works and I'm just starting to really get the economic ramifications of a digital peer-to-peer currency. I theoretically understand the impact it could have politically, at least domestically, but I'm just starting to get the first inkling of what the international political ramifications of Bitcoin might be. This rabbit hole begins with US sanctions against Iran. The people who argue in favor of sanctions against Iran usually strike me as economic buffoons. The same person who tells me the US needs to prevent Iran from engaging in international trade to weaken their economy will usually also tell me the US needs to stop engaging in international trade to strengthen its own economy. 
So this is where our journey begins. Last month Turkey's Deputy Prime Minister and top economic policy maker Ali Babacan confirmed that Turkey was circumventing sanctions by trading Iranian crude oil for Turkish gold instead of dollars. In fact, in the last nine months Turkey, ostensibly a strong ally of the US, has tripled its pre-sanctions exports to Iran. It's essentially a thumb in the eye to US legitimacy, and the global banking system. Good for them, I thought. It's a powerful proof of concept for the efficacy of alternative currency. But then I remembered another recent story about gold in Iran. In October hundreds of currency protesters gathered in Tehran's historic Grand Bazaar outraged over the plunging Iranian rial. In response hundreds of riot police stormed Tehran's currency exchange district arresting "illegal money changers." Imagine that. It is a crime for honest merchants to exchange one baseless paper note for another baseless paper note because the sociocrats that issue those notes don't get along. What's interesting is that the 80% drop in the rial's value was largely blamed on sanctions, but the head of the national police said that people holding stashes of gold was "perturbing the currency market." So, it's perfectly fine for States to use gold to protect themselves from economic sanctions, but not for the lowly civilians. But more importantly, holding stashes of precious metals may be an adequate protection against foreign sanctions, but not against your own State. Well, what are the Iranian people to do? I found the answer. Iranian Musician Mohammad Rafigh has translated some Bitcoin software into Farsi and is talking up Bitcoin in Iran. Rafigh accepted Bitcoin for his latest album. He wrote "I wish the culture of using digital money spreads all over the world, because it does not have any dependency on anything like politics." Using Bitcoin Iranians living abroad can send money to their families, or exchange them for rials or dollars. 
It allows them to store their wealth digitally where the currency police can't seize it, and most importantly it allows the people of Iran, at the individual level, to skirt US sanctions and maintain an economic connection to the outside world. When US sanctions against Iraq killed an estimated 1 million innocent civilians in the 90s it's easy to see how important that is. All the pieces came together when I read that AntiWar.com now accepts Bitcoin donations. PayPal and many credit card companies block access in over 60 countries for largely political reasons. Bitcoin offers what no other currency can. Access to everyone, everywhere. AntiWar.com was launched in 1995, to oppose the Bosnian war under the Clinton administration, but as wars have escalated so has opposition to war. Today the site is the leading hub of anti-war news and activism in the liberty movement, devoted not only to opposing war, but also the assaults on freedom that result from it. Bitcoin was created in 2009 by an infamous programmer named Satoshi Nakamoto, but it is unlike any other currency in the world in that it is not issued by any central bank or ruling State. In fact, it's incredibly difficult if not impossible to track, regulate or block. What this means is that right now, in the world we live in, it is possible for civilians living in Iran to donate to the anti-war movement in the US, and it is possible for civilians in the US to donate to the relief efforts in the countries the US bombs. People can now cooperate across national boundaries, and there is virtually nothing that States can do to prevent it. Bitcoin has already changed the world, and it will continue to do so in fantastic and unpredictable ways. Given that wars must be funded by taxes, national debt or currency debasement, all of which can be protected against with Bitcoin, it's going to be increasingly difficult for imperial powers to fund their military budgets. 
French economist Frederic Bastiat once said, "If goods don't cross borders, armies will." I suggest that when States can no longer prevent goods from crossing borders, armies won't. The AntiWar.com donation address is: 1M87hiTAa49enJKVeT9gzLjYmJoYh9V98 Tags: AntiWar.com, Bitcoin, Iran, Iran Sanctions, Mohammad Rafigh From hakkarpq56 at rathmell.com Tue Dec 4 20:04:06 2012 From: hakkarpq56 at rathmell.com (=?koi8-r?B?Iv7B09kgydog5dfSz9DZICDP1CA5IDk5OSDS1cIuIg==?=) Date: Wed, 5 Dec 2012 12:04:06 +0800 Subject: =?koi8-r?B?9M/M2MvPIDEwMCVyZWYg3MzJ1M7ZyCAg+9fFysPB0tPLycXIIN7B08/X?= Message-ID: <000d01cdd29d$91f03770$6400a8c0@hakkarpq56> VIP replicas of men's and women's Swiss watches from 9 999 rubles. Manufactured only in Europe and only with Swiss movements! Discounts today! Our site: http://www.часы-тут.рф From bzs at world.std.com Wed Dec 5 09:22:02 2012 From: bzs at world.std.com (Barry Shein) Date: Wed, 5 Dec 2012 12:22:02 -0500 Subject: Six Strike Rule (Was: William was raided...) Message-ID: On December 4, 2012 at 11:10 jason at thebaughers.com (Jason Baugher) wrote: > We don't do content inspection. We don't really want to know what our > customers are doing, and even if we did, there's not enough time in the day > to spend paying attention. When we get complaints from the various > copyright agencies, we warn the customer to stop. When we hit a certain > number of complaints, it's bye-bye customer. This is why there's a need for some sort of reasonable, organized response outlined in writing. In my experience law enforcement (and others) will try to shift whatever investigative tasks are convenient to them to anyone in the loop. Why not, it costs them nothing to have you running around all day and night doing investigative work for them. They will generally cite the seriousness of the underlying crime as (bottomless) justification for your contribution. 
The rational response is to sit down as a group within some framework and come to some agreement* with them as to what is a reasonable and sufficient response in these cases. Otherwise you're just the complaint desk at Macy's taking all comers and subject to whatever they can dream up to try to get you to solve their problems.

* Agreement with LEOs is best, a unilateral document would at least open discussion one would hope and move towards that end.

--
-Barry Shein
The World | bzs at TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From reprocess at rossmoregroup.com Wed Dec 5 02:29:46 2012
From: reprocess at rossmoregroup.com (=?koi8-r?B?Iv7B09kgz9QgNSA5OTkg0tXCzMXKIg==?=)
Date: Wed, 5 Dec 2012 12:29:46 +0200
Subject: =?koi8-r?B?+8nLwdLO2cUg3sHT2SDTIPvXxcrDwdLTy8nNySDJIPHQz87Ty8nNySDN?= =?koi8-r?B?xcjBzsnazcHNyQ==?=
Message-ID: <99922AD9B3F3420FABD7DB52DD314573@user>

High-quality copies of Swiss watches with Swiss and Japanese movements! From 6,000 rubles. Discounts today! Our site: http://www.часы-бутик.рф

From nick at nclarkjudd.com Wed Dec 5 10:11:08 2012
From: nick at nclarkjudd.com (Nicholas Judd)
Date: Wed, 5 Dec 2012 13:11:08 -0500
Subject: [liberationtech] /. ITU Approves Deep Packet Inspection
Message-ID:

Hi list, Nick from techPresident here. If I could tap into your hive-mind intelligence for a moment to help me be more precise about explaining why this is an issue, I would appreciate it ...
Governments, intelligence organizations and assorted nogoodniks already use deep-packet inspection, so the declaration of a standard for DPI comes off as vaguely Orwellian but not news. I'm searching for a way to explain the privacy-advocate position on this both accurately and concisely. The sense I get from CDT's blog post is that there are three reasons why this is more than just creepy in principle:

1. The standard outlines ways that, in the ITU's view, ISPs should structure their operations so that highly invasive surveillance can function;
2. Under current governance, this standard could be as widely ignored as the tag, but ISPs could be forced to comply if the ITU becomes a must-follow standards-making body for the Internet -- meaning all traffic in every ITU member state, in this extreme example, would be vulnerable by design;
3. On principle, IETF and W3C don't address standards for surveillance, highlighting another way the ITU is ideologically removed from the way the Internet is now governed.

Am I on target here?

On Dec 5, 2012, at 12:41 PM, Cynthia Wong wrote:
> The final version of the standard should show up here... eventually:
>
> http://www.itu.int/en/ITU-T/publications/Pages/latest.aspx
>
> http://www.itu.int/dms_pages/itu-t/rec/T-REC-RSS.xml
>
>
> -----Original Message-----
> From: liberationtech-bounces at lists.stanford.edu [mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Asher Wolf
> Sent: Wednesday, December 05, 2012 7:38 AM
> To: liberationtech at lists.stanford.edu
> Subject: Re: [liberationtech] /.
ITU Approves Deep Packet Inspection
>
> From http://committee.tta.or.kr :
> Revision of Y.2770 Requirements for #DPI in Next Generation Networks http://bit.ly/Yx0Sya (via @BetweenMyths)
>
> On 5/12/12 9:25 PM, Andre Rebentisch wrote:
>> On 05.12.2012 10:27, Eugen Leitl wrote:
>>> http://yro.slashdot.org/story/12/12/05/0115214/itu-approves-deep-pack
>>> et-inspection
>>>
>>> ITU Approves Deep Packet Inspection
>>>
>>> Posted by Soulskill on Tuesday December 04, @08:19PM
>>>
>>> from the inspect-my-encryption-all-you'd-like dept.
>>>
>>> dsinc sends this quote from Techdirt about the International
>>> Telecommunications Union's ongoing conference in Dubai that will have
>>> an effect on the internet everywhere:
>> The WCIT is a "diplomatic conference" for the rules governing the ITU,
>> the ITRs. It seems wrong to mix that with ongoing specific
>> standardisation work of the ITU.
>>
>> Anyway, interesting discussions over at circleid.com:
>> http://www.circleid.com/posts/20121203_wcit_off_to_a_flying_start/
>> Apparently ITU fellows are disgruntled that they cannot control the
>> media coverage and complain about all the "misinformation".
>>
>> Best,
>> André
>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From jya at pipeline.com Wed Dec 5 10:23:38 2012
From: jya at pipeline.com (John Young)
Date: Wed, 05 Dec 2012 13:23:38 -0500
Subject: Assange-WikiLeaks Crypto Arms Call Triple Cross
Message-ID:

Assange-WikiLeaks Crypto Arms Call Triple Cross

Applying cryptography's bag of tricks to Julian Assange's introduction to the new book, Cypherpunks: Freedom and the Future of the Internet, entitled "A Call to Cryptographic Arms," it could be taken as a "A Cryptographic Call to Arms," that is, an encrypted warning contained within the plain text.

Assange and WikiLeaks, like cypherpunks, is masterfully wily at practicing the characteristic cryptography feature of duplicity, never revealing what is going on beneath public assurances of trustworthiness. Assange and WikiLeaks, like cypherpunks, invoke open-closed cryptographic duplicity as his personal behavior and as the policy of the WikiLeaks initiative. Concealing, obscuring and diverting his personal affairs while seeking publicity, and concealing, obscuring and diverting the inner affairs of the operation for disclosing documents openly. This is cryptography in action.
In the same fashion Assange-WikiLeaks has periodically published encrypted packages as "insurance" against takedown, it has also released the unredacted State Department cables by way of a complicated, presumably, orchestrated, leak. The leak of the password to the cable collection by giving it to journalists to publish is a classic instance of cryptographic dupery.

Cryptography formulates threats, ruses, disclosures, ploys, diversions, deceptions, double-crosses, triple-crosses to hide strengths and weaknesses, attacks and defenses, lies and dissimulations, assurances of innocence and candor.

Crypto AG is a classic instance of NSA deception, among many, to install a backdoor in a widely adopted encrypted system, then leaked decades later as a warning to those who think they can obtain fully secure communication systems.

A recent example is that of open source cryptography promoted as means to verify encryption systems by public disclosure and examination. Its shortcoming, and virtue to the wily, is that far from all cryptographers subscribe to the sharing venture -- notably those associated with governments, corporations and mendacious individual efforts, instead take open source and not reveal what is found of its weaknesses (to be exploited in secret) nor what is done with the gift. US spies have admitted they take open source but do not give back.

The same could be said of leak sites, anonymizers, IRC, news and mail groups, social media, Skype, varieties of comsec offerings, and the Internet itself among its many levels of access. Offer services, free, paid, purloined or onioned, for which the take is much greater than the offerings -- the standard asymmetric-warfare model, derived from governance, education, non-profits and history's all-time leader, religion, the latter exceeded only by wily hyenas patrolling the herd to mount novel attacks to take down over-confident herdmasters.

Cryptographers do not trust one another. Cypherpunks triple cross as ruse.
Consider that the Assange-WikiLeaks book Cypherpunks is a cryptographic ruse which conveys an encrypted body of secrets, additional insurance against the takedown of Assange and WikiLeaks to be declared after the volume is widely distributed in print and e-book form. A modern Lutherian proclamation of open and encrypted dissent against the corruption of closed and secret authority. Further, imagine that Assange-WikiLeaks is planting encrypted bits in all its releases which can be decrypted at a future time, to re-assemble into a larger disclosure. In the world of cryptography this would be expected. Cypherpunks advocate this encrypted concealment, dispersion, distribution and future coalescence. Pre-positioning attacks and defenses well before they are needed is conventional warfare -- as well as political, economic and philosophical enterprise. Cypherpunks, before, during and after WikiLeaks, has pre-positioned encrypted packs of arms demurely clothed in dissent from and opposition to governance, finance and faith. This cryptographic call to arms is a triple-cross under a double-cross planted in roots of trust, openness masquerading for multi-level deception, in short, the essence of heavily-armored cryptography. From joidierdre at laposte.net Wed Dec 5 01:29:48 2012 From: joidierdre at laposte.net (Ernestina Signe) Date: Wed, 05 Dec 2012 13:29:48 +0400 Subject: NO PRIOR PRESCRIPTION NEEDED! Cialis 20mg/90 pills $133 US-US 3-5 day. We accept VISA. Shipping: EMS/USPS, Airmail, Courier. rxprp Message-ID: <32w64i57c65-02000306-145y1d19@onhfxrcbod> Cialis 20mg/90 pills $133 US-US 3-5 days, Ship to all countries too NO PRIOR PRESCRIPTION NEEDED! We accept VISA. Shipping: EMS/USPS, Airmail, Courier. 
http://rxdiscounttablets.ru

From sallowestq363 at rogerscasey.com Tue Dec 4 22:36:28 2012
From: sallowestq363 at rogerscasey.com (=?koi8-r?B?IvPVzcvJIMnaIOnUwczJySDczMnUztnIIMLSxc7Ez9ci?=)
Date: Wed, 5 Dec 2012 13:36:28 +0700
Subject: =?koi8-r?B?9sXO08vJxSDJIM3V1tPLycUg09XNy8kgydog6dTBzMnJKPDSwcTBLCD7?= =?koi8-r?B?wc7FzNggySDE0ikhIPPLycTLySE=?=
Message-ID:

Women's and men's bags from Italy by elite brands, from 6,700 rubles! Discounts today at http://www.сумки-длявсех.рф

From eugen at leitl.org Wed Dec 5 04:50:26 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 5 Dec 2012 13:50:26 +0100
Subject: [liberationtech] /. ITU Approves Deep Packet Inspection
Message-ID: <20121205125026.GR9750@leitl.org>

----- Forwarded message from Asher Wolf -----

From eugen at leitl.org Wed Dec 5 05:10:30 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 5 Dec 2012 14:10:30 +0100
Subject: New 25 GPU Monster Devours Passwords In Seconds
Message-ID: <20121205131030.GT9750@leitl.org>

(if these BitCoin ASICs land they'll probably even more SHA-256 based password hashing schemes)

http://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/

New 25 GPU Monster Devours Passwords In Seconds

December 4, 2012 7:12 pm
Author: ledgeditor
Tags: conferences critical infrastructure Government hacking password

There needs to be some kind of Moore's law analog to capture the tremendous advances in the speed of password cracking operations. Just within the last five years, there's been an explosion in innovation in this ancient art, as researchers have realized that they can harness specialized silicon and cloud based computing pools to quickly and efficiently break passwords.

Password Cracking HPC: Gosney's set-up uses a pool of 25 virtual AMD GPUs to brute force even very strong passwords.

A presentation at the Passwords^12 Conference in Oslo, Norway (slides available here - PDF), has moved the goalposts, again.
Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs and communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric.

Gosney's system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft's LM and NTLM, obsolete. In a test, the researcher's system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using NTLM (NT Lan Manager), for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference. "Passwords on Windows XP? Not good enough anymore," Thorsheim said.

Tools like Gosney's GPU cluster aren't suited for an "online" attack scenario against a live system. Rather, they're used in "offline" attacks against collections of leaked or stolen passwords that were stored in encrypted form, Thorsheim said. In that situation, attackers aren't limited to a set number of password attempts -- hardware and software limitations are all that matter.

The clustered GPUs clocked impressive speeds against more sturdy hashing algorithms as well, including MD5 (180 billion attempts per second), 63 billion/second for SHA1 and 20 billion/second for passwords hashed using the LM algorithm. So called "slow hash" algorithms fared better. The bcrypt (05) and sha512crypt permitted 71,000 and 364,000 per second, respectively.
Benchmarks - Fast Hash Cracking: Published benchmarks against common hashing algorithms using the 25 GPU HPC cluster

In an IRC chat with Security Ledger, Gosney said he has been developing the new platform since April, after trying his hand at pooling traditional CPUs for password cracking. "I was extremely disappointed that setting up a clustered VMware instance wouldn't allow me to create a VM that spanned all the hosts in the cluster. E.g. if i had five VMware ESX hosts with 8 processor cores, I wanted to be able to create a single vm with 40 cores and use all nodes in the cluster," he wrote.

Then he came across VCL, or Virtual Open Cluster, a small and heretofore little recognized project from the scientists who manage the MOSIX distributed operating system first released in the 1970s. "It did just what I wanted, not with an entire OS per se, but with an entire OpenCL application. and that's good enough for me."

After playing around with VCL for a while, Gosney approached Prof. Amnon Barak, one of Mosix's creators. Gosney was interested in adding features to VCL that would allow it to run the HashCat password cracking tool. "Once we convinced Amnon that we did not aspire to turn the world into one giant botnet, he was very cooperative in working with (us) to resolve issues with VCL that was preventing it from working 100% with hashcat," he said.

VCL makes load balancing across the cluster -- once an arduous task that required months of custom scripting -- a trivial matter. As a result, Gosney said that his team is at a point where their implementation of Hashcat on VCL could be scaled up far above the 25GPU rig he has created -- supporting "at least 128 AMD GPUs." "It really is the marriage of two absolutely fantastic programs, which allows us to do unprecedented things," he wrote.

Gosney is no stranger to password cracking.
After 6.4 million Linkedin password hashes were leaked online, Gosney was one of the first researchers to decrypt them and analyze the findings. He and a partner were ultimately able to crack between 90% and 95% of the password values.

Gosney's GPU cluster is just the latest leap forward in password cracking in a year that has already seen prominent encryption algorithms deemed compromised by an onslaught of cheap compute power. In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other Linux-based operating systems was forced to acknowledge that the hashing function is no longer suitable for production use - a victim of GPU powered systems that could perform "close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware," he wrote. Gosney's cluster cranked out more than 70 times that number - 77 million brute force attempts per second against MD5crypt.

Recent years have also seen the launch of services like Moxie Marlinspike's WPACracker and then CloudCracker, a cloud-based platform for penetration testers that can do lookups of password hashes and other encrypted content against a dictionary of over hundreds of millions -- or even billions -- of potential matches -- all for under $200. And if that price is too rich, a team of U.S. based researchers have shown how you can do the same thing -- on the cheap - by leveraging Google's MapReduce and cloud based browsers. Then, in 2011, researcher Thomas Roth, who developed the Cloud Cracking Suite (CCS) -- a tool that leveraged eight Amazon EC2-based Nvidia GPU instances to crack the SHA1 encryption algorithm and dispense with tens of thousands of passwords per second.

Gosney said he plans to "make a bit of money" off his invention, either by renting out time on it or by offering it as a paid password recovery and domain auditing service. "I have way too much invested in this to not get some kind of return out of it," he wrote.
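Added example (mine, not code from the article, from Security Ledger or from Gosney's rig): a crack-time estimator that takes the per-second guess rates the article quotes for the 25-GPU cluster and turns them into worst-case exhaustion times for a random password of a given length and alphabet, so the "fast hash" and "slow hash" columns can be compared directly. It also works through the "six minutes for a 14-character XP password" figure. That reading is my inference from the quoted numbers, not a claim the article makes: it matches the quoted 20 billion LM guesses per second applied to the LM hash's two independent uppercased 7-character halves (XP stores an LM hash beside the NTLM hash for passwords of 14 characters or fewer), not 14 characters of NTLM. The rate table is transcribed from the text, the alphabet sizes are assumed policy definitions, and the 69-character LM alphabet (26 uppercase, 10 digits, 33 symbols) is an assumption.

```python
"""Crack-time estimates from the guess rates quoted for the 25-GPU cluster.

Added example, not the article's or Gosney's code. The rates below are
constants transcribed from the article; nothing here runs a cracker.
"""

# Guesses per second as quoted in the article for the 25-GPU rig.
RATES_PER_SECOND = {
    "NTLM": 348e9,
    "MD5": 180e9,
    "SHA1": 63e9,
    "LM": 20e9,
    "md5crypt": 77e6,
    "sha512crypt": 364e3,
    "bcrypt(05)": 71e3,
}

# Alphabet sizes for common password policies (assumed definitions).
CHARSET_SIZES = {
    "digits": 10,
    "lower": 26,
    "lower+digits": 36,
    "mixed+digits": 62,
    "printable": 95,
}

# LM uppercases the password and hashes two independent 7-character halves,
# so the effective alphabet has no lowercase letters. 69 is an assumption:
# 26 uppercase + 10 digits + 33 printable symbols.
LM_ALPHABET = 69
LM_HALF_LENGTH = 7


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that keeps the number readable."""
    units = (("s", 60), ("min", 60), ("h", 24), ("d", 365.25), ("y", None))
    value = seconds
    for name, factor in units:
        if factor is None or value < factor:
            return f"{value:,.1f} {name}"
        value /= factor
    return f"{value:,.1f} y"


def lm_crack_seconds(rate: float = RATES_PER_SECOND["LM"]) -> float:
    """Time to exhaust one 7-character LM half.

    Both halves are attacked independently, so a 14-character LM password
    costs about twice this, not 69**14 guesses.
    """
    return seconds_to_exhaust(LM_ALPHABET, LM_HALF_LENGTH, rate)


def crack_time_table(length: int, charset: str = "printable") -> dict:
    """Worst-case seconds per algorithm for a fully random password."""
    size = CHARSET_SIZES[charset]
    return {algo: seconds_to_exhaust(size, length, rate)
            for algo, rate in RATES_PER_SECOND.items()}


def slowdown_factor(slow: str, fast: str) -> float:
    """How many times more expensive one guess against `slow` is than `fast`."""
    return RATES_PER_SECOND[fast] / RATES_PER_SECOND[slow]


if __name__ == "__main__":
    print(f"one LM half at 20 G/s: {human_time(lm_crack_seconds())}")
    for length in (8, 10, 14):
        print(f"\nrandom {length}-char printable password, worst case:")
        for algo, secs in crack_time_table(length).items():
            print(f"  {algo:12s} {human_time(secs):>16s}")
    ratio = slowdown_factor("bcrypt(05)", "NTLM")
    print(f"\nbcrypt(05) vs NTLM per-guess cost: {ratio:,.0f}x")
```

The column worth reading is the ratio: at the quoted rates a guess against bcrypt(05) costs roughly 4.9 million times a guess against NTLM, which is why the article's "slow hash" algorithms fared better, and why the same leaked list is a minutes-long job or a multi-year one depending only on the hash format it was stored in. Storing credentials under a tunable slow hash (and retiring LM storage entirely) is the mitigation the table points to.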
From eugen at leitl.org Wed Dec 5 06:52:43 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 5 Dec 2012 15:52:43 +0100
Subject: Patriot Act can "obtain" data in Europe, researchers say
Message-ID: <20121205145243.GV9750@leitl.org>

(Ya think?)

http://www.cbsnews.com/8301-205_162-57556674/patriot-act-can-obtain-data-in-europe-researchers-say/

Patriot Act can "obtain" data in Europe, researchers say

LONDON European data stored in the "cloud" could be acquired and inspected by U.S. law enforcement and intelligence agencies, despite Europe's strong data protection laws, university researchers have suggested.

The research paper, titled "Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act," written by legal experts at the University of Amsterdam's Institute for Information Law, supports previous reports that the anti-terror Patriot Act could be theoretically used by U.S. law enforcement to bypass strict European privacy laws to acquire citizen data within the European Union.

The Patriot Act, signed into law in 2001, granted some new powers to U.S. authorities, but it was mainly a "framework law" that amended and strengthened a variety of older laws, such as the Foreign Intelligence Services Act (FISA) and the Electronic Communications Privacy Act (ECPA).

"Most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction either because they are U.S. companies or conduct systematic business in the U.S.," Axel Arnbak, one of the authors of the research paper, told CBS News.

"In particular, the Foreign Intelligence Surveillance Amendments (FISA) Act makes it easy for U.S. authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the U.S., with little or no transparency obligations for such practices -- not even the number of actual requests."
This holds true for requests targeted at non-U.S. individuals and for entire business records, he added. Dutch vice-chair of the European Parliament's civil liberties committee Sophie in 't Veld welcomed the research, adding that it "provided further evidence" to support the theory. She told CBS News, however, that the European Commission's proposals for new data protection rules will not solve the potential conflicts posed by third country law and the lengthy period of time in which EU laws become ratified, "would not be a reason to let the situation be for several years to come." Information security, privacy and data protection lawyer Bryan Cunningham, who worked under both democratic and republican administrations, most recently as deputy legal advisor to former U.S. National Security Advisor Condoleezza Rice under President George W. Bush, told CBS News that this "important report" should "help correct a widespread post-9/11 misconception," that the Patriot Act and related legislation, "provided vast new powers for the U.S. government to gain access to sensitive communications and data of non-U.S. persons." The research resurfaces questions about the security and sovereignty of citizen and government data in an ever-connected global and borderless online world. It also supports a ZDNET report that European data protection rules do not protect EU citizens' data against extra-territorial third country law, such as that of the United States. Months after the research was published, Microsoft U.K. managing director Gordon Frazer was the first to publicly admit that the software giant could not guarantee that European citizen data stored in EU-based data centers would not leave the European Union under any circumstances, including under a Patriot Act request. "Neither can any other company," Frazer noted. Frazer's disclosure triggered outrage among politicians in the European Parliament. 
Subsequently a number of European member state governments began to question their own cloud service provisions, and in some cases banned U.S. providers from offering IT and computing services in their countries. U.K.-based defense giant BAE Systems in the past year reneged on plans to adopt Microsoft's cloud-based services, citing fears that critical national defense secrets could land in U.S. hands.

The Dutch government is also investigating a potential conflict with third country law in regards to personal citizen passport data. Dutch social-liberal party D66 raised questions in the country's parliament after suspicions arose that U.S. authorities could potentially access Dutch fingerprint and facial scans for passports because the North Holland-based company Morpho is owned by parent company Safran, which conducts systematic business in the U.S.

U.S. jurisdiction "extends to companies"

Cloud computing is the storing of documents, photos, music and files online. Governments, in possession of citizen data along with their own national security secrets, are increasingly utilizing cloud services for internal government communications, hosting documents and enabling the sharing of vast amounts of data between government departments.

Companies, schools and universities that wish to keep their data in their home jurisdiction -- governments, most of all -- the cloud poses a new set of risks. Because most major cloud providers, such as Apple, Amazon, Google and Microsoft, are based in the U.S., the study was focused on the provisions under U.S. law, particularly in reference to the Patriot Act, signed in 2001, and the Foreign Surveillance Intelligence Act (FISA), originally signed into law in 1978 and last amended in 2008 by Congress.
The researchers explain that businesses, schools and universities located outside the United States -- including foreign governments -- which use cloud services offered by a company that conducts business in the U.S., could be forced by U.S. law enforcement to transfer data to U.S. territory for inspection by law enforcement agencies.

"In the U.S. legal framework, there is a legal doctrine called 'extra-territorial jurisdiction'. This implies that cloud providers operating anywhere in the EU, or anywhere in the world for that matter, have to comply with data requests from U.S. authorities as soon as they fall under U.S. laws," said Arnbak. "These laws, including the Patriot Act, apply as soon as a cloud service conducts systematic business in the United States. It's a widely held misconception that data actually has to be stored on servers physically located in the U.S."

If they are forced to hand over EU-stored data back to the U.S., the company could be found in breach of EU law, even if it is covered by both EU and U.S. legal jurisdictions.

"The key criterion in this respect is whether the cloud provider conducts systematic business in the United States, for example because it is based there or is a subsidiary of a U.S.-based company that controls the data in question," the researchers write.

Because non-U.S. residents are not protected from unwarranted searches under the Fourth Amendment, the researchers warn that this "gives the U.S. government entities concerned the statutory power to gather data on a large scale about non-U.S. citizens located abroad. And, legal protection under specific U.S. laws applies primarily to U.S. citizens and residents."

However, under FISA -- amended by the Patriot Act in October 2001, just a month after the September 11 terrorist attacks -- foreigners were not the only group immune to unwarranted searches, the Fourth Amendment notwithstanding.
"The Bush administration had intercepted the communications of Americans without obtaining a judicial warrant. The New York Times had carried reports on this from late 2005," the researchers write.

The Patriot Act also added powers to FISA which, "enables the FBI to request access to business records for an investigation into espionage and terrorism involving both U.S. and non-U.S. persons." However, while the researchers warn that U.S. law extends beyond the reach of its borders, figures relating to requests do not exist in the public domain.

The common misconception, according to the researchers, is that FISA gives the U.S. "unrestricted" or "unprecedented" access to data outside the country. FISA warrants do go through a "special court known as the Foreign Intelligence Surveillance Court (FISC)." The role of the court is to, "review the acquisition of intelligence information in this way if U.S. government entities require the assistance of electronic communication service providers for this purpose." This keeps highly sensitive requests for foreign data, under the premise of keeping terrorism-scale investigations secret, out of the public eye.

Because FISA courts hold national security secrets and details of ongoing terrorism investigations, the researchers say the data can't and shouldn't be published. "Given the nature of intelligence work, it is not possible to gain insight into actual requests for information by the U.S. authorities, other than a description of the general legal framework," the researchers write.

EU citizens "at risk" from FISA, Patriot Act

While most Americans are aware of the Patriot Act and its wide-ranging provisions for domestic security, its role outside the U.S. border remains widely unknown.
While the researchers focused their efforts on the data protection of cloud users in higher education in the Netherlands, in speaking to CBS News, Arnbak warned that the concern over the ability of third countries accessing data stored in the European Union was not limited to the Netherlands, but that it "certainly" extends to the 27 member state bloc, and even outside the European Union.

"The risk of data access by U.S. authorities to cloud data is realistic, and should form an integral part in any decision making process to move data into the cloud," he said.

Because the Netherlands is a member of the European Union, the country's data protection laws originally stemmed from a wider directive from the European Commission. Ratified in 1995, the EU Data Protection Directive must have been subsequently implemented into the legal systems of all member states by 1998. Therefore, every EU member state has the same foundation framework for data protection and privacy as each other, giving member state governments to expand upon the base principles and allowing data to freely flow across member states' borders, just as EU citizens have the right to do.

"This concerns anyone with an interest in autonomy and control over access to data -- governments, businesses, non-profits and consumers alike. That's why the current debate on electronic health records in The Netherlands is both fascinating and very serious. It appears that nobody has looked into this risk, before investing millions of taxpayers money to build these systems," Arnbak said.

He noted that businesses and governments alike, despite the additional costs, should consider in-house solutions instead of moving to the cloud. "If data is processed in-house, institutions will at the very least know of such investigations at an early stage."
Cunningham says, "There remains no credible way -- short, perhaps, of end-to-end encryption with the data provider holding the only key -- to assure confidentiality and security for cloud-stored data, whether stored in the United States or elsewhere." "Governments and institutions seeking such privacy and security protections should, at least for now, stick to storing their own data or, perhaps, implementing national cloud solutions with robust privacy and security protections." Because the U.S. government has "ample possibilities to request data from foreign (in this case Dutch) users of the cloud," the researchers claim, "it grants [authorities] to retrieve information on a large scale, including access to complete data sets." "In other words, these agencies may obtain information not only about a student who could pose a threat to U.S. national security but also about a student who makes an appointment in good faith through email with a person suspected by U.S. authorities of drug trafficking," the researchers assert. But this also extends outside the Netherlands to countries both in and outside the European Union. "From the U.S. legal perspective, Dutch users of cloud-based computing services therefore enjoy the same degree of [U.S.] constitutional protection as North Koreans," the study says. However, the U.S. is not alone with laws reminiscent of FISA or the Patriot Act. The researchers note that such wide-ranging provisions able to access cloud-stored data outside of their respective jurisdictions are not limited to the U.S. And continue to say, "Other nation states, including the Netherlands, have comparable provisions in place for access to data in the context of law enforcement and national security." For instance, the report notes the Dutch Intelligence and Security Services Act, which give the Dutch security and intelligence services, "the power to process the personal data of a wide range of persons." 
One of the sections of the law specifically carries FISA-like provisions in the Netherlands, which, "authorizes them to carry out, using a technical aid, targeted tapping, reception, recording and interception of any form of conversation, telecommunication or data transfer by means of an automated activity, irrespective of where this takes place." Similarly, the Canadian Anti-Terrorism Act "replicates" much of the provisions in the U.S.' Patriot Act. Ontario's Information and Privacy Commissioner Ann Cavoukian said in a recent report that the Act's provisions are part of the normal data-sharing process between governments. "You can outsource services, but you cannot outsource accountability," Cavoukian says. "Legal provisions regulating data access for intelligence and law enforcement purposes will exist in all democracies," Arnbak says. Cunningham warns that large, multinational, private cloud companies could pose a greater risk to private and sensitive citizen data than governments. "Many intelligence services around the world, particularly in non-democratic countries, have no effective legal restrictions whatsoever, and are aggressively collecting massive amounts of sensitive personal, government, and commercially valuable information around the world," Cunningham says. "Particularly with the rise of large, lightly-regulated cloud data storage providers, private, multinational companies actually may have more access to sensitive, personal data than national governments." Cunningham continues to say, such firms "assert far more authority to combine and data-mine such data for their own purposes than would the government be permitted under U.S. law." "And, whether or not such companies would intend to misuse such data, they are far from immune from ill-motivated insiders and external hacking activities, by individuals, criminal groups, and foreign governments." 
From Celia at dentalnets.com Wed Dec 5 07:55:31 2012
From: Celia at dentalnets.com (Lesley Pitts)
Date: Wed, 05 Dec 2012 16:55:31 +0100
Subject: Lesley Pitts sent you a message
Message-ID: <12596ACB.4302AFA1@dentalnets.com>

From cincinnatus at lavabit.com Wed Dec 5 19:44:53 2012
From: cincinnatus at lavabit.com (Cincinnatus)
Date: Wed, 05 Dec 2012 17:44:53 -1000
Subject: Assange-WikiLeaks Crypto Arms Call Triple Cross
In-Reply-To: <1354758955.23240.1.camel@anglachel>
References: <1354758955.23240.1.camel@anglachel>
Message-ID: <50C014B5.5020304@lavabit.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Everyone respects John for what he does, but it's clear the cheese has slipped further off his cracker in the last couple years. It's saddening.

Then again, his messages aren't signed with a key. Maybe the crazy-talk is part of an elaborate psyops quadruple-cross by the Assyrian Illuminati to damage his credibility.

On 12/5/2012 3:55 PM, Ted Smith wrote:
> On Wed, 2012-12-05 at 13:23 -0500, John Young wrote:
>> Assange-WikiLeaks Crypto Arms Call Triple Cross
>
> Someone's been hitting the silk road a little hard...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
-----END PGP SIGNATURE-----

From cincinnatus at lavabit.com Wed Dec 5 19:55:22 2012
From: cincinnatus at lavabit.com (Cincinnatus)
Date: Wed, 05 Dec 2012 17:55:22 -1000
Subject: Assange-WikiLeaks Crypto Arms Call Triple Cross
In-Reply-To: <1354765719.23240.17.camel@anglachel>
References: <1354758955.23240.1.camel@anglachel> <50C014B5.5020304@lavabit.com> <1354765719.23240.17.camel@anglachel>
Message-ID:
<50C0172A.9090208@lavabit.com>

Look how deep the conspiracy goes!

On 12/5/2012 5:48 PM, Ted Smith wrote:
> Maybe he's like me, and the list strips off his PGP/MIME attachment.
>
> On Wed, 2012-12-05 at 17:44 -1000, Cincinnatus wrote:
>> Everyone respects John for what he does, but it's clear the cheese has
>> slipped further off his cracker in the last couple years. It's saddening.
>>
>> Then again, his messages aren't signed with a key. Maybe the crazy-talk
>> is part of an elaborate psyops quadruple-cross by the Assyrian
>> Illuminati to damage his credibility.
>>
>> On 12/5/2012 3:55 PM, Ted Smith wrote:
>>> On Wed, 2012-12-05 at 13:23 -0500, John Young wrote:
>>>> Assange-WikiLeaks Crypto Arms Call Triple Cross
>>>
>>> Someone's been hitting the silk road a little hard...

From eugen at leitl.org Wed Dec 5 09:25:22 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 5 Dec 2012 18:25:22 +0100
Subject: Six Strike Rule (Was: William was raided...)
Message-ID: <20121205172522.GH9750@leitl.org>

----- Forwarded message from Barry Shein -----

From christian.fuchs at uti.at Wed Dec 5 10:27:27 2012
From: christian.fuchs at uti.at (Christian Fuchs)
Date: Wed, 05 Dec 2012 19:27:27 +0100
Subject: [liberationtech] /. ITU Approves Deep Packet Inspection
Message-ID:

If this approval by the ITU is true - then it is no surprise at all, but what one would expect. What else has the ITU in the past ever been than an instrument that supports capitalist interests and commodification of the ICT and telecommunications industries? DPI can advance large-scale monitoring of citizens by the state-capital complex that is connected by a right-wing state ideology of fighting crime and terror by massive use of surveillance technologies and a neoliberal ideology of capitalist organisations that want to make a profit out of surveillance and want to hinder the undermining of intellectual property rights.
See this: Christian Fuchs: Implications of Deep Packet Inspection (DPI) Internet Surveillance for Society. http://www.projectpact.eu/documents-1/%231_Privacy_and_Security_Research_Paper_Series.pdf

Best,
CF

On 12/5/12 7:11 PM, Nicholas Judd wrote:
> Hi list, Nick from techPresident here. If I could tap into your hive-mind intelligence for a moment to help me be more precise about explaining why this is an issue, I would appreciate it ...
>
> Governments, intelligence organizations and assorted nogoodniks already use deep-packet inspection, so the declaration of a standard for DPI comes off as vaguely Orwellian but not news. I'm searching for a way to explain the privacy-advocate position on this both accurately and concisely.
>
> The sense I get from CDT's blog post is that there are three reasons why this is more than just creepy in principle:
>
> 1. The standard outlines ways that, in the ITU's view, ISPs should structure their operations so that highly invasive surveillance can function;
> 2. Under current governance, this standard could be as widely ignored as the tag, but ISPs could be forced to comply if the ITU becomes a must-follow standards-making body for the Internet, meaning all traffic in every ITU member state, in this extreme example, would be vulnerable by design;
> 3. On principle, IETF and W3C don't address standards for surveillance, highlighting another way the ITU is ideologically removed from the way the Internet is now governed.
>
> Am I on target here?
>
> On Dec 5, 2012, at 12:41 PM, Cynthia Wong wrote:
>
>> The final version of the standard should show up here...
>> eventually:
>>
>> http://www.itu.int/en/ITU-T/publications/Pages/latest.aspx
>>
>> http://www.itu.int/dms_pages/itu-t/rec/T-REC-RSS.xml
>>
>> -----Original Message-----
>> From: liberationtech-bounces at lists.stanford.edu [mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Asher Wolf
>> Sent: Wednesday, December 05, 2012 7:38 AM
>> To: liberationtech at lists.stanford.edu
>> Subject: Re: [liberationtech] /. ITU Approves Deep Packet Inspection
>>
>> From http://committee.tta.or.kr :
>> Revision of Y.2770 Requirements for #DPI in Next Generation Networks http://bit.ly/Yx0Sya (via @BetweenMyths)
>>
>> On 5/12/12 9:25 PM, Andre Rebentisch wrote:
>>> On 05.12.2012 10:27, Eugen Leitl wrote:
>>>> http://yro.slashdot.org/story/12/12/05/0115214/itu-approves-deep-packet-inspection
>>>>
>>>> ITU Approves Deep Packet Inspection
>>>>
>>>> Posted by Soulskill on Tuesday December 04, @08:19PM
>>>>
>>>> from the inspect-my-encryption-all-you'd-like dept.
>>>>
>>>> dsinc sends this quote from Techdirt about the International
>>>> Telecommunications Union's ongoing conference in Dubai that will have
>>>> an effect on the internet everywhere:
>>> The WCIT is a "diplomatic conference" for the rules governing the ITU,
>>> the ITRs. It seems wrong to mix that with ongoing specific
>>> standardisation work of the ITU.
>>>
>>> Anyway, interesting discussions over at circleid.com:
>>> http://www.circleid.com/posts/20121203_wcit_off_to_a_flying_start/
>>> Apparently ITU fellows are disgruntled that they cannot control the
>>> media coverage and complain about all the "misinformation".
>>>
>>> Best,
>>> André
>>>
>>> --
>>> Unsubscribe, change to digest, or change password at:
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From pettter at acc.umu.se Wed Dec 5 10:34:59 2012
From: pettter at acc.umu.se (Petter Ericson)
Date: Wed, 5 Dec 2012 19:34:59 +0100
Subject: [liberationtech] /. ITU Approves Deep Packet Inspection
Message-ID:

Reading the draft document provided by Asher, I find nowhere any reference to this being a required activity for any ISP. Instead, it talks mainly about how data flows between generalised entities (think "devices"). So no, if ITU received a more governing role of the internet, that would not _in itself_ lead to Y.2770 being a "required standard" to implement for all ISPs (and I have no idea how this would happen anyway, given it doesn't concern itself with specifying any actions for ISPs).

There are legitimate uses for DPI, though the examples cited in the draft seem to be more about limiting BitTorrent traffic...

So basically, the standard is probably going to do mostly these things:

a) DPI equipment manufacturers can claim to be "standards compliant", which is a selling point in some circumstances

b) DPI might get more widely accepted as a technique.
It is up to us and other hackers to make sure that censorship and traffic discrimination is not.

c) It might be slightly easier for surveillance tech to interoperate between manufacturers, given that the main point of the standard is to suggest everyone output data and accept rules in a standard way.

To be frank, I have been trying to find out what the fuss has been about regarding this standard and come up... not blank, as it _is_ worrying that ITU is spending time on this shit, but at least I haven't found anything to inspire the absolutely massive shitstorm I have been seeing in certain places (e.g. /.). Is it just because it's the ITU doing it rather than, say, ISO or ANSI?

Best
/P

On 05 December, 2012 - Nicholas Judd wrote:
> Hi list, Nick from techPresident here. If I could tap into your hive-mind intelligence for a moment to help me be more precise about explaining why this is an issue, I would appreciate it ...
>
> Governments, intelligence organizations and assorted nogoodniks already use deep-packet inspection, so the declaration of a standard for DPI comes off as vaguely Orwellian but not news. I'm searching for a way to explain the privacy-advocate position on this both accurately and concisely.
>
> The sense I get from CDT's blog post is that there are three reasons why this is more than just creepy in principle:
>
> 1. The standard outlines ways that, in the ITU's view, ISPs should structure their operations so that highly invasive surveillance can function;
> 2. Under current governance, this standard could be as widely ignored as the tag, but ISPs could be forced to comply if the ITU becomes a must-follow standards-making body for the Internet, meaning all traffic in every ITU member state, in this extreme example, would be vulnerable by design;
> 3. On principle, IETF and W3C don't address standards for surveillance, highlighting another way the ITU is ideologically removed from the way the Internet is now governed.
>
> Am I on target here?
--
Petter Ericson (pettter at acc.umu.se)
Telecomix Sleeper Jellyfish

----- End forwarded message -----

From gbroiles at gmail.com Wed Dec 5 20:04:19 2012
From: gbroiles at gmail.com (Greg Broiles)
Date: Wed, 5 Dec 2012 20:04:19 -0800
Subject: Assange-WikiLeaks Crypto Arms Call Triple Cross
In-Reply-To: <50C014B5.5020304@lavabit.com>
References: <1354758955.23240.1.camel@anglachel> <50C014B5.5020304@lavabit.com>
Message-ID:

On Wed, Dec 5, 2012 at 7:44 PM, Cincinnatus wrote:
> Everyone respects John for what he does, but it's clear the cheese has
> slipped further off his cracker in the last couple years. It's saddening.

While I imagine John appreciates the plausible deniability provided by the possibility of mental illness or declining faculties (cf. Uncle Junior), I think you're failing to appreciate the opportunity here to watch a master at work. It's all part of the show, right? John understands the long game (long con?) better than most.
--
Greg Broiles
gbroiles at gmail.com

From eugen at leitl.org Wed Dec 5 11:06:43 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 5 Dec 2012 20:06:43 +0100
Subject: [liberationtech] /. ITU Approves Deep Packet Inspection
Message-ID: <20121205190643.GM9750@leitl.org>

----- Forwarded message from Nicholas Judd -----

From eugen at leitl.org Wed Dec 5 11:07:03 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 5 Dec 2012 20:07:03 +0100
Subject: [liberationtech] /. ITU Approves Deep Packet Inspection
Message-ID: <20121205190703.GN9750@leitl.org>

----- Forwarded message from Christian Fuchs -----

From eugen at leitl.org Wed Dec 5 11:07:33 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 5 Dec 2012 20:07:33 +0100
Subject: [liberationtech] /. ITU Approves Deep Packet Inspection
Message-ID: <20121205190733.GO9750@leitl.org>

----- Forwarded message from Petter Ericson -----

From tedks at riseup.net Wed Dec 5 17:55:55 2012
From: tedks at riseup.net (Ted Smith)
Date: Wed, 05 Dec 2012 20:55:55 -0500
Subject: Assange-WikiLeaks Crypto Arms Call Triple Cross
In-Reply-To:
References:
Message-ID: <1354758955.23240.1.camel@anglachel>

On Wed, 2012-12-05 at 13:23 -0500, John Young wrote:
> Assange-WikiLeaks Crypto Arms Call Triple Cross
>

Someone's been hitting the silk road a little hard...
--
Sent from Ubuntu

From eugen at leitl.org Wed Dec 5 12:03:45 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 5 Dec 2012 21:03:45 +0100
Subject: EDRi-gram newsletter - Number 10.23, 5 December 2012
Message-ID: <20121205200345.GS9750@leitl.org>

----- Forwarded message from EDRi-gram -----

From edrigram at edri.org Wed Dec 5 11:49:08 2012
From: edrigram at edri.org (EDRi-gram)
Date: Wed, 05 Dec 2012 21:49:08 +0200
Subject: EDRi-gram newsletter - Number 10.23, 5 December 2012
Message-ID:

======================================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 10.23, 5 December 2012
=======================================================================
Contents
=======================================================================
1. European domain names under siege
2. International coalition calls for withdrawal of Dutch hacking plans
3. Lobbying DP Regulation: European Banking Federation as an example
4. Chisugate: Copyright blackmail in Finland
5. Russia: Pussy Riot's videos declared illegal on the Internet
6. Netherlands: legislation for forced decryption announced
7. German government proposes extended tracking of Internet users
8. Danish opposition wants to abandon the illegal medicine site blocking
9. ENDitorial: What could possibly go wrong?
10. Recommended Reading
11. Agenda
12. About
=======================================================================
1. European domain names under siege
=======================================================================

On 26 November 2012, 132 or 133 domain names were seized by the U.S. Immigration and Customs Enforcement's Homeland Security Investigations (ICE) in collaboration with Europol and national law enforcement authorities. The seized domains were supposed to have illegally sold counterfeit products online.
The joint press release of ICE and Europol not only fails to agree on the number of domain names seized (132 on the ICE website, 133 on the Europol website), but also does not seem to know the difference between trademark and copyright ("the copyright holders confirmed that the purchased products were counterfeit" or "banner that (...) educates them about the federal crime of willful copyright infringement").

The US law enforcement authorities have seized domains before, but this is the first time that European ccTLDs such as .be, .eu, .dk, .fr, .ro or .uk have been involved. The authorities have not released the list of the 31 European domain names involved in the action, but Torrentfreak has already identified some of those sites, such as chaussuresfoot.be, chaussurevogue.eu or eshopreplica.eu.

The official press release talks about "a great example of the tremendous cooperation" that "enables us to go after criminals who are duping unsuspecting shoppers all over the world." But there is no information on whether the domain name holders were actually identified and charged with an IPR infringement in a criminal case, whether a court order was required to shut down the websites, or whether the websites were actually targeting the US market, which is what would justify the involvement of the US authorities.

Just a few days later, on 30 November 2012, several BitTorrent sites including Torrentz.eu, Fenopy.eu and BTscene.eu found their .EU domains put on hold by EURid, the European Registry of Internet Domain Names. "This domain name has been registered and is on hold. It is active but may not be traded or transferred pending the outcome of legal activity," say EURid's notes. EURid has made no further public comments, but informed the domain name holders that the action was taken "upon request of the Belgian Public Prosecutor following notification of pending legal proceedings in respect of the website", without giving any details regarding the legal proceedings involved.
DDL linking sites Sceper.eu and Downextra.eu, torrent site RealTorrentz.eu, and streaming links sites WatchSeries.eu and ChannelCut.eu are in a similar situation. All these sites appear in the first few pages of Google's Transparency Report, which means that they are associated with a rather high number of takedown requests. It seems that now only three sites on Google's report have not, at least not yet, been put on hold.

In other news on torrent domain names, the Torrentreactor.net and Torrents.net domain names and IP addresses are to be blocked by all ISPs in Italy following a local court injunction.

Websites selling counterfeit merchandise taken down by authorities in Europe and the USA (26.11.2012)
https://www.europol.europa.eu/content/press/websites-selling-counterfeit-merchandise-taken-down-authorities-europe-and-usa-1855

BitTorrent Site Owners Fear European Domain Name Seizures (27.11.2012)
http://torrentfreak.com/bittorrent-site-owners-fear-european-domain-seizures-121127/

Top BitTorrent Sites Have Domains Put On Hold Pending Legal Action (1.12.2012)
https://torrentfreak.com/top-bittorrent-sites-have-domains-put-on-hold-pending-legal-action-121201/

Italian Court Orders Nationwide Block of TorrentReactor and Torrents.net (4.12.2012)
http://torrentfreak.com/italian-court-orders-nationwide-block-of-torrentreactor-and-torrents-net-121204/

=======================================================================
2. International coalition calls for withdrawal of Dutch hacking plans
=======================================================================

An international coalition of more than 40 civil rights organizations and security experts has expressed its "grave concerns" about a Dutch proposal to break into foreign computers and search and delete data.
In a letter handed over to the Dutch Minister of Security and Justice by the Dutch digital rights organization Bits of Freedom on Monday 3 December 2012, the coalition urgently calls upon the minister to withdraw his proposal.

According to the international coalition, the proposal poses serious risks to the human rights and cybersecurity of individuals worldwide. This is aggravated by the fact that other countries will likely follow the initiative of the Netherlands, leading to a situation where countries enforce their local laws on foreign computers. These local laws would not solely address cybercrime, but also issues deemed illegal in other countries, such as blasphemy and political criticism. The coalition therefore strongly urges the minister to withdraw his proposal.

The letter is signed by more than 40 members of civil society. These include civil rights organizations such as the Electronic Frontier Foundation (US), Privacy International (UK), the Chaos Computer Club (Germany) and EDRi. In addition, renowned security experts and software developers Bruce Schneier (US), Richard Stallman (US) and Ron Deibert (Canada) signed the letter.

The proposal will be debated in the Dutch parliament on Thursday, 6 December 2012. The letter is then likely to be discussed, as it received broad media coverage. If you are interested in the outcome, please mail directly to simone.halink at bof.nl.

EDRi-gram: Dutch proposal to search and destroy foreign computers (24.10.2012)
http://www.edri.org/edrigram/number10.20/dutch-proposal-state-spyware

Dutch plans to remotely conduct searches and delete data on foreign computers (30.11.2012)
https://www.bof.nl/live/wp-content/uploads/20121203-Sign-on_proposal_Opstelten.pdf

(Contribution by Simone Halink - EDRi member Bits of Freedom, Netherlands)

=======================================================================
3. Lobbying DP Regulation: European Banking Federation as an example
=======================================================================

With the discussions on the proposed General Data Protection Regulation moving forward, lobbyists in Brussels are working overtime. One example is the European Banking Federation (EBF), which submitted a letter to MEPs outlining its position and proposed changes to the text. A public version is available on the EBF's website. EDRi has also seen the complete version with proposed amendments ready for copy&paste. Quite a few of these amendments have been tabled word-for-word in the IMCO Committee.

In short, the EBF wants weaker obligations on data breach notification, implicit consent, lower fines, more profiling and more grounds for lawful processing:

a) processing of data taken from publicly available lists or documents, which should always be lawful;

b) processing "necessary to defend an interest, collecting evidences as judicial proofs or file an action".

In a bit more detail, the EBF wants controllers to be able to use "implicit" consent; no specific reasons are given for their unwillingness or inability to ask for explicit consent for processing personal data. Likewise, it wants to remove the provisions saying that consent is required in situations where there is a significant imbalance between the controller and the data subject. Here, at least a reason is given, namely that this could apply to banks.

Another proposal is to cut the fines data protection authorities can impose on controllers who break the law: the Commission proposal had 1 million Euro or 2% of global annual turnover for companies as the upper limit for the most egregious breaches. The EBF proposes to remove the second part, claiming that such fees would be disproportionate.

Additionally, the EBF wants to make it easier to allow profiling.
Their arguments are that profiling customers is sometimes imposed by anti-money-laundering laws, that it sometimes makes sense for the banks to do it, e.g. before approving real-estate loans, and finally, they argue, that it can sometimes be in the customer's interest. So, looking at the Commission's proposal, when would profiling be allowed? If it is expressly authorised by law; when it is carried out in the course of entering into a contract; or when it is based on the data subject's consent, which would be easily obtainable for profiling measures that are supposedly in their interest. So, while legitimate cases would already be allowed, the EBF wants to push it further, to allow profiling when neither the customer nor the law has approved it.

In some cases, the proposed changes also stem from a simple misunderstanding of the proposal. For example, the EBF proposes excluding the right to erasure if there is a legal obligation for the controller to keep the data. Sounds sensible. So sensible, in fact, that the Commission proposal contains a provision doing exactly this, just two paragraphs below in the same Article! There are more examples of such proposed changes duplicating rules that are already in the proposal. Such changes would not help the text's clarity, and could cause further misunderstanding when it is applied in practice. One would imagine that industry lobbyists would be lobbying for more legal clarity and not less.

The bottom line is that some of the proposed amendments seriously weaken consumer protection, while others are based on a faulty understanding of the text, introducing provisions that are not needed and undermining the clarity of the Regulation. One would hope that this would not get the EBF far, especially in the European Parliament Committee charged with consumer protection. Think again.
Many of its proposals on reasons for lawfulness, consent, profiling, data subject rights, and fees have simply been copied and pasted by several MEPs into their amendments. Whether these amendments will be carried remains to be seen. But the mere fact that they were tabled shows how easily lobbies, even with proposed changes that sometimes simply do not make sense, can influence the political process.

This was just one lobby group. There are many, many more. Brussels is awash with data "protection" lobbying, misunderstandings and misinformation. Whether the fundamental right to privacy of 500 million Europeans will survive this onslaught is anyone's guess. As usual, EDRi is chasing around the corridors trying to redress the balance.

EBF lobbying letter
http://www.ebf-fbe.eu/uploads/D1391E-2012%20-%20EBF%20letter%20to%20Members%20of%20the%20European%20Parliament.pdf

EDRi's website on the Regulation
http://protectmydata.eu

(Contribution by EDRi intern - Owe Langfeldt)

=======================================================================
4. Chisugate: Copyright blackmail in Finland
=======================================================================

In the spring of 2012, in Finland, the father of a young girl received what amounted to a blackmail letter from a copyright lawyer. The letter demanded the payment of 600 Euros as damages for having distributed copyright-protected music recordings. The letter also demanded that the father sign a non-disclosure agreement regarding the matter.

The father contacted the lawyer and denied having distributed any copyrighted material. He explained that his daughter, who had been nine years old at the time of the so-called crimes, had tried to download some songs by her idol, the Finnish artist Chisu. The girl had been saving money in order to buy Chisu's latest CD, but was impatient to hear some songs from the album already, and so her dad showed her how to write the appropriate keywords in search engines.
Despite her attempts, the girl only managed to download something that did not play. Soon after that the father bought the CD for the girl.

In November 2012, something unbelievable happened. Two police officers with a search warrant entered the home of the family and seized the girl's computer. The police officers also suggested the father pay up "to make things easier for everyone involved", because they would immediately drop the matter if he did.

Even the Finnish Copyright Information and Anti-Piracy Centre (TTVK ry, a private association of the copyright industry) has admitted that the identity of a person who shares copyrighted material online cannot be ascertained, and that, in Finland, the threat letters are sent to the owner of the Internet connection. The owner of the connection is the one who risks being subjected to a search and seizure of property. TTVK also says that the majority of people who have received these letters have agreed to the non-disclosure and payments demanded of them. The amounts are smaller than in the US, but still hefty.

Shocking but true: apparently a copyright holder can demand mafia-style payments from ordinary people, who are told to hand over their money and shut up or otherwise the police might come and take away their computers. TTVK has openly admitted that the aim of the letters is to threaten other downloaders.

The disturbing incident was covered in the Finnish online and printed press, and made international headlines. In his detailed Facebook post about the incident, the father makes it clear that he has supported artists in many ways for his entire life, but as a result of the unethical practices of the copyright industry he has come to question the sanity of the copyright enforcement system.

After the incident had become a major PR headache for the copyright lobby, the matter was settled out of court between the father and TTVK, and the father apparently agreed to pay half of the originally demanded amount (300 Euros).
After this, the seized laptop is being returned to its owner. Electronic Frontier Finland (Effi) filed a request to investigate the actions of the Helsinki district court and the police with the parliamentary ombudsman. According to the court papers, TTVK only had evidence that one music album had been downloaded from the IP address which belonged to the father. The court interpreted this as constituting significant ongoing damage to the copyright holder and ordered the ISP to reveal the identity of the user of the IP address to TTVK. In the opinion of Effi, this is an overreaching interpretation of the Finnish copyright law. The police "planned the search and seizure carefully" (in their own words) but failed to act in proportion to the alleged damage: they should have only copied the contents of the laptop for evidence instead of seizing the whole device. Additionally, as police resources are limited nowadays, carrying out a search and seizure operation in a minor case like this has probably delayed the investigation of more important cases. 
Antipiracy Center in Finland
http://antipiracy.fi/inenglish/

Payment demand for child's downloading part of a strike against piracy - majority paid without resisting (only in Finnish, 21.11.2012)
http://ylex.yle.fi/uutiset/popuutiset/lapsen-latailusta-saatu-maksumaarays-osa-piratismin-vastaista-tehoiskua-valtaosa-

Payments of hundreds of euros for illegally downloading Chisu's album (only in Finnish, 2.12.2012)
http://www.aamulehti.fi/Kotimaa/1194722011272/artikkeli/satojen%20eurojen%20maksut%20chisun%20levyn%20laittomasta%20imuroinnista.html

Post on Facebook from the father (only in Finnish, 20.11.2012)
http://www.facebook.com/aki.w.nylund/posts/10151139041245079

Request to investigate the actions of Helsinki district court and the police in so-called Chisugate (only in Finnish, 27.11.2012)
http://www.effi.org/kirjeet/121127-effi-tutkintapyynto-chisugate.html

Anti-piracy group takes child's laptop in Finland (30.11.2012)
http://www.bbc.co.uk/news/technology-20554442

(Contribution by Otso Kassinen and Timo Karjalainen - EDRi member Electronic Frontier Finland)

=======================================================================
5. Russia: Pussy Riot's videos declared illegal on the Internet
=======================================================================

A Moscow-based court ruled on 29 November 2012 that four videos of the already famous dissident punk band Pussy Riot are extremist and therefore should be banned on the Russian Internet. The court said that all Russian websites that do not comply with this obligation could pay a fine of up to approx. 2500 Euro (100 000 roubles). Prosecutors took up the case at the request of State Duma member Alexander Starovoitov, from the Liberal Democratic Party of Russia. The court refused to allow the participation in the hearing of the one member of the punk band who was not convicted. Yekaterina Samutsevich was freed last month after a court suspended her sentence.
A Google representative confirmed that they would block the content on YouTube in Russia once they received the court order information. Under Russian law, providers who host forbidden content are subject to criminal prosecution.

"Whatever you think about these videos, they have become a part of the history of this country. Just as in old times, we burned books. Now we are deleting video clips which have undoubted historic significance," Russian blogger and analyst Oleg Kozyrev commented to Radio Free Europe.

The extremist nature of the videos was explained by the fact that they offended Orthodox Christians, the anti-Putin performance video having been shot at Moscow's main Russian Orthodox cathedral. This is probably why a spokesman for the Russian Orthodox Church welcomed the ruling.

The ruling "violates the right to freedom of expression and shows the continued failure of the Russian justice system to protect political and artistic dissent," said Dr Agnes Callamard, Executive Director of the EDRi member ARTICLE 19, and explained that "the Russian government is trying to hide its attacks on democracy, claiming that the punk prayer which mocks the corrupt relationship between Putin and the church's patriarch is an attack on religious believers".

The ruling should be enforced starting 1 January 2013, but could be appealed. It is not clear who may appeal, though, after the spokeswoman for Moscow's Court told journalists that Samutsevich has no right to appeal the court's decision because she did not take part in the hearing.

But the Russian authorities might aim at more rules on the Internet. During the joint news conference held in Paris on 27 November 2012 by Russian Prime Minister Dmitry Medvedev and French Prime Minister Jean-Marc Ayrault, Medvedev was asked a question of legislative scrutiny with regard to internet regulation in Russia.
In his reply, the Russian prime minister admitted that the current legislation regulating the Internet is "imperfect" and called upon the international community to "consider parameters to regulate the operation of the internet on the national or international level." He also noted that the Russian Internet legislation "should not be referred to as repressive because not a single online source has been blocked or cut off during the enforcement of this legislation."

Moscow court orders removal of "extremist" Pussy Riot online videos (3.12.2012)
http://netprophet.tol.org/2012/12/03/moscow-court-orders-removal-of-extremist-pussy-riot-online-videos/

Moscow Court Designates Pussy Riot Videos As 'Extremist' (3.12.2012)
http://www.rferl.org/content/pussy-riot-video-extremist-russia/24784613.html

Moscow Court Finds Pussy Riot Video 'Extremist' (29.11.2012)
http://en.rian.ru/russia/20121129/177815365.html

Special Report On Russia: Enforcement Against Online Copyright Infringement (3.12.2012)
http://www.ip-watch.org/2012/12/03/special-report-on-russia-enforcement-against-online-copyright-infringement/

Transcript of the Medvedev-Ayrault common press conference (27.11.2012)
http://government.ru/eng/docs/21621/

Russia: Pussy Riot "punk prayer" video banned (30.11.2012)
http://www.article19.org/resources.php/resource/3547/en/russia:-pussy-riot-%E2%80%98punk-prayer%E2%80%99-video-banned

=======================================================================
6. Netherlands: legislation for forced decryption announced
=======================================================================

The Dutch Minister of Justice has sent a letter to the House of Representatives announcing a proposal for legislation that will allow the police to force a suspect to decrypt information that is under investigation in a case of terrorism or sexual abuse of children. The Minister has ignored all major conclusions and recommendations set forth in the report commissioned by his department.
The Dutch House of Representatives has urged the Minister of Justice to investigate the feasibility of such an injunction. The Parliament felt these extra powers to be necessary after the media reported that the police were having difficulties accessing encrypted information on the computer of someone suspected of sexually abusing children. However, there has been no supporting evidence that this is a structural problem. Last year, the minister agreed to investigate the feasibility of such an order. He promised to look into its reconcilability with the privilege against self-incrimination, the experiences of other countries in implementing such legislation, and technical developments.

A comprehensive report was sent to the Parliament last week, accompanied by the announcement of a legislative proposal. The report states that, although such an injunction will always be an infringement on the privilege against self-incrimination, this privilege does not preclude such an injunction as there may be legitimate interests at stake. The report sets out that the European Court of Justice considers four criteria to determine whether forced decryption is acceptable. These criteria are: i) the nature and extent of the coercion, ii) the public interest, iii) the presence of relevant safeguards, and iv) the way in which the decrypted information is used.

The research also looks into the use of similar powers in other countries. The United Kingdom has extensive regulation with quite a few safeguards for legal protection. France has a similar law, and in the United States enforced decryption is defined by case law. However, these legal systems differ considerably from that of the Netherlands. As a result, the experiences from these countries cannot easily be translated to the Dutch legal system. The research also examined enforceability and developments in technology.
It finds that the use of encryption is rising and that the concept of "plausible deniability" makes it hard to prove the existence of encrypted information in the first place. The researchers doubt the effectiveness of the proposed powers when used against serious criminals. Such an injunction will only work against petty criminals.

The research concludes with three proposals, apart from maintaining the status quo. One option would be to codify the procedure for such an injunction, but not to penalize refusal by the suspect. Alternatively, one could penalize the refusal. This last proposal comes in two flavours: one in which the decrypted information is excluded from the case against the suspect, and one in which the information may be used against the suspect as well.

Based on this research, the Minister has now announced a proposal for legislation that will allow the police to force a suspect to decrypt information that is under investigation in a case of terrorism or sexual abuse of children. The suspect will be penalized if he refuses to provide access to the information. The Minister does not want to leave room for exclusion of evidence. The Ministry has thus ignored all major conclusions and recommendations of the report.
Letter of Minister of Justice to the House of Representatives, announcing legislation to allow police to force a suspect to decrypt information (only in Dutch, 28.11.2012)
http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken/2012/11/28/brief-over-onderzoek-naar-wettelijk-decryptiebevel/kamerbrief-onderzoek-naar-wettelijk-decryptiebevel.pdf

Research: forced decryption and the privilege against self-incrimination (only in Dutch, 28.11.2012)
http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken/2012/11/28/het-decryptiebevel-en-het-nemo-tenurbeginsel/het-decryptiebevel-en-het-nemo-tenurbeginsel.pdf

Bits of Freedom: forced decryption will not work and makes the Netherlands more insecure (28.11.2012)
https://www.bof.nl/2012/11/28/decryptiebevel-werkt-niet-en-maakt-nederland-onveiliger/

(Contribution by Rejo Zenger - EDRi member Bits of Freedom, Netherlands)

=======================================================================
7. German government proposes extended tracking of Internet users
=======================================================================

The German government is proposing an amendment to the Telecommunication Act that would allow law enforcement and intelligence agencies to extensively identify Internet users, without any court order or reasonable suspicion of a crime. The proposed amendment comes as a result of the German Federal Constitutional Court having decided in January 2012 that the rules governing the inquiry of telecommunication data from providers were unconstitutional. The Court found the provisions within the Telecommunication Act granting authorities the right to access such data unconstitutional, and required additional specific provisions within the relevant specific laws, such as the code of criminal procedure.
According to the draft amendment produced by the government, prosecution authorities as well as security and secret services may inquire about certain personal data (such as name, address or bank information of customers) collected by telecommunications and Internet providers. Explicit provisions allow the use of a dynamic IP address for the identification of its holder. The amendment also includes a qualified legal basis for the inquiry rights of the respective authorities against providers. The identification of IP addresses is not to be limited to a case-by-case basis. Providers are to install electronic data handover interfaces. The government is also planning to grant access to e-mail account passwords as well as to voicebox and mobile phone PIN codes without clearly defining the preconditions for such access.

Several civil rights groups expressed concern regarding the draft amendment, considering that it poses a serious threat to civil liberties. "In the face of the fact that this has the quality of a breach of the privacy of telecommunication, the present draft of a revised disclosure of inventory data contains only insufficient provisions to guarantee the basic rights. It is especially problematic that it lacks the necessity of an injunction issued by a court or a state prosecutor. There has to be a qualified legal basis which fulfils the requirements of the principle of proportionality," says Henning Lesch, Head of Law & Regulation of eco Association.

Revision of Telecommunications Act Constitutional? (2.11.2012)
http://international.eco.de/2012/news/revision-of-telecommunications-act-constitutional.html

New German draft on state authorities' rights to inquiry telecommunications data from providers (11.2012)
http://www.linkedin.com/groups/New-German-draft-on-state-4375471.S.181168482

German government to legalize extensive tracking of Internet users (26.11.2012)
http://www.vorratsdatenspeicherung.de/content/view/714/79/lang,en/

German version
http://www.vorratsdatenspeicherung.de/content/view/714/79/lang,de

Draft Amendment (only in German, 19.09.2012)
http://www.moenikes.de/ITC/wp-content/uploads/2012/10/2012-09-26_BR_Gesetzesentwurf_Bestandsdatenauskunft.pdf

=======================================================================
8. Danish opposition wants to abandon the illegal medicine site blocking
=======================================================================

A majority outside the Danish government parties proposes to abandon blocking access to websites selling illegal medicine. The law (a new revision of the laws regulating the selling of medicine etc.) allowing blocking of these sites was passed in May 2011. Since that time, only one website, 24hdiet.com, was blocked, and new domains selling the same products as 24hdiet quickly appeared (e.g. 24hdiet.net). Now, laws regulating the sale of medicine are being revised again to implement EU directive 2011/62/EU. The Enhedslisten party proposed an amendment to the revision to abandon the blocking. The proposal is a result of Enhedslisten spokeswoman Stine Brix, who started the debate on an Etherpad. Questions put to the government were formulated on the Etherpad, where the text of the amendment to abandon the blocking also appeared first. There is a majority in the parliament against the blocking from the parties of the previous government that introduced it.
The spokeswoman for the opposition party Venstre, the biggest party in the Parliament, explains that they had expected the blocking to work, but it turned out not to be effective, and now she wants to focus on customs and international cooperation. The spokesman for the Social Democrats (a government party), Flemming Møller Mortensen, said to Information that something had to be done that was more than a signal, something that they can believe works, "because it is really difficult with all the things that can be done on the Internet across borders".

This is just about one kind of blocking. For example, the blocking of gambling sites is still in effect. But maybe the tide is finally turning in Denmark.

DNS-censoring Illegal Pharmaceutical Vendors - 24hdiet.com Blocked (30.09.2012)
http://blog.censurfridns.dk/en/node/32

Rollback of DNS Blocking (only in Danish)
http://openetherpad.org/b1zz1fEEf4

Majority outside the Government will remove net-blocking for medicine pages (only in Danish, 27.11.2012)
http://www.information.dk/318311

(Contribution by Niels Elgaard Larsen - EDRi member IT Pol - Denmark)

=======================================================================
9. ENDitorial: What could possibly go wrong?
=======================================================================

With the discussions on the proposed General Data Protection Regulation in full swing and the first opinions of some European Parliament Committees in, several themes of proposed changes emerge. One of these can be paraphrased as "we shouldn't bother controllers with too many obligations, they know their stuff and want to do the right thing". Slightly more elaborate versions of this view have been used to justify amendments aiming to cut documentation obligations and to lessen requirements on data breach notifications and information obligations. There also seems to be an undercurrent of "in any case, it's usually not that bad if things go wrong". Indeed, how bad could it be if things go wrong?
And do controllers handle personal data responsibly? A few cases that made headlines in the past years can provide examples.

Between 2005 and 2007, Deutsche Telekom used its own traffic data to spy on journalists and trade union members of its own supervisory board in order to stop leaks. According to the head of unit in charge of the spy operation, this happened on behalf of the then-CEO and the chairman of the supervisory board. Since then, this head of unit has been sentenced to 3.5 years in prison, while the former CEO and the chairman of the supervisory board claimed not to have known anything.

More recently, WhatsApp, a smartphone application for sending text messages which is used around the globe to send more than a billion messages per day, is in the news for an astounding row of privacy gaffes. For starters, the service used to send messages without encryption, so that exchanges could easily be spied upon. It seems that WhatsApp's developers had been made aware of this security hole the size of a barn door almost a year before they fixed it. Just a month later, another security flaw was uncovered, allowing anyone to take over WhatsApp accounts and send messages from compromised accounts using simple tools - there was an app for that. Instead of fixing the problem, WhatsApp sent legal threats to the developers of the tools. Now, two and a half months later, this other barn door is still wide open.

Between 2002 and 2005 Deutsche Bahn, a railway operator, screened 170 000 of its employees to find out about connections to subcontractors and possible corruption. In 2006 and 2007, it also spied on employees' e-mails to uncover whistleblowers, sifting through up to 150 000 e-mails a day. The company's CEO had to step down over these scandals, while still denying that any wrongdoing had occurred. Later on, investigations confirmed the suspicions and Deutsche Bahn was fined 1.12 million Euro in 2009. Sounds like a lot?
That year, it took Deutsche Bahn about seven hours to make that amount in pre-tax profit.

From 2007 to 2010, when sending cars around the world to collect images for its Street View service, Google also collected information on wireless networks, to be used to make cell phone localisation more precise. The software used also collected content sent over open WiFi networks, capturing websites visited, passwords, e-mails and other information. Google was not forthcoming in the investigations, first denying that payload data had been collected, then talking about a simple "mistake", then blaming it on a rogue developer. In the end, it turned out that the code in question was in fact documented, and that oversight was "minimal", to quote from the US Federal Communications Commission's investigation report, which fined Google 25 000 USD for stonewalling the investigation.

In a different register, police authorities do not fare better. They will be subject to a different text, a proposed Directive that contains more lax rules than the Regulation. Here as well, egregious violations can be found everywhere. For example, officers of the Irish Police (Garda) used police databases for their private interests, for example to run background checks on their daughters' boyfriends. In another case, a police officer used retained telecommunications traffic data to snoop on her ex-partner. Such cases have been discovered again and again over the years, following a usual pattern: they become public, the Data Protection Authority (DPA) investigates and conducts audits, finds wrongdoings, the Garda promises to change, rinse and repeat. In one case, the Garda also adopted a "code of practice", endorsed by the DPA. It does not seem to have helped much.
In Poland, the police, as well as the anti-corruption office and the domestic intelligence agency, surveilled at least ten journalists of various media between 2005 and 2007, using telecommunications traffic data without court orders or any connection to ongoing investigations. One of the journalists, of the influential Gazeta Wyborcza, wrote several articles about well-known and sometimes controversial actions of the anti-corruption office - the one that later on requested his traffic data. After the case became public, an investigation was launched, but a regional prosecutor's office claimed to have found no wrongdoing. Only after one of the spied-upon journalists went to court did a meaningful investigation get under way. The court ruled on the case in April 2012, saying that the anti-corruption office violated the journalist's privacy, as well as the right to protection of journalistic sources.

In Dresden, Germany, the local police collected information on more or less every mobile phone call made and SMS sent in the city, in total almost one million connections, on the occasion of an anti-Nazi demonstration. The police justified collecting the information with several offences that occurred at the margins of the demonstration. Saxony's interior minister defended the measure as being "proportionate", even after it became public that the police also used the data for totally unrelated investigations and had been told to stop this by the local prosecutor's office. Months after being formally reprimanded by Saxony's DPA, the police still used the data.

What all these examples, both from the private and the public sector, show is that in many cases incompetence or lack of oversight leads to unacceptable shortcomings, while in others it is straight-up malice. In law enforcement, there seems to be a widespread belief among practitioners that "we're the good guys", which in turn sometimes leads to abuses.
So no, we cannot trust controllers to know their stuff and to want to do the right thing. And yes, it can be bad if things go wrong.

WhatsApp case
http://www.h-online.com/security/news/item/Account-theft-still-possible-with-latest-WhatsApp-1760639.html
http://www.h-online.com/security/news/item/WhatsApp-no-longer-sends-plain-text-1674723.html
http://www.h-online.com/security/news/item/WhatsApp-threatens-legal-action-against-API-developers-1716912.html
http://www.h-online.com/security/news/item/WhatsApp-accounts-almost-completely-unprotected-1708545.html
http://www.androidpolice.com/2012/05/02/whatsappsniffer-shames-whatsapps-plaintext-unprotected-chat-transfer-protocol-shows-off-just-how-much-can-be-sniffed/

Deutsche Telekom case
http://www.wiwo.de/5239704-all.html
http://www.wiwo.de/5239730.html

Deutsche Bahn case
http://www.heise.de/newsticker/meldung/Deutsche-Bahn-zahlt-Rekordstrafe-wegen-Datenschutzverstoessen-837477.html
http://www.heise.de/ct/meldung/Bahn-Datenskandal-Arbeitsminister-bekraeftigt-Forderung-nach-Arbeitnehmerdatenschutz-Update-210207.html
http://www.n24.de/news/newsitem_4936517.html
http://www.sueddeutsche.de/wirtschaft/spitzel-affaere-bei-der-bahn-tiefensee-macht-druck-1.486385

Google Streetview case
http://www.wired.com/threatlevel/2012/05/google-wifi-fcc-investigation/

Irish police case
http://www.edri.org/edrigram/number10.21/irish-dpa-police-self-regulation

Surveillance of Polish journalists case
http://wyborcza.pl/1,76842,8842563,Inwigilacja_dziennikarzy_badana_od_nowa.html
http://wyborcza.pl/1,76842,9763653,CBA_i_billingi_dziennikarza__Gazety_.html
http://wyborcza.pl/1,75478,11625664,Precedensowy_wyrok__CBA_nie_moze__ot_tak_sobie__nas.html

Dresden police case
http://www.taz.de/!73222/
http://www.taz.de/!94114/
http://www.heise.de/newsticker/meldung/Saechsische-Polizei-nutzt-weiter-Mobilfunkdaten-1390019.html

(Contribution by EDRi interns Katarzyna Syska and Owe Langfeldt)
=======================================================================
10. Recommended Reading
=======================================================================

Do we really want to put the ITU in charge of cybersecurity? (28.11.2012)
http://edri.org/ITU-fail
http://www.golem.de/news/internationale-fernmeldeunion-un-lassen-itu-blog-weitgehend-ungeschuetzt-1211-95980.html

Northern Ireland Court Orders Facebook to take down "Paedophile Watch" page (30.11.2012)
http://inforrm.wordpress.com/2012/11/30/news-northern-ireland-court-orders-facebook-to-take-paedophile-watch-page/

EU urged to choose transatlantic convergence on data protection (5.12.2012)
http://www.euractiv.com/infosociety/eu-urged-choose-data-protection-news-516449

=======================================================================
11. Agenda
=======================================================================

27-30 December 2012, Hamburg, Germany
29C3 - Chaos Communication Congress
http://events.ccc.de/category/29c3/

20-23 January 2013, Brussels, Belgium
The Power of Information - How Science and Technology can Make a Difference
http://www.ThePowerofInformation.eu

23-25 January 2013, Brussels, Belgium
CPDP 2013 Conference - Reloading data protection
http://www.cpdpconferences.org/callforpapers.html

2-3 February 2013, Brussels, Belgium
FOSDEM
https://fosdem.org/2013/

22 February 2013, Warsaw, Poland
ePSIplatform Conference: "Gotcha! Getting everyone on board"
http://epsiplatform.eu/content/save-date-22-february-2013-epsiplatform-conference

21-22 March 2013, Malta
Online Privacy: Consenting to your Future
CfP by 14 December 2012
http://www.onlineprivacyconference.eu/

6-8 May 2013, Berlin, Germany
re:publica 2013
http://www.re-publica.de

25-26 June 2013, Barcelona, Spain
9th International Conference on Internet Law & Politics: Big Data: Challenges and Opportunities.
http://edcp.uoc.edu/symposia/idp2013/?lang=en

31 July - 4 August 2013, Geestmerambacht, Netherlands
Observe. Hack. Make. - OHM2013
https://ohm2013.org/

24-27 September 2013, Warsaw, Poland
Public Voice Conference 2013
35th International Data Protection and Privacy Commissioners conference
http://www.giodo.gov.pl/

============================================================
12. About
============================================================

EDRi-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRi has 32 members based or with offices in 20 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRi-gram.

All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRi website.

Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea

Information about EDRi and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.

Unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/mk/vesti/edri

- EDRI-gram in German

EDRI-gram is also available in German, with delay.
Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at: http://www.edri.org/edrigram

- Help

Please ask if you have any problems with subscribing or unsubscribing.

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From tedks at riseup.net Wed Dec 5 19:48:39 2012
From: tedks at riseup.net (Ted Smith)
Date: Wed, 05 Dec 2012 22:48:39 -0500
Subject: Assange-WikiLeaks Crypto Arms Call Triple Cross
In-Reply-To: <50C014B5.5020304@lavabit.com>
References: <1354758955.23240.1.camel@anglachel> <50C014B5.5020304@lavabit.com>
Message-ID: <1354765719.23240.17.camel@anglachel>

Maybe he's like me, and the list strips off his PGP/MIME attachment.

On Wed, 2012-12-05 at 17:44 -1000, Cincinnatus wrote:
> Everyone respects John for what he does, but it's clear the cheese has
> slipped further off his cracker in the last couple years. It's saddening.
>
> Then again, his messages aren't signed with a key. Maybe the crazy-talk
> is part of an elaborate psyops quadruple-cross by the Assyrian
> Illuminati to damage his credibility.
>
> On 12/5/2012 3:55 PM, Ted Smith wrote:
> > On Wed, 2012-12-05 at 13:23 -0500, John Young wrote:
> >> Assange-WikiLeaks Crypto Arms Call Triple Cross
> >>
> >
> > Someone's been hitting the silk road a little hard...
> >
> > -- Sent from Ubuntu

From tedks at riseup.net Wed Dec 5 20:09:29 2012
From: tedks at riseup.net (Ted Smith)
Date: Wed, 05 Dec 2012 23:09:29 -0500
Subject: Assange-WikiLeaks Crypto Arms Call Triple Cross
In-Reply-To:
References: <1354758955.23240.1.camel@anglachel> <50C014B5.5020304@lavabit.com>
Message-ID: <1354766969.23240.20.camel@anglachel>

On Wed, 2012-12-05 at 20:04 -0800, Greg Broiles wrote:
> On Wed, Dec 5, 2012 at 7:44 PM, Cincinnatus wrote:
> > Everyone respects John for what he does, but it's clear the
> > cheese has slipped further off his cracker in the last couple years.
> > It's saddening.
>
> While I imagine John appreciates the plausible deniability provided by
> the possibility of mental illness or declining faculties (cf. Uncle
> Junior), I think you're failing to appreciate the opportunity here to
> watch a master at work. It's all part of the show, right? John
> understands the long game (long con?) better than most.

Well, there are the following options:

* John plays at level 0: he is insane
* John plays at level 1: he is sane, pretending to be insane, and we are deceived by this (in this world, you play at level 2, Greg)

But it's also possible for a mask to lie beneath the mask, for him to be insane pretending to be sane pretending to be insane. And so on and so forth all the way down the rabbit hole. I'm sure if we asked him what level he played at, he'd only respond "one level higher than you."

It's definitely a great show.

-- 
Sent from Ubuntu

From asherwolf at cryptoparty.org Wed Dec 5 04:38:00 2012
From: asherwolf at cryptoparty.org (Asher Wolf)
Date: Wed, 05 Dec 2012 23:38:00 +1100
Subject: [liberationtech] /. ITU Approves Deep Packet Inspection
Message-ID:

From http://committee.tta.or.kr : Revision of Y.2770 Requirements for #DPI in Next Generation Networks http://bit.ly/Yx0Sya (via @BetweenMyths)

On 5/12/12 9:25 PM, Andre Rebentisch wrote:
> On 05.12.2012 10:27, Eugen Leitl wrote:
>> http://yro.slashdot.org/story/12/12/05/0115214/itu-approves-deep-packet-inspection
>>
>> ITU Approves Deep Packet Inspection
>>
>> Posted by Soulskill on Tuesday December 04, @08:19PM
>>
>> from the inspect-my-encryption-all-you'd-like dept.
>>
>> dsinc sends this quote from Techdirt about the International
>> Telecommunications Union's ongoing conference in Dubai that will have an
>> effect on the internet everywhere:
>
> The WCIT is a "diplomatic conference" for the rules governing the ITU,
> the ITRs. It seems wrong to mix that with ongoing specific
> standardisation work of the ITU.
>
> Anyway, interesting discussions over at circleid.com:
> http://www.circleid.com/posts/20121203_wcit_off_to_a_flying_start/
> Apparently ITU fellows are disgruntled that they cannot control the
> media coverage and complain about all the "misinformation".
>
> Best,
> André
>
>
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From gfoster at entersection.org Wed Dec 5 22:20:34 2012
From: gfoster at entersection.org (Gregory Foster)
Date: Thu, 06 Dec 2012 00:20:34 -0600
Subject: [drone-list] "SIGKILL imminent" @ SIGINT 2009
Message-ID:

YouTube (Dec 5) - "SIGKILL imminent [SIGINT09]" by CCCen:
http://www.youtube.com/watch?v=MDgq5-RW2jw

This is a talk from the SIGINT 2009 event (Cologne, Germany: May 22, 2009) by Astera and George Shammas.
http://events.ccc.de/sigint/2009/Fahrplan/events/3166.en.html
http://astera.soup.io/
http://wiki.nycresistor.com/wiki/User:Georgyo

A survey of the road to killer robots + more. Pretty remarkable collection of information.
Was just posted to the English-language YouTube channel of the venerable Chaos Computer Club:
http://www.youtube.com/user/CCCen

Here's the video they start off the talk with, an old Saturday Night Live skit featuring Sam Waterston pitching Old Glory Insurance's killer robot plan:
http://www.nbc.com/saturday-night-live/video/old-glory-insurance/229049/

And here's the mentioned Boston Dynamics Big Dog Beta video, which, at 4.7M views, I was a little disappointed I had not seen before :)
http://www.youtube.com/watch?v=VXJZVZFRFJc

~22:25 - Spends a little time on iRobot, which is interesting considering their co-founder was in the news a few days ago:
http://www.wired.com/dangerroom/2012/12/cyphy/

gf

--
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

_______________________________________________
drone-list mailing list
drone-list at lists.stanford.edu
Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/drone-list
If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. Should you need immediate assistance, please contact the list moderator.
----- End forwarded message -----

From pgut001 at cs.auckland.ac.nz Wed Dec 5 05:01:28 2012
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Thu, 06 Dec 2012 02:01:28 +1300
Subject: Custom Chips Could Be the Shovels in a Bitcoin Gold Rush
Message-ID:

Eugen Leitl forwards:

>http://www.technologyreview.com/news/508061/custom-chips-could-be-the-shovels-in-a-bitcoin-gold-rush/
>
>Custom Chips Could Be the Shovels in a Bitcoin Gold Rush

I guess the main lesson from this (well, the second lesson after the fact that Extraordinary Popular Delusions needs a new chapter) is that if you're doing password hashing, use anything but SHA-256.

Peter.

From eugen at leitl.org Wed Dec 5 23:33:46 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 6 Dec 2012 08:33:46 +0100
Subject: [drone-list] "SIGKILL imminent" @ SIGINT 2009
Message-ID: <20121206073346.GZ9750@leitl.org>

----- Forwarded message from Gregory Foster -----

From eugen at leitl.org Wed Dec 5 23:34:39 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 6 Dec 2012 08:34:39 +0100
Subject: [liberationtech] /.
ITU Approves Deep Packet Inspection
Message-ID: <20121206073438.GA9750@leitl.org>

----- Forwarded message from Asher Wolf -----

From virtualadept at gmail.com Thu Dec 6 08:11:24 2012
From: virtualadept at gmail.com (Bryce Lynch)
Date: Thu, 6 Dec 2012 11:11:24 -0500
Subject: [ZS] /. ITU Approves Deep Packet Inspection
Message-ID:

On Wed, Dec 5, 2012 at 1:19 PM, Mark Nuzzolilo II wrote:
> I'll take a copy if it's not a classified document or anything like that

There's an even better way:
http://boingboing.net/2012/12/05/leaked-itus-secret-internet.html

Thanks to Asher Wolf of Telecomix for getting hold of the official version and sending it to Boing Boing. Amazing what "please" and "thank you" will still get you... their trying to convince her to treat it as sensitive after the fact was grin-worthy, too.

--
The Doctor [412/724/301/703] [ZS (MED)]
https://drwho.virtadpt.net/
"I am everywhere."

--
--
Zero State mailing list: http://groups.google.com/group/DoctrineZero

----- End forwarded message -----

From pgut001 at cs.auckland.ac.nz Wed Dec 5 15:35:29 2012
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Thu, 06 Dec 2012 12:35:29 +1300
Subject: [liberationtech] /.
ITU Approves Deep Packet Inspection
In-Reply-To: <20121205190733.GO9750@leitl.org>
Message-ID:

Eugen Leitl forwards:

>To be frank, I have been trying to find out what the fuss has been about
>regarding this standard and come up.. not blank, as it _is_ worrying that ITU
>is spending time on this shit, but at least I haven't found anything to
>inspire the absolutely massive shitstorm I have been seeing in certain places
>(e.g. /.). Is it just because it's the ITU doing it rather than, say, ISO or
>ANSI?

Yes. In the current climate if the ITU tried to standardise ponies, people would find reasons why ponies are evil.

Peter.

From gustaf at accessnow.org Thu Dec 6 10:45:18 2012
From: gustaf at accessnow.org (Gustaf Björksten)
Date: Thu, 06 Dec 2012 13:45:18 -0500
Subject: [liberationtech] Announcing finalists (and soon winners) for the Access Tech Innovation Prize
Message-ID:

Hi everybody,

The finalists of the Access Technology Innovation Prize have been announced. The projects selected by the judges as finalists are:

Blackout Resilience Award: Briar, Linux en Caja + BogotaMesh + RedPaTodos + Hackbo, Project Byzantium, RePress - Greenhost

Making Crypto Easy: Enigmail, GPG Clipboard - Open Technology Institute, HTTPS Everywhere - Electronic Frontier Foundation, LEAP Encryption Access Project

Freedom of Expression Award (Golden Jellybean 1): Free Network Foundation, Initiative for China + Tahrir Project, Open Observatory for Network Interference (OONI), Project Gulliver - Greenhost, Storymaker - Small World News and Guardian Project

Grassroots Technology Award (Golden Jellybean 2): Flashproxy - Open Technology Institute, Haroon Rashid Shah, Interactive Voice Response-Based Market Information System - Marye, Mengistu Miskir, Maletsabisa Molapo, Reticle - Malice Afterthought

Facebook Award: Map Kibera Trust, BigWebNoise, Seven Sisters, Social Media for Democracy

For further information on the projects please follow the link below:
https://www.accessnow.org/blog/2012/12/04/announcing-the-access-tech-innovation-prize-finalists

The winners will be announced this Monday 10th December at an awards party in New York City. All welcome to attend (please RSVP to rsvp at accessnow.org). The official invitation for the awards ceremony and party can be found at the following location:
https://www.accessnow.org/TIP-awards

All the very best,

--
Gustaf Björksten
Technology Director
Access
https://www.accessnow.org
GPG ID: 0xFEB3D12A
GPG Fingerprint: C10F FC31 B92A 3A32 40A0 1A72 43AC A427 FEB3 D12A

----- End forwarded message -----

From n.tkacz at warwick.ac.uk Thu Dec 6 05:50:32 2012
From: n.tkacz at warwick.ac.uk (nathaniel tkacz)
Date: Thu, 6 Dec 2012 13:50:32 +0000
Subject: CFP: Value and Currency in Peer Production
Message-ID:

*The Journal of Peer Production CFP: Value and Currency in Peer Production

Edited by: Nathaniel Tkacz, Nicolás Mendoza and Francesca Musiani.

The marriage of cryptography and the dynamics of open-source have now produced a working distributed currency system. Bitcoin, as the most notable example, can be understood as a new technics of exchange inspired by the animal spirits of crypto-libertarianism. Whether or not there is a place for currency -- and therefore exchange and (economic) value -- in the utopian visions of commons-oriented thought is contested. Meanwhile, hybrid forms like Bitcoin are developing unhindered by their constitutional paradoxes. Capitalism, after all, equally thrives atop what David Graeber has called a 'baseline' or 'everyday' communism.
Current developments of digital currencies are pervaded by a number of issues: Who or what issues the money? What is the source of the collective agreement to concede value? What forms of control are coded into currency systems and who is guiding processes of (re)design? Who plays the role of guarantor when a currency is decentralized? And what role does trust play in all these issues? Has crypto-mathematics transformed trust into a technical quality of a system?

The flipside of this issue is value: The intensification and extension of computational procedures, which is manifested most clearly in the rise of big data, has led to a proliferation of bottom-up procedures to formalise 'values', rendering them easily calculable and lending order to the decentralised world of peers. Wikipedia contributors, for example, have long awarded each other 'barnstars' for valued service in a range of areas, and the site has long explored ways of rating article quality. In place of managerial commands and bureaucratic hierarchies we have Karma points, ranking systems, reputation metrics and the long-tail logic of networks. Order in this sense is iterative, recursive and topological.

This issue of The Journal of Peer Production invites contributions on the themes of value and currency as they relate to peer production.
Topics might include but are not limited to:

- Decentralised and crypto-currencies;
- Non-coercive taxation systems and/or experiments/experiences;
- Analog/pre-digital (or historical) networks for distributed value exchange;
- Currency and design;
- Currencies and the commons;
- Life after fiat (the becoming-uncertain of taxes);
- What does/should peer production value?;
- Re-thinking the constitution of value;
- Theories of non-monetary value and worth;
- The relationship between valuing practices and project hierarchies;
- Forms of belief in peer production;
- Automated systems of ranking and distributing value;
- Theories of exchange, gift and voluntarism;
- Trust and anonymity in the building of value;
- Intermediation and 'guarantees' in P2P exchanges.

Submission proposals of under 500 words due by January 28, 2013.

Full submission details and extended CFP available at http://peerproduction.net/value-and-currency-in-peer-production/.*

Nathaniel Tkacz
Assistant Professor
Centre for Interdisciplinary Methodologies
The University of Warwick
Twitter: http://twitter.com/__nate__

# distributed via <nettime>: no commercial use without permission
# <nettime> is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: http://mx.kein.org/mailman/listinfo/nettime-l
# archive: http://www.nettime.org contact: nettime at kein.org

----- End forwarded message -----

From jd.cypherpunks at gmail.com Thu Dec 6 05:10:48 2012
From: jd.cypherpunks at gmail.com (jd.cypherpunks)
Date: Thu, 6 Dec 2012 14:10:48 +0100
Subject: Assange-WikiLeaks Crypto Arms Call Triple Cross
In-Reply-To: <1354766969.23240.20.camel@anglachel>
References: <1354758955.23240.1.camel@anglachel> <50C014B5.5020304@lavabit.com>
<1354766969.23240.20.camel@anglachel>
Message-ID: <0FD15747-53E4-4449-9CCD-0413CA8162F0@gmail.com>

So - imo it's not too hard to understand what's going on. First - John isn't insane. Second - read again the first statement. I think you have to re-read his post and try to understand the underlying context. Try - and try again!

All the best
--Michael

On 06.12.2012 05:09 Ted Smith :
> On Wed, 2012-12-05 at 20:04 -0800, Greg Broiles wrote:
>> On Wed, Dec 5, 2012 at 7:44 PM, Cincinnatus wrote:
>> Everyone respects John for what he does, but it's clear the cheese has
>> slipped further off his cracker in the last couple years. It's saddening.
>>
>> While I imagine John appreciates the plausible deniability provided by
>> the possibility of mental illness or declining faculties (cf. Uncle
>> Junior), I think you're failing to appreciate the opportunity here to
>> watch a master at work. It's all part of the show, right? John
>> understands the long game (long con?) better than most.
>>
>
> Well, there are the following options:
>
> * John plays at level 0: he is insane
> * John plays at level 1: he is sane, pretending to be insane, and
>   we are deceived by this (in this world, you play at level 2, Greg)
>
> But it's also possible for a mask to lie beneath the mask, for him to be
> insane pretending to be sane pretending to be insane. And so on and so
> forth all the way down the rabbit hole.
>
> I'm sure if we asked him what level he played at, he'd only respond "one
> level higher than you."
>
> It's definitely a great show.
>
> --
> Sent from Ubuntu

From phw at riseup.net Thu Dec 6 05:49:55 2012
From: phw at riseup.net (Philipp Winter)
Date: Thu, 6 Dec 2012 14:49:55 +0100
Subject: [liberationtech] /. ITU Approves Deep Packet Inspection
Message-ID:

On Wed, Dec 05, 2012 at 08:28:36PM +0100, Petter Ericson wrote:
> Transparent IPv4-to-IPv6 tunneling, detection of certain
> forms of abuse, QoS modification, traffic monitoring and
> shaping.
>
> Obviously, these are mostly happening at a firewall or
> equivalent, which is kind of the point. Very little DPI
> is legitimate in core networking.

I would not limit your point to core networking. DPI technology is also used by organizations at the networking edges to conduct censorship.

I agree that there is some legitimate use for DPI but giving up on that is a small price to pay considering the mass surveillance and censorship which is made so easy by DPI. Looking into packet payload should be considered taboo for middle boxes. No matter where they are.

Cheers,
Philipp

----- End forwarded message -----

From noloader at gmail.com Thu Dec 6 13:45:58 2012
From: noloader at gmail.com (Jeffrey Walton)
Date: Thu, 6 Dec 2012 16:45:58 -0500
Subject: [cryptography] OT: Traffic sensor flaw that could allow driver tracking fixed
Message-ID:

It's amazing where these defects show up. I think Morris was right with his three laws. I also believe this was a direct application of "Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices."
The same authors are responsible for the paper, the advisory and the proof of concept against the traffic system.

http://www.csoonline.com/article/723229/traffic-sensor-flaw-that-could-allow-driver-tracking-fixed

Mobile security involves more than just keeping one's personal devices secure from hacks or other exploits. Threats can also come from the technology government uses to track and manage traffic flow.

The Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert last week over a vulnerability that it said impacts Post Oak Traffic AWAM Bluetooth Reader Systems. The system collects data from drivers who are using Bluetooth equipment, and uses it to calculate their speed and determine traffic conditions on a particular highway or road.

The alert said "insufficient entropy," or insecure encryption, in those roadway sensors could allow an attacker to impersonate the device, "obtain the credentials of administrative users and potentially perform a Man-in-the-Middle attack."

"This could allow the attacker to gain unauthorized access to the system and read information on the device, as well as inject data compromising the integrity of the data," the alert said.

...

_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----

From eugen at leitl.org Thu Dec 6 08:02:56 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 6 Dec 2012 17:02:56 +0100
Subject: [liberationtech] /.
ITU Approves Deep Packet Inspection
Message-ID: <20121206160256.GR9750@leitl.org>

----- Forwarded message from Philipp Winter -----

From asherwolf at cryptoparty.org Wed Dec 5 22:12:27 2012
From: asherwolf at cryptoparty.org (Asher Wolf)
Date: Thu, 06 Dec 2012 17:12:27 +1100
Subject: [liberationtech] /. ITU Approves Deep Packet Inspection
Message-ID:

Latest copy of the ITU's DPI recommendations:
http://brendan.so/2012/12/06/leak-draft-new-recommendation-itu-t-y-2770-formerly-y-dpireq/

- Asher Wolf

On 6/12/12 9:41 AM, Petter Ericson wrote:
> On 05 December, 2012 - Pavol Luptak wrote:
>
>> On Wed, Dec 05, 2012 at 07:27:27PM +0100, Christian Fuchs wrote:
>>> If this approval by the ITU is true - then it is no surprise at all,
>>> but what one would expect. What else has the ITU in the past ever
>>> been than an instrument that supports capitalist interests and
>>> commodification of the ICT and telecommunications industries?
>>>
>>> DPI can advance large-scale monitoring of citizens by the
>>> state-capital complex that is connected by a right-wing state
>>> ideology of fighting crime and terror by massive use of surveillance
>>> technologies and a neoliberal ideology of capitalist organisations
>>> that want to make a profit out of surveillance and want to hinder
>>> the undermining of intellectual property rights.
>>
>> DPI censorship is not a 'competitive' advantage, so it's quite likely that
>> in a pure market society ('anarchocapitalism') without strong socialistic
>> governments and their stupid Internet regulations, most Internet providers WILL
>> NOT censor their connections, otherwise they will lose their customers. Most
>> customers are not willing to pay for censored Internet if they can choose
>> unfiltered free Internet. And the only one who can take them this right is
>> a monopoly for laws/regulations - the centralized government.
>
> Without being drawn wildly off-topic, let me just note that you are
> assuming that the customers of a generic ISP in a "pure market society"
> are the people getting the "internet" access.
>
> /P
>

----- End forwarded message -----

From eugen at leitl.org Thu Dec 6 08:25:44 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 6 Dec 2012 17:25:44 +0100
Subject: [ZS] /. ITU Approves Deep Packet Inspection
Message-ID: <20121206162544.GT9750@leitl.org>

----- Forwarded message from Bryce Lynch -----

From eugen at leitl.org Thu Dec 6 11:10:12 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 6 Dec 2012 20:10:12 +0100
Subject: [liberationtech] Announcing finalists (and soon winners) for the Access Tech Innovation Prize
Message-ID: <20121206191012.GU9750@leitl.org>

----- Forwarded message from Gustaf Björksten -----

From gojomo-forkxent at xavvy.com Thu Dec 6 20:55:51 2012
From: gojomo-forkxent at xavvy.com (Gordon Mohr)
Date: Thu, 06 Dec 2012 20:55:51 -0800
Subject: [FoRK] bitcoins vs. alchemy
Message-ID:

On 12/6/12 7:56 PM, Ken Ganshirt @ Yahoo wrote:
> --- On Thu, 12/6/12, Gordon Mohr wrote:
>
>>
>> The consensus ledger then agrees that your key can spend those
>> bitcoins.
>>
>> Only if someone gets your private key can they pretend to be the
>> owner of those previously-minted-on-schedule coins.
>>
>> - Gordon
>>
>
> That's the part that I don't get, even after reading. When you do
> get around to spending your bitcoins, do those earlier bitcoins have
> their original purchasing power? Or do they only have the more recent
> "devalued" purchasing power?

There is no 'devaluation event'.
There's a decrease in the reward credited when someone wins the race to supply the next canonical transaction-log block. The reward used to be 50 BTC per block; now it's 25 BTC per block. It will keep halving at regular intervals until it's less than the smallest representable value in the protocol.

1 BTC from a recent 25 BTC reward is exactly the same as 1 BTC from an earlier 50 BTC reward. Age of origin doesn't matter, and in normal use, the balances that originated in different block rewards get mixed together. (A subsequent use of that mixed balance just refers back to the immediately previous mixing-use. While it is *possible* to keep looking further back to precedent transactions, it's not *necessary*.)

Unfortunately the terms and analogies used to describe Bitcoin often lead to confusion. They're not really 'created by computation' or even 'discovered', but disbursed on a reward schedule that's set by the system's 'technical constitution'. Who wins the hash-collision/block-creation competition only affects to whom the values are disbursed.

Thinking about them as a tangible thing (or even a specific number/solution) can also lead you astray; they're just a credit, in a shared globally-readable ledger. Based on that consensus ledger, everyone agrees a particular public-key may reassign that balance to one or more other public-keys (by submitting a signed transaction). It's more like a bunch of swiss bank accounts in the peer-cloud, than it is some collection of digital rarities kept secure via confidentiality. (You just keep your signing keys -- your bank account passwords, if you will -- secret, so that no one else can issue signed transactions drawing down your balances.)

> Asked a different way, are all bitcoins of equal "value" all the
> time, just as 1 "dollar" of fiat currency is always equal to any
> other 1 "dollar" of that same fiat currency at any single point in
> time? Or is there a different value between the earlier and more
> recent. Eg.
> Is there some distinction based on the different
> "vintages" that are baked into the "revaluation" process such that at
> the same instant in time 1 unit of bitcoin mined before a devaluation
> event is "worth" more than that same size unit mined after.

Yes, all bitcoin balances are denominated in the same mixable/interchangeable units. Vintage doesn't matter.

1 BTC (from any block/txn) + 1 BTC (from any other block/txn) = 2 BTC

(There are some other subtleties, regarding balances that were recently awarded or transferred. So by convention some balances may not be immediately/preferentially spendable. But in such cases just waiting for the blockchain to get a bit longer over 1-20 hours makes the balances completely equal.)

> There seems to be an assumption in some folks' questions that there
> is a difference in "value" by vintage, eg. related to/marked by each
> "revaluation" stage. I'm not sure, so I have to ask the dumb
> question.
>
> Or perhaps there is something else baked into the process such that
> after a devaluation event the payout for a block is relatively
> smaller than it would have been before the devaluation event to
> offset the relative change in value due to the revaluation?

Any assumptions involving a 'devaluation event' or 'revaluation vintages' would be based on misconceptions. Of course, the value of 1 BTC against other currencies floats around based on what people are willing to pay, but that's a different thing entirely.

- Gordon

> Or do I just need to change my bifocals? Or my meds. Or both.
>
> ...ken...
> _______________________________________________
> FoRK mailing list
> http://xent.com/mailman/listinfo/fork
>
>
_______________________________________________
FoRK mailing list
http://xent.com/mailman/listinfo/fork

----- End forwarded message -----
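Gordon Mohr's explanation above makes three points that are easy to lose in the analogies: the reward halves on a fixed schedule until it falls below the smallest representable unit, a "bitcoin" is only a ledger credit that a particular public key may reassign by signing a transaction, and balances from different rewards mix freely, so vintage carries no meaning. The following toy ledger is an added example (not code from the FoRK thread or from Bitcoin itself) that runs those three points end to end. It assumes two real protocol constants the thread does not state, the 210,000-block halving interval and 10^8 satoshi per BTC, and it uses a Lamport one-time hash signature as a stand-in for Bitcoin's ECDSA so that it needs nothing beyond the Python standard library.

```python
"""Toy ledger for the three points above: the block subsidy halves on a
fixed schedule, a balance is a ledger entry credited to a public key, and
vintage is irrelevant because an ordinary spend mixes outputs from
different rewards. Added example, not code from the FoRK thread or from
Bitcoin. Assumed (not stated in the thread): the 210,000-block halving
interval and 1e8 satoshi per BTC. A Lamport one-time signature stands in
for Bitcoin's ECDSA so this runs on the standard library alone."""
import hashlib
import os
from dataclasses import dataclass

SATOSHI_PER_BTC = 100_000_000
HALVING_INTERVAL = 210_000              # assumed real protocol constant
INITIAL_SUBSIDY = 50 * SATOSHI_PER_BTC  # the 50 BTC the thread mentions


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def block_subsidy(height: int) -> int:
    """Satoshi credited for the block at `height`; the integer shift halves
    the reward and truncates it to 0 once it is below one satoshi."""
    return INITIAL_SUBSIDY >> (height // HALVING_INTERVAL)

def total_supply_sat() -> int:
    """Everything the schedule will ever disburse, summed era by era."""
    total, height = 0, 0
    while block_subsidy(height):
        total += block_subsidy(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total

# Lamport one-time signatures: a hash-only stand-in for ECDSA.
def keygen():
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return priv, [(sha256(a), sha256(b)) for a, b in priv]

def _bits(msg: bytes):
    d = sha256(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(priv, msg: bytes):
    return [priv[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pub, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        sha256(s) == pub[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def address(pub) -> bytes:
    """What the ledger stores as the owner: a hash of the public key."""
    return sha256(b"".join(a + b for a, b in pub))


@dataclass(frozen=True)
class Output:
    amount: int     # satoshi
    owner: bytes    # address whose key may reassign this balance

def serialize(inputs, outputs) -> bytes:
    """Canonical bytes that get signed and hashed into the new txid."""
    return (b"".join(txid + idx.to_bytes(4, "big") for txid, idx in inputs)
            + b"".join(o.amount.to_bytes(8, "big") + o.owner for o in outputs))


class Ledger:
    """Unspent outputs keyed by (txid, index): the consensus ledger."""
    def __init__(self):
        self.utxo = {}

    def coinbase(self, owner: bytes, height: int) -> bytes:
        txid = sha256(b"coinbase" + height.to_bytes(4, "big"))
        self.utxo[(txid, 0)] = Output(block_subsidy(height), owner)
        return txid

    def spend(self, inputs, outputs, sigs, pubs) -> bytes:
        """Each input needs a signature over the whole transaction from the
        key whose address owns it; outputs may not exceed inputs."""
        msg = serialize(inputs, outputs)
        total_in = 0
        for ref, sig, pub in zip(inputs, sigs, pubs):
            spent = self.utxo[ref]
            if address(pub) != spent.owner or not verify(pub, msg, sig):
                raise ValueError("input not authorised by its owner key")
            total_in += spent.amount
        if sum(o.amount for o in outputs) > total_in:
            raise ValueError("outputs exceed inputs")
        for ref in inputs:
            del self.utxo[ref]
        txid = sha256(msg)
        for i, out in enumerate(outputs):
            self.utxo[(txid, i)] = out
        return txid

    def balance(self, owner: bytes) -> int:
        return sum(o.amount for o in self.utxo.values() if o.owner == owner)


def demo():
    """Spend a 50 BTC reward (height 0) and a 25 BTC reward (first halving)
    together; returns (recipient, key1, key2) balances in satoshi."""
    ledger = Ledger()
    k1_priv, k1_pub = keygen()   # earned the 50 BTC block at height 0
    k2_priv, k2_pub = keygen()   # earned the 25 BTC block at height 210,000
    _, k3_pub = keygen()         # recipient; never signs here
    inputs = [(ledger.coinbase(address(k1_pub), 0), 0),
              (ledger.coinbase(address(k2_pub), HALVING_INTERVAL), 0)]
    # 60 BTC to the recipient, 15 BTC change back to key 1 (a reusable ECDSA
    # key can take change; a real one-time key would need a fresh address).
    outputs = [Output(60 * SATOSHI_PER_BTC, address(k3_pub)),
               Output(15 * SATOSHI_PER_BTC, address(k1_pub))]
    msg = serialize(inputs, outputs)
    ledger.spend(inputs, outputs, [sign(k1_priv, msg), sign(k2_priv, msg)],
                 [k1_pub, k2_pub])
    return (ledger.balance(address(k3_pub)), ledger.balance(address(k1_pub)),
            ledger.balance(address(k2_pub)))
```

demo() spends the 50 BTC output from height 0 and the 25 BTC output from the first halving in a single transaction: the ledger deletes both and records only the new 60 BTC and 15 BTC outputs, which is the "refers back to the immediately previous mixing-use" behaviour Gordon describes. total_supply_sat() walks the halving schedule until the shifted reward reaches zero and sums to 2,099,999,997,690,000 satoshi, just under 21 million BTC. The spend() check is the whole security model in miniature: a balance moves only when the key whose address owns the output has signed this exact transaction, so keeping the signing key secret is what keeps the balance.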
From eugen at leitl.org Thu Dec 6 13:23:12 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 6 Dec 2012 22:23:12 +0100
Subject: CFP: Value and Currency in Peer Production
Message-ID: <20121206212312.GF9750@leitl.org>

----- Forwarded message from nathaniel tkacz -----

From eugen at leitl.org Thu Dec 6 13:48:08 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 6 Dec 2012 22:48:08 +0100
Subject: [cryptography] OT: Traffic sensor flaw that could allow driver tracking fixed
Message-ID: <20121206214808.GH9750@leitl.org>

----- Forwarded message from Jeffrey Walton -----

From eugen at leitl.org Fri Dec 7 02:22:03 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 7 Dec 2012 11:22:03 +0100
Subject: [FoRK] bitcoins vs.
alchemy
Message-ID: <20121207102203.GN9750@leitl.org>

----- Forwarded message from Gordon Mohr -----

From prabahy at gmail.com Fri Dec 7 14:45:10 2012
From: prabahy at gmail.com (Paul Rabahy)
Date: Fri, 7 Dec 2012 17:45:10 -0500
Subject: [tahoe-dev] LAFS Weekly Dev Hangout notes, 2012-12-06
Message-ID:

First off, let me say that I enjoyed listening in to the hangout even though I couldn't participate. For the last year or 2 I have been thinking about building a distributed, untrusted storage system. When I found Tahoe-lafs, I was ecstatic that it had already implemented about 90% of the ideas that I had thought of and that it sounds like the remaining 10% are being worked on.

I have some comments on Zooko's Proof-of-Retrievability paper.

1. Great job writing this. It was very easy to read and get up to speed without having to read 10 other whitepapers first to understand the basics. (I have some background in cryptography/secure computing from college)

2. I completely agree with the 3 levels of bad behavior (Greed, Malice, and Adaptive Malice). In addition, I believe there should be a fourth level which I will call "Accidental Greed". In this case, the server stores the data, responds to all requests properly, but one day fails (either a POR or GetData request) for some unknown reason. This server will acknowledge their mistake and attempt to reverse it once they are notified (restore backups, patch bug, etc.).

2a.
For POR, Zooko nailed this. We don't have to care about "Accidental Greed" at the protocol level because if we cover ourselves for Malice or Adaptive Malice we already have a solution.

3. I am convinced that to prevent Malice or Adaptive Malice, there cannot be a difference between running a POR or GetData. If there is, either type of attacker could respond correctly to the POR but incorrectly to the GetData.

3a. For my use cases I feel that having POR and GetData can have different traffic patterns and not affect my experience as a customer. I realize that will introduce a gap in the protocol so that Adaptive Malice could defeat the POR. I would like for POR to cover me 90% of the time, but occasionally I will actually download a file and will be able to catch the Adaptive Malice server at that point. (This might seem like a contradiction, but Tahoe already has the enormously powerful feature of erasure coding to protect me from an occasional malicious server even if POR fails.)

4. Unfortunately Zooko lost me in Part 2b and 3. I understand the trade-off between "(a) reduced performance for downloads, and/or (b) increased bandwidth usage for verification", but I was never able to understand how Tahoe is supposed to be convinced that a share is retrievable without even contacting the server containing the share.

4a. Several times during the hangout, it was mentioned that increasing N and K would help POR to work better. I don't follow that argument. I agree that setting N higher increases the retrievability of a file (because it can withstand more malicious servers), but I don't see how increasing either of these will help me single out the malicious server.

5. I need to do more reading on the current Tahoe verify system, but I don't understand how Tahoe can verify a file using B Bandwidth where B is less than F Filesize.

5a. Using the Tahoe defaults (K = 3, N = 10) and assuming that F = 1(MB) it will take 3.33(MB) to store all ten shares.
Each share will take .333(MB) to store. To verify the file, wouldn't you have to retrieve at least K shares, therefore B would equal .333(MB) * 3(K) = 1MB(F)? To me, it seems we didn't save any bandwidth.

5b. (Ah, just thought of this as I was writing.) Does Tahoe maintain some sort of tree/share based hash so that it can verify individual shares or parts of a share without verifying the entire file? If so, I can see the bandwidth savings.

6. I agree that TOR/distributed verification could help in the case of an Adaptive Malicious server, but until I have a clearer understanding of my points 5 and 6, I'm not sure if this description of POR will have a benefit for my use case.

Hopefully these points make sense. Let me know if I made anything confusing.

PRabahy

On Thu, Dec 6, 2012 at 3:42 PM, Zooko Wilcox-O'Hearn wrote:
> In attendance: Brian, David-Sarah, Zooko (scribe), Andrew, PRabahy (silent)
>
> The meeting started about 10 minutes late and ran more than 30 minutes past its scheduled stop-time. (Because we were too engaged to stop at the stop-time since we were sorting out the question of whether Zooko's "Strong Proof-of-Retrievability" concept was inherently as inefficient as simply downloading the whole file.)
>
> Caveat Lector! I might have forgotten some stuff. I haven't taken the time to add explanations for most of what follows. My own biases shine through willy nilly.
>
> * The LAFS-PoR.rst text file was cleverly hidden behind an obstacle course.
>
> * 'Ephemeral Elliptic Curve Diffie-Hellman' = 'My friend Zooko excels at redefining "What 'everyone' or what 'no-one' uses."'
>
> * leasedb+cloud-backend
>   * LeastAuthority.com has at long last delivered Milestone 3 to DARPA. Milestone 1 was a design document, Milestone 2 was Cloud/S3 backend, and Milestone 3 was leasedb.
>   * https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1818 / https://github.com/davidsarah/tahoe-lafs/tree/1818-leasedb is the implementation of leasedb against trunk (disk backend)
>   * https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1819 / https://github.com/davidsarah/tahoe-lafs/tree/1819-cloud-merge is the merge of that with the cloud backend
>   * The 1819-cloud-merge branch passes all unit tests, and passes manual testing by David-Sarah. It is currently being evaluated on behalf of DARPA by their contractors, BITSYS.
>   * next steps:
>     * Keep 1818-leasedb and 1819-cloud-merge out of Tahoe-LAFS v1.10.
>     * Let Brian review them.
>     * David-Sarah is still re-recording the patch series for 1819-cloud-merge.
>     * Zooko is still code-reviewing the patches.
>     * Check for the transition experience - what happens the first time you upgrade, for example.
>     * There is at least one incomplete detail about transition: starter leases don't get added (there isn't a ticket for this - we should open one).
>     * Zooko and David-Sarah want to implement #1834 and related tickets - not necessarily before we land it on trunk, but before we release 1.11. Or we could do it on the branch before we land it on trunk.
>
> * Tahoe-LAFS v1.10
>   * Let's package up what we have currently on trunk (plus, Zooko added to these notes after the meeting, possibly a few other good patches that are basically already done, are very non-disruptive - such as documentation-only patches - and/or have forward-compatibility implications, such as #1240, #1802, #1789, #1477, #901, #1539, #1643, #1842, and #1679).
>   * Everyone review pending tickets! https://tahoe-lafs.org/trac/tahoe-lafs/milestone/1.10.0
>   * The next Weekly Dev Hangout will be about Tahoe-LAFS v1.10
>   * goal: get trunk to meet our desires for Tahoe-LAFS v1.10, release from trunk
>   * Brian wants to fix #1767, which has forward-compatibility implications.
>
> * tarcieri's new HTML
>   * not for 1.10
>   * It changes only the front page and so the other pages are inconsistent with the new front page.
>   * But commit it to a branch ASAP and demonstrate to tarcieri that we're serious about merging it to trunk as soon as it is complete.
>
> * Proof-of-Retrievability
>   * Zooko has written a rough draft of a tahoe-dev post/science paper, arguing that real "Strong" Proof-of-Retrievability is possible, that the current exemplars in the crypto literature fail to provide Strong Proofs-of-Retrievability, and that Tahoe-LAFS combined with Tor would make a nice basis on which to build a Strong Proof-of-Retrievability, and that if it did, it would be a practical censorship-resistance tool.
>   * Brian posed some good challenges in practical terms about the performance and bandwidth costs.
>   * The key difference that makes this new concept of Proof-of-Retrievability different and better than previous attempts is that it uses multiple storage servers (which are hopefully not colluding with one another), and erasure-coding in order to keep total upload and storage costs fixed even while scaling a single file, horizontally, to a large number of storage servers.
>   * That's also the key to answering Brian's challenge - that sort of spreading across storage servers allows one to gain verification assurance - *even* against Adaptive Malicious Storage Servers - at a fraction of the aggregate bandwidth cost of a full download. If there were only a single storage server then Juels-2009 and Brian-in-this-meeting would be right that no efficient Strong PoR is possible.
>   * Next steps: Zooko needs to rewrite the second half of the current document to emphasize these insights gained from this meeting and to streamline it. Several experts have volunteered to review it already. Then: post it to tahoe-dev?
>   * David-Sarah has some idea that Brian and Zooko don't quite get about improving the quantitative advantage to the defender by increasing erasure coding parameters and storing multiple shares per server.
>   * Let's get drunk and argue about whether God can see into the future.
> _______________________________________________
> tahoe-dev mailing list
> tahoe-dev at tahoe-lafs.org
> https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
>
_______________________________________________
tahoe-dev mailing list
tahoe-dev at tahoe-lafs.org
https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From potentc at rlryerson.com Fri Dec 7 09:36:40 2012
From: potentc at rlryerson.com (=?koi8-r?B?Iv7B09kgydog5dfSz9DZICDP1CA5IDg5OSDS1cIuIg==?=)
Date: Sat, 8 Dec 2012 00:36:40 +0700
Subject: =?koi8-r?B?+8nLwdLO2cog0M/EwdLPyyAgxMzRICDN1dbeyc4hICD718XKw8HS08vJ?= =?koi8-r?B?xSDewdPP1w==?=
Message-ID:

Swiss wristwatches! Made in Europe, 25-month warranty, Swiss movements only. VIP replicas of elite brands and designs! Prices from 9,989 rubles. Discounts today!
http://www.часы-тут.рф

From eugen at leitl.org Sat Dec 8 02:19:57 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 8 Dec 2012 11:19:57 +0100
Subject: [tahoe-dev] LAFS Weekly Dev Hangout notes, 2012-12-06
Message-ID: <20121208101957.GI9750@leitl.org>

----- Forwarded message from Paul Rabahy -----

From contributorymr383 at royalessence.com Fri Dec 7 21:33:50 2012
From: contributorymr383 at royalessence.com (=?koi8-r?B?Iv7B09kgz9QgNSA5OTkg0tXCzMXKIg==?=)
Date: Sat, 8 Dec 2012 12:33:50 +0700
Subject: =?koi8-r?B?797Fztgg09TJzNjO2cUg3sHT2SDTIPvXxcrDwdLTy8nNySDJIPHQz87T?= =?koi8-r?B?y8nNySDNxcjBzsnazcHNyQ==?=
Message-ID:

High-quality replicas of Swiss watches with Swiss and Japanese movements! From 6,000 rubles. Discounts today! Our site: http://часы-бутик.рф

From gfoster at entersection.org Sat Dec 8 10:47:10 2012
From: gfoster at entersection.org (Gregory Foster)
Date: Sat, 08 Dec 2012 12:47:10 -0600
Subject: [drone-list] This week in domestic drone activism
Message-ID:

Nation of Change (Dec 8) - "Drones Come Home, to U.S. Privacy Activists Dismay":
http://www.nationofchange.org/drones-come-home-us-privacy-activists-dismay-1354982443

Nice survey of anti-drone activism occurring in the United States, beginning with the notable victory obtained earlier this week by the Alameda County Against Drones coalition (ACAD). ACAD headed off an attempt by the Alameda County Sheriff to win approval from the Alameda County Board of Supervisors to accept a DHS grant to acquire a surveillance drone. I would love to hear a summary of the effort that went into successfully undermining that "stealth attack" from the ACAD representatives on this list.

The linked article also includes details about domestic drone activism in Buffalo, Syracuse, San Diego, Portland, and Seattle.

HT OpPinkPower
https://twitter.com/OpPinkPower/status/277474634176266240

gf

--
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/
_______________________________________________
drone-list mailing list
drone-list at lists.stanford.edu
Should you need to change your subscription options, please go to:
https://mailman.stanford.edu/mailman/listinfo/drone-list
If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
You will need the user name and password you receive from the list moderator in monthly reminders. Should you need immediate assistance, please contact the list moderator.

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From Brad at cercis.net Sat Dec 8 08:56:15 2012
From: Brad at cercis.net (Carol Horton)
Date: Sat, 08 Dec 2012 17:56:15 +0100
Subject: Carol Horton sent you a message
Message-ID:

A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 363 bytes
Desc: not available
URL:

From belyingn5 at rfpcommercial.com Sat Dec 8 04:31:30 2012
From: belyingn5 at rfpcommercial.com (=?koi8-r?B?IuHKxs/O2SAg0tXezs/KINLBws/U2SDP1CA4NiAwMDAi?=)
Date: Sat, 8 Dec 2012 19:31:30 +0700
Subject: =?koi8-r?B?+s/Mz9TPyiBJUGhvbmUgNHMg1yDQz8TB0s/LINDSySDQz8vV0MvFIDIt?= =?koi8-r?B?yCBJUGhvbmUgNQ==?=
Message-ID:

Precious iPHONE 5 and iPHONE 4s phones, handmade by a well-known Italian designer. Price from 86,000 rubles. TODAY'S PROMOTIONS:
- a gold CAVIAR iPhone 4s as a gift when you buy two CAVIAR iPhone 5s,
- Italian Prosecco and black caviar for every customer,
- 25% discount on the CAVIAR iPhone 4s.
Our site: http://www.голд-айфон.рф

From eugen at leitl.org Sat Dec 8 11:21:02 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 8 Dec 2012 20:21:02 +0100
Subject: [drone-list] This week in domestic drone activism
Message-ID: <20121208192102.GS9750@leitl.org>

----- Forwarded message from Gregory Foster -----

From virtualadept at gmail.com Sat Dec 8 22:49:10 2012
From: virtualadept at gmail.com (Bryce Lynch)
Date: Sun, 9 Dec 2012 01:49:10 -0500
Subject: Some notes toward a fully distributed, serverless socnet/communications network using CouchDB.
Message-ID:

Now that Windbringer's been upgraded, I was able to install and run CouchDB. Which means that I've been hacking around. Take cover. Incoming JSON and incoherent rambling.

couchdb listens on 127.0.0.1:5984 by default. Configure Tor to expose port 5984/tcp on .onion. Voila.

Creating new databases (even remotely) is as simple as making an HTTP request to localhost:5984 consisting of

    PUT http://localhost:5984/

Then documents can start being added to it.

The array "acl" has a couple of default values. An entry "all" means that anyone can read and replicate it. "private" means that only the author is allowed to access it; an empty entry means the same thing.
From http://www.cmlenz.net/archives/2007/10/couchdb-joins

Every post and comment is stored as a separate document with the same schema. The key "acl" is an array of usernames that are allowed to see the post. By extension, this is also the list of nodes that are allowed to replicate this document. The field "post" is an integer that increments with every blog post one makes. This field is used to tie together a post and all comments that are tied to it. The key "type" is the type of document, either "post" (a blog post) or "comment" (a comment on a blog post).

database name: n25_blog_

blog schema:

    {
      _id: "autogenerated",
      _rev: "autogenerated, too",
      acl: ["all", ],
      author: "me",
      content: "Contents of my blog post",
      post: 0,
      title: "Frist psot!",
      type: "post",
    }

Every bookmark one stores is kept as a separate document in a database. All have the same schema. The "acl" key works as defined earlier. Eventually, I'd like to make a JavaScript bookmarklet that makes it much easier to store a bookmark in this database. I'm not sure if bookmarks are going to be private only (i.e., personal) or

database name: n25_bookmarks_

bookmarks schema:

    {
      title: "",
      url: "",
      description: "",
      tags: ["", ],
      categories: ["", ],
      acl: ["all", ],
      date_added: ["YYYY/MM/DD", "HH:MM", "TZ"],
      date_modified: ["YYYY/MM/DD", "HH:MM", "TZ"],
    }

Yes, I know that JSON documents aren't really schemas. I need to call them something, and I don't yet know the terminology. ("layout" says HTML to me and not the format of the data in a document because it's not markup. Then again, I relate to device drivers better than I do websites.)

database name: n25_profile_username

profile schema (dumped from my CouchDB instance and reformatted for readability):

    {
      "_id": "",
      "_rev": "",
      "profile": {
        "chosen_name": "Bryce A. Lynch",
        "aliases": ["Bryce", "The Doctor [412/724/301/703][ZS|Media]", ],
        gender: ["Androgynous", ],
        identification: "Organic sapient with semiautonomous software augmentations",
        location: "I am everywhere.",
        email_addresses: ["virtualadept at gmail.com", "bryce.lynch at zerostate.net", "bryce at somewhereelse.com", ],
        websites: ["https://drwho.virtadpt.net", ],
        IM: [
          {network: "gchat", protocol: "XMPP", handle: "virtualadept at gmail.com"},
          {network: "Network25", protocol: "torchat", handle: "foo.onion"},
        ],
        public_keys: [{"My PGP public key goes here"}],
        profile_address: ["something.onion", ],
        tor_sites: [""],
        bio: "This is where I write freeform stuff about myself.",
        interests: ["ad-hocracy", "anhedonia", "anonymity", "privacy", "assembly language", "blogging", "hacktivism", "tor", "python", "mesh networking", "couchdb", ],
        skillset: ["system administration", "system architecture", "information security", "security research", "mesh networking", "linux", "bsd", "software engineering", ],
        projects: [
          {name: "Project Byzantium", position: "core developer", website: "http://project-byzantium.org"},
          {name: "Zero State: Media", position: "Project Manager", website: "http://zerostate.net/"},
        ],
        affiliations: ["Project Byzantium", "Zero State", ],
        bitcoin_address: "blahblahblah",
        blog_db: "n25_blog_brycealynch",
        bookmarks_db: "n25_bookmarks_brycealynch",
      },
      "friends": {
        acl: ["all", ],
        friends: [
          {chosen_name: "Amon Zero", local_name: "Amon", profile_address: "something_else.onion"},
        ]
      },
      // Note, these are duplicates of the profiles of everyone on this user's friends list. I'm not going to reproduce them here.
      "cached_friend_profiles": {},
      "date_updated": ["2012/12/08", "18:19", "EST5EDT"],
      "groups": [
        acl: ["all", ],
        {name: "Zero State General", description: "General Zero State discussion", database: "zerostategeneral", },
        {name: "Network25 Updates", description: "Status and development reports for the Network25 package", database: "n25updates", },
        {name: "", description: "", database: "", },
      ]
    }

TODO: Finish adding ACLs to the profiles. Also, figure out how to write CouchDB design docs to make this information accessible without using Futon.

--
The Doctor [412/724/301/703] [ZS|Media]
https://drwho.virtadpt.net/

"I am everywhere."

--
You received this message because you are subscribed to the Google Groups "ZS-P2P" group.
To post to this group, send email to zs-p2p at googlegroups.com.
To unsubscribe from this group, send email to zs-p2p+unsubscribe at googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From mk at dee.su Sat Dec 8 20:09:31 2012
From: mk at dee.su (Maxim Kammerer)
Date: Sun, 9 Dec 2012 06:09:31 +0200
Subject: [tor-talk] Botnets through Tor
Message-ID:

On Sun, Dec 9, 2012 at 5:47 AM, wrote:
> I'd be interested if gnunet or i2p have seen similar usage by
> botnets.

I was going to write that for I2P it is highly unlikely due to autonomous daemon configuration complexity, a dependency on Java, and unreliability wrt.
network configuration changes, but here is a botnet advertisement that mentions I2P support:
http://uscyberlabs.com/blog/2012/09/24/dark-heart-botnet-tor-c2-bullet-proof-server-collector/

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
_______________________________________________
tor-talk mailing list
tor-talk at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From Fannie at hightechbid.com Sun Dec 9 00:47:51 2012
From: Fannie at hightechbid.com (Thomas Calhoun)
Date: Sun, 09 Dec 2012 09:47:51 +0100
Subject: Thomas Calhoun sent you a message
Message-ID:

A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 3569 bytes
Desc: not available
URL:

From eugen at leitl.org Sun Dec 9 02:08:17 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 9 Dec 2012 11:08:17 +0100
Subject: [tor-talk] Botnets through Tor
Message-ID: <20121209100817.GV9750@leitl.org>

----- Forwarded message from Maxim Kammerer -----

From eugen at leitl.org Sun Dec 9 02:10:20 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 9 Dec 2012 11:10:20 +0100
Subject: Some notes toward a fully distributed, serverless socnet/communications network using CouchDB.
Message-ID: <20121209101020.GW9750@leitl.org>

----- Forwarded message from Bryce Lynch -----

From collettekareen at garzanet.com Sun Dec 9 09:47:04 2012
From: collettekareen at garzanet.com (KYLEE LASHONDA)
Date: Sun, 09 Dec 2012 11:47:04 -0600
Subject: Cialis at Half Price Pharmacy. For Visa owners only! Free Shipping, Free Consultation! Up to 40% Loyalty Bonus. 43tes9
Message-ID: <45a82w22q67-02508493-508i1i21@lkflwpy>

Cialis at Half Price Pharmacy
For Visa owners only! Free Shipping, Free Consultation!
Up to 40% Loyalty Bonus.
Safe Generic medications from non US Licensed(!) pharmacy.
100% Satisfaction Guaranteed
http://doserxpharmacy.ru

From squalling at reubro.com Sat Dec 8 21:04:09 2012
From: squalling at reubro.com (=?koi8-r?B?IvPVzcvJIMnaIOnUwczJySI=?=)
Date: Sun, 9 Dec 2012 13:04:09 +0800
Subject: =?koi8-r?B?9sXO08vJxSDJIM3V1tPLycUg09XNy8kg8NLBxMEsIPvBzsXM2CDJIMTS?= =?koi8-r?B?ISDzxcrewdMgIPPLycTLySE=?=
Message-ID: <8BC797A3ADD74EE2A4538A5B0F7945EB@PC200812071930>

Women's and men's bags from Italy by elite brands! Discounts today at http://сумки-длявсех.рф

From inanimatem867 at radme.com Sun Dec 9 00:33:40 2012
From: inanimatem867 at radme.com (=?koi8-r?B?IvPVzcvJIMnaIOnUwczJySI=?=)
Date: Sun, 9 Dec 2012 15:33:40 +0700
Subject: =?koi8-r?B?9sXO08vJxSDJIM3V1tPLycUg09XNy8kg8NLBxMEsIPvBzsXM2CDJIMTS?= =?koi8-r?B?ISDzxcrewdMgIPPLycTLySE=?=
Message-ID:

Women's and men's bags from Italy by elite brands! Discounts today at http://сумки-длявсех.рф

From brianakarissa at paradigmhealth.org Sun Dec 9 05:19:54 2012
From: brianakarissa at paradigmhealth.org (MARYLOU)
Date: Sun, 09 Dec 2012 18:19:54 +0500
Subject: Want to Improve Your Penis Size? Proven Penis Enlargement 75ouuf3oz5
Message-ID: <50c48ffa.37627b7b@paradigmhealth.org>

Proven Penis Enlargement - Want to Improve Your Penis Size? Now You Can Risk Free
Order Now! http://unalf.ru

From prism at redlighttoys.com Sun Dec 9 11:50:38 2012
From: prism at redlighttoys.com (=?koi8-r?B?Iv7B09kgydog5dfSz9DZICDP1CA5IDg5OSDS1cIuIg==?=)
Date: Sun, 9 Dec 2012 20:50:38 +0100
Subject: =?koi8-r?B?+8nLwdLO2cog0M/EwdLPyyAgxMzRICDN1dbeyc4hICD718XKw8HS08vJ?= =?koi8-r?B?xSDewdPP1w==?=
Message-ID: <209A534E3F144DA2BFD46D75891E825F@spotlighd765db>

Swiss wristwatches! Made in Europe, 25-month warranty, Swiss movements only. VIP replicas of elite brands and designs! Prices from 9,989 rubles. Discounts today!
http://www.часы-тут.рф

From vestryxu6 at royalautos.com Sun Dec 9 22:00:46 2012
From: vestryxu6 at royalautos.com (=?koi8-r?B?Iv7B09kgz9QgNSA5OTkg0tXCzMXKIg==?=)
Date: Sun, 9 Dec 2012 22:00:46 -0800
Subject: =?koi8-r?B?797Fztgg09TJzNjO2cUg3sHT2SDTIPvXxcrDwdLTy8nNySDJIPHQz87T?= =?koi8-r?B?y8nNySDNxcjBzsnazcHNyQ==?=
Message-ID: <1DD265626F8F4C52A77BB8220CC5D958@e4506c8825c054>

High-quality replicas of Swiss watches with Swiss and Japanese movements! From 6,000 rubles. Discounts today! Our site: http://часы-бутик.рф

From belleoscar at seagate.com Sun Dec 9 22:40:07 2012
From: belleoscar at seagate.com (Yvone)
Date: Mon, 10 Dec 2012 04:40:07 -0200
Subject: Buy Viagra Online Without Prescription!40-120 FREE Viagra Pills We accept VISA MC(PayPal) Payments, 100000 Satisfied Customers! ov5hfkno
Message-ID: <201212101136.50DEC29E82B5AEEB2C5F0C@50q2vuf>

Viagra BUY ONLINE NOW!! from $1.35/100mg
Buy Viagra Online Without Prescription! 40-120 FREE Viagra Pills
We accept VISA MC(PayPal) Payments, 100000 Satisfied Customers!
Top Selling 100% Quality & Satisfaction guaranteed
http://drugspharmacyrx.ru

From coderman at gmail.com Mon Dec 10 11:26:41 2012
From: coderman at gmail.com (coderman)
Date: Mon, 10 Dec 2012 11:26:41 -0800
Subject: Assange-WikiLeaks Crypto Arms Call Triple Cross
In-Reply-To: <0FD15747-53E4-4449-9CCD-0413CA8162F0@gmail.com>
References: <1354758955.23240.1.camel@anglachel> <50C014B5.5020304@lavabit.com> <1354766969.23240.20.camel@anglachel> <0FD15747-53E4-4449-9CCD-0413CA8162F0@gmail.com>
Message-ID:

On Thu, Dec 6, 2012 at 5:10 AM, jd.cypherpunks wrote:
> So - imo it's not too hard to understand what's going on.
> First - John isn't insane.
> Second - read again the first statement.
>
> I think you have to re-read his post and try to understand the underlying
> context.
> Try - and try again!
>

if the screed rings not of truth and substance,
your mind may be clouded by bias, or
you're asleep at the wheel of life...
From jya at pipeline.com Mon Dec 10 13:04:06 2012
From: jya at pipeline.com (John Young)
Date: Mon, 10 Dec 2012 16:04:06 -0500
Subject: Assange-WikiLeaks Crypto Arms Call Triple Cross
In-Reply-To:
References: <1354758955.23240.1.camel@anglachel> <50C014B5.5020304@lavabit.com> <1354766969.23240.20.camel@anglachel> <0FD15747-53E4-4449-9CCD-0413CA8162F0@gmail.com>
Message-ID:

Cryptome has published more on Assange and WikiLeaks than any other source except for WikiLeaks itself. Few have examined the initiative's whole body of material and promotional enterprise. Now that Assange has cloaked himself and the three others in the cypherpunks/cryptography mantle I think his shit-storm is coming this way.

I agree with putting distance between what has happened in cypherpunks Vegas from what is brewing in DoJ. More of that is probably a good thing. That was the purpose of the screed against Assange's insurance entrapment via weak crypto meant to be cracked with leak-fed access.

For edification read the JA-WL behavior in the fuller context of cypherpunks and forget the easily dismissed summary.

Assange is playing the cypherpunks card for a purpose that deserves scrutiny if for no other reason than to avoid being sucked into his practice of taking credit for wins and shifting blame to others when the chips are down. That is why he proclaims to be a privileged journalist after years of disparaging the corruption of that crowd.

Cypherpunks/cryptography vaunting may be part of a past, present or future plea arrangement or more likely a turning of the coat. Where else has this been better predicted than on cypherpunks, yay, even encouraged to cut the deal of ratting on colleagues.

At 02:26 PM 12/10/2012, coderman wrote:
>On Thu, Dec 6, 2012 at 5:10 AM, jd.cypherpunks
>wrote:
>
> > So - imo it's not too hard to understand what's going on.
> > First - John isn't insane.
> > Second - read again the first statement.
> >
> > I think you have to re-read his post and try to understand the underlying
> > context.
> > Try - and try again!
> >
>
>if the screed rings not of truth and substance,
> your mind may be clouded by bias, or
> you're asleep at the wheel of life...

From StealthMonger at nym.mixmin.net Mon Dec 10 14:07:23 2012
From: StealthMonger at nym.mixmin.net (StealthMonger)
Date: Mon, 10 Dec 2012 22:07:23 +0000 (GMT)
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Fabio Pietrosanti (naif)" writes:

> for those who have still not seen that project, I wanted to send a notice
> about MailVelope, OpenPGP encryption for webmail: http://www.mailvelope.com

> It's a client-side, plug-in based (similar to CryptoCat), OpenPGP email
> encryption plugin available for Chrome and Firefox.

To compare it with CryptoCat is unfair to MailVelope. As I understand things, CryptoCat has an ongoing reliance on server integrity. On the other hand, MailVelope is self-contained once securely installed, thus providing true peer-to-peer confidentiality and authentication (assuming that the correspondents have confirmed keys out-of-band).

Please correct this if in error.

- --

 -- StealthMonger
Long, random latency is part of the price of Internet anonymity.

anonget: Is this anonymous browsing, or what?
http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain

stealthmail: Hide whether you're doing email, or when, or with whom.
mailto:stealthsuite at nym.mixmin.net?subject=send%20index.html

Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.9

iEYEARECAAYFAlDGTA0ACgkQDkU5rhlDCl4oUgCdGJJIXDNS5c3yIeuKIMzbzHo+
F2gAoLzRcHoro25IaTbezc1fk8imYvyT
=PD9O
-----END PGP SIGNATURE-----

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From eugen at leitl.org Tue Dec 11 00:16:35 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 11 Dec 2012 09:16:35 +0100
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
Message-ID: <20121211081635.GS9750@leitl.org>

----- Forwarded message from StealthMonger -----

From malte at zeromail.org Tue Dec 11 05:37:06 2012
From: malte at zeromail.org (malte)
Date: Tue, 11 Dec 2012 14:37:06 +0100
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
Message-ID:

hi

> I'm interested whether there is any comparison (code-base wise or
> feature wise) with the (unfortunately discontinued) FireGPG
> (http://getfiregpg.org)

pigeonpg (which is part of mailvelope) contains code from firegpg - looks like some recycling took place :)

malte

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From kb at karelbilek.com Tue Dec 11 06:21:13 2012
From: kb at karelbilek.com
(=?ISO-8859-1?Q?Karel_B=EDlek?=) Date: Tue, 11 Dec 2012 15:21:13 +0100 Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail In-Reply-To: <20121211081635.GS9750@leitl.org> References: <20121211081635.GS9750@leitl.org> Message-ID: OK, I just REALLY want to thank you right now. We will have a small talk when we will want to demonstrate how to easily use mail encryption with popular clients we found out that none of us lecturers even use thunderbird, let alone knows how to set up the encryption. all of use use webmails. we suppose our audience does, too. for this, mailvelope is AWESOME. It "just works". it has one big downside though.... it doesn't support UTF8 in either name of key owner OR in the message itself (it totally mangles all UTF8 input). if you speak with a language that has diacritics (we speak Czech), it sucks a bit. small downside - it doesn't encrypt attachment and doesn't (AFAIK) sign the messages. but if they catch all these issues, it will be great On Tue, Dec 11, 2012 at 9:16 AM, Eugen Leitl wrote: > ----- Forwarded message from StealthMonger ----- > > From: StealthMonger > Date: Mon, 10 Dec 2012 22:07:23 +0000 (GMT) > To: liberationtech > Subject: Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail > Reply-To: liberationtech > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > "Fabio Pietrosanti (naif)" writes: > >> for whose who has still not see that project, i wanted to send a notice >> about MailVelope, OpenPGP encryption for webmail: http://www.mailvelope.com > >> It's a client-side, plug-in based (similar to CryptoCat), OpenPGP email >> encryption plugin available for Chrome and Firefox. > > To compare it with CryptoCat is unfair to MailVelope. As I understand > things, CryptoCat has an ongoing reliance on server integrity. 
On the > other hand, MailVelope is self-contained once securely installed, thus > providing true peer-to-peer confidentiality and authentication > (assuming that the correspondents have confirmed keys out-of-band). > > Please correct this if in error. > > > - -- > > > -- StealthMonger > Long, random latency is part of the price of Internet anonymity. > > anonget: Is this anonymous browsing, or what? > http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain > > stealthmail: Hide whether you're doing email, or when, or with whom. > mailto:stealthsuite at nym.mixmin.net?subject=send%20index.html > > > Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > Comment: Processed by Mailcrypt 3.5.9 > > iEYEARECAAYFAlDGTA0ACgkQDkU5rhlDCl4oUgCdGJJIXDNS5c3yIeuKIMzbzHo+ > F2gAoLzRcHoro25IaTbezc1fk8imYvyT > =PD9O > -----END PGP SIGNATURE----- > > -- > Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech > > ----- End forwarded message ----- > -- > Eugen* Leitl leitl http://leitl.org > ______________________________________________________________ > ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org > 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE From eugen at leitl.org Tue Dec 11 08:19:26 2012 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 11 Dec 2012 17:19:26 +0100 Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail Message-ID: <20121211161926.GX9750@leitl.org> ----- Forwarded message from malte ----- From jd.cypherpunks at gmail.com Tue Dec 11 09:18:57 2012 From: jd.cypherpunks at gmail.com (jd.cypherpunks) Date: Tue, 11 Dec 2012 18:18:57 +0100 Subject: Assange-WikiLeaks Crypto Arms Call Triple Cross In-Reply-To: References: <1354758955.23240.1.camel@anglachel> <50C014B5.5020304@lavabit.com> <1354766969.23240.20.camel@anglachel> 
<0FD15747-53E4-4449-9CCD-0413CA8162F0@gmail.com>
Message-ID: <78F24390-BF7A-4D51-B40F-8ABAD082C368@gmail.com>

funny. After all those years - cpunks know the stories of snitches, deception, false accusation, blood and thunder at every possible level and from every side of all possible coins. Sort of been there, done that, got the t-shirt. Saw JA coming and going from cpunks and these days he (like many before) uses 'affiliation' to get add. cover; it's ok with me (and acceptable to most, I guess). Anyhow, be aware that many see the move and some may react. Some education can be found in Jim Bell's story, see http://www.cryptome.org/cartome/homeland.htm or use Google in case you (as a 'coderman') don't trust cpunks at all. :)

--Michael

10.12.2012, 22:04 John Young :
> Cryptome has published more on Assange and WikiLeaks
> than any other source except for WikiLeaks itself. Few have
> examined the initiative's whole body of material and promotional
> enterprise. Now that Assange has cloaked himself and the
> three others in the cypherpunks/cryptography mantle I think
> his shit-storm is coming this way.
>
> I agree with putting distance between what has happened in
> cypherpunks Vegas from what is brewing in DoJ. More of
> that is probably a good thing. That was the purpose of the
> screed against Assange's insurance entrapment via weak
> crypto meant to be cracked with leak-fed access.
>
> For edification read the JA-WL behavior in the fuller context
> of cypherpunks and forget the easily dismissed summary.
>
> Assange is playing the cypherpunks card for a purpose that
> deserves scrutiny if for no other reason than to avoid being
> sucked into his practice of taking credit for wins and shifting
> blame to others when the chips are down. That is why he
> proclaims to be a privileged journalist after years of disparaging
> the corruption of that crowd.
>
> Cypherpunks/cryptography vaunting may be part of a past,
> present or future plea arrangement or more likely a
> turning of the coat. Where else has this been better
> predicted than on cypherpunks, yay, even encouraged
> to cut the deal of ratting on colleagues.
>
>
>
> At 02:26 PM 12/10/2012, coderman wrote:
>> On Thu, Dec 6, 2012 at 5:10 AM, jd.cypherpunks wrote:
>>
>> > So - imo it's not too hard to understand what's going on.
>> > First - John isn't insane.
>> > Second - read again the first statement.
>> >
>> > I think you have to re-read his post and try to understand the underlying
>> > context.
>> > Try - and try again!
>> >
>>
>>
>> if the screed rings not of truth and substance,
>> your mind may be clouded by bias, or
>> you're asleep at the wheel of life...

From europus at gmail.com Tue Dec 11 16:38:04 2012
From: europus at gmail.com (Ulex Europae)
Date: Tue, 11 Dec 2012 19:38:04 -0500
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
In-Reply-To:
References: <20121211081635.GS9750@leitl.org>
Message-ID: <50c7d1e7.a349420a.08bb.ffff8d7c@mx.google.com>

At 04:38 PM 12/11/2012, Karel Bílek wrote:
>hm, we talked about this extension today
>
>how much is it REALLY safe to use webmail (particularly gmail) with this?
>
>the thing is... GMail is saving your mail while you type and this
>extension is not stopping it in any way. so, google has the data about
>your mails - and more importantly, if you are tracked by
>fbi/whatever, they can start actively tracking your keypresses by
>javascript.
>
>to add the salt to the injury, this extension works with chrome
>(closed source) only and has problems installing on chromium.

That's kinda what I thought. Even if you install it as a plugin, it's still running on a foreign (their) server that can do other things in the background - undetectably by the user who wrongly presumes her email to be one-of and encrypted after sending.

So snake oil, IOW.
>k
>
>On 12/11/12, Karel Bílek wrote:
> > OK, I just REALLY want to thank you right now.
> >
> > We will have a small talk when we will want to demonstrate how to
> > easily use mail encryption with popular clients
> >
> > we found out that none of us lecturers even use thunderbird, let alone
> > knows how to set up the encryption. all of us use webmails. we
> > suppose our audience does, too.
> >
> > for this, mailvelope is AWESOME. It "just works".
> >
> > it has one big downside though.... it doesn't support UTF8 in either
> > name of key owner OR in the message itself (it totally mangles all
> > UTF8 input). if you speak with a language that has diacritics (we
> > speak Czech), it sucks a bit.
> >
> > small downside - it doesn't encrypt attachment and doesn't (AFAIK)
> > sign the messages.
> >
> > but if they catch all these issues, it will be great
> >
> > On Tue, Dec 11, 2012 at 9:16 AM, Eugen Leitl wrote:
> >> ----- Forwarded message from StealthMonger
> >> -----
> >>
> >> From: StealthMonger
> >> Date: Mon, 10 Dec 2012 22:07:23 +0000 (GMT)
> >> To: liberationtech
> >> Subject: Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
> >> Reply-To: liberationtech
> >>
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> "Fabio Pietrosanti (naif)" writes:
> >>
> >>> for those who have still not seen that project, I wanted to send a notice
> >>> about MailVelope, OpenPGP encryption for webmail:
> >>> http://www.mailvelope.com
> >>
> >>> It's a client-side, plug-in based (similar to CryptoCat), OpenPGP email
> >>> encryption plugin available for Chrome and Firefox.
> >>
> >> To compare it with CryptoCat is unfair to MailVelope. As I understand
> >> things, CryptoCat has an ongoing reliance on server integrity. On the
> >> other hand, MailVelope is self-contained once securely installed, thus
> >> providing true peer-to-peer confidentiality and authentication
> >> (assuming that the correspondents have confirmed keys out-of-band).
> >>
> >> Please correct this if in error.
> >>
> >>
> >> - --
> >>
> >>
> >> -- StealthMonger
> >> Long, random latency is part of the price of Internet anonymity.
> >>
> >> anonget: Is this anonymous browsing, or what?
> >> http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain
> >>
> >> stealthmail: Hide whether you're doing email, or when, or with whom.
> >> mailto:stealthsuite at nym.mixmin.net?subject=send%20index.html
> >>
> >>
> >> Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key
> >>
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.4.10 (GNU/Linux)
> >> Comment: Processed by Mailcrypt 3.5.9
> >>
> >> iEYEARECAAYFAlDGTA0ACgkQDkU5rhlDCl4oUgCdGJJIXDNS5c3yIeuKIMzbzHo+
> >> F2gAoLzRcHoro25IaTbezc1fk8imYvyT
> >> =PD9O
> >> -----END PGP SIGNATURE-----
> >>
> >> --
> >> Unsubscribe, change to digest, or change password at:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >>
> >> ----- End forwarded message -----
> >> --
> >> Eugen* Leitl leitl http://leitl.org
> >> ______________________________________________________________
> >> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> >> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From kb at karelbilek.com Tue Dec 11 13:38:48 2012
From: kb at karelbilek.com (Karel Bílek)
Date: Tue, 11 Dec 2012 22:38:48 +0100
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
In-Reply-To:
References: <20121211081635.GS9750@leitl.org>
Message-ID:

hm, we talked about this extension today

how much is it REALLY safe to use webmail (particularly gmail) with this?

the thing is... GMail is saving your mail while you type and this extension is not stopping it in any way. so, google has the data about your mails - and more importantly, if you are tracked by fbi/whatever, they can start actively tracking your keypresses by javascript.
to add the salt to the injury, this extension works with chrome (closed source) only and has problems installing on chromium.

k

On 12/11/12, Karel Bílek wrote:
> OK, I just REALLY want to thank you right now.
>
> We will have a small talk when we will want to demonstrate how to
> easily use mail encryption with popular clients
>
> we found out that none of us lecturers even use thunderbird, let alone
> knows how to set up the encryption. all of us use webmails. we
> suppose our audience does, too.
>
> for this, mailvelope is AWESOME. It "just works".
>
> it has one big downside though.... it doesn't support UTF8 in either
> name of key owner OR in the message itself (it totally mangles all
> UTF8 input). if you speak with a language that has diacritics (we
> speak Czech), it sucks a bit.
>
> small downside - it doesn't encrypt attachment and doesn't (AFAIK)
> sign the messages.
>
> but if they catch all these issues, it will be great
>
> On Tue, Dec 11, 2012 at 9:16 AM, Eugen Leitl wrote:
>> ----- Forwarded message from StealthMonger
>> -----
>>
>> From: StealthMonger
>> Date: Mon, 10 Dec 2012 22:07:23 +0000 (GMT)
>> To: liberationtech
>> Subject: Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
>> Reply-To: liberationtech
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> "Fabio Pietrosanti (naif)" writes:
>>
>>> for those who have still not seen that project, I wanted to send a notice
>>> about MailVelope, OpenPGP encryption for webmail:
>>> http://www.mailvelope.com
>>
>>> It's a client-side, plug-in based (similar to CryptoCat), OpenPGP email
>>> encryption plugin available for Chrome and Firefox.
>>
>> To compare it with CryptoCat is unfair to MailVelope. As I understand
>> things, CryptoCat has an ongoing reliance on server integrity.
>> On the
>> other hand, MailVelope is self-contained once securely installed, thus
>> providing true peer-to-peer confidentiality and authentication
>> (assuming that the correspondents have confirmed keys out-of-band).
>>
>> Please correct this if in error.
>>
>>
>> - --
>>
>>
>> -- StealthMonger
>> Long, random latency is part of the price of Internet anonymity.
>>
>> anonget: Is this anonymous browsing, or what?
>> http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain
>>
>> stealthmail: Hide whether you're doing email, or when, or with whom.
>> mailto:stealthsuite at nym.mixmin.net?subject=send%20index.html
>>
>>
>> Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (GNU/Linux)
>> Comment: Processed by Mailcrypt 3.5.9
>>
>> iEYEARECAAYFAlDGTA0ACgkQDkU5rhlDCl4oUgCdGJJIXDNS5c3yIeuKIMzbzHo+
>> F2gAoLzRcHoro25IaTbezc1fk8imYvyT
>> =PD9O
>> -----END PGP SIGNATURE-----
>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>> ----- End forwarded message -----
>> --
>> Eugen* Leitl leitl http://leitl.org
>> ______________________________________________________________
>> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
>> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From kb at karelbilek.com Tue Dec 11 14:21:37 2012
From: kb at karelbilek.com (Karel Bílek)
Date: Tue, 11 Dec 2012 23:21:37 +0100
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
In-Reply-To:
References: <20121211081635.GS9750@leitl.org>
Message-ID:

hm, I just tried it

GMail really sends everything to their own servers, even with the extension installed.

Well, it sucks.
On Tue, Dec 11, 2012 at 10:38 PM, Karel Bílek wrote:
> hm, we talked about this extension today
>
> how much is it REALLY safe to use webmail (particularly gmail) with this?
>
> the thing is... GMail is saving your mail while you type and this
> extension is not stopping it in any way. so, google has the data about
> your mails - and more importantly, if you are tracked by
> fbi/whatever, they can start actively tracking your keypresses by
> javascript.
>
> to add the salt to the injury, this extension works with chrome
> (closed source) only and has problems installing on chromium.
>
> k
>
> On 12/11/12, Karel Bílek wrote:
>> OK, I just REALLY want to thank you right now.
>>
>> We will have a small talk when we will want to demonstrate how to
>> easily use mail encryption with popular clients
>>
>> we found out that none of us lecturers even use thunderbird, let alone
>> knows how to set up the encryption. all of us use webmails. we
>> suppose our audience does, too.
>>
>> for this, mailvelope is AWESOME. It "just works".
>>
>> it has one big downside though.... it doesn't support UTF8 in either
>> name of key owner OR in the message itself (it totally mangles all
>> UTF8 input). if you speak with a language that has diacritics (we
>> speak Czech), it sucks a bit.
>>
>> small downside - it doesn't encrypt attachment and doesn't (AFAIK)
>> sign the messages.
>>
>> but if they catch all these issues, it will be great
>>
>> On Tue, Dec 11, 2012 at 9:16 AM, Eugen Leitl wrote:
>>> ----- Forwarded message from StealthMonger
>>> -----
>>>
>>> From: StealthMonger
>>> Date: Mon, 10 Dec 2012 22:07:23 +0000 (GMT)
>>> To: liberationtech
>>> Subject: Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
>>> Reply-To: liberationtech
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> "Fabio Pietrosanti (naif)" writes:
>>>
>>>> for those who have still not seen that project, I wanted to send a notice
>>>> about MailVelope, OpenPGP encryption for webmail:
>>>> http://www.mailvelope.com
>>>
>>>> It's a client-side, plug-in based (similar to CryptoCat), OpenPGP email
>>>> encryption plugin available for Chrome and Firefox.
>>>
>>> To compare it with CryptoCat is unfair to MailVelope. As I understand
>>> things, CryptoCat has an ongoing reliance on server integrity. On the
>>> other hand, MailVelope is self-contained once securely installed, thus
>>> providing true peer-to-peer confidentiality and authentication
>>> (assuming that the correspondents have confirmed keys out-of-band).
>>>
>>> Please correct this if in error.
>>>
>>>
>>> - --
>>>
>>>
>>> -- StealthMonger
>>> Long, random latency is part of the price of Internet anonymity.
>>>
>>> anonget: Is this anonymous browsing, or what?
>>>
>>> http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain
>>>
>>> stealthmail: Hide whether you're doing email, or when, or with whom.
>>> mailto:stealthsuite at nym.mixmin.net?subject=send%20index.html
>>>
>>>
>>> Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.10 (GNU/Linux)
>>> Comment: Processed by Mailcrypt 3.5.9
>>>
>>> iEYEARECAAYFAlDGTA0ACgkQDkU5rhlDCl4oUgCdGJJIXDNS5c3yIeuKIMzbzHo+
>>> F2gAoLzRcHoro25IaTbezc1fk8imYvyT
>>> =PD9O
>>> -----END PGP SIGNATURE-----
>>>
>>> --
>>> Unsubscribe, change to digest, or change password at:
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>> ----- End forwarded message -----
>>> --
>>> Eugen* Leitl leitl http://leitl.org
>>> ______________________________________________________________
>>> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
>>> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From ali at packetknife.com Tue Dec 11 22:06:05 2012
From: ali at packetknife.com (Ali-Reza Anghaie)
Date: Wed, 12 Dec 2012 01:06:05 -0500
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
Message-ID:

You just jogged my memory w/ the clipboard bit.. http://safegmail.com/

Another project in the mix. -Ali

On Wed, Dec 12, 2012 at 12:38 AM, Uncle Zzzen wrote:
> The reason why FireGPG no longer ships with tails is that the DOM of a web
> app is not a safe place for plaintext
>
> https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/
> Any architecture where plaintext is stored inside a web app's DOM is
> dangerous. Especially a webmail app that can be expected to save drafts,
> but not only. Web apps can be MITMed, XSSed, etc. If it came via the web,
> it's a suspect.
>
> I'd expect a crypto add-on to only accept plaintext (and other sensitive)
> information via separate GUI that can only be launched manually (not via
> javascript in an app's DOM) and has a hard-to-imitate look-and-feel (to
> discourage phishing).
> The only communication between this add-on and the
> rest of the browser should be via the clipboard. Users who can't handle
> copy/paste shouldn't be trusted with a key pair :)
>
> From what I see at the http://www.mailvelope.com/ slide-show, it seems to
> provide even more shooting-yourself-in-the-leg firepower than FireGPG.
>
>
>
> On Wed, Dec 12, 2012 at 3:21 AM, Nadim Kobeissi wrote:
>
>> Cryptocat is a local browser plugin served over SSL, installed locally,
>> loads/executes no external code, and communicates only via SSL. It does not
>> rely on server integrity with regards to these parameters.
>>
>> Regarding Mailvelope - does its operation depend on the Gmail DOM? What
>> happens if the Gmail DOM is modified, can that be used to damage the
>> integrity of Mailvelope operations? There's a reason Cryptocat operates in
>> its own browser tab separate from other sites.
>>
>> NK
>>
>> On 2012-12-11, at 6:54 PM, Andy Isaacson wrote:
>>
>> > On Mon, Dec 10, 2012 at 10:07:23PM +0000, StealthMonger wrote:
>> >> "Fabio Pietrosanti (naif)" writes:
>> >>> for those who have still not seen that project, I wanted to send a notice
>> >>> about MailVelope, OpenPGP encryption for webmail: http://www.mailvelope.com
>> >>
>> >>> It's a client-side, plug-in based (similar to CryptoCat), OpenPGP email
>> >>> encryption plugin available for Chrome and Firefox.
>> >>
>> >> To compare it with CryptoCat is unfair to MailVelope. As I understand
>> >> things, CryptoCat has an ongoing reliance on server integrity. On the
>> >> other hand, MailVelope is self-contained once securely installed,
>> >
>> > I'm not sure why you claim that. It was true for Cryptocat v1 which was
>> > a browser app and could be compromised at any time with new JS from a
>> > compromised server. Cryptocat v2 is a downloadable + installable plugin
>> > which at least doesn't immediately execute code served to it.
>> >
>> > In both the JS and plugin versions, Cryptocat (with uncompromised code)
>> > does not depend on server integrity for message confidentiality.
>> >
>> > Now, both CryptoCat and MailVelope probably have an upgrade
>> > vulnerability where a compromised server can tell the app "there's a new
>> > version available, please ask the user to install it". And since the
>> > compromised server could refuse to provide service to the secure version
>> > of the app, there's a powerful functional reason for the user to accept
>> > the upgrade.
>> >
>> > Ah, perhaps you're referring to the fact that MailVelope layers on top
>> > of another server (Gmail) for its transport layer, rather than depending
>> > on a "MailVelope server" which could selectively deny service to the
>> > uncompromised version of the product. In that respect, MailVelope might
>> > be more secure-by-design than Cryptocat.
>> >
>> > -andy
>> > --
>> > Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From kb at karelbilek.com Tue Dec 11 17:01:47 2012
From: kb at karelbilek.com (Karel Bílek)
Date: Wed, 12 Dec 2012 02:01:47 +0100
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
In-Reply-To: <50c7d1e7.a349420a.08bb.ffff8d7c@mx.google.com>
References:
<20121211081635.GS9750@leitl.org> <50c7d1e7.a349420a.08bb.ffff8d7c@mx.google.com>
Message-ID:

I wrote to the author, he is planning some kind of editor which opens in its own frame and is "outside" of webmail as iframe. (see http://www.reddit.com/r/netsec/comments/13xhh9/finally_a_way_to_use_pgpgnupg_in_the_office/c78j3jk - it's the author)

If he did that, it would be great. Because really I stopped using classic mails in favor of browser/webmail a long time ago and this seems promising.

k

On Wed, Dec 12, 2012 at 1:38 AM, Ulex Europae wrote:
> At 04:38 PM 12/11/2012, Karel Bílek wrote:
>>
>> hm, we talked about this extension today
>>
>> how much is it REALLY safe to use webmail (particularly gmail) with this?
>>
>> the thing is... GMail is saving your mail while you type and this
>> extension is not stopping it in any way. so, google has the data about
>> your mails - and more importantly, if you are tracked by
>> fbi/whatever, they can start actively tracking your keypresses by
>> javascript.
>>
>> to add the salt to the injury, this extension works with chrome
>> (closed source) only and has problems installing on chromium.
>
>
> That's kinda what I thought. Even if you install it as a plugin, it's
> still running on a foreign (their) server that can do other things in
> the background - undetectably by the user who wrongly presumes her
> email to be one-of and encrypted after sending.
>
> So snake oil, IOW.
>
>
>
>
>> k
>>
>>
>> On 12/11/12, Karel Bílek wrote:
>> > OK, I just REALLY want to thank you right now.
>> >
>> > We will have a small talk when we will want to demonstrate how to
>> > easily use mail encryption with popular clients
>> >
>> > we found out that none of us lecturers even use thunderbird, let alone
>> > knows how to set up the encryption. all of us use webmails. we
>> > suppose our audience does, too.
>> >
>> > for this, mailvelope is AWESOME. It "just works".
>> >
>> > it has one big downside though....
>> > it doesn't support UTF8 in either
>> > name of key owner OR in the message itself (it totally mangles all
>> > UTF8 input). if you speak with a language that has diacritics (we
>> > speak Czech), it sucks a bit.
>> >
>> > small downside - it doesn't encrypt attachment and doesn't (AFAIK)
>> > sign the messages.
>> >
>> > but if they catch all these issues, it will be great
>> >
>> > On Tue, Dec 11, 2012 at 9:16 AM, Eugen Leitl wrote:
>> >> ----- Forwarded message from StealthMonger
>> >> -----
>> >>
>> >> From: StealthMonger
>> >> Date: Mon, 10 Dec 2012 22:07:23 +0000 (GMT)
>> >> To: liberationtech
>> >> Subject: Re: [liberationtech] Mailvelope: OpenPGP Encryption for
>> >> Webmail
>> >> Reply-To: liberationtech
>> >>
>> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> Hash: SHA1
>> >>
>> >> "Fabio Pietrosanti (naif)" writes:
>> >>
>> >>> for those who have still not seen that project, I wanted to send a
>> >>> notice
>> >>> about MailVelope, OpenPGP encryption for webmail:
>> >>> http://www.mailvelope.com
>> >>
>> >>> It's a client-side, plug-in based (similar to CryptoCat), OpenPGP
>> >>> email
>> >>> encryption plugin available for Chrome and Firefox.
>> >>
>> >> To compare it with CryptoCat is unfair to MailVelope. As I understand
>> >> things, CryptoCat has an ongoing reliance on server integrity. On the
>> >> other hand, MailVelope is self-contained once securely installed, thus
>> >> providing true peer-to-peer confidentiality and authentication
>> >> (assuming that the correspondents have confirmed keys out-of-band).
>> >>
>> >> Please correct this if in error.
>> >>
>> >>
>> >> - --
>> >>
>> >>
>> >> -- StealthMonger
>> >> Long, random latency is part of the price of Internet anonymity.
>> >>
>> >> anonget: Is this anonymous browsing, or what?
>> >>
>> >> http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain
>> >>
>> >> stealthmail: Hide whether you're doing email, or when, or with whom.
>> >> mailto:stealthsuite at nym.mixmin.net?subject=send%20index.html
>> >>
>> >>
>> >> Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key
>> >>
>> >> -----BEGIN PGP SIGNATURE-----
>> >> Version: GnuPG v1.4.10 (GNU/Linux)
>> >> Comment: Processed by Mailcrypt 3.5.9
>> >>
>> >> iEYEARECAAYFAlDGTA0ACgkQDkU5rhlDCl4oUgCdGJJIXDNS5c3yIeuKIMzbzHo+
>> >> F2gAoLzRcHoro25IaTbezc1fk8imYvyT
>> >> =PD9O
>> >> -----END PGP SIGNATURE-----
>> >>
>> >> --
>> >> Unsubscribe, change to digest, or change password at:
>> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> >>
>> >> ----- End forwarded message -----
>> >> --
>> >> Eugen* Leitl leitl http://leitl.org
>> >> ______________________________________________________________
>> >> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
>> >> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From eugen at leitl.org Tue Dec 11 23:51:24 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 12 Dec 2012 08:51:24 +0100
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
Message-ID: <20121212075124.GI9750@leitl.org>

----- Forwarded message from Ali-Reza Anghaie -----

From eugen at leitl.org Tue Dec 11 23:51:32 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 12 Dec 2012 08:51:32 +0100
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
Message-ID: <20121212075132.GJ9750@leitl.org>

----- Forwarded message from Uncle Zzzen -----

From unclezzzen at gmail.com Tue Dec 11 21:38:40 2012
From: unclezzzen at gmail.com (Uncle Zzzen)
Date: Wed, 12 Dec 2012 12:38:40 +0700
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
Message-ID:

The reason why FireGPG no longer ships with tails is that the DOM of a web app is not a safe place for plaintext
https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/
Any architecture where plaintext is stored inside a web app's DOM is dangerous.
Especially a webmail app that can be expected to save drafts, but not only. Web apps can be MITMed, XSSed, etc. If it came via the web, it's a suspect.

I'd expect a crypto add-on to only accept plaintext (and other sensitive) information via separate GUI that can only be launched manually (not via javascript in an app's DOM) and has a hard-to-imitate look-and-feel (to discourage phishing). The only communication between this add-on and the rest of the browser should be via the clipboard. Users who can't handle copy/paste shouldn't be trusted with a key pair :)

From what I see at the http://www.mailvelope.com/ slide-show, it seems to provide even more shooting-yourself-in-the-leg firepower than FireGPG.

On Wed, Dec 12, 2012 at 3:21 AM, Nadim Kobeissi wrote:
> Cryptocat is a local browser plugin served over SSL, installed locally,
> loads/executes no external code, and communicates only via SSL. It does not
> rely on server integrity with regards to these parameters.
>
> Regarding Mailvelope - does its operation depend on the Gmail DOM? What
> happens if the Gmail DOM is modified, can that be used to damage the
> integrity of Mailvelope operations? There's a reason Cryptocat operates in
> its own browser tab separate from other sites.
>
> NK
>
> On 2012-12-11, at 6:54 PM, Andy Isaacson wrote:
>
> > On Mon, Dec 10, 2012 at 10:07:23PM +0000, StealthMonger wrote:
> >> "Fabio Pietrosanti (naif)" writes:
> >>> for those who have still not seen that project, I wanted to send a notice
> >>> about MailVelope, OpenPGP encryption for webmail: http://www.mailvelope.com
> >>
> >>> It's a client-side, plug-in based (similar to CryptoCat), OpenPGP email
> >>> encryption plugin available for Chrome and Firefox.
> >>
> >> To compare it with CryptoCat is unfair to MailVelope. As I understand
> >> things, CryptoCat has an ongoing reliance on server integrity. On the
> >> other hand, MailVelope is self-contained once securely installed,
> >
> > I'm not sure why you claim that.
> > It was true for Cryptocat v1 which was
> > a browser app and could be compromised at any time with new JS from a
> > compromised server. Cryptocat v2 is a downloadable + installable plugin
> > which at least doesn't immediately execute code served to it.
> >
> > In both the JS and plugin versions, Cryptocat (with uncompromised code)
> > does not depend on server integrity for message confidentiality.
> >
> > Now, both CryptoCat and MailVelope probably have an upgrade
> > vulnerability where a compromised server can tell the app "there's a new
> > version available, please ask the user to install it". And since the
> > compromised server could refuse to provide service to the secure version
> > of the app, there's a powerful functional reason for the user to accept
> > the upgrade.
> >
> > Ah, perhaps you're referring to the fact that MailVelope layers on top
> > of another server (Gmail) for its transport layer, rather than depending
> > on a "MailVelope server" which could selectively deny service to the
> > uncompromised version of the product. In that respect, MailVelope might
> > be more secure-by-design than Cryptocat.
> >
> > -andy
> > --
> > Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From kb at karelbilek.com Wed Dec 12 05:31:39 2012
From: kb at karelbilek.com (Karel Bílek)
Date: Wed, 12 Dec 2012 14:31:39 +0100
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
In-Reply-To: <20121212075132.GJ9750@leitl.org>
References: <20121212075132.GJ9750@leitl.org>
Message-ID:

Please write your input here
https://github.com/toberndo/mailvelope/issues/14#issuecomment-11279951

github discussion about this issue

I am really interested if it's solvable in an easy way

On Wed, Dec 12, 2012 at 8:51 AM, Eugen Leitl wrote:
> ----- Forwarded message from Uncle Zzzen -----
>
> From: Uncle Zzzen
> Date: Wed, 12 Dec 2012 12:38:40 +0700
> To: liberationtech
> Subject: Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
> Reply-To: liberationtech
>
> The reason why FireGPG no longer ships with tails is that the DOM of a web
> app is not a safe place for plaintext
> https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/
> Any architecture where plaintext is stored inside a web app's DOM is
> dangerous. Especially a webmail app that can be expected to save drafts,
> but not only. Web apps can be MITMed, XSSed, etc. If it came via the web,
> it's a suspect.
>
> I'd expect a crypto add-on to only accept plaintext (and other sensitive)
> information via separate GUI that can only be launched manually (not via
> javascript in an app's DOM) and has a hard-to-imitate look-and-feel (to
> discourage phishing). The only communication between this add-on and the
> rest of the browser should be via the clipboard. Users who can't handle
> copy/paste shouldn't be trusted with a key pair :)
>
> From what I see at the http://www.mailvelope.com/ slide-show, it seems to
> provide even more shooting-yourself-in-the-leg firepower than FireGPG.
>
>
> On Wed, Dec 12, 2012 at 3:21 AM, Nadim Kobeissi wrote:
>
>> Cryptocat is a local browser plugin served over SSL, installed locally,
>> loads/executes no external code, and communicates only via SSL. It does not
>> rely on server integrity with regards to these parameters.
>>
>> Regarding Mailvelope - does its operation depend on the Gmail DOM? What
>> happens if the Gmail DOM is modified, can that be used to damage the
>> integrity of Mailvelope operations? There's a reason Cryptocat operates in
>> its own browser tab separate from other sites.
>>
>> NK
>>
>> On 2012-12-11, at 6:54 PM, Andy Isaacson wrote:
>>
>> > On Mon, Dec 10, 2012 at 10:07:23PM +0000, StealthMonger wrote:
>> >> "Fabio Pietrosanti (naif)" writes:
>> >>> for those who have still not seen that project, I wanted to send a notice
>> >>> about MailVelope, OpenPGP encryption for webmail: http://www.mailvelope.com
>> >>
>> >>> It's a client-side, plug-in based (similar to CryptoCat), OpenPGP email
>> >>> encryption plugin available for Chrome and Firefox.
>> >>
>> >> To compare it with CryptoCat is unfair to MailVelope. As I understand
>> >> things, CryptoCat has an ongoing reliance on server integrity. On the
>> >> other hand, MailVelope is self-contained once securely installed,
>> >
>> > I'm not sure why you claim that.
>> > It was true for Cryptocat v1 which was
>> > a browser app and could be compromised at any time with new JS from a
>> > compromised server. Cryptocat v2 is a downloadable + installable plugin
>> > which at least doesn't immediately execute code served to it.
>> >
>> > In both the JS and plugin versions, Cryptocat (with uncompromised code)
>> > does not depend on server integrity for message confidentiality.
>> >
>> > Now, both CryptoCat and MailVelope probably have an upgrade
>> > vulnerability where a compromised server can tell the app "there's a new
>> > version available, please ask the user to install it". And since the
>> > compromised server could refuse to provide service to the secure version
>> > of the app, there's a powerful functional reason for the user to accept
>> > the upgrade.
>> >
>> > Ah, perhaps you're referring to the fact that MailVelope layers on top
>> > of another server (Gmail) for its transport layer, rather than depending
>> > on a "MailVelope server" which could selectively deny service to the
>> > uncompromised version of the product. In that respect, MailVelope might
>> > be more secure-by-design than Cryptocat.
>> >
>> > -andy
>>
>
> ----- End forwarded message -----

From StealthMonger at nym.mixmin.net Wed Dec 12 15:22:28 2012
From: StealthMonger at nym.mixmin.net (StealthMonger)
Date: Wed, 12 Dec 2012 23:22:28 +0000 (GMT)
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Uncle Zzzen writes:

> [Weighty argument compelling closer study.]

So unless and until the Mailvelope author(s) remedy this, support for
Mailvelope has to be muted.

However, comparison with Cryptocat is still unfitting because Cryptocat
does not even pretend to do store-and-forward authenticated email using
public key cryptography. In fact, its author asserts [1]

   2. Cryptocat does not mean to compete with GPG, it means to replace
   *plaintext.*

[1] Date: Mon, 6 Aug 2012 18:14:33 -0700
    Message-ID:

- --
-- StealthMonger
Long, random latency is part of the price of Internet anonymity.

anonget: Is this anonymous browsing, or what?
http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain

stealthmail: Hide whether you're doing email, or when, or with whom.
mailto:stealthsuite at nym.mixmin.net?subject=send%20index.html

Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.9

iEYEARECAAYFAlDI34wACgkQDkU5rhlDCl7RugCggOoq0oclCcZ/F2LPjUs3BIb5
AcUAnjeOtCVCLKzyqETqPvU1kFsgPnRk
=d7cd
-----END PGP SIGNATURE-----

----- End forwarded message -----

From flyingkiwiguy at gmail.com Wed Dec 12 16:56:12 2012
From: flyingkiwiguy at gmail.com (Gary Mulder)
Date: Thu, 13 Dec 2012 00:56:12 +0000
Subject: [ZS] Fwd: [London-Futurists] SCRAP U.K. "COMMUNICATIONS DATA BILL" PETITION
Message-ID:

---------- Forwarded message ----------
From: *Lisa Austen*
Date: Thursday, 13 December 2012
Subject: [London-Futurists] SCRAP U.K.
"COMMUNICATIONS DATA BILL" PETITION
To: london-futurists-list at meetup.com

Dear Friends,

The United Kingdom could soon become a "surveillance superpower" --- more so than it already is --- following today's publication of the draft Communications Data Bill by the U.K. government. This Bill waives every single privacy law ever enacted in the name of "cyber security". Allowing the "intelligence agencies" to spy on British citizens on British soil goes against every principle this country was founded on.

Internet firms will be required to give intelligence agency GCHQ access to communications on demand, in real time. The Home Office says the move is key to tackling crime and terrorism. They have no right to attack our privacy; if the legislation goes through, Britain will be no different from regimes it criticises such as China and Iran.

It would enable intelligence officers to identify who an individual or group is in contact with, how often and for how long. They would also be able to see which websites someone had visited.

The U.K. government says it will spend £1.8 billion ($2.8bn) once the bill passes through Parliament. Critics say it could cost as much as £2 billion ($3.1bn). It's a good job we're not in a double dip recession. Oh, wait..!!

If you don't agree with this Bill then please sign this petition and share your views on this subject; those who agree with the bill are also welcome to have a debate on this issue. Government should scrap plans immediately.

http://epetitions.direct.gov.uk/petitions/32400

Written by Lisa Austen 11.12.12

--
Please Note: If you hit "*REPLY*", your message will be sent to *everyone* on this mailing list ( London-Futurists-list at meetup.com )
This message was sent by Lisa Austen (la.1 at hotmail.co.uk ) from London Futurists .
--
-- Zero State mailing list: http://groups.google.com/group/DoctrineZero

----- End forwarded message -----

From kb at karelbilek.com Wed Dec 12 16:33:54 2012
From: kb at karelbilek.com (Karel Bílek)
Date: Thu, 13 Dec 2012 01:33:54 +0100
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
In-Reply-To:
References: <20121212075132.GJ9750@leitl.org>
Message-ID:

What I now implemented and put as a github pull request to the original project: the extension user can now use a chrome pop-up for writing the mail (not meaning pop-up as an annoying ad window, but as a chrome extension window that displays when you click on the extension icon). AFAIK, no javascript can display such an extension pop-up and also can't intercept anything.

I also added a big red warning, instructing to open the pop-up, that shows whenever the original encryption is triggered from inside the regular webmail DOM (it's still possible to use the extension in an "unsafe" way with the mail provider intercepting, but you have to ignore the warning).
Let's hope Thomas accepts those changes and adds them to the main extension :)

K

On Wed, Dec 12, 2012 at 2:31 PM, Karel Bílek wrote:
> Please write your input here
>
> https://github.com/toberndo/mailvelope/issues/14#issuecomment-11279951
>
> github discussion about this issue
>
> I am really interested if it's solvable in an easy way

From jacob at appelbaum.net Thu Dec 13 01:06:08 2012
From: jacob at appelbaum.net (Jacob Appelbaum)
Date: Thu, 13 Dec 2012 09:06:08 +0000
Subject: [liberationtech] New Satphone Safety Guide
Message-ID:

Collin Anderson:
> I thought I might resurrect this extremely dead thread with a note I found
> after a friend sent a copy of Alan Gross's lawsuit against USG and his
> former employer. It may be of interest to a number of people on the list --
> also I would like the author's title, "DCNO FOR INFORMATION DOMINANCE" (with
> caps).
>
> http://www.public.navy.mil/bupers-npc/reference/messages/Documents/NAVADMINS/NAV2012/NAV12347.txt
>
> 5. INMARSAT BGAN DISCREET SUBSCRIBER IDENTITY MODULE (SIM) CARDS ARE
> AN OPTION WHEN PURCHASING SERVICE FROM DISA.
> THESE DISCREET SIM
> CARDS PROVIDE INCREASED OPERATIONAL SECURITY PROTECTION. *THE ONE
> DRAWBACK IN PURCHASING A DISCRETE SIM CARD COMPARED TO A STANDARD SIM
> CARD IS THAT CALL COMPLETION WILL BE DENIED BY THE SERVICING INMARSAT
> WHEN OPERATING IN THE CHINA AND RUSSIA GEOGRAPHIC AREAS.* THE COST OF
> THE DISCRETE SIM CARD IS THE SAME AS A STANDARD SIM CARD. IF
> ALTERNATE COMMUNICATIONS ARE NOT AVAILABLE, USERS OF INMARSAT BGAN
> ARE ENCOURAGED TO CONSIDER THE ADDITION OF A STANDARD SIM CARD WHEN
> AN IMPORTANT OPERATIONAL CONNECTION IS NECESSARY.

I found this:
http://www.disa.mil/Services/SATCOM/~/media/Files/DISA/Services/SATCOM/SCO/MSS_Customer_Ordering_Guide.pdf

I guess in theory, with the ISDN module - you could have location "anonymity" limited to a given spot beam and then the CryptoPhone ISDN could be used for content confidentiality. That seems almost OK if you're able to point your transmitter directly at the bird.

I'm still game to acquire one - I guess that DISA (?) won't sell me one? Will they sell them to the general public?

While sorta unrelated - this seems worth mentioning:
http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA493741

All the best,
Jacob

>
> On Thu, Mar 22, 2012 at 5:00 AM, Jacob Appelbaum wrote:
>
>> On 03/21/2012 09:19 PM, Collin Anderson wrote:
>>> Would anyone in this conversation be so kind as to satisfy a tangential
>>> curiosity of mine. The case of Alan Gross in Cuba seems so wrapped up in an
>>> under-explained and over-hyped piece of equipment:
>>>
>>>> On his final trip, he brought in a "discreet" SIM card -- or subscriber
>>>> identity module card -- intended to keep satellite phone transmissions from
>>>> being pinpointed within 250 miles (400 kilometers), if they were detected
>>>> at all.
>>>
>>> http://www.businessweek.com/ap/financialnews/D9SSHGPG2.htm
>>>
>>> Beyond the obvious issues with that statement; does anyone know what they
>>> are referring to?
>>>
>>
>> Whoa - I had not caught that part of the story with Alan Gross... I
>> wonder how he got his hands on the SIM? I've tried to get them and it's
>> non-trivial. It requires either favors, a trade or basically a ton of
>> cash from the "right" group of people.
>>
>> My understanding is that there are some special SIM cards that have two
>> unique properties that matter for location privacy. The first property
>> is that the HLR database knows that the SIM is special and so it will
>> authorize a connection without a GPS location in the initial uplink. The
>> second is that the device (phone, modem, etc) firmware knows that this
>> SIM is special by checking some field on the SIM itself and so it won't
>> send the GPS coordinates but rather the spot beam. We can easily
>> discover what the field is with a SIMTrace[0] tap if we acquire one of
>> these SIMs.
>>
>> My understanding is that the firmware still fetches the GPS coordinates.
>> It then looks up the GPS location in a coverage table of all spot beams
>> for the planet and then the firmware returns the spot beam where the GPS
>> coordinates are located. The device then sends the spot beam into space,
>> etc.
>>
>> A few years ago I found some public data on this and I think the company
>> offering these SIMs in public is Deltawave[1] - I haven't however found
>> an obvious way to buy them on their website. This is also very specific
>> to BGAN and it is quite clearly network by network, firmware by
>> firmware specific information.
>>
>> In theory if we capture the setup with a discreet SIM with SIMTrace, we
>> can MITM a normal BGAN SIM and fake a discreet SIM response with just
>> a few dollars of hardware. The network might reject it, obviously. But
>> hey, if anyone has a discreet SIM sitting around, I'd be more than happy
>> to see if it works in a country where it is legal to not send the GPS
>> location of the device.
>>
>> Alternatively, one could pick a BGAN device and build a GPS MITM tool
>> for the actual hardware without any such special SIM...
>>
>> All the best,
>> Jacob
>>
>> [0] http://www.sysmocom.de/products/simtrace
>> [1] http://www.deltawavecomm.com/
>>
>
>

----- End forwarded message -----

From gfoster at entersection.org Thu Dec 13 09:01:40 2012
From: gfoster at entersection.org (Gregory Foster)
Date: Thu, 13 Dec 2012 11:01:40 -0600
Subject: [liberationtech] US National Counterterrorism Center database
Message-ID:

WSJ (Dec 12) - "U.S. Terrorism Agency to Tap a Vast Database of Citizens" by @JuliaAngwin:
[1]http://online.wsj.com/article_email/SB10001424127887324478304578171623040640006-lMyQjAxMTAyMDEwMzExNDMyWj.html?mod=wsj_valettop_email
[2]https://twitter.com/JuliaAngwin

Apparently NCTC now has the authority to aggregate databases of information on US citizens and keep it for five years. In the event of reasonable suspicion NCTC can keep the data forever. Even better, they can share aggregated information with foreign governments.

HT @csoghoian
[3]https://twitter.com/csoghoian/status/279264546487672832

...who also mentioned the ex-NCTC Director now works at Palantir.
[4]https://twitter.com/csoghoian/status/279089350719967232

gf

--
Gregory Foster || [5]gfoster at entersection.org
@gregoryfoster <> [6]http://entersection.com/

References

1. http://online.wsj.com/article_email/SB10001424127887324478304578171623040640006-lMyQjAxMTAyMDEwMzExNDMyWj.html?mod=wsj_valettop_email
2. https://twitter.com/JuliaAngwin
3. https://twitter.com/csoghoian/status/279264546487672832
4.
https://twitter.com/csoghoian/status/279089350719967232
5. mailto:gfoster at entersection.org
6. http://entersection.com/

----- End forwarded message -----

From eugen at leitl.org Thu Dec 13 02:52:43 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 13 Dec 2012 11:52:43 +0100
Subject: [liberationtech] New Satphone Safety Guide
Message-ID: <20121213105243.GC9750@leitl.org>

----- Forwarded message from Jacob Appelbaum -----

From frank at journalistsecurity.net Thu Dec 13 12:10:02 2012
From: frank at journalistsecurity.net (frank at journalistsecurity.net)
Date: Thu, 13 Dec 2012 13:10:02 -0700
Subject: [liberationtech] SpyPhone: Pentagon Spooks Want New Tools for Mobile "Exploitation"
Message-ID:

This piece is from Wired.
http://www.wired.com/dangerroom/2012/12/dia-devices/

SpyPhone: Pentagon Spooks Want New Tools for Mobile "Exploitation"
BY SPENCER ACKERMAN 12.13.12 2:56 PM

A U.S. soldier takes a picture with his cellphone, December 2010.
The Pentagon's spy corps is looking for better tools to collect and sift through data from mobile devices. Photo: U.S. Army

The Pentagon wants to upgrade its spy corps. And one of its first jobs will be finding out what's on your iPhone.

If the Defense Intelligence Agency (DIA) gets its way, it'll send an expanded cadre of spies around the world to scope out threats to the U.S. military. And it won't just be a larger spy team, it'll be a geekier one. The DIA wants "technical exploitation" tools that can efficiently access the data of people the military believes to be dangerous once their spies collect it.

That's according to a request for information the DIA sent to industry on Wednesday. The agency wants better gear for "triage and automation, advanced technical exploitation of digital media, advanced areas of mobile forensics, software reverse engineering, and hardware exploitation, reverse engineering, and mobile applications development & engineering." If DIA runs across digitized information, in other words, it wants to make rapid use of it.

One of the emphasized cases here is "captured/seized media." Think, for instance, of all the flash drives, hard drives and CDs that Navy SEALs seized during the raid that killed Osama bin Laden. Flynn wants to understand both the text they'd contain, through "automation support to enable rapid triage," and their subtexts or metadata, using "steganography" tools to decipher coded messages and "deep analysis of malicious code/executables." And that's on top of "deep hardware exploitation of complex media with storage capacity" and reverse-engineering tools "to discover firmware artifacts."

As data goes mobile, in people's pockets and backpacks, so goes the DIA's focus.
The agency wants "custom solutions that allo[w] exploitation of mobile devices" like cellphones and tablets "not commonly seen or devices not supported by commercial kits or tools."

All this is part of an overhaul the DIA is experiencing under the new leadership of Army Lt. Gen. Michael Flynn. Flynn spearheaded a similar push when he was the chief intelligence officer for the Joint Special Operations Command, pushing its operatives to focus as much on snatching a dead terrorist's hard drive as on killing him in the first place. At DIA, Flynn's part of the creation of an enlarged spy corps called the Defense Clandestine Service, which is supposed to work alongside the CIA to cultivate networks of snitches.

It's already meeting some resistance. Internally, the DIA is heavily bureaucratic: About half of its 17,500 employees aren't out in the dangerous parts of the world, they're based in and around Washington. Flynn's hired six private security contractors to train his employees in self-defense, rugged living and other necessities of an expeditionary lifestyle, an effort worth $20 million.

Just as substantially, Flynn's congressional overseers are dubious. The Senate version of next year's defense bill, approved last week, prohibits the Pentagon from hiring any additional spies until it can "demonstrate that it can improve the management of clandestine HUMINT," a term for human intelligence.

But the technical exploitation tools DIA wants don't have to wait for any such demonstration. The current Defense spy corps can use them just fine. And in keeping with Flynn's history of rapidly pushing information from the special operators who collect it to the analysts who make sense of it, the wish list seeks tools to integrate all this data "into local and national databases ... and made readily available to analysts from the tactical to national levels."

If all of this sounds broad, that may be the point.
The wide net DIA is casting pertains to "collection, transmission, prioritization, analysis, and dissemination of collected/captured materiel, and advanced technical exploitation tools application, configuration support, and training functions to units worldwide."

Even if the Pentagon can't yet hire more spies, it can make the ones it's already got much geekier.

----- End forwarded message -----

From eugen at leitl.org Thu Dec 13 04:24:15 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 13 Dec 2012 13:24:15 +0100
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
Message-ID: <20121213122415.GM9750@leitl.org>

----- Forwarded message from StealthMonger -----

From eugen at leitl.org Thu Dec 13 04:29:19 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 13 Dec 2012 13:29:19 +0100
Subject: [ZS] Fwd: [London-Futurists] SCRAP U.K. "COMMUNICATIONS DATA BILL" PETITION
Message-ID: <20121213122919.GO9750@leitl.org>

----- Forwarded message from Gary Mulder -----

From zooko at zooko.com Thu Dec 13 13:03:40 2012
From: zooko at zooko.com (Zooko Wilcox-O'Hearn)
Date: Thu, 13 Dec 2012 14:03:40 -0700
Subject: [tahoe-dev] Weekly Dev Chat notes, 2012-12-13
Message-ID:

Folks:

We decided not to do the hangout "on air" this time, as some people feel like they would be inhibited in their conversation if it were recorded and published like that. Maybe we could try an experiment in putting it "on air" at some point.
Regards,

Zooko

in attendance: Zooko (scribe), Marlowe, CodesInChaos, David-Sarah, Brian

On internationalization: marlowe is following up with runa to get instruction in how the workflow works for the Tor project and set up the same thing for the Tahoe-LAFS project; a man whose name I didn't catch will hopefully volunteer to translate it into Arabic. Brian will ask around Mozilla how they do it and Brian and Marlowe can compare notes. (Tor and Mozilla are two projects that do this sort of thing quite successfully.)

* Zooko wants to get #1679 closed. It is a critical issue for those that it strikes (which includes LeastAuthority.com customers), and there is a patch. We just need a unit test. Zooko started writing unit tests for NodeMaker during the call. Brian found some extant tests for NodeMaker, in test_client.py.

* marlowe is working on documentation improvements, hopefully to go into the 1.10 release.

* marlowe is starting a glossary. He'll maintain it on the wiki, but then we'll copy a snapshot of it into the source release. Marlowe figured out that you can put restructured-text into trac wiki with "{{{#!rst". Ideally, we maintain a restructured-text formatted glossary in the wiki, and then copy exactly the same restructured-text file into the docs/ directory before making a source release.

Wiki vs. revctrl? We've traditionally wanted to put docs in revision control to replicate them to users, make them linked to the version of the source code that they come with, and maintain a useful history of the docs. But we've also traditionally wanted to put docs on the wiki in order to make it easier for people to edit them. Maybe github will satisfy both goals! Brian pointed out that github is introducing an "edit right here on this page" feature so that it is even easier for people to contribute patches.

Brian showed up late, but we wanted to talk to him, so we had an extra long call.

* CoolNewHashFunction to be announced soon!
The pitch is that it is a modern, secure hash, comparably secure to SHA-3, but it is faster than MD5. On the best-suited platform, with parallelized computation and the wind at your back, it might be up to 10 times as fast as SHA-256!

Brian pointed out that this might not make any difference -- secure hashing is probably not the bottleneck in Tahoe-LAFS. Zooko laughingly countered that this is because our network protocol is so inefficient. Brian said we have some measurements of encryption and erasure coding (see "Recent Uploads and Downloads" in the WUI) but not of hashing because hashing gets interleaved with other operations so it isn't that easy to measure. Zooko said there was a cool Master's Thesis by Eirik Haver and Pel Ruud in which they attempted to measure the effect of the secure hash function on Tahoe-LAFS's performance:
https://tahoe-lafs.org/trac/tahoe-lafs/wiki/Bibliography#HashFunctions

Brian volunteers to be Release Manager for Tahoe-LAFS v1.10.0! Hooray! There was much rejoicing!

* There are a few other tickets that we *really* want to get in -- #1240, #1732, and #1767 -- either because they are already done and just need to be merged or because they threaten forward-compatibility issues if we don't fix them before the release.

Next week's Tahoe-LAFS Weekly Dev Chat will be about Tahoe-LAFS v1.10. Be there or be square!
_______________________________________________
tahoe-dev mailing list
tahoe-dev at tahoe-lafs.org
https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev

----- End forwarded message -----

From eugen at leitl.org Thu Dec 13 09:07:57 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 13 Dec 2012 18:07:57 +0100
Subject: [liberationtech] US National Counterterrorism Center database
Message-ID: <20121213170757.GH9750@leitl.org>

----- Forwarded message from Gregory Foster -----

From cadge01 at googlemail.com Thu Dec 13 11:27:35 2012
From: cadge01 at googlemail.com (Fraser Cadger)
Date: Thu, 13 Dec 2012 19:27:35 +0000
Subject: [serval-project-dev] Implementing a different routing protocol
Message-ID:

Jeremy,

Thanks again for your help. I appreciate that, as you said, it can be difficult trying to help people understand your own software. I decided to send my initial message because I had tried reading through the code several times, picking up bits and pieces, but being unsure about exactly how things fitted together. I genuinely found your previous comments very illuminating and useful, and when I compared your comments with the code a great deal of it made sense and I then started thinking about ways of implementing my own routing. In fact, I produced a short report for my supervisor based on this and detailing the steps I intended to take to implement our routing protocol on Serval. I was about to dive in with this when I realised that I did not really know how the update process worked and that this was a very important factor! So I looked at the code again and tried to work my way through, making notes; those notes were then used in my last post.
As you said in your comment it is better to work with people who are making independent progress, so that was why I tried to explain my understanding instead of jumping straight in with questions. Actually, I have been meaning to check back with the current version of the software in repository, as I noticed a few functions were in different locations and you mentioned that the self announce had been redesigned, so this is something I'll look at.

Ok, so I'll now try to explain what I intend to do with routing.

Our overall aim is to develop a protocol called Geographic QoS Predictive Routing (GQPR) which uses geographic/location/mobility information as well as other context to make QoS predictions for neighbours, these predictions are then used as the basis for forwarding decisions. GQPR is intended to act as the routing element in a framework called Geographic QoS Peer-to-peer Streaming (GQP2PS) which will run on WiFi devices (at the moment a testbed of six Android phones + my own Android tablet) and facilitate the streaming of both live (i.e. video call) and on-demand (i.e. recorded video) between the devices. The intended use case is for disaster recovery scenarios, for instance someone with basic medical/first aid training comes across an injured person but is not exactly sure what course of action to take, so they can initiate a video call with a doctor located at a base station (or anywhere else covered by the network) who is able to view the patient and perform a diagnosis and if necessary supervise the treatment. This is just one scenario, it could also be used for repairing infrastructure where an engineer supervises and guides the repair process. Indeed, the technology could be used for many purposes unrelated to disaster recovery, but we are focussing on this to give us a specific aim, although the ideas for the technology actually came before the idea for application.

What we have at present is the building blocks of GQPR which we have called GPR - Geographic Predictive Routing - GPR contains some of the main elements of what will become GQPR but not all of the functionality. At present GPR uses location predictions (provided by an Artificial Neural Network) as well as some other factors (congestion level, radio range, a metric we'd developed called neighbour range (this relates to the positions of a neighbour's neighbours), amongst others) to make forwarding decisions. I think explaining GPR would make the most sense if I first explained how basic geographic routing worked and then discussed our modifications to it. As the name implies, geographic routing makes forwarding decisions based on nodes' geographic locations instead of logical addresses. The most basic form of geographic routing is greedy geographic routing.

Greedy geographic routing works as follows:

- A packet is received, the node inspects the packet and records the location of the destination
- The node then calculates the physical distance between itself and the destination
- All of the node's neighbours are then compared against this distance
- The one with the shortest distance to the destination is selected as the next hop

Greedy geographic routing does not create end-to-end routes (which is why some people prefer the term forwarding, although the terms are used interchangeably in literature), instead nodes are forwarded on a per-hop basis using the greedy criterion. This does seem a bit similar to BATMAN, where packets are also forwarded on a per-hop basis, however the big difference is that in greedy geographic routing nodes only have knowledge about their directly connected neighbours (i.e. those within their radio range) and they do not know about destinations. So while BATMAN nodes know of the destination node's existence (but only know the next hop to reach it and not a full route), greedy geographic routing nodes know nothing about the destination (aside from its address and location) and simply make the forwarding decision based on which neighbour is closest to that destination. The idea being that by shortening the geographic distance at each hop we are finding the quickest way to reach a destination.

Obviously this does not always hold true in practice, and there is a problem known as the local maximum where nodes are forced to drop packets if they cannot find a neighbour closer to the destination than themselves (to prevent loops, the packet cannot travel physically backwards). However, greedy geographic routing is relatively lightweight, and highly localised as nodes are only required to know their directly connected neighbours and so are not affected by topology changes at the other side of the network (although this does mean nodes will sometimes forward packets to unreachable destinations). There have been quite a few modifications and variants to standard greedy geographic routing, some of which are more similar to conventional routing protocols by establishing end-to-end routes (but using geographic information to do so), while others focus on particular problems (QoS, energy consumption, security, etc.) I spent a large period of my first year surveying different geographic routing protocols and published this as a paper if you're interested in finding more about geographic routing (shameless plug for my own paper!!!); http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6238283&tag=1 .

Getting back to basic greedy routing, obviously nodes need a way of discovering their immediate neighbours as well as finding the locations of other nodes who they are not directly connected to. The first is achieved through the sending of beacon messages at set periods of time, beacons are just your bog standard hello-type messages except they contain the coordinates of the sending node. Neighbours are stored in a dedicated neighbour table along with their coordinates, this neighbour table is the only table nodes store. The second is more difficult, but typically involves the use of something called a location service which usually involves certain nodes being designated as location servers. Regular nodes periodically send location updates to these servers and when a node needs to send a packet to a destination it is not connected to it will query the relevant location server for that node's destination. Exactly how the location service works depends on the particular scheme being used.

So now to talk about GPR.

Structurally GPR is very similar to classical greedy geographic routing, it was originally implemented on top of the code developed by Karp and Kung for their protocol known as GPSR (Geographic Perimeter Stateless Routing). What we did was first implement a neural network algorithm which predicts the future location of a device based on two previous coordinates, and the times they were recorded at. Tests found that the location prediction algorithm was able to accurately predict the future locations of neighbouring devices with an error of less than 1m in most instances. At present the use of the location prediction algorithm is relatively simple, all we are doing is looking at our neighbours' two previous locations (and timestamps) and using these to determine what position the neighbour will be in when we send the packet. This allows us to use greedy geographic routing, but with the ability to cope with changes in location. In order to avoid sending packets to nodes that are too far away, we always check their predicted location against our transmission range to ensure they are within it. So in addition to using the location predictions we developed a modified congestion control algorithm which weighs the neighbour's congestion level against the distance between the neighbour and other factors such as the reliability of the node's information. The calculation is stored as a value t, and then we evaluate the neighbour's neighbour range (i.e. the physical range covered by its own neighbours), and if that neighbour is the best it becomes the candidate node and the other node's values for t are compared against it, and so on until we finish the loop and end up with the best neighbour (or none in which case we'll drop the packet).

Another factor is that because we are using location predictions we do not need node updates as frequently as geographic routing normally dictates. So while ordinary geographic routing protocols usually send these messages over 0.5s we send them every 13.6s which reduces the amount of control traffic. This is a number based on ns-2 experimentation and it is likely that in a real wireless network it will need to be more frequent, but we still expect it to be a lot less frequent than the conventional 0.5s.

It might not seem like a huge modification, but it performs a lot better than unmodified greedy geographic routing in simulations of video calling and streaming traffic, and compares well with AODV, DSR, and DSDV. If you look at the bullet points I typed above to describe greedy geographic routing, it is very similar except our means of calculating the best next hop is slightly different.

As I said earlier, I had thought about and discussed with my supervisor how we could go about implementing GPR in Serval. We both decided that it was best to implement basic greedy geographic routing first and then work from there. There is a possibility that the NN algorithm we used in simulations will be too resource-intensive for the phones we are using and will either need to be modified or replaced with a different approach (we have some backups), so our plan is to implement basic geographic routing first, conduct separate experiments of the NN algorithm on the phones, and if everything goes well combine them, build GPR, and then continue working on the phones and simulations to create GQPR.

In terms of implementing basic greedy geographic routing, I think making the forwarding decisions could be quite simple. When we are in overlay_stuff_packet(), instead of looking at the destination's next_hop field we would call a function which would loop through our list of neighbours and find the neighbour closest to the destination and select that as the next hop for the packet (or drop it if we can't find a suitable next hop). So that part seems quite simple.

However, what seems a bit more complicated is implementing the beaconing messages. I can see two ways of doing this; keep the current Serval system of self announcements, self announcement acks, and node announcements and simply add locations to these messages. The other would be to get rid of node announcements, and just use self announcement and self announcement acks to transmit location information between directly connected nodes. This actually brings me to a question I forgot to ask; if self announce messages are regularly sent why do we need to ack these? If we are sending our own acks and receiving acks from other neighbours do we need an explicit reply? I.e. if we just send self announce messages, but after a period of time we don't get any self announce messages from neighbour x, we remove them from our list of neighbours. Slight digression.

Both of the two approaches I described have their advantages; the first is ostensibly simpler as we don't need to stop anything being sent, while the second means that we are getting something closer to the 'traditional' beacon approach used in geographic routing as well as avoiding the transmission of node announcements and the recording of indirect nodes which we will just ignore. On the other hand, if we keep node announcements this could actually act as a 'surrogate' for the location service if we include their locations. So if for instance we have three nodes, a, b and c, with b being connected to a and c, a only being connected to b, and c only being connected to b. If b advertises c to a and a to c, then a is able to know the location of c (and vice versa) despite not being connected and without the need for a location service (obviously this is a trivial example as in this instance a can only reach c via b, so b is not really compared against anyone else).

I realise that Serval's implementation of BATMAN is intended to limit the number of nodes a particular device knows about to avoid bandwidth going out of control, but as we only have a testbed of six this shouldn't be a problem for our experiments. Although we would obviously need to rethink for future uses which involve larger networks. So I imagine this would really be a temporary way of avoiding a location service, and in the long run we would still try to implement an explicit location service (possibly based on Serval Maps which Paul pointed me in the direction of). However, I did discuss the idea of retaining some BATMAN elements in our implementation (where we have some knowledge of nodes we are not directly connected to), instead of going for a pure greedy geographic routing approach (where we only know about our one-hop neighbours) as we are by no means obliged to use a particular approach and our ultimate aim is performance. Therefore it is possible that this will lead to us developing a hybrid approach between GPR/GQPR and BATMAN.

However, I think for now the best approach might be for us to try both methods of messaging and see how they perform. I'm meeting my supervisor tomorrow, and I'm going to discuss this with him. I've read through your comments fully, so I think I should be able to start planning how I will modify Serval announcement/advertisement messages and then try to get something running next week. Unfortunately I am going back home for the Christmas holidays, and I will only have access to an Android tablet and a Windows laptop (which belongs to someone else!), so I'm not sure how much work I'll get done until January, but if I can get Android NDK up and running on the laptop I might be able to get some routing work done.

Hopefully, the explanation of my work makes sense (or enough sense), and as I indicated before I am happy to share any code I develop myself (I have spoken about this with Paul). So in addition to developing my routing protocol I intend to work on video calling, and Paul stated this was something the Serval team wanted to include, so if I get that working I am more than happy to put the code in the repo.

Regards,

Fraser

On 13 December 2012 07:12, Jeremy Lakeman wrote:
> > I'd much rather help someone who can demonstrate that they've tried to understand the problem on their own.
>
> I suppose I should clarify, just in case you take that sentence the wrong way. It's very encouraging that you are showing an interest in understanding our software for yourself. It can be very frustrating working with people who fail to demonstrate any independent progress.
>
> Feel free to shoot off an email with any difficult unanswered questions you have at the end of each day. With timezone differences it's likely we can answer them before you start in the morning.
> I don't mind taking half an hour here or there to solve a problem that might take you a couple of days to solve otherwise.
>
> Also note that our software has been undergoing quite rapid changes lately. Some of the research and understanding you have gained may already be obsolete.
>
> If you can let me know some more details about your previous routing experiments, I'll probably be able to refactor the interfaces to our existing routing layer to make it easier for you to make the changes you need. I'm intending to replace the routing layer eventually anyway, so this will certainly be a productive use of my time.

--
You received this message because you are subscribed to the Google Groups "Serval Project Developers" group.
To post to this group, send email to serval-project-developers at googlegroups.com.
To unsubscribe from this group, send email to serval-project-developers+unsubscribe at googlegroups.com.
For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en.
----- End forwarded message -----

From eugen at leitl.org Thu Dec 13 11:44:38 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 13 Dec 2012 20:44:38 +0100
Subject: [serval-project-dev] Implementing a different routing protocol
Message-ID: <20121213194438.GJ9750@leitl.org>

----- Forwarded message from Fraser Cadger -----

From eugen at leitl.org Thu Dec 13 12:12:29 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 13 Dec 2012 21:12:29 +0100
Subject: [liberationtech] SpyPhone: Pentagon Spooks Want New Tools for Mobile ‘Exploitation’
Message-ID: <20121213201229.GK9750@leitl.org>

----- Forwarded message from frank at journalistsecurity.net -----

From eugen at leitl.org Thu Dec 13 13:09:03 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 13 Dec 2012 22:09:03 +0100
Subject: [tahoe-dev] Weekly Dev Chat notes, 2012-12-13
Message-ID: <20121213210903.GM9750@leitl.org>

----- Forwarded message from Zooko Wilcox-O'Hearn -----

From eugen at leitl.org Thu Dec 13 22:03:58 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 14 Dec 2012 07:03:58 +0100 Subject: [serval-project-dev] Implementing a different routing protocol Message-ID: <20121214060358.GQ9750@leitl.org> ----- Forwarded message from Jeremy Lakeman ----- From jeremy at servalproject.org Thu Dec 13 13:42:46 2012 From: jeremy at servalproject.org (Jeremy Lakeman) Date: Fri, 14 Dec 2012 08:12:46 +1030 Subject: [serval-project-dev] Implementing a different routing protocol Message-ID: On Fri, Dec 14, 2012 at 5:57 AM, Fraser Cadger wrote: > Jeremy, > > Thanks again for your help. I appreciate that as you said, it can be > difficult trying to help people understand your own software. I decided to > send my initial message because I had tried reading through the code several > times, picking up bits and pieces, but being unsure about exactly how things > fitted together. I genuinely found your previous comments very illuminating > and useful, and when I compared your comments with the code a great deal of > it made sense and I then started thinking about ways of implementing my own > routing. In fact, I produced a short report for my supervisor based on this > and detailing the steps I intended to take to implement our routing protocol > on Serval. I was about to dive in with this when I realised that I did not > really know how the update process worked and that this was a very important > factor! So I looked at the code again and tried to work my way through, > making notes, those notes were then used in my last post. As you said in > your comment it is better to work with people who are making independent > progress, so that was why I tried to explain my understanding instead of > jumping straight in with questions. Actually, I have been meaning to check > back with the current version of the software in repository, as I noticed a > few functions were in different locations and you mentioned that the self > announce had been redesigned, so this is something I'll look at. 
> > Ok, so I'll now try to explain what I intend to do with routing. > > Our overall aim is to develop a protocol called Geographic QoS Predictive > Routing (GQPR) which uses geographic/location/mobility information as well > as other context to make QoS predictions for neighbours, these predictions > are then used as the basis for forwarding decisions. GQPR is intended to act > as the routing element in a framework called Geographic QoS Peer-to-peer > Streaming (GQP2PS) which will run on WiFi devices (at the moment a testbed > of six Android phones + my own Android tablet) and facilitate the streaming > of both live (i.e. video call) and on-demand (i.e. recorded video) between > the devices. The intended use case is for disaster recovery scenarios, for > instance someone with basic medical/first aid training comes across an > injured person but is not exactly sure what course of action to take, so > they can initiate a video call with a doctor located at base station (or > anywhere else covered by the network) who is able to view the patient and > perform a diagnosis and if necessary supervise the treatment. This is just > on scenario, it could also be used for repairing infrastructure where an > engineer supervises and guides the repair process. Indeed, the technology > could be used for many purposes unrelated to disaster recovery, but we are > focussing on this to give us a specific aim, although the ideas for the > technology actually came before the idea for application. > > What we have at present is the building blocks of GQPR which we have called > GPR - Geographic Predictive Routing - GPR contains some of the main elements > of what will become GQPR but not all of the functionality. 
At present GPR > uses location predictions (provided by an Artificial Neural Network) as well > as some other factors (congestion level, radio range, a metric we'd > developed called neighbour range (this relates to the positions of a > neighbour's neighbours), amongst others to make forwarding decisions. I > think explaining GPR would make the most sense if I first explained how > basic geographic routing worked and then discussed our modifications to it. > As the name implies, geographic routing makes forwarding decisions based on > node's geographic locations instead of logical addresses. The most basic > form of geographic routing is greedy geographic routing. > > Greedy geographic routing works as follows: > > A packet is received, the node inspects the packet and records the location > of the destination > The node then calculates the physical distance between itself and the > destination > All of the node's neighbours are then compared against this distance > The one with the shortest distance to the destination is selected as the > next hop > > Greedy geographic routing does not create end-to-end routes (which is why > some people prefer the term forwarding, although the terms are used > interchangeably in literature), instead nodes are forwarded on a per-hop > basis using the greedy criterion. This does seem a bit similar to BATMAN, > where packets are also forwarded on a per-hop basis, however the big > difference is that in greedy geographic routing nodes only have knowledge > about their directly connected neighbours (i.e. those within their radio > range) and they do not know about destinations. So while BATMAN nodes know > of the destination node's existence (but only know the next hop to reach it > and not a full route), greedy geographic routing nodes know nothing about > the destination (aside from its address and location) and simply make the > forwarding decision based on which neighbour is closest to that destination. 
> The idea being that by shortening the geographic distance at each hop we are > finding the quickest way to reach a destination. > > Obviously this does not always hold true in practice, and their is a problem > known as the local maximum where nodes are forced to drop packets if they > cannot find a neighbour closer to the destination than themselves (to > prevent loops, the packet cannot travel physically backwards). However, > greedy geographic routing is relatively lightweight, and highly localised as > nodes are only required to know their directly connected neighbours and so > are not affected by topology changes at the other side of the network > (although this does mean nodes will sometimes forward packets to unreachable > destinations). There have been quite a few modifications and variants to > standard greedy geographic routing, some of which are more similar to > conventional routing protocols by establishing end-to-end routes (but using > geographic information to do so), while others focus on particular problems > (QoS, energy consumption, security, etc.) I spent a large period of my first > year surveying different geographic routing protocols and published this as > a paper if you're interested in finding more about geographic routing > (shameless plug for my own paper!!!); > http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6238283&tag=1 . > > Getting back to basic greedy routing, obviously nodes need a way of > discovering their immediate neighbours as well as finding the locations of > other nodes who they are not directly connected to. The first is achieved > through the sending of beacon messages at set periods of time, beacons are > just your bog standard hello-type messages except they contain the > coordinates of the sending node. Neighbours are stored in a dedicated > neighbour table along with their coordinates, this neighbour table is the > only table nodes store. 
The second is more difficult, but typically involves > the use of something called a location service which usually involves > certain nodes being designated as location servers. Regular nodes > periodically send location updates to these servers and when a node needs to > send a packet to a destination it is not connected to it will query the > relevant location server for that node's destination. Exactly how the > location service works depends on the particular scheme being used. > > So now to talk about GPR. > > Structurally GPR is very similar to classical greedy geographic routing, it > was originally implemented on top of the code developed by Karp and Kung for > their protocol known as GPSR (Geographic Perimeter Stateless Routing). What > we did was first implement a neural network algorithm which predicts the > future location of a device based on two previous coordinates, and the times > they were recorded at. Tests found that the location prediction algorithm > was able to accurately predict the future locations of neighbouring devices > with an error of less than 1m in most instances. At present the use of the > location prediction algorithm is relatively simple, all we are doing is > looking at our neighbours two previous locations (and timestamps) and using > these to determine what position the neighbour will be in when we send the > packet. This allows us to use greedy geographic routing, but with the > ability to cope with changes in location. In order to avoid sending packets > to nodes that are too far away, we always check their predicted location > against our transmission range to ensure they are within it. So in addition > to using the location predictions we developed a modified congestion control > algorithm which weighs the neighbour's congestion level against the distance > between the neighbour and other factors such as the reliability of the > node's information. 
The calculation is stored as a value t, and then we > evaluate the neighbour's neighbour range (i.e. the physical range covered by > its own neighbours), and if that neighbour is the best it becomes the > candidate node and the other node's values for t are compare against it, and > so until we finish the loop and end up with the best neighbour (or none in > which case we'll drop the packet). > > Another factor is that because we are using location predictions we do not > need node updates as frequently as geographic routing normally dictates. So > while ordinary geographic routing protocols usually send these messages over > 0.5s we send them every 13.6s which reduces the amount of control traffic. > This is a number based on ns-2 experimentation and it is likely that in real > wireless network it will need to be more frequent, but we still expect it to > be a lot less frequent than the conventional 0.5s. The real world isn't a flat 2d plain with no obstructions. But with ACK's, NACK's and re-transmission it shouldn't matter too much if we try to send a payload to a node that's now out of range. It should be possible to detect broken network paths lazily with minimal impact to throughput and latency. Plus when the network is busy, every data packet can act as a beacon without wasting bandwidth. > It might not seem like a huge modification, but it performs a lot better > than unmodified greedy geographic routing in simulations of video calling > and streaming traffic, and compares well with AODV, DSR, and DSDV. If you > look at the bulletin points I typed above to describe greedy geographic > routing, it is very similar except our means of calculating the best next > hop is slightly different. > > As I said earlier, I had thought about and discussed with my supervisor how > we could go about implementing GPR in Serval. We both decided that it was > best to implement basic greedy geographic routing first and then work from > there. 
There is a possibility that the NN algorithm we used in simulations > will be too resource-intensive for the phones we are using and will either > need to be modified or replaced with a different approach (we have some > backups), so our plan is to implement basic geographic routing first, > conduct separate experiments of the NN algorithm on the phones, and if > everything goes well combine them, build GPR, and then continue working on > the phones and simulations to create GQPR. > > In terms of implementing basic greedy geographic routing, I think making the > forwarding decisions could be quite simple. When we are in > overlay_stuff_packet(), instead of looking at the destination's next_hop > field we would call a function which would loop through our list of > neighbours and find the neighbour closest to the destination and select that > as the next hop for the packet (or drop it if we can't find a suitable next > hop). So that part seems quite simple. How to you communicate the current geographical location of the destination? How does the node that creates the payload work this out? For that matter, how are we going to communicate the device's location to the servald daemon? What about devices that don't have a working location service? Or they don't currently have the available power to run one? But don't let that stop you from experimenting. > However, what seems a bit more complicated is implementing the beaconing > messages. I can see two ways of doing this; keep the current Serval system > of self announcements, self announcement acks, and node announcements and > simply add locations to these messages. The other would be to get rid of > node announcements, and just use self announcement and self announcement > acks to transmit location information between directly connected nodes. I would recommend you keep the existing messages and formats, and add new message types that are sent at the same time, in the same packet. 
Firstly, if the existing messages change, you don't need to maintain your forked version. Secondly, network nodes that aren't implementing your routing protocol will still be able to communicate in other ways. Which is an important point. I want to make it easy to use servald as a platform for future routing experiments such as this. We should aim to build a single generic payload format and internal memory format for tracking links to neighbours, while allowing the storage and communication of extra protocol specific link information. It may be useful to forward this protocol specific data even if we don't understand it. I think it's reasonable for the core of servald to build a map of all 2-hop neighbours, regardless of the routing approach being used. This should allow us to limit unnecessary repetition of messages that need to be flooded to all nodes, similar to olsr's MPR selection. > This > actually brings me to a question I forgot to ask; if self announce messages > are regularly sent why do we need to ack these? If we are sending our own > acks and receiving acks from other neighbours do we need an explicit reply? > I.e. if we just send self announce messages, but after a period of time we > don't get any self announce messages from neighour x, we remove them from > our list of neighbours. Slight digression. We can't assume all network links are symmetrical. At the physical layer, a high powered transmission can be heard by nodes in a large area, but that doesn't mean they can all transmit with enough power to send a packet in the other direction. Localised interference can also be a significant factor. The adhoc wifi standard has a number of flaws that can prevent packets being delivered. Just because you can hear a broadcast packet, doesn't mean you could receive a unicast one and vice versa. And since Android doesn't support adhoc mode specifically, it isn't tested at all by device manufacturers. 
And most android devices deliberately drop all broadcast traffic when they enter power saving modes, eg when the display powers off. The real world is a very messy place.

> Both of the two approaches I described have their advantages; the first is ostensibly simpler as we don't need to stop anything being sent, while the second means that we are getting something closer to the 'traditional' beacon approach used in geographic routing as well as avoiding the transmission of node announcements and the recording of indirect nodes which we will just ignore. On the other hand, if we keep node announcements this could actually act as a 'surrogate' for the location service if we include their locations. So if for instance we have three nodes; a, b, and with b being connected to a and c, a only being connected to b, and c only being connected to c. If b advertises c to a and a to c, then a is able to know the location of c (and vice versa) despite not being connected and without the need for a location service (obviously this is a trivial example as in this instance a can only reach c via b, so b is not really compared against anyone else).
>
> I realise that Serval's implementation of BATMAN is intended to limit the number of nodes a particular device knows about to avoid bandwidth going out of control, but as we only have a testbed of six this shouldn't be a problem for our experiments. Although we would obviously need to rethink for future uses which involve larger networks. So I imagine this would really be a temporary way of avoiding a location service, and in the long run we would still try to implement an explicit location service (possibly based on Serval Maps which Paul pointed me in the direction of).
> However, I did discuss the idea of retaining some BATMAN elements in our implementation (where we have some knowledge of nodes we are not directly connected to), instead of going for a pure greedy geographic routing approach (where we only know about our one-hop neighbours) as we are by no means obliged to use a particular approach and our ultimate aim is performance. Therefore it is possible that this will lead to us developing a hybrid approach between GPR/GQPR and BATMAN.
>
> However, I think for now the best approach might be for us to try both messages of messaging and see how they perform. I'm meeting my supervisor tomorrow, and I'm going to discuss this with him. I've read through your comments fully, so I think I should be able to start planning how I will modify Serval announcement/advertisement messages and then try to get something running next week. Unfortunately I am going back home for the Christmas holidays, and I will only have access to an Android tablet and a Windows laptop (which belongs to someone else!), so I'm not sure how much work I'll get done until January, but if I can get Android NDK up and running on the laptop I might be able to get some routing work done.
>
> Hopefully, the explanation of my work makes sense (or enough sense), and as I indicated before I am happy to share any code I develop myself (I have spoken about this with Paul). So in addition to developing my routing protocol I intend to work on video calling, and Paul stated this was something the Serval team wanted to include, so if I get that working I am more than happy to put the code in the repo.
>
> Regards,
>
> Fraser
>

-- 
You received this message because you are subscribed to the Google Groups "Serval Project Developers" group.
To post to this group, send email to serval-project-developers at googlegroups.com.
To unsubscribe from this group, send email to serval-project-developers+unsubscribe at googlegroups.com.
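The greedy forwarding decision and the beacon-driven neighbour table discussed in the Serval thread above, as an added example that is not Serval's code (servald's real overlay_stuff_packet(), announcement formats and next_hop field are not reproduced here). It assumes, as Jeremy's open question notes is unsolved, that the sender already knows the destination's coordinates; here they are looked up from a constructed table. The topology, positions and link directions are constructed. The example also carries the two caveats raised in the replies: a neighbour is eligible as next hop only if it has acked one of our own beacons within the timeout (so an asymmetric link that lets us hear a node is not enough to route through it), and entries whose beacons stop arriving are expired as Fraser proposed. A node with no neighbour closer to the destination than itself drops the packet, which is the local-minimum failure greedy geographic routing is known for.

```python
import math
from dataclasses import dataclass, field


def dist(a, b):
    """Euclidean distance between two (x, y) positions in metres."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


@dataclass
class Neighbour:
    pos: tuple          # position carried in the neighbour's most recent beacon
    last_heard: float   # when we last heard a beacon from it (forward path only)
    last_acked: float   # when it last acked one of OUR beacons (evidence the reverse path works)


@dataclass
class Node:
    nid: str
    pos: tuple
    neighbours: dict = field(default_factory=dict)

    def hear_beacon(self, nid, pos, now):
        """A self-announce carrying a location field arrived from nid."""
        n = self.neighbours.get(nid)
        if n is None:
            self.neighbours[nid] = Neighbour(pos, now, -math.inf)
        else:
            n.pos, n.last_heard = pos, now

    def hear_ack(self, nid, now):
        """nid acknowledged our own beacon, so it can hear us as well."""
        if nid in self.neighbours:
            self.neighbours[nid].last_acked = now

    def expire(self, now, timeout):
        """Drop neighbours we have not heard from within timeout; returns the dropped ids."""
        stale = [k for k, n in self.neighbours.items() if now - n.last_heard > timeout]
        for k in stale:
            del self.neighbours[k]
        return stale

    def next_hop(self, dest_pos, now, timeout):
        """Greedy choice: the neighbour closest to dest that is strictly closer than we are,
        considering only neighbours that acked us recently. None means a local minimum (drop)."""
        best, best_d = None, dist(self.pos, dest_pos)
        for nid, n in self.neighbours.items():
            if now - n.last_acked > timeout:   # we hear it, but it may not hear us: skip
                continue
            d = dist(n.pos, dest_pos)
            if d < best_d:
                best, best_d = nid, d
        return best


def beacon_round(nodes, links, now):
    """One beaconing cycle. links holds directed pairs (a, b) meaning b can hear a."""
    for a in nodes.values():
        for b in nodes.values():
            if (a.nid, b.nid) in links:
                b.hear_beacon(a.nid, a.pos, now)
    # An ack reaches a only if b heard a's beacon AND a can hear b's reply.
    for a in nodes.values():
        for b in nodes.values():
            if (a.nid, b.nid) in links and (b.nid, a.nid) in links:
                a.hear_ack(b.nid, now)


def greedy_route(nodes, links, src, dst, now=0.0, timeout=30.0):
    """Forward hop by hop from src to dst; returns the path, or None if a node drops the packet."""
    beacon_round(nodes, links, now)
    dest_pos = nodes[dst].pos   # assumption: the sender already knows the destination's location
    path, cur = [src], src
    while cur != dst:
        nh = nodes[cur].next_hop(dest_pos, now, timeout)
        if nh is None or nh in path:
            return None
        path.append(nh)
        cur = nh
    return path


def build_sample():
    """Constructed topology (not a real testbed): a-b-c in a line, f off to the side with no
    links, plus one asymmetric link: a can hear c's beacons but c cannot hear a."""
    positions = {"a": (0, 0), "b": (10, 0), "c": (20, 0), "f": (0, 20)}
    nodes = {nid: Node(nid, pos) for nid, pos in positions.items()}
    links = {("a", "b"), ("b", "a"), ("b", "c"), ("c", "b"), ("c", "a")}
    return nodes, links


if __name__ == "__main__":
    nodes, links = build_sample()
    print(greedy_route(nodes, links, "a", "c"))   # ['a', 'b', 'c']: a skips c because c never acked
    print(greedy_route(nodes, links, "a", "f"))   # None: no neighbour of a is closer to f than a
    print(nodes["a"].expire(100.0, 30.0))         # ['b', 'c']: both beacons are older than the timeout
```

Without the ack check, node a would pick c directly (distance 0 to the destination) on the strength of a beacon c can never hear a reply to, which is exactly the asymmetric-link trap described above.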
For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en.

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From =?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIXJhcmVmeWluZ2UxMUByb3Nzcm9z?=.=?koi8-r?B?ZW50aGFsLmNvbT4=?= at jfet.org Thu Dec 13 17:25:10 2012
From: =?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIXJhcmVmeWluZ2UxMUByb3Nzcm9z?=.=?koi8-r?B?ZW50aGFsLmNvbT4=?= at jfet.org (=?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIXJhcmVmeWluZ2UxMUByb3Nzcm9z?=.=?koi8-r?B?ZW50aGFsLmNvbT4=?= at jfet.org)
Date: Fri, 14 Dec 2012 08:25:10 +0700
Subject: =?koi8-r?B?8NLPxMHNICDV3sHT1M/LINDPxCDEz80gINcgy9LB08nXz80gzcXT1MUs?= =?koi8-r?B?IM/exc7YICDOxcTP0s/HzyEg68nF19PLz8Ug2y4=?=
Message-ID: <414234710.79950500297729@rossrosenthal.com>

Urgent and cheap: selling a plot of land for building a country house in a cottage settlement on the Kiev highway. Owner! Call now and I will give an additional 10% discount 8 903 193 0623

From mheyman at gmail.com Fri Dec 14 05:56:29 2012
From: mheyman at gmail.com (mheyman at gmail.com)
Date: Fri, 14 Dec 2012 08:56:29 -0500
Subject: [cryptography] London Hum Used to Timestamp Recordings
Message-ID: 

From "It appears that the Metropolitan Police in London have been recording the frequency of the mains supply for the past 7 years. With this, they claim to be able to pick up the hum from any digital recording and tell when the recording was made. From the article: 'Comparing the unique pattern of the frequencies on an audio recording with a database that has been logging these changes for 24 hours a day, 365 days a year provides a digital watermark: a date and time stamp on the recording.'"

I hope they kept that recording secret. Anybody can start recording now and then backdate things like recorded verbal agreements.
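The matching step the article describes (compare the hum's frequency pattern against a continuous mains log to recover a date and time), as an added example that is not code from the message, the article or the Metropolitan Police. Real ENF work extracts the hum track from audio with a band-pass filter and a frequency estimator; that stage is assumed here, and both the "log" and the "recording" are constructed stand-ins (a mean-reverting random walk around 50 Hz) rather than grid data. The matcher slides the recording's track over the log, scores each offset by mean squared error after mean-centring both windows (so a constant calibration bias in the recorder is harmless), and reports a timestamp only when the best match beats the runner-up by a clear margin; an unrelated recording falls through as "no match".

```python
import random

NOMINAL_HZ = 50.0


def make_reference(seconds, seed=1):
    """Constructed stand-in for a mains-frequency log: one reading per second, a mean-reverting
    random walk around 50 Hz (not real grid data)."""
    rng = random.Random(seed)
    f, out = NOMINAL_HZ, []
    for _ in range(seconds):
        f += 0.05 * (NOMINAL_HZ - f) + rng.gauss(0, 0.01)
        out.append(f)
    return out


def extract_hum(reference, start, length, bias=0.003, noise=0.002, seed=2):
    """Constructed stand-in for the hum frequency track measured from a recording that began
    `start` seconds into the log: the true values plus a recorder calibration bias and noise.
    (Assumed: the filtering/frequency-estimation stage that would produce this from audio.)"""
    rng = random.Random(seed)
    return [v + bias + rng.gauss(0, noise) for v in reference[start:start + length]]


def _centred(xs):
    m = sum(xs) / len(xs)
    return [x - m for x in xs]


def match_offset(reference, hum):
    """Slide the hum track over the reference log; return (best_offset, best_mse, runner_up_mse).
    Both windows are mean-centred so a constant frequency offset in the recorder does not matter."""
    n = len(hum)
    h = _centred(hum)
    scored = []
    for off in range(len(reference) - n + 1):
        r = _centred(reference[off:off + n])
        mse = sum((a - b) ** 2 for a, b in zip(r, h)) / n
        scored.append((mse, off))
    scored.sort()
    return scored[0][1], scored[0][0], scored[1][0]


def timestamp_recording(reference, hum, log_start_epoch, min_margin=5.0):
    """Return (epoch_seconds, margin) for the recording's start, or (None, margin) when the best
    match is not clearly better than the runner-up. margin = runner_up_mse / best_mse."""
    off, best, runner_up = match_offset(reference, hum)
    margin = runner_up / best if best > 0 else float("inf")
    if margin < min_margin:
        return None, margin
    return log_start_epoch + off, margin


if __name__ == "__main__":
    log = make_reference(3600)                       # one constructed hour of log
    log_start = 1_355_000_000                        # constructed epoch for the log's first sample
    recording = extract_hum(log, 900, 120)           # a 2-minute recording made 15 min in
    print(timestamp_recording(log, recording, log_start))      # (1355000900, margin well above 5)
    unrelated = extract_hum(make_reference(3600, seed=7), 900, 120, seed=3)
    print(timestamp_recording(log, unrelated, log_start))      # (None, margin near 1)
```

The margin is what makes this usable as evidence rather than a guess: adjacent offsets always score fairly well because the hum changes slowly, so a timestamp should only be reported when the best offset is much better than every alternative. It also frames the message's caveat: a match shows that the recording's hum is consistent with the log at that time, and if the log itself is available to whoever made the recording, consistency alone cannot prove when the recording was made.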
----
-Michael Heyman
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----

From nanog at afxr.net Fri Dec 14 07:47:03 2012
From: nanog at afxr.net (Randy)
Date: Fri, 14 Dec 2012 09:47:03 -0600
Subject: Gmail and SSL
Message-ID: 

I'm hoping to reach out to google's gmail engineers with this message,

Today I noticed that for the past 3 days, email messages from my personal website's pop3 were not being received into my gmail inbox. Naturally, I figured that my pop3 service was down, but after some checking, everything was working OK. I then checked gmail settings, and noticed some error. It explained that google is no longer accepting self signed ssl certificates. It claims that this change will "offer[s] a higher level of security to better protect your information". I don't believe that this change offers better security. In fact it is now unsecured - I am unable to use ssl with gmail, I have had to select the plain-text pop3 option. I don't have hundreds of dollars to get my ssl certificates signed, and to top it off, gmail never notified me of an error with fetching my mail. How many email accounts trying to grab mail are failing now? I bet thousands, as a self signed certificate is a valid way of encrypting the traffic. Please google, remove this requirement.
Source: http://support.google.com/mail/bin/answer.py?hl=en&answer=21291&ctx=gmail#strictSSL

----- End forwarded message -----

From starmicaela at abtc.com Thu Dec 13 21:20:31 2012
From: starmicaela at abtc.com (JennellJonell)
Date: Fri, 14 Dec 2012 11:20:31 +0600
Subject: Grow 4 Inches in 4 Weeks! hjxuk11
Message-ID: <201212132321.A8E725AD9B8CAB5EDB4A8@0ti48n23k>

Grow 4 Inches in 4 Weeks! DrMaxMan: 2012's Best Male Enhancement Product. Get Your FREE Trial Today! http://acarc.ru

From =?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIXBhbGw3MUByb3RoY28uY29tPg==?= at jfet.org Thu Dec 13 22:57:45 2012
From: =?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIXBhbGw3MUByb3RoY28uY29tPg==?= at jfet.org (=?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIXBhbGw3MUByb3RoY28uY29tPg==?= at jfet.org)
Date: Fri, 14 Dec 2012 12:27:45 +0530
Subject: =?koi8-r?B?8NLPxMHNICDV3sHT1M/LINDPxCDEz80gINcgy9LB08nXz80gzcXT1MUs?= =?koi8-r?B?IM/exc7YICDOxcTP0s/HzyEg68nF19PLz8Ug2y4=?=
Message-ID: <000d01cdd9c8$51ca2020$6400a8c0@pall71>

Urgent and cheap: selling a plot of land for building a country house in a cottage settlement on the Kiev highway. Owner!
Call now and I will give an additional 10% discount 8 903 193 0623

From eugen at leitl.org Fri Dec 14 06:29:24 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 14 Dec 2012 15:29:24 +0100
Subject: [cryptography] London Hum Used to Timestamp Recordings
Message-ID: <20121214142924.GB9750@leitl.org>

----- Forwarded message from "mheyman at gmail.com" -----

From eugen at leitl.org Fri Dec 14 07:51:22 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 14 Dec 2012 16:51:22 +0100
Subject: Gmail and SSL
Message-ID: <20121214155122.GE9750@leitl.org>

----- Forwarded message from Randy -----

From nick at foobar.org Fri Dec 14 12:32:02 2012
From: nick at foobar.org (Nick Hilliard)
Date: Fri, 14 Dec 2012 20:32:02 +0000
Subject: btw, the itu imploded
Message-ID: 

On 14/12/2012 19:51, Mike A wrote:
> Yep. _Gloriously_! The US walked out, followed by bunchty others.
>
>

The ITU didn't implode and that article gives a ridiculously misleading impression of what happened. The BBC gives a more balanced viewpoint:

http://www.bbc.co.uk/news/technology-20717774

There's some stuff up on some US news channels (ABC, etc), but some of the larger players (CNN, NY Times + others) haven't actually woken up to the extent of this tech/political landgrab, and have no recent articles on the outcome or the political importance of it.

What actually happened is that the ITU ignored their previous promises not to have a vote on the ITRs. When a vote was finally called because it was apparent that there was no general consensus on the articles, 77 countries voted in favour and 33 voted against, causing the treaty to start the process of becoming legally binding in those countries which voted in favour.
The current positions are here:

http://files.wcitleaks.org/public/S12-WCIT12-C-0066!!MSW-E.pdf
http://files.wcitleaks.org/public/S12-WCIT12-C-0067!!MSW-E.pdf

Many countries are formally sitting on the fence, including pretty much every country in Europe which didn't walk out - also enjoy the spat in declarations #4 (argentina) and #93 (UK).

Now that this landgrab has succeeded in large chunks of the world, the ITU's position has consolidated, although not nearly to the extent that had originally been envisaged in the draft ITRs. I don't foresee this debate dying any time soon.

Nick

----- End forwarded message -----

From =?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIXRvbnNscDg5NEByZ2Fwci5jb20+?= at jfet.org Fri Dec 14 05:45:54 2012
From: =?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIXRvbnNscDg5NEByZ2Fwci5jb20+?= at jfet.org (=?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIXRvbnNscDg5NEByZ2Fwci5jb20+?= at jfet.org)
Date: Fri, 14 Dec 2012 20:45:54 +0700
Subject: =?koi8-r?B?8NLPxMHNICDV3sHT1M/LINDPxCDEz80gINcgy9LB08nXz80gzcXT1MUs?= =?koi8-r?B?IM/exc7YICDOxcTP0s/HzyEg68nF19PLz8Ug2y4=?=
Message-ID: <5D8C5E869A1F4247BE34E5D61623391F@arie96e23d0aea>

Urgent and cheap: selling a plot of land for building a country house in a cottage settlement on the Kiev highway. Owner! Call now and I will give an additional 10% discount 8 903 193 0623

From eugen at leitl.org Fri Dec 14 12:58:02 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 14 Dec 2012 21:58:02 +0100
Subject: btw, the itu imploded
Message-ID: <20121214205802.GL9750@leitl.org>

----- Forwarded message from Nick Hilliard -----

From drewpage at kenrosa.com Fri Dec 14 23:10:18 2012
From: drewpage at kenrosa.com (Alissa Samella)
Date: Sat, 15 Dec 2012 02:10:18 -0500
Subject: Cialis 20mg $149.73 - 40 Tabs.
Generic Tadalafil 20mg $26.00 12 Tabs. Save 76% With The Generic! tocbr
Message-ID: <201212151208.6D02A34FDCD116F2EBE15A@6ib0gg0>

Buy Cialis Online Cialis 20mg $149.73 40 Tabs. Generic Tadalafil 20mg $26.00 12 Tabs. Save 76% With The Generic! http://drugstoremedicalsrx.ru

From patrice at xs4all.nl Fri Dec 14 23:23:58 2012
From: patrice at xs4all.nl (Patrice Riemens)
Date: Sat, 15 Dec 2012 08:23:58 +0100
Subject: Richard Waters: Counter-terrorism (tech)tools used to spot fraud at JPMorgan (FT)
Message-ID: 

Convergence, anyone?

Original to: http://www.ft.com/intl/cms/s/0/796b412a-4513-11e2-838f-00144feabdc0.html#axzz2F6RDsrKL

Counter-terrorism tools used to spot fraud
By Richard Waters in London (Dec 13, 2012)

JPMorgan Chase has turned to technology used for countering terrorism to spot fraud risk among its own employees and to tackle problems such as deciding how much to charge when selling property behind troubled mortgages.

The technology involves crunching vast amounts of data to identify hard-to-detect patterns in markets or individual behaviour that could reveal risks or openings to make money.

Other banks are also turning to "big data", the name given to using large bodies of information, to identify potential rogue traders who might land them with massive losses, according to experts in the field.

"They're trying to mine not just trading data, but also emails [and] phone calls," said David Wallace, an executive at SAS, a US data analysis company. "They're trying to find the needle in the haystack."

Guy Chiarello, JPMorgan's chief information officer, said the bank was mining massive bodies of data in "a couple of dozen projects" that promised to have a significant effect on its business, although he refused to give further details.

According to three people familiar with its activities, JPMorgan has used Palantir Technologies, a Silicon Valley company whose technology was honed while working for the US intelligence services, for part of its effort.
It first used the technology to spot fraudsters trying to hack into client accounts or ATMs, but has recently started to turn it on its own 250,000-strong staff.

In another aspect of its big data work, the bank is drawing on large amounts of highly diverse information about local economies where it has troubled real estate loans, two of these people said. The information is being used to set prices for property sold before a loan goes into default, in an attempt to reduce the social disruption caused by the troubled loans.

Other technology companies are also finding new purposes for number-crunching techniques used in intelligence to bring new data-intensive approaches to risk management, credit assessment and marketing activities.

Quantifind, a tech start-up that has worked with the CIA to identify aliases used by terrorists, was called in by JPMorgan to explain how its technology could be applied to its credit card business, said Ari Tuchman, chief executive.

Some of the same technologies revolutionising risk-management in banks, meanwhile, are being used to break down barriers in the financial services business and let start-ups compete head-on with large institutions.

Larry Summers, former US Treasury secretary, predicted that this would lead to a wave of new technology-based companies in the consumer lending and investment fields. "We've had a generation where financial innovation was found in large institutions for the benefit of large pools of capital," he told the FT. "I think the next generation of innovation will be more for consumers."

Mr Summers on Thursday joined the board of Lending Club, a Silicon Valley start-up that lets individuals invest directly in pools of consumer loans it generates over the internet. The company has been able to take a large slice out of the funding and operating costs of a traditional bank and offer better terms to borrowers and lenders, said Renaud LaPlanche, Lending Club's chief executive.
# distributed via <nettime>: no commercial use without permission
# <nettime> is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: http://mx.kein.org/mailman/listinfo/nettime-l
# archive: http://www.nettime.org contact: nettime at kein.org

----- End forwarded message -----

From pgut001 at cs.auckland.ac.nz Fri Dec 14 14:08:57 2012
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Sat, 15 Dec 2012 11:08:57 +1300
Subject: btw, the itu imploded
In-Reply-To: <20121214205802.GL9750@leitl.org>
Message-ID: 

Eugen Leitl quotes:

>> Yep. _Gloriously_! The US walked out, followed by bunchty others.
>>
>>
>
>The ITU didn't implode and that article gives a ridiculously misleading
>impression of what happened. The BBC gives a more balanced viewpoint:

This reminds me of a passage on journalism from the classic "How to be an Alien" (cut down somewhat for size):

--- The Fact ---

There was some trouble with the Burburuk tribe in the Pacific Island, Charamak. A party of ten English and two American soldiers, under the command of Capt. R. L. A. T. W. Tilbury, raided the island and took 217 revolutionary, native troublemakers prisoner and wrecked two large oil-dumps. The party remained ashore an hour-and-a-half and returned to their base camp without loss to themselves.

How to report this event? It depends on which newspaper you work for.

--- The Times ---

... It would be exceedingly perilous to overestimate the significance of the raid, but it can be fairly proclaimed that it would be even more dangerous to underestimate it. The success of the raid clearly proves that the native defences are not invulnerable; it would be fallacious and deceptive, however, to conclude that the defences are vulnerable.
The number of revolutionaries captured cannot be safely stated, but it seems likely that the number is well over 216 but well under 218.

--- Evening Standard (Londoner's Diary) ---

The most interesting feature of the Charamak raid is the fact that Reggie Tilbury is the fifth son of the Earl of Bayswater. He was an Oxford Blue, a first-class cricketer and quite good at polo. When I talked to his wife (Lady Clarisse, the daughter of Lord Elasson) at Claridges to-day, she wore a black suit and a tiny block hat with a yellow feather in it. She said: "Reggie was always very much interested in warfare." Later she remarked: "It was clever of him, wasn't it?"

If you are the London correspondent of the American paper

--- The Oklahoma Sun ---

simply cable this:

"Yanks Conquer Pacific Ocean"

Peter.

From =?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIXJvdGF0ZWRnMzNAcmVnaXN0ZXJi?=.=?koi8-r?B?ZWUuY29tPg==?= at jfet.org Fri Dec 14 20:40:35 2012
From: =?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIXJvdGF0ZWRnMzNAcmVnaXN0ZXJi?=.=?koi8-r?B?ZWUuY29tPg==?= at jfet.org (=?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIXJvdGF0ZWRnMzNAcmVnaXN0ZXJi?=.=?koi8-r?B?ZWUuY29tPg==?= at jfet.org)
Date: Sat, 15 Dec 2012 12:40:35 +0800
Subject: =?koi8-r?B?8NLPxMHNICDV3sHT1M/LINDPxCDEz80gINcgy9LB08nXz80gzcXT1MUs?= =?koi8-r?B?IM/exc7YICDOxcTP0s/HzyEg68nF19PLz8Ug2y4=?=
Message-ID: <000d01cdda7e$52ed24a0$6400a8c0@rotatedg33>

Urgent and cheap: selling a plot of land for building a country house in a cottage settlement on the Kiev highway. Owner! Call now and I will give an additional 10% discount 8 903 193 0623

From Freddie at eurobamboo.com Sat Dec 15 05:23:33 2012
From: Freddie at eurobamboo.com (Robbie Harper)
Date: Sat, 15 Dec 2012 14:23:33 +0100
Subject: Robbie Harper sent you a message
Message-ID: 

A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 363 bytes
Desc: not available
URL: 

From eugen at leitl.org Sat Dec 15 10:22:45 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 15 Dec 2012 19:22:45 +0100
Subject: Richard Waters: Counter-terrorism (tech)tools used to spot fraud at JPMorgan (FT)
Message-ID: <20121215182245.GV9750@leitl.org>

----- Forwarded message from Patrice Riemens -----

From pressrelease at wikileaks.org Sun Dec 16 07:10:00 2012
From: pressrelease at wikileaks.org (pressrelease at wikileaks.org)
Date: Sunday, December 16, 2012, 7:10 PM
Subject: WikiLeaks declares war on banking blockade
Message-ID: 

Dear Friend of WikiLeaks

Today sees the launch of the Freedom of the Press Foundation - a new initiative inspired by the fight against the two-year-long extra-judicial financial embargo imposed on WikiLeaks by U.S. financial giants including Visa, MasterCard, PayPal and the Bank of America.

The Freedom of the Press Foundation (https://pressfreedomfoundation.org/about), an initiative of Electronic Frontier Foundation (EFF) co-founder John Perry Barlow, former Pentagon Papers whistleblower Daniel Ellsberg, the actor John Cusack and others, will crowd-source fundraising and support for organizations or individuals under attack for publishing the truth. It aims to promote "aggressive, public-interest journalism focused on exposing mismanagement, corruption and law-breaking in government".

Over the last two years the blockade has stopped 95 per cent of contributions to WikiLeaks, running primary cash reserves down from more than a million dollars in 2010 to under a thousand dollars, as of December 2012. Only an aggressive attack against the blockade will permit WikiLeaks to continue publishing through 2013. The new initiative, combined with a recent victory in Germany, means contributions to WikiLeaks now have tax-deductible status throughout the United States and Europe.
Julian Assange, WikiLeaks' publisher, said: "We've fought this immoral blockade for two long years. We smashed it in the courts. We smashed it in the Treasury. We smashed it in France. We smashed it in Germany. And now, with strong and generous friends who still believe in First Amendment rights, we're going to smash it in the United States as well."

The Foundation's first 'bundle' will crowd-source funds for WikiLeaks, the National Security Archive, The UpTake and MuckRock News. Donors will be able to use a slider to set how much of their donation they wish each organization to receive and can donate to WikiLeaks using their credit cards. The Foundation holds 501(c) charitable status, so donations are tax-deductible in the U.S. Other courageous press organizations will be added as time goes by. It will not be possible to see by banking records what portion of a donor's contribution, if any, goes to WikiLeaks.

It is admitted by Visa, MasterCard and others that the blockade is entirely as a result of WikiLeaks' publications. In fact, the U.S. Treasury has cleared WikiLeaks and WikiLeaks has won against Visa in court, but the blockade continues.

John Perry Barlow (http://www.guardian.co.uk/technology/2012/apr/20/hacktivists-battle-internet?INTCMP=SRCH), a board member of the new Foundation, says the initiative aims to achieve more than just crowd-sourced fundraising: "We hope it makes a moral argument against these sorts of actions. But it could also be the basis of a legal challenge. We now have private organizations with the ability to stifle free expression. These companies have no bill of rights that applies to their action - they only have terms of service."

The WikiLeaks banking blockade showed how devastating such extra-judicial measures can be for not-for-profit investigative journalism and free press organizations. Initiatives such as the Freedom of the Press Foundation are vital to sustain a truly independent free press.
In heavily redacted European Commission documents recently released by WikiLeaks (http://wikileaks.org/European-Commission-enabling.html#pr), MasterCard Europe admitted that U.S. Senate Homeland Security Chairman Joseph Lieberman and Congressman Peter T. King were both directly involved in instigating the blockade.

As journalist Glenn Greenwald (http://www.guardian.co.uk/commentisfree/2012/nov/23/anonymous-trial-wikileaks-internet-freedom) - also on the FPF board - recently wrote: "What possible political value can the internet serve, or journalism generally, if the U.S. government, outside the confines of law, is empowered - as it did here - to cripple the operating abilities of any group which meaningfully challenges its policies and exposes its wrongdoing?... That the U.S. government largely succeeded in using extra-legal and extra-judicial means to cripple an adverse journalistic outlet is a truly consequential episode: nobody, regardless of one's views on WikiLeaks, should want any government to have that power."

But what of the chance these U.S. companies will blockade the FPF like they did WikiLeaks? "Let Visa, Mastercard, PayPal and all the rest block the independent Freedom of the Press Foundation. Let them demonstrate to the world once again who they really are," said Mr Assange.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBAgAGBQJQzmYUAAoJEB722LdozgKa5LcP/AuFOPyGXpGYGsSRosS1uAzM
cnQk2bFkA+Vr49BVjDIIzCw0i4JQROHBgFzIEWAu5Vs/XxXEGvmhtRCj1zVDL5Fr
q/2t3mNgYNq6bYIJ5NikzZNxxhaZvgkWpb47rdis+Ghfdpzwa9jhhh7utzc8fZkX
Nrd9MLMM04IyE1ikysOyBBflMYGvUmPGFdPzs7Be3yTbq2gteNTdzDlmuRmm514t
BrgSf79uyWR2YL4AMDw1jAig2lfXIRzNUckaf5XozcTFSrhmG80jDByLhwMBFzNN
jbWe3svzHzVsys1tGtin/C7mUQnjABel8pe+fkIc4AwIKHnYM2IXA2iIFxAL58qn
NR6B/x37IxCRIaCVnbtalJlQmfvVN87vEXn0vsWmSkWkuTjla6jZ+EXErTee8P8A
TkrnVRwhNcIK292QuXECDC/eD7dMC7OY0j+N0GiDTh+gyboMZqJhO7dJyokEszED
swGQlw/GLqGsQGHxtRfUPHVlIRv+ON364Ugo72zx/yY9lVdZYaeaP+3h/jIGvuGb
hOp6A2WRUICYxEnrt5Elz5gmwe9IIB6KYbqjuierttrmHarj2CXts1NwGm6J8dJC
AYF6E9le7cxGwHiTsPjm4eZeMayDAQCE0YfJwvdvT8e4UgB3QzcswJlq9MX7SyYU
INuKrGu5xEpfgRvN1UQU
=/p+9
-----END PGP SIGNATURE-----

From burdges at gmail.com Sun Dec 16 07:19:08 2012
From: burdges at gmail.com (Jeffrey Burdges)
Date: Sun, 16 Dec 2012 10:19:08 -0500
Subject: [liberationtech] DIY Drones
Message-ID: 

It's perhaps worth forwarding this to liberationtech :

> Mavelous is an open-source web/HTML-based ground control station for amateur UAVs/DIY drones. It is the first open-source ground control station that lets you control your drone from your tablet or even your phone.
source https://github.com/wiseman/mavelous#readme
via http://www.metafilter.com/122685/Marvelous-Mavelous

See also http://diydrones.com

Best,
Jeff

-- 
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----

From gfoster at entersection.org Sun Dec 16 13:48:11 2012
From: gfoster at entersection.org (Gregory Foster)
Date: Sun, 16 Dec 2012 15:48:11 -0600
Subject: [liberationtech] Social Media Combatants
Message-ID: 

Australian Strategic Policy Institute blog "The Strategist" (Dec 13) - "Are social media users now legitimate targets?" by Chloe Diggins:
http://www.aspistrategist.org.au/are-social-media-users-now-legitimate-targets/

Diggins is a Research and Analysis Officer in the Australian Army's Directorate of Army Research and Analysis (DARA) Land Warfare Studies Centre (LWSC):
http://www.army.gov.au/our-future/DARA/LWSC

In the blog post, which is qualified as Diggins' personal opinion rather than the established policy of her institution, Diggins reflects on what is characterized as "Israel and Hamas' recent social media war":

> Whether social media is making an effective contribution or not remains to be seen. However, by creating and perpetuating a narrative that influences public opinion, social media is contributing to a defined military operation and has become integral to the information and communication space. As a legitimate part of the conflict, social media (and its users) becomes a valid military objective.
HT @MartinHume via @cencio4:
http://twitter.com/cencio4/status/280420701599571970

gf

-- 
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

-- 
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----

From zerothreedev at gmail.com Sun Dec 16 16:23:58 2012
From: zerothreedev at gmail.com (Threedev)
Date: Sun, 16 Dec 2012 19:23:58 -0500
Subject: Fwd: WikiLeaks declares war on banking blockade
In-Reply-To: <1355703764.58540.YahooMailClassic@web110810.mail.gq1.yahoo.com>
References: <1355703764.58540.YahooMailClassic@web110810.mail.gq1.yahoo.com>
Message-ID: <50CE661E.5020003@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 12/16/12, pressrelease at wikileaks.org wrote:

From coderman at gmail.com Sun Dec 16 21:58:35 2012
From: coderman at gmail.com (coderman)
Date: Sun, 16 Dec 2012 21:58:35 -0800
Subject: [cryptography] Gmail and SSL
In-Reply-To: 
References: <20121214155122.GE9750@leitl.org>
Message-ID: 

On Sat, Dec 15, 2012 at 12:23 PM, Andy Steingruebl wrote:
> I think what you really want is the ability within Google's interface to specify how you'd like the certificate verified.

yes; this is what i want. for Google to arbitrarily enforce a decision is dumb and not useful.

From shelley at misanthropia.info Mon Dec 17 05:11:20 2012
From: shelley at misanthropia.info (Shelley)
Date: Mon, 17 Dec 2012 05:11:20 -0800
Subject: too big to jail
In-Reply-To: <20121217124827.GP9750@leitl.org>
Message-ID: <20121217131127.5214D482507@frontend2.nyi.mail.srv.osa>

It's all such bullshit.
The US gov't simply can't risk having their long history of complicity in and facilitation of these activities revealed in open court. What a joke.

-- 
"God is an ever-receding pocket of scientific ignorance that's getting smaller and smaller and smaller as time goes on." - Neil deGrasse Tyson
Justice4assange.com/US-Extradition

On Dec 17, 2012 4:59 AM, Eugen Leitl <eugen at leitl.org> wrote:

Historical times.

http://www.guardian.co.uk/business/2012/dec/11/hsbc-fine-prosecution-money-laundering

From jeremy at servalproject.org Sun Dec 16 14:58:42 2012
From: jeremy at servalproject.org (Jeremy Lakeman)
Date: Mon, 17 Dec 2012 09:28:42 +1030
Subject: [serval-project-dev] Implementing a different routing protocol
Message-ID: 

On Sat, Dec 15, 2012 at 12:47 AM, Fraser Cadger wrote:
> I had actually been meaning to send another message about Rhizome for some time. I did some research into the code and I also came across a blog post by yourself discussing your tests with Rhizome implemented over MDP; http://servalpaul.blogspot.co.uk/2012/12/rhizome-over-mdp.html . I find the concept of the Rhizome journalling quite interesting, and I think it would definitely be relevant for the sharing of on-demand (recorded files), however I am not sure if it would work for the interactive video calling/VoIP traffic, but I must admit I have not looked at Rhizome in much detail so I could be wrong. Actually one question I have, leading on from your blog post; is Rhizome intended to be implemented over MDP? If so, aside from the journal concept of a file being a version which can be updated, and the use of store and forward, is there much of a difference between Rhizome routing and MDP routing?

Rhizome doesn't route. It just floods, one hop at a time. Though now that we have a rhizome transport built on MDP it would be possible to transfer content directly over a number of hops.

Just because we have a novel tool doesn't make it a good fit for every problem.
Just because you have a good hammer, doesn't make every problem a nail.

--
You received this message because you are subscribed to the Google Groups "Serval Project Developers" group.
To post to this group, send email to serval-project-developers at googlegroups.com.
To unsubscribe from this group, send email to serval-project-developers+unsubscribe at googlegroups.com.
For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en.

----- End forwarded message -----

From frank at journalistsecurity.net Mon Dec 17 09:49:33 2012
From: frank at journalistsecurity.net (frank at journalistsecurity.net)
Date: Mon, 17 Dec 2012 10:49:33 -0700
Subject: [liberationtech] Forbes recommends tools for journalists
Message-ID:

If anyone here has any thoughts about the tools recommended in this Forbes piece, please speak up. The piece gets specific with recommendations from Ashkan Soltani, a technologist who I do not think is on this list, about half way down. Again, any thoughts would be welcome. Thank you! Frank

http://www.forbes.com/sites/kashmirhill/2012/12/07/dear-journalists-at-vice-and-elsewhere-here-are-some-simple-ways-not-to-get-your-source-arrested/

TECH | 12/07/2012 @ 1:33PM

Dear Journalists at Vice and Elsewhere, Here Are Some Simple Ways Not To Get Your Source Arrested

You forgot to scrub the metadata, suckers.

Computer security millionaire John McAfee's surreal flight from Belizean law enforcement came to an end this week when he was detained (and then hospitalized) in Guatemala, as has been widely reported.
A piece of the story that hasn't been included in much of the reporting is how authorities figured out that McAfee - who was wanted for questioning in the shooting death of his neighbor - had fled Belize for Guatemala. McAfee's location was exposed after he agreed to let two reporters from Vice Magazine tag along with him. Proud to finally be in the thick of a story rife with vices - drugs, murder, prostitutes, guns, vicious dogs, a fugitive millionaire and his inappropriately young girlfriend - they proudly posted an iPhone photo to their blog of Vice editor-in-chief Rocco Castoro standing with the source of the mayhem in front of a jungly background, saying, "We are with John McAfee right now, suckers."

With that posting, they went from chroniclers of vices to inadvertent narcs. They left the metadata in the photo, revealing McAfee's exact location, down to latitude and longitude. McAfee tried to claim he'd manipulated the data - a claim that Vice photographer backed up on Facebook in a posting he's since deleted - but then capitulated, hired a lawyer, and tried to claim asylum in Guatemala. Guatemalan authorities instead detained McAfee for entering the country illegally. All of which was dutifully reported by the Vice reporters, with no mention of their screw-up.

Mat Honan at Wired excoriated Vice for its role in events:

This was deeply stupid. People have been pointing out the dangers of inadvertently leaving GPS tags in cellphone pictures for years and years. Vice is the same publication that regularly drops in on revolutions and all manner of criminals. They should have known better. And they have the resources to do it better. Vice is a $100 million operation.

Then, it followed up this egregiously stupid action with a far worse one. Vice photographer Robert King apparently lied on his Facebook page and Twitter in order to protect McAfee. Like McAfee, he claimed that the geodata in the photo had been manipulated to conceal their true location.
... But the coverup, as always, is worse than the crime. In claiming the geodata had been manipulated when it had not, Vice was no longer just documenting. Now it was actively aiding a fugitive wanted for questioning in the murder investigation of his neighbor Gregory Faull, who was shot dead at his own home.

Via How Trusting In Vice Led To John McAfee's Downfall - Wired.

It was indeed deeply stupid. Journalists are professional dealers in information but many are terrible about protecting it. While willing to go to jail to protect their sources, journalists may wind up leaving them exposed instead through poor data practices. In a New York Times editorial last year, Chris Soghoian, now chief technologist at the ACLU, warned that "secrets aren't safe with journalists" explaining that "the safety of anonymous sources will depend not only on journalists' ethics, but on their computer skills."

There are three very basic things journalists should be doing to shield their sources:

Scrubbing metadata from photos, documents and other files.
Resisting the desire to save copies of everything.
Encrypting communications.

Technologist Ashkan Soltani walked me through some simple tools for doing this. They're not foolproof, but they'll make it a little less likely that your blog post will wind up sending the person you're profiling to jail (unless that's your intent).

1. Scrubbing metadata.

"All files - photos, Word docs, PDFs - include some kind of metadata: author, location created, device information," says Soltani. If you leave the metadata attached, you run the risk of exposing private information about the person who gave you the file, or, in the case of Vice, the location of the person trying to keep his location under wraps.

Before you share a Word doc with the world that a source sent you, run it through a scrubber. Otherwise, it may reveal where the doc was created, who authored it and anyone who has ever made changes to it. There's Doc Scrubber for Microsoft Word.
For PDF docs, use a tool like Metadata Assistant. Or use Adobe Acrobat's "Examine Document" tool which will scan the doc for hidden information.

For photos, think about turning off geotagging on your phone or digital camera so that the information doesn't get included in the first place. You'll usually do that in your phone's "Location Settings." Instructions here. You can run your photos through a metadata scrubber. Or, if you don't care much about the resolution, you can just take a screenshot of the photo and use that metadata-free version. Some photo-hosting services do you the favor of scrubbing metadata. Facebook, Twitter and Instagram all have this privacy-protective measure in place.

2. Resisting the desire to save copies of everything.

We live in a time when it's easy to save everything, meaning we've all become digital hoarders. Why delete an email or chat when you can just archive it? It could come in handy later. Or it could come back to bite you later. "Disable chat logs in whatever program you're using, Gmail or Skype," says Soltani. In Gmail, that means switching chats to "off the record." In Skype, it means turning off the feature that automatically saves your chats to anywhere you log in. (Added privacy bonus: That could keep your boss from winding up getting his hands on a sexy chat you had on your home computer.) If you need to keep a record of a chat, save it as a Word file on your own computer, and encrypt it.

"Don't keep emails around for years and years," says Soltani. "Practice better data hygiene." Soltani says journalists and sources might consider setting up temporary email accounts to communicate about a story, and then to delete the accounts after the story's complete. He compares it to using a burner cell phone.

3. Encrypting your communications.

This may be the most labor intensive of the recommendations from computer security professionals, but if it's important that your communications with someone not be compromised, it's worth it.
This means your emails will appear as gibberish to anyone you don't want reading them. Had David Petraeus and Paula Broadwell encrypted their emails to one another rather than saving them in a drafts folder, their exposing themselves to each other wouldn't have been exposed to the world. "This allows you to communicate securely and protects your messages if your account is compromised," says Soltani. For chat, consider using Adium's OTR. Use a Virtual Private Network or create your own SSL. Take 30 minutes (more or less, depending on your savvy level) to set up SMime or PGP for Gmail so that the emails you send from whichever provider you use are encrypted. The only limitation here: you need to get the person you're communicating with to enable encryption as well. Rather than calling someone from your landline or cell phone, use Skype or Silent Circle.

***

A journalist's job is to bring information to light. Using these tools, you'll retain some control over which information gets lit.
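The photo-scrubbing step in the piece above is easy to check and to automate. What follows is an added example, not code from the Forbes article or from any of the scrubbers it names: a small Python script that walks a JPEG's marker segments, reports whether the Exif block carries a GPS sub-IFD (the part of the metadata that gave away McAfee's coordinates), and writes the file back out with the Exif and XMP segments removed while leaving the pixel data untouched. The JPEG it operates on is a constructed byte string built by `build_sample_jpeg()`, not a real photo, and the function names are this example's own.

```python
import struct

# JPEG markers (big-endian) and the payload prefixes that identify metadata blocks
SOI, EOI, SOS, APP0, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE0, 0xFFE1
EXIF_PREFIX = b"Exif\x00\x00"
XMP_PREFIX = b"http://ns.adobe.com/xap/1.0/\x00"
TAG_MAKE = 0x010F        # camera maker, ASCII, lives in IFD0
TAG_GPS_IFD = 0x8825     # GPSInfoIFDPointer: only present when GPS data was written


def parse_segments(jpeg):
    """Walk the marker segments between SOI and SOS.
    Returns ([(marker, seg_start, seg_end), ...], sos_offset). Everything from
    sos_offset onward is the entropy-coded scan and is carried over verbatim."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    segs, pos = [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = (jpeg[pos] << 8) | jpeg[pos + 1]
        if marker == SOS:
            return segs, pos
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # counts its own 2 bytes
        segs.append((marker, pos, pos + 2 + length))
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS marker")


def exif_has_gps(payload):
    """True if IFD0 of the Exif APP1 payload carries a GPS sub-IFD pointer."""
    tiff = payload[len(EXIF_PREFIX):]
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header inside Exif block")
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = ifd0 + 2 + 12 * i
        (tag,) = struct.unpack(endian + "H", tiff[entry:entry + 2])
        if tag == TAG_GPS_IFD:
            return True
    return False


def find_metadata(jpeg):
    """List the metadata blocks a scrubber would have to remove."""
    found = []
    segs, _ = parse_segments(jpeg)
    for marker, start, end in segs:
        payload = jpeg[start + 4:end]
        if marker == APP1 and payload.startswith(EXIF_PREFIX):
            found.append("exif")
            if exif_has_gps(payload):
                found.append("exif-gps")
        elif marker == APP1 and payload.startswith(XMP_PREFIX):
            found.append("xmp")
    return found


def strip_metadata(jpeg):
    """Rebuild the file without Exif/XMP APP1 segments; the scan is untouched."""
    segs, sos = parse_segments(jpeg)
    out = bytearray(b"\xFF\xD8")
    for marker, start, end in segs:
        payload = jpeg[start + 4:end]
        if marker == APP1 and payload.startswith((EXIF_PREFIX, XMP_PREFIX)):
            continue
        out += jpeg[start:end]
    out += jpeg[sos:]
    return bytes(out)


def build_sample_jpeg():
    """Constructed input, not a real photo: a JFIF segment plus an Exif block
    whose IFD0 has a Make entry and a pointer to a one-entry GPS IFD."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 2 * 12 + 4          # IFD0 = count + 2 entries + next pointer
    ifd0 = struct.pack("<H", 2)
    ifd0 += struct.pack("<HHI4s", TAG_MAKE, 2, 4, b"Cam\x00")    # ASCII value stored inline
    ifd0 += struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off)     # LONG offset to GPS IFD
    ifd0 += struct.pack("<I", 0)
    gps = struct.pack("<H", 1) + struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00") + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + gps

    def seg(marker, payload):
        return struct.pack(">HH", marker, len(payload) + 2) + payload

    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = seg(SOS, b"\x01\x01\x00\x00\x3F\x00") + b"\x00" * 8 + struct.pack(">H", EOI)
    return b"\xFF\xD8" + seg(APP0, jfif) + seg(APP1, EXIF_PREFIX + tiff) + scan


SAMPLE_JPEG = build_sample_jpeg()

if __name__ == "__main__":
    print("before:", find_metadata(SAMPLE_JPEG))
    clean = strip_metadata(SAMPLE_JPEG)
    print("after: ", find_metadata(clean), "bytes removed:", len(SAMPLE_JPEG) - len(clean))
```

Dropping the whole Exif block also discards harmless fields such as orientation, which is why some scrubbers rewrite a minimal Exif instead of deleting it; IPTC (APP13) and other containers (PNG text chunks, HEIC boxes) need their own handling, and the screenshot trick the article mentions sidesteps all of that at the cost of resolution. Checking the output with `find_metadata()` before publishing is the part that matters: a scrubber that silently fails is what turned the Vice photo into a location fix.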
----- End forwarded message -----

From kb at karelbilek.com Mon Dec 17 02:27:26 2012
From: kb at karelbilek.com (Karel Bílek)
Date: Mon, 17 Dec 2012 11:27:26 +0100
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
In-Reply-To: <20121213122415.GM9750@leitl.org>
References: <20121213122415.GM9750@leitl.org>
Message-ID:

Because Thomas (the original developer of Mailvelope) wanted to let the extension work as it was, with the unsecure encryption inside DOM, I decided to fork his project and make a new one, which both encrypts and decrypts in a secure chrome pop-up.

It's here, it's called ChromeGP.
https://cryptoparty.cz/ChromeGP/

Available on chrome web store here
https://chrome.google.com/webstore/detail/chromegp/pebhdbojdpjfidjbneklefmpojncdpmf

and on github here
https://github.com/runn1ng/ChromeGP

There are two big issues with it - first is missing signing/signature control (which should be easy to implement, but we will see) and the second is OpenPGP's trouble with zip compression inside PGP (which, unfortunately, causes the default Thunderbird/Enigmail encryption fail to decrypt, I think).

Feel free to share and/or criticize :)

K

On Thu, Dec 13, 2012 at 1:24 PM, Eugen Leitl wrote:
> ----- Forwarded message from StealthMonger -----
>
> From: StealthMonger
> Date: Wed, 12 Dec 2012 23:22:28 +0000 (GMT)
> To: liberationtech
> Subject: Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
> Reply-To: liberationtech
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Uncle Zzzen writes:
>
>> [Weighty argument compelling closer study.]
>
> So unless and until the Mailvelope author(s) remedy this, support for
> Mailvelope has to be muted.
>
> However, comparison with Cryptocat is still unfitting because
> Cryptocat does not even pretend to do store-and-forward authenticated
> email using public key cryptography. In fact, its author asserts [1]
>
> 2. Cryptocat does not mean to compete with GPG, it means to replace * plaintext.*
>
> [1] Date: Mon, 6 Aug 2012 18:14:33 -0700 Message-ID:
>
> - --
> -- StealthMonger
> Long, random latency is part of the price of Internet anonymity.
>
> anonget: Is this anonymous browsing, or what?
> http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain
>
> stealthmail: Hide whether you're doing email, or when, or with whom.
> mailto:stealthsuite at nym.mixmin.net?subject=send%20index.html
>
> Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.9
>
> iEYEARECAAYFAlDI34wACgkQDkU5rhlDCl7RugCggOoq0oclCcZ/F2LPjUs3BIb5
> AcUAnjeOtCVCLKzyqETqPvU1kFsgPnRk
> =d7cd
> -----END PGP SIGNATURE-----
>
> ----- End forwarded message -----

From eugen at leitl.org Mon Dec 17 04:32:41 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 17 Dec 2012 13:32:41 +0100
Subject: [liberationtech] DIY Drones
Message-ID: <20121217123241.GI9750@leitl.org>

----- Forwarded message from
Jeffrey Burdges -----

From eugen at leitl.org Mon Dec 17 04:37:15 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 17 Dec 2012 13:37:15 +0100
Subject: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
Message-ID: <20121217123715.GK9750@leitl.org>

----- Forwarded message from Karel Bílek -----

From eugen at leitl.org Mon Dec 17 04:48:27 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 17 Dec 2012 13:48:27 +0100
Subject: too big to jail
Message-ID: <20121217124827.GP9750@leitl.org>

Historical times.

http://www.guardian.co.uk/business/2012/dec/11/hsbc-fine-prosecution-money-laundering

From eugen at leitl.org Mon Dec 17 04:59:27 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 17 Dec 2012 13:59:27 +0100
Subject: Author Identification
Message-ID: <20121217125927.GR9750@leitl.org>

http://www.uni-weimar.de/medien/webis/research/events/pan-13/pan13-web/author-identification.html

Author Identification

Authorship attribution is an important problem in many areas including information retrieval and computational linguistics, but also in applied areas such as law and journalism where knowing the author of a document (such as a ransom note) may be able to save lives.
The most common framework for testing candidate algorithms is a text classification problem: given known sample documents from a small, finite set of candidate authors, which if any wrote a questioned document of unknown authorship? It has been commented, however, that this may be an unreasonably easy task. A more demanding problem is author verification where given a set of documents by a single author and a questioned document, the problem is to determine if the questioned document was written by that particular author or not. This may more accurately reflect real life in the experiences of professional forensic linguists, who are often called upon to answer this kind of question.

Given a small set (no more than 10, possibly as few as one) of "known" documents by a single person and a "questioned" document, the task is to determine whether the questioned document was written by the same person who wrote the known document set.

One problem comprises a set of known documents by a single person and a questioned document. There will be several such problems covering English, Greek, and Spanish (about 20 cases per language) and a varying number of known documents (1-10). All documents within a single problem will be in the same language and best efforts will be applied to assure that within-problem documents are matched for genre, register, theme, and date of writing. The documents will possibly be fragmentary, with a minimum length of 1,000 words.

Download data (Release by mid-December)

Participants are asked to provide a simple "yes/no" binary answer for each problem. Grading will be based on the percentage of correct answers. Beyond the accuracy on the entire corpus, separate rankings will be provided for the subsets of problems for each language. In addition, participants may also provide a score, a real number in the set [0,1] inclusive, where 0 corresponds to NO and 1 to YES.
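A minimal baseline for the verification task described above, added here as an example and not anything from the PAN organizers or their software: it builds character 3-gram profiles, scores a questioned document by its cosine similarity to the pooled known documents (a number in [0,1], the shape of score the task asks for), and answers yes when that similarity is at least as high as the author's own least-similar known document under leave-one-out. The threshold rule and the sample texts are this example's constructions; the "different author" text is made deliberately dissimilar so the contrast is visible on short inputs, whereas real problems have 1,000-word documents matched for genre and language.

```python
from collections import Counter
import math


def ngram_profile(text, n=3):
    """Character n-gram counts; case folded and whitespace runs collapsed so
    layout differences do not dominate the profile."""
    text = " ".join(text.lower().split())
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))


def merge(profiles):
    """Pool several profiles into one count vector."""
    pooled = Counter()
    for p in profiles:
        pooled.update(p)
    return pooled


def cosine(a, b):
    """Cosine similarity of two sparse non-negative count vectors, in [0, 1]."""
    dot = sum(v * b[k] for k, v in a.items() if k in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def verify(known_docs, questioned, n=3):
    """Return (score, answer) for one verification problem.

    score  = similarity of the questioned text to the author's pooled profile.
    answer = True when that similarity is at least the author's own lowest
             leave-one-out similarity, i.e. the questioned text is no further
             from the set than the author's known writing varies internally.
    The threshold rule is an assumption of this example, not a PAN rule."""
    profiles = [ngram_profile(d, n) for d in known_docs]
    score = cosine(ngram_profile(questioned, n), merge(profiles))
    if len(profiles) > 1:
        self_sims = [cosine(profiles[i], merge(profiles[:i] + profiles[i + 1:]))
                     for i in range(len(profiles))]
        threshold = min(self_sims)
    else:
        threshold = 0.5  # assumption: a single known document gives no self-variation to measure
    return score, score >= threshold


# Constructed sample problem (not PAN data): three "known" texts in one
# deliberately mannered style, one questioned text in that style, one not.
KNOWN_DOCS = [
    "The committee met again on Tuesday; as usual, nothing of substance was decided, "
    "and the minutes, which I have read twice, say even less.",
    "I walked to the harbour before dawn; as usual, the boats were already out, "
    "and the gulls, which nobody feeds, said more than the fishermen did.",
    "My neighbour keeps a garden; as usual, it is the weeds, which nobody planted, "
    "that do best in it, and the roses say even less.",
]
QUESTIONED_SAME = ("We waited for the train; as usual, it was late, and the announcement, "
                   "which nobody could hear, explained even less.")
QUESTIONED_DIFF = "BUY NOW!!! 50% OFF!!! 100% GUARANTEED!!! CLICK HERE >>> $$$ 24/7 <<<"

if __name__ == "__main__":
    for label, q in (("same author", QUESTIONED_SAME), ("different", QUESTIONED_DIFF)):
        score, answer = verify(KNOWN_DOCS, q)
        print("%-12s score=%.3f answer=%s" % (label, score, "YES" if answer else "NO"))
```

The score is what a ROC curve would be drawn from; the yes/no answer is the accuracy-graded output. Serious entries replace the leave-one-out threshold with something calibrated on training problems and usually compare against a set of impostor documents rather than only the author's own, but the two-output shape stays the same.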
In that case, ROC curves will be produced and the area under the curve will be used to grade participant systems.

We refer you to:

PAN @ CLEF'12 (overview paper), PAN @ CLEF'11 (overview paper)
Patrick Juola. Authorship Attribution. In Foundations and Trends in Information Retrieval, Volume 1, Issue 3, December 2006.
Moshe Koppel, Jonathan Schler, and Shlomo Argamon. Computational Methods in Authorship Attribution. Journal of the American Society for Information Science and Technology, Volume 60, Issue 1, pages 9-26, January 2009.
Efstathios Stamatatos. A Survey of Modern Authorship Attribution Methods. Journal of the American Society for Information Science and Technology, Volume 60, Issue 3, pages 538-556, March 2009.

We ask you to prepare your software so that it can be executed via a command line. However, you can choose freely among the available programming languages and among the operating systems Microsoft Windows 7 and Ubuntu 12.04. We will ask you to deploy your software onto a virtual machine that will be made accessible to you after registration. You will be able to reach the virtual machine via ssh and via remote desktop.

From eugen at leitl.org Mon Dec 17 05:04:05 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 17 Dec 2012 14:04:05 +0100
Subject: Analyzing the Veracity of Tweets during a Major Crisis
Message-ID: <20121217130404.GS9750@leitl.org>

http://irevolution.net/2010/09/19/veracity-of-tweets-during-a-major-crisis/

Analyzing the Veracity of Tweets during a Major Crisis
Posted on September 19, 2010

A research team at Yahoo recently completed an empirical study (PDF) on the behavior of Twitter users after the 8.8 magnitude earthquake in Chile. The study was based on 4,727,524 indexed tweets, about 20% of which were replies to other tweets. What is particularly interesting about this study is that the team also analyzed the spread of false rumors and confirmed news that were disseminated on Twitter.
The authors "manually selected some relevant cases of valid news items, which were confirmed at some point by reliable sources." In addition, they "manually selected important cases of baseless rumors which emerged during the crisis (confirmed to be false at some point)." Their goal was to determine whether users interacted differently when faced with valid news vs false rumors.

The study shows that about 95% of tweets related to confirmed reports validated that information. In contrast only 0.03% of tweets denied the validity of these true cases. Interestingly, the results also show that "the number of tweets that deny information becomes much larger when the information corresponds to a false rumor." In fact, about 50% of tweets will deny the validity of false reports. The table below lists the full results.

The authors conclude that "the propagation of tweets that correspond to rumors differs from tweets that spread news because rumors tend to be questioned more than news by the Twitter community. Notice that this fact suggests that the Twitter community works like a collaborative filter of information. This result suggests also a very promising research line: it could be possible to detect rumors by using aggregate analysis on tweets."

I think these findings are particularly important for projects like Swift River, which try to validate crowdsourced crisis information in real-time. I would also be interested to see a similar study on tweets around the Haitian earthquake to explore whether this "collaborative filter" dynamic is an emergent phenomenon in this complex system or simply an artifact of something else.

Interested in learning more about "information forensics"?
See this link and the articles below:

Predicting the Credibility of Disaster Tweets Automatically
Automatically Ranking Credibility of Tweets During Major Events
Six Degrees of Separation: Implications for Verifying Social Media
How to Verify Crowdsourced Information from Social Media
Truth in Age of Social Media: Social Computing & Big Data Challenge
Truthiness as Probability: Moving Beyond the True or False Dichotomy when Verifying Social Media
How to Verify and Counter Rumors in Social Media
Crowdsourcing for Human Rights Monitoring: Challenges and Opportunities for Information Collection & Verification
Rapidly Verifying the Credibility of Sources on Twitter
Accelerating the Verification of Social Media Content
From eugen at leitl.org Mon Dec 17 05:28:32 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 17 Dec 2012 14:28:32 +0100
Subject: [liberationtech] Social Media Combatants
Message-ID: <20121217132832.GX9750@leitl.org>

----- Forwarded message from Gregory Foster -----

From MiniFunPeople at psl.to Mon Dec 17 14:33:34 2012
From: MiniFunPeople at psl.to (Peter Langston)
Date: Mon, 17 Dec 2012 14:33:34 -0800
Subject: Why we all have a stake in the Freedom of the Press Foundation
Message-ID:

MiniFunPeople........................................ISSN 1098-7649
Forwarded-by: Peter Langston
Forwarded-by: Dave Farber
From: *Dewayne Hendricks*

Two years ago this month, the major online payment systems - Visa, Mastercard, PayPal and more - cut off one of the world's most famous journalism organizations from the public. They stopped taking payments on behalf of WikiLeaks and, in the process, highlighted one of the most dangerous threats to modern journalism: the ability of centralized third parties to make trouble for anyone and any organization they didn't like, for whatever reason.

With a few exceptions, the traditional journalism industry has been all but indifferent to what happened - a payment boycott done almost certainly under pressure from the American government, which was and remains infuriated by WikiLeaks' methods and results. No other journalism-related organization has been treated this way, as far as I know. But given the rise of independent media organizations and the utter lack of accountability the payment systems have faced for their outrageous actions, the threat is greater than ever.

The journalists' silence was unfortunate but, sad to say, a reflection of most media companies' coziness with the rich and powerful in America and around the world.
It's fair to assume, though, that had any one of those companies been shut out of modern payment systems, the entire industry would have: a) created a huge outcry; and b) found ways to go around the centralized systems that had taken such pernicious actions.

So I'm glad to see the emergence of a new not-for-profit group whose mission is to "promote and fund aggressive, public-interest journalism focused on exposing mismanagement, corruption, and law-breaking in government". It's called the Freedom of the Press Foundation. Its method is "crowd-funding" - pulling together donations from people like you and me - and it could be a game-changer.

The foundation is based in San Francisco, with a board of directors that includes Daniel Ellsberg (of Pentagon Papers fame), John Perry Barlow (co-founder of the Electronic Frontier Foundation), Xeni Jardin (from BoingBoing), the Guardian's Glenn Greenwald and several others in the civil liberties and media arenas. (Disclosure: I am friends with several board members, and have offered advice to the founders.)

What's novel are the tactics: the foundation will be accepting donations from individuals and then forwarding them along, according to the donors' specific direction, to organizations designated by the foundation. The list of organizations will evolve over time; the first group includes WikiLeaks, MuckRock, the National Security Archive and the UpTake, all of which are worthy of support.

The foundation has come up with clear and useful criteria for its selections:

1. Record of engaging in transparency journalism or supporting it in a material way, including support for whistleblowers.
2. Public interest agenda.
3. Organizations or individuals under attack for engaging in transparency journalism.
4. Need for support: the foundation's goal is to prioritize support for organizations and individuals who are in need of funding or who face obstacles to gaining support on their own.
The system the foundation has devised is simple and smart. Donors can designate as many or few of the organizations as he or she chooses, with online "sliders" that make it easy to raise or lower the percentage going to each of the chosen groups. The foundation also accepts donations, and it takes an 8% cut of the proceeds for operational costs. I'm donating immediately, and will designate that my gift goes to all four organizations, with the bulk to WikiLeaks, given its especially endangered status.

The crowdfunding method takes a page from the "HumbleBundle" operation, which has been offering software, books and games this way - asking people to donate whatever they wish, and choosing which providers and/or organizations will get what percentage of their donations. Then, the donors can download the items. Donations range widely. I've participated several times. The best part is that everyone involved gets value from the system.

The obvious question raised by the Freedom of the Press Foundation initiative is whether the payment systems will shut this off, too. If they do, they'll be punishing not just WikiLeaks, but the entire journalism ecosystem - and ultimately, your right to get the information you want and need. Will they extend the bad faith they showed two years ago?

That I even have to ask this question is evidence of the power of these centralized mega-corporations. They have far too much power, like too many other telecommunications companies and a number of others in the information and communications industries on which we rely more and more for our daily activities.

The Freedom of the Press Foundation can be a first step away from the edge of a cliff. But it needs to be recognized and used by as many people as possible, as fast as possible. And journalists, in particular, need to offer their support in every way. This is ultimately about their future, whether they recognize it or not. But it's more fundamentally about all of us.
I encourage you to support the foundation and the organizations it is trying to help. This is about your future, too.

----- End forwarded message -----

From eugen at leitl.org Mon Dec 17 05:38:15 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 17 Dec 2012 14:38:15 +0100
Subject: [serval-project-dev] Implementing a different routing protocol
Message-ID: <20121217133815.GY9750@leitl.org>

----- Forwarded message from Jeremy Lakeman -----

From steveweis at gmail.com Mon Dec 17 15:10:40 2012
From: steveweis at gmail.com (Steve Weis)
Date: Mon, 17 Dec 2012 15:10:40 -0800
Subject: [liberationtech] Forbes recommends tools for journalists
Message-ID:

Just to go further down the tech tangent...

There are SSD drives with full-disk encryption, such as the Intel 520 series. Here's a paper "Reliably Erasing Data From Flash-Based Solid State Drives" from Usenix 2011 that analyzes disk sanitation on several SSD drives. Their conclusion was that built in encryption and sanitization functions were most effective, but were not always implemented correctly:
http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf

Regarding storage for disk-encryption keys, PCs with TPMs can seal keys such that they can only be unsealed if the machine is booted to a verifiable state. Then you can leave the sealed key on the disk, which is how Bitlocker works.

Keep in mind that TPMs can be compromised by physical attacks. They aren't going to protect you from a moderately-funded forensics effort. But if you're getting information security advice from a Forbes blog, that will be the least of your worries.
On Mon, Dec 17, 2012 at 1:42 PM, Michael Rogers wrote:
> I'm not aware of any suitable storage on current smartphones or personal computers, so we may need to ask device manufacturers to add (simple, inexpensive) hardware to their devices to support secure deletion.
> --

Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----

From flyingkiwiguy at gmail.com Mon Dec 17 07:23:40 2012
From: flyingkiwiguy at gmail.com (Gary Mulder)
Date: Mon, 17 Dec 2012 15:23:40 +0000
Subject: [ZS] Two criticisms of ZS, and solutions...
Message-ID:

On 17 December 2012 14:53, Tyler wrote:
> Also BTC is a monetary system. Basing worth on wealth might not be the best way to form ZS.
> I think a distributed Web Of trust model would work well and not be beholden to any central authority

However, a BTC address can be used as a unique, distributed, verifiable, but still semi-anonymous identity.
I just read the following interesting blog post which also looks at trust and reputation online: http://associatesmind.com/2012/12/07/the-hyperlink-a-microtransaction-of-trust/

Regards,
Gary

--
Zero State mailing list: http://groups.google.com/group/DoctrineZero

----- End forwarded message -----

From codesinchaos at gmail.com Mon Dec 17 07:25:53 2012
From: codesinchaos at gmail.com (CodesInChaos)
Date: Mon, 17 Dec 2012 16:25:53 +0100
Subject: [cryptography] Gmail and SSL
In-Reply-To:
References: <20121214155122.GE9750@leitl.org>
Message-ID:

One could require the user to specify/confirm a certificate fingerprint on gmail in such a case. That way you're MitM-proof, even with a self-signed certificate.

From frank at journalistsecurity.net Mon Dec 17 15:38:21 2012
From: frank at journalistsecurity.net (frank at journalistsecurity.net)
Date: Mon, 17 Dec 2012 16:38:21 -0700
Subject: [liberationtech] Forbes recommends tools for journalists
Message-ID:

> But if you're getting information security advice from a Forbes blog, that will be the least of your worries.

Where would you suggest we get information security advice from? Many here are quick to point out what people should not rely upon. But relatively few seem to want to assume the responsibility to suggest what people should use.

We are gleaning material including on concepts from the Information Security chapter written by Danny in CPJ's Journalist Security Guide (full disclosure: I wrote the chapters on physical safety). We are looking for guidance on tools from Security-in-a-Box by Tactical Tech. And we are reviewing and closely following the discussion over the new Internews guide which covers both concepts and tools.
We are also looking at relevant guides by Small World News by Brian and others, and Mobile Active by Katrin and Alix. It seems to me that the above comprise the best available sources out there. Would you agree? Of course, if you or anyone has any other suggestions, we are all ears.

The discussion itself over the Forbes blog and other material is all helpful. But backhanded snipes without the benefit of positive alternative suggestions are not. Most people on this list and in conferences seem to be agreeing, at least lately if not also before, that if people who need to use the tools don't use them, then that becomes a security problem in and of itself. And that the overwhelming majority of people in places like Syria really do not understand the risks or practice best measures. Would you agree?

Getting over these obstacles requires training, and also more transparency within this "Open Source" community about what we should be teaching people.

I am also learning not to take gratuitous snipes here personally. As it seems to be all too common within this group. But I do think we would serve a great many more people if we had more constructive conversations. Isn't that what this list is for?

> -------- Original Message --------
> Subject: Re: [liberationtech] Forbes recommends tools for journalists
> From: Steve Weis
> Date: Mon, December 17, 2012 6:10 pm
> To: liberationtech
>
> Just to go further down the tech tangent...
>
> There are SSD drives with full-disk encryption, such as the Intel 520 series. Here's a paper "Reliably Erasing Data From Flash-Based Solid State Drives" from Usenix 2011 that analyzes disk sanitation on several SSD drives. Their conclusion was that built-in encryption and sanitization functions were most effective, but were not always implemented correctly: http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf
>
> Regarding storage for disk-encryption keys, PCs with TPMs can seal keys such that they can only be unsealed if the machine is booted to a verifiable state. Then you can leave the sealed key on the disk, which is how Bitlocker works.
>
> Keep in mind that TPMs can be compromised by physical attacks. They aren't going to protect you from a moderately-funded forensics effort. But if you're getting information security advice from a Forbes blog, that will be the least of your worries.
>
> On Mon, Dec 17, 2012 at 1:42 PM, Michael Rogers wrote:
> > I'm not aware of any suitable storage on current smartphones or personal computers, so we may need to ask device manufacturers to add (simple, inexpensive) hardware to their devices to support secure deletion.
> >
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----

From eugen at leitl.org Mon Dec 17 07:41:50 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 17 Dec 2012 16:41:50 +0100
Subject: [ZS] Two criticisms of ZS, and solutions...
Message-ID: <20121217154150.GH9750@leitl.org>

----- Forwarded message from Gary Mulder -----

From eugen at leitl.org Mon Dec 17 09:54:10 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 17 Dec 2012 18:54:10 +0100
Subject: [liberationtech] Forbes recommends tools for journalists
Message-ID: <20121217175410.GM9750@leitl.org>

----- Forwarded message from frank at journalistsecurity.net -----

From DObrien at cpj.org Mon Dec 17 12:12:02 2012
From: DObrien at cpj.org (Danny O'Brien)
Date: Mon, 17 Dec 2012 20:12:02 +0000
Subject: [liberationtech] Forbes recommends tools for journalists
Message-ID:

On Mon, Dec 17, 2012 at 10:49:33AM -0700, frank at journalistsecurity.net wrote:
> If anyone here has any thoughts about the tools recommended in this Forbes piece, please speak up. The piece gets specific with recommendations from Ashkan Soltani, a technologist who I do not think is on this list, about half way down. Again, any thoughts would be welcome. Thank you! Frank

The reference to Glenn's "Create your own SSL certificate" article is weird; what he talks about in that Ars Technica piece is not a replacement for a VPN by any means, and I think the reference would just confuse anyone who was not technical.
I think these days you have to tie Forbes' (good) advice not to save everything with an encouragement to use full disk encryption. We're in an awkward space right now where we can't fully guarantee that data gets deleted off a modern flash (SSD) drive, even with previously strong deletion tools. And forensics software is good enough to pick up a lot of local clues about what you've used your own computer for, even if you think you've turned off all logs and removed the saving of sensitive data. Minimize what you record, but also encrypt.

I'd be cautious about explicitly recommending Word's encryption as they do -- if you save encrypted docs in 97/2000 mode, they're instantly breakable, and there are dedicated tools out there to break later versions. I don't know whether they exploit later weaknesses, or are just fancy password crackers. http://www.elcomsoft.com/aopr.html?r1=Openwall

Usual provisos about Skype (and Silent Circle to a certain extent).

It's *really* hard to permanently recommend particular products, without at least making the statement "Keep an eye out for news that the tools you use are vulnerable, and keep the software updated." We really need to stop making this exclusively about the tools, and make it more about the practices, and tools that can reinforce those practices. This article isn't that bad at all about that -- but you want to be able to get people to a point where they can tell themselves whether a package looks like snake oil or not.

d.

> http://www.forbes.com/sites/kashmirhill/2012/12/07/dear-journalists-at-vice-and-elsewhere-here-are-some-simple-ways-not-to-get-your-source-arrested/
>
> TECH | 12/07/2012 @ 1:33PM | 24,858 views
> Dear Journalists at Vice and Elsewhere, Here Are Some Simple Ways Not To Get Your Source Arrested
>
> You forgot to scrub the metadata, suckers.
>
> Computer security millionaire John McAfee's surreal flight from Belizean law enforcement came to an end this week when he was detained (and then hospitalized) in Guatemala, as has been widely reported. A piece of the story that hasn't been included in much of the reporting is how authorities figured out that McAfee -- who was wanted for questioning in the shooting death of his neighbor -- had fled Belize for Guatemala. McAfee's location was exposed after he agreed to let two reporters from Vice Magazine tag along with him. Proud to finally be in the thick of a story rife with vices -- drugs, murder, prostitutes, guns, vicious dogs, a fugitive millionaire and his inappropriately young girlfriend -- they proudly posted an iPhone photo to their blog of Vice editor-in-chief Rocco Castoro standing with the source of the mayhem in front of a jungly background, saying, "We are with John McAfee right now, suckers."
>
> With that posting, they went from chroniclers of vices to inadvertent narcs. They left the metadata in the photo, revealing McAfee's exact location, down to latitude and longitude. McAfee tried to claim he'd manipulated the data -- a claim that Vice photographer backed up on Facebook in a posting he's since deleted -- but then capitulated, hired a lawyer, and tried to claim asylum in Guatemala. Guatemalan authorities instead detained McAfee for entering the country illegally. All of which was dutifully reported by the Vice reporters, with no mention of their screw-up. Mat Honan at Wired excoriated Vice for its role in events:
>
> This was deeply stupid. People have been pointing out the dangers of inadvertently leaving GPS tags in cellphone pictures for years and years. Vice is the same publication that regularly drops in on revolutions and all manner of criminals. They should have known better.
>
> And they have the resources to do it better. Vice is a $100 million operation.
>
> Then, it followed up this egregiously stupid action with a far worse one. Vice photographer Robert King apparently lied on his Facebook page and Twitter in order to protect McAfee. Like McAfee, he claimed that the geodata in the photo had been manipulated to conceal their true location. ...
>
> But the coverup, as always, is worse than the crime. In claiming the geodata had been manipulated when it had not, Vice was no longer just documenting. Now it was actively aiding a fugitive wanted for questioning in the murder investigation of his neighbor Gregory Faull, who was shot dead at his own home.
>
> Via How Trusting In Vice Led To John McAfee's Downfall -- Wired.
>
> It was indeed deeply stupid. Journalists are professional dealers in information but many are terrible about protecting it. While willing to go to jail to protect their sources, journalists may wind up leaving them exposed instead through poor data practices. In a New York Times editorial last year, Chris Soghoian, now chief technologist at the ACLU, warned that "secrets aren't safe with journalists" explaining that "the safety of anonymous sources will depend not only on journalists' ethics, but on their computer skills."
>
> There are three very basic things journalists should be doing to shield their sources:
>
> Scrubbing metadata from photos, documents and other files.
> Resisting the desire to save copies of everything.
> Encrypting communications.
>
> Technologist Ashkan Soltani walked me through some simple tools for doing this. They're not foolproof, but they'll make it a little less likely that your blog post will wind up sending the person you're profiling to jail (unless that's your intent).
>
> 1. Scrubbing metadata.
>
> "All files -- photos, Word docs, PDFs -- include some kind of metadata: author, location created, device information," says Soltani. If you leave the metadata attached, you run the risk of exposing private information about the person who gave you the file, or, in the case of Vice, the location of the person trying to keep his location under wraps.
>
> Before you share a Word doc with the world that a source sent you, run it through a scrubber. Otherwise, it may reveal where the doc was created, who authored it and anyone who has ever made changes to it. There's Doc Scrubber for Microsoft Word.
> For PDF docs, use a tool like Metadata Assistant. Or use Adobe Acrobat's "Examine Document" tool which will scan the doc for hidden information.
> For photos, think about turning off geotagging on your phone or digital camera so that the information doesn't get included in the first place. You'll usually do that in your phone's "Location Settings." Instructions here.
> You can run your photos through a metadata scrubber. Or, if you don't care much about the resolution, you can just take a screenshot of the photo and use that metadata-free version.
> Some photo-hosting services do you the favor of scrubbing metadata. Facebook, Twitter and Instagram all have this privacy-protective measure in place.
>
> 2. Resisting the desire to save copies of everything.
>
> We live in a time when it's easy to save everything, meaning we've all become digital hoarders. Why delete an email or chat when you can just archive it? It could come in handy later. Or it could come back to bite you later.
>
> "Disable chat logs in whatever program you're using, Gmail or Skype," says Soltani. In Gmail, that means switching chats to "off the record." In Skype, it means turning off the feature that automatically saves your chats to anywhere you log in. (Added privacy bonus: That could keep your boss from winding up getting his hands on a sexy chat you had on your home computer.)
> If you need to keep a record of a chat, save it as a Word file on your own computer, and encrypt it.
> "Don't keep emails around for years and years," says Soltani. "Practice better data hygiene."
> Soltani says journalists and sources might consider setting up temporary email accounts to communicate about a story, and then to delete the accounts after the story's complete. He compares it to using a burner cell phone.
>
> 3. Encrypting your communications.
>
> This may be the most labor intensive of the recommendations from computer security professionals, but if it's important that your communications with someone not be compromised, it's worth it. This means your emails will appear as gibberish to anyone you don't want reading them. Had David Petraeus and Paula Broadwell encrypted their emails to one another rather than saving them in a drafts folder, their exposing themselves to each other wouldn't have been exposed to the world. "This allows you to communicate securely and protects your messages if your account is compromised," says Soltani.
>
> For chat, consider using Adium's OTR.
> Use a Virtual Private Network or create your own SSL.
> Take 30 minutes (more or less, depending on your savvy level) to set up SMime or PGP for Gmail so that the emails you send from whichever provider you use are encrypted. The only limitation here: you need to get the person you're communicating with to enable encryption as well.
> Rather than calling someone from your landline or cell phone, use Skype or Silent Circle.
>
> ***
>
> A journalist's job is to bring information to light. Using these tools, you'll retain some control over which information gets lit.
>
> 10 Incredibly Simple Things You Can Do To Protect Your Privacy
>
> Password Protect Your Devices
> Choosing not to password protect your devices is the digital equivalent of leaving your home or car unlocked. If you're lucky, no one will take advantage of the access. Or maybe the contents will be ravaged and your favorite speakers and/or secrets stolen.
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----

From eugen at leitl.org Mon Dec 17 12:18:56 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 17 Dec 2012 21:18:56 +0100
Subject: [liberationtech] Forbes recommends tools for journalists
Message-ID: <20121217201856.GP9750@leitl.org>

----- Forwarded message from Danny O'Brien -----

From adam at adamcolligan.net Mon Dec 17 19:24:13 2012
From: adam at adamcolligan.net (Adam Colligan)
Date: Mon, 17 Dec 2012 21:24:13 -0600
Subject: [Freedombox-discuss] Which mail server do people use with FBX?
Message-ID:

I've been wondering about something along these lines for a little while. Is there a potential capability in FreedomBox to transmit substantive, asynchronous messages between two or more parties directly through the mesh network, or at least within Tor? And can this be done without the highly complex and confusing business of running a mailserver?
It would clearly be a little silly if messages between dissidents on a mesh network, especially in a closed country, could route one another's packets but generally had to deposit messages at Google or another service to actually be read.

For real-time two-person messaging, there is already an off-the-shelf solution: including some form of torchat (jtorchat maybe?). For real-time multi-person messaging, the cryptocat protocol might have some promise, particularly if it could easily be tweaked to put the chatroom address on a hidden service.

If the FBXs have very high uptime, then the synchronous instant messaging protocol(s) might sort of work alright: the message just waits for the user to read it, or the sending FBX puts it in an outbox until it can establish a connection. But if there are significant uptime limitations (power outages, internet outages, people feeling the need to turn off or hide their FBXs when not in use), then maybe something more complex and robust needs to be considered.

Or has the consensus been that a full-on mailserver will be part of the setup?

_____________
Adam Colligan
AdamColligan.net

On 2012-12-17 06:00, freedombox-discuss-request at lists.alioth.debian.org wrote:
> Today's Topics:
>
> 1. Which mail server do people use with FBX? (Melvin Carvalho)

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss at lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss

----- End forwarded message -----

From gardellawg at gmail.com Mon Dec 17 21:18:29 2012
From: gardellawg at gmail.com (William Gardella)
Date: Tue, 18 Dec 2012 00:18:29 -0500
Subject: [Freedombox-discuss] Which mail server do people use with FBX?
Message-ID:

Mike Warren writes:
> Adam Colligan writes:
>
>> Is there a potential capability in FreedomBox to transmit substantive, asynchronous messages between two or more parties directly through the mesh network, or at least within Tor?
>
> This sounds along precisely those lines:
>
> https://github.com/agl/pond

See also http://dee.su/cables, already included as a component in Liberté Linux. It's essentially a peer-to-peer mail proxy between Tor hidden services; almost a 2012 take on the old UUCP bang paths, by the look of it.
--
WGG
I use grml (http://grml.org/)

----- End forwarded message -----

From mysidia at gmail.com Mon Dec 17 23:32:56 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Tue, 18 Dec 2012 01:32:56 -0600
Subject: William was raided for running a Tor exit node. Please help if you can.
Message-ID:

On 12/18/12, Henry Yen wrote:
> On Mon, Dec 17, 2012 at 20:45:04AM -0600, Jimmy Hess wrote:
> Physical threat is somewhat different than seizure by law enforcement, though.

I'm not so sure about that. It's a kind of physical threat; the set of all physical threats includes a subset of threats that are LEO threats involving authorities and are related to (quasi-)legal threats. The law enforcement personnel may have been paid off by a rogue party in the first place, to seize and "misplace" the data (e.g. deny the legitimate principal access to it for the purposes of competitive advantage), or to seize and "accidentally" leak the data to an overseas entity attempting to gain the data for economic advantage, by taking advantage of insufficient security controls of the law enforcement entity.

> the idea of encryption as a shield against law enforcement is not yet a settled issue in the US; see the "Fricosu" case. A nice explanation:
> https://www.eff.org/deeplinks/2012/03/tale-two-encryption-cases

It obviously wouldn't work for all kinds of data, but; even if it's not a 5th amendment issue; e.g. "required to reveal your keys and allow the data to be decrypted"; the POSSIBILITY has to exist that you can in fact know or recover the keys.
You can't testify against yourself, if you had your memory permanently wiped in some manner, so that you are incapable of ever recalling, because "there's nothing there to present" --- it doesn't matter if there was no 5th amendment, the fact your memory was wiped, erased the possibility of ever testifying.

If an automatic response to the security breach results in complete reliable destruction of physical and logical devices absolutely required to be fully intact to recover the keys and execute decryption activity, then "there is inherently nothing to provide", once that occurred; the remaining option would be for the LEO to dedicate massive computing resources over a sufficient hundred years, to discover the key through brute force key space search of 10^77+ keys. That's assuming no backups of the key devices.

> --
> Henry Yen Aegis Information Systems,

--
-JH

----- End forwarded message -----

From frank at journalistsecurity.net Tue Dec 18 06:26:18 2012
From: frank at journalistsecurity.net (frank at journalistsecurity.net)
Date: Tue, 18 Dec 2012 07:26:18 -0700
Subject: [liberationtech] Online journalist fatalities, deaths in combat both hit record highs
Message-ID:

Speaking of the need, today CPJ released its journalist killed figures for 2012. Two records: A record number of online journalists killed in 2012. And more journalists killed in combat situations in 2012 than in any previous year that CPJ has been keeping records. Syria is the main reason behind both trends, as Syrian citizen journalists filing to online outlets like Shaam News Network dominated this year's fatalities.
http://www.cpj.org/security/2012/12/combat-deaths-high-journalist-risk.php

Combat deaths at a high, risks shift for journalists
By Frank Smyth/Senior Adviser for Journalist Security

Ambulances carry the bodies of Marie Colvin and Rémi Ochlik, who were killed in government shelling in Syria. (Reuters/Khaled al-Hariri)

Murder is the leading cause of work-related deaths among journalists worldwide--and this year was no exception. But the death toll in 2012 continued a recent shift in the nature of journalist fatalities worldwide. More journalists were killed in combat situations in 2012 than in any year since 1992, when CPJ began keeping detailed records.

CPJ Special Report: Journalist deaths spike in 2012

The 23 journalists killed in combat-related crossfire make up 34 percent of the worldwide death toll this year, about twice the historical average. And beginning in 2010, the number of journalists killed while covering street protests or similar dangerous assignments has risen well above the rates recorded since 1992. Journalists carrying cameras--still photographers, television cameramen, and videographers--paid an unusually heavy price in recent years. Freelancers and online journalists have also composed an increasing proportion of fatalities during this timeframe. Many of those killed during combat and dangerous assignments were relatively inexperienced, with some of the victims in Syria still in their teens.

So what does this say? It's worth keeping in mind that the risks to journalists change with the news, and the conditions of 2012 won't necessarily be replicated in 2013 or in the future. But a few things stand out from the recent death tolls that demand the attention of the profession.

Technology has allowed individuals to cover and disseminate news on their own, without having an affiliation with a news organization.
The proportion of online journalists in CPJ's annual death tolls has been rising since 2008, but the 25 online journalists killed worldwide in 2012 represent a record. In Syria, the government worked hard to block the international press, prompting numerous Syrians to pick up cameras to document the violence and upload hours of their footage to online collectives such as Shaam News Network. During the political uprisings that swept the Arab world, domestic and international freelancers were similarly called to action. Individuals with cameras were more likely to be in harm's way as they sought to cover the tumult--and they were also more obvious targets for violence.

"I think we have to differentiate between local citizen journalists who report on what is happening in their own country and to their own people, and Western freelancers who go to places like Syria to report on the conflict," said Peter N. Bouckaert, emergencies director at Human Rights Watch who leads a Facebook group composed of conflict journalists and others. Citizen journalists "are part of a seismic shift in the media business, and we are just beginning to understand how we can use the materials they collect, and how we can work together to report better," Bouckaert said. "The role of Western freelancers is totally different. In a shrinking, increasingly risk-averse media environment, it is all too often freelancers who end up going to the places where the big media won't send their reporters."

Many inexperienced, young freelancers can be "lulled" into "a sense of false comfort," Bouckaert noted. "The smartest ones who went through Libya took a step back, and went to take a first-aid course and hostile environment training." But many media organizations that rely on stringers for news also need to step up, he added. "If we want to talk seriously about safety, we need to start getting the media organizations to start contributing more toward safety training and safety gear for freelancers."
The annual death tolls in Iraq during the peak of that nation's violence still exceed that of Syria: 32 journalists were killed in Iraq in both 2006 and 2007. But the large majority of deaths in Iraq, especially in the later years of the war, were not combat-related. They were murders. Local journalists working for Western news organizations and those working for local news outlets with perceived sectarian viewpoints were targeted for their affiliation, hunted down, and murdered by the dozen in Iraq. Murder has been the leading cause of death in Afghanistan as well.

Any conflict, including the war in Syria, could evolve in ways that would make journalists more vulnerable to targeted attacks than crossfire. That is what has happened, in effect, in Somalia. Government and allied troops largely ousted the militant group Al-Shabaab from the capital, Mogadishu, in 2011, but journalist murders have spiked in the aftermath as remnants of the insurgents and political factions jockey, violently, for control. All 12 journalists killed in Somalia in 2012 were murdered.

The 2012 death toll in Syria reflects the range of combat dangers. Many died in government artillery or aerial attacks on populated urban areas. Four were killed in crossfire between government and rebel forces. Four more were shot at close range, according to witnesses, during military operations by either government or rebel forces. Three were murdered outright in non-military circumstances. One journalist died in an explosion. Long-range snipers from either government or rebel forces killed three more. (The last time sniper fire claimed so many journalists' lives was in Bosnia, in 1992 and 1993.)

Many combat-related deaths are hardly faultless. In many instances, armed forces act recklessly in firing upon civilians such as journalists. In other cases, they appear to have targeted journalists in violation of international law.
Lebanese cameraman Ali Shaaban, who was working just over the border in Lebanon, was killed in a hail of 40 bullets fired by plainclothes Syrian security forces. U.S.-born correspondent Marie Colvin and French photographer Rémi Ochlik were killed in government shelling that struck their makeshift media center in Homs; journalists who survived believe the shelling was precise, indicating government forces had targeted the center.

Unfortunately, there is little accountability for attacks on journalists in Syria or elsewhere. "Most of these abuses remain unpunished," the United Nations Educational, Scientific and Cultural Organization said in a March 2012 report on journalist security. "States must therefore ensure that the perpetrators of crimes and acts of violence against media professionals and associated personnel are brought to justice, while also taking preventative measures to ensure that such crimes are not committed in the first place."

Here is one more statistic from CPJ's year-end analysis of journalist fatalities. The rate of accountability for journalist deaths in 2012? Zero.

Frank Smyth is CPJ's senior adviser for journalist security. He has reported on armed conflicts, organized crime, and human rights from nations including El Salvador, Guatemala, Colombia, Cuba, Rwanda, Uganda, Eritrea, Ethiopia, Sudan, Jordan, and Iraq. Follow him on Twitter @JournoSecurity.
Tags: Al-Shabaab, Ali Shaaban, Blogger, Homs, Internet, Killed, Marie Colvin, Rémi Ochlik, Shaam News Network

December 18, 2012 12:00 AM ET

-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----

-- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From jya at pipeline.com Tue Dec 18 05:02:58 2012
From: jya at pipeline.com (John Young)
Date: Tue, 18 Dec 2012 08:02:58 -0500
Subject: Why we all have a stake in the Freedom of the Press Foundation
In-Reply-To: <20121218080351.GZ9750@leitl.org>
References: <20121218080351.GZ9750@leitl.org>
Message-ID:

A worthy initiative for the press. Unfortunately press is only one means of freedom of expression, speech, writing, demonstration, opposition, dissent and creative trouble-making-- and hardly objective due to its commercial objective and very loud-mouth, conceit, craven to power and vanity bred by constitutional protection of its risk-averse cartel. Press has generated too many fortunes to be singled out for crowd-sourced support.

Freedom of the Press is way too limiting, but then that is the nature of its organizers and board members. The rich ones in particular are notably uninvolved in activities that would threaten their wealth and freedom to lord it over the poor fans being urged to crowd-fund just like venal politicians who also adore the press for amplifying their campaigns for dumping crocks of shit on the public.

Far better would be for a huge increase in disorganized initiatives of the unruly crowd far from being controlled and exploited by lucrative investment in "crowd-sourcing." Watch out for the crowd-sourcing predators driving the market in the cloud, the latest invention for spying on and profiling the public for marketing profits.
Dan Gillmor has been had by his friends, at best, at worst, complicit in the market boosting deception of obedient crowds.

From thuyarlette at overlandpartners.com Tue Dec 18 06:19:53 2012
From: thuyarlette at overlandpartners.com (Charleen Keeley)
Date: Tue, 18 Dec 2012 08:19:53 -0600
Subject: Lowest price 'VIAGRA'!!!! h14sda25
Message-ID: <23g32c11t67-45193905-481z7k66@errkjwdew>

Lowest price 'VIAGRA'!!!! Fast 'SUPER ACTIVE VIAGRA', huge discounts only $1.35 per pill plus FREE worldwide shipping fast! No prescription needed and satisfaction assured. BUY NOW!!! http://pillsfitnesspharmacy.ru

From eugen at leitl.org Tue Dec 18 00:03:51 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 18 Dec 2012 09:03:51 +0100
Subject: Why we all have a stake in the Freedom of the Press Foundation
Message-ID: <20121218080351.GZ9750@leitl.org>

----- Forwarded message from Peter Langston -----

From eugen at leitl.org Tue Dec 18 00:04:51 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 18 Dec 2012 09:04:51 +0100
Subject: [liberationtech] Forbes recommends tools for journalists
Message-ID: <20121218080451.GB9750@leitl.org>

----- Forwarded message from Steve Weis -----

From eugen at leitl.org Tue Dec 18 00:06:58 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 18 Dec 2012 09:06:58 +0100
Subject: [liberationtech] Forbes recommends tools for journalists
Message-ID: <20121218080658.GD9750@leitl.org>

----- Forwarded message from frank at journalistsecurity.net -----

From julian at julianoliver.com Tue Dec 18 02:13:52 2012
From: julian at julianoliver.com (Julian Oliver)
Date: Tue, 18 Dec 2012 11:13:52 +0100
Subject: [liberationtech] Forbes recommends tools for journalists
Message-ID:

..on Mon, Dec 17, 2012 at 03:28:31PM -0800, Brian Conley wrote:
> It's an SSD, so it's still not a secure wipe, no?

Indeed.
From 'Securely Destroying Data' chapter in The CryptoParty Handbook v1.1:

//----------------------------------------------------------------------------->

An important note on Solid State Hard Drives

The instructions below explain how to use file deletion tools to securely delete files from your hard drives. These tools rely on the Operating System you are using being able to directly address every byte on the hard drive in order to tell the drive "set byte number X to 0". Unfortunately, due to a number of advanced technologies used by Solid State Drives (SSDs) such as TRIM, it is not always possible to ensure with 100% certainty that every part of a file on an SSD has been erased using the tools below.

//<-----------------------------------------------------------------------------

Us Linux users with our lovely journaled file systems need to take care:

//----------------------------------------------------------------------------->

An important note on Journaled File Systems

Data Journaling is a feature of several modern file systems and presents a risk to secure data deletion. File-systems of this type include Ext3 and Ext4 (Linux), compressed file systems and RAID-based file systems.

The manual page for the deletion program Wipe says:

No secure deletion program that does filesystem-level calls can sanitize files on such filesystems, because sensitive data and metadata can be written to the journal, which cannot be readily accessed. Per-file secure deletion is better implemented in the operating system.

The manual page for the deletion program Shred says:

CAUTION: Note that shred relies on a very important assumption: that the file system overwrites data in place. This is the traditional way to do things, but many modern file system designs do not satisfy this assumption.
The following are examples of file systems on which shred is not effective, or is not guaranteed to be effective in all file system modes:

* log-structured or journaled file systems, such as those supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)
* file systems that write redundant data and carry on even if some writes fail, such as RAID-based file systems
* file systems that make snapshots, such as Network Appliance's NFS server
* file systems that cache in temporary locations, such as NFS version 3 clients
* compressed file systems

In the case of ext3 file systems, the above disclaimer applies (and shred is thus of limited effectiveness) only in data=journal mode, which journals file data in addition to just metadata. In both the data=ordered (default) and data=writeback modes, shred works as usual. Ext3 journaling modes can be changed by adding the data=something option to the mount options for a particular file system in the /etc/fstab file, as documented in the mount man page (man mount).

If you wish to delete data from a journaled file-system on Linux (mounted in data=journal mode) you should remount it in another mode. To be sure, remount your disk in Linux in data=ordered mode. See the manual page for the program mount on your system.

Solaris users or those with RAID systems are outside of the scope of this manual. Please see the relevant documentation and/or research your special case in order to be sure you are securely deleting your data.

//<-----------------------------------------------------------------------------

https://cryptoparty.org/wiki/CryptoPartyHandbook#Version_1.1

Cheers,

Julian

> On Dec 18, 2012 12:26 AM, "Eric S Johnson" wrote:
> >
> > > Secure deletion is a problem we could solve in software, by encrypting
> > > the data and then destroying the key to render the data unrecoverable,
> > > *if* we had a few bytes of persistent, erasable storage in which to
> > > store the key.
> > > (Storing the key on the SSD itself doesn't work,
> > > because then we can't securely delete the key.)
> > >
> > > I'm not aware of any suitable storage on current smartphones or
> > > personal computers
> >
> > Isn't this exactly how the iOS (v4+) can be remotely "wiped" in a couple
> > seconds? Everything's encrypted, so deleting the key ...
> >
> > Or are we saying the iOS's storage of the key is insecure?
> >
> > Best,
> > Eric

--
Julian Oliver
http://julianoliver.com
http://criticalengineering.org

----- End forwarded message -----

From gfoster at entersection.org Tue Dec 18 09:58:39 2012
From: gfoster at entersection.org (Gregory Foster)
Date: Tue, 18 Dec 2012 11:58:39 -0600
Subject: [drone-list] US Navy/DARPA/SAIC ACTUV
Message-ID:

YouTube (Dec 18) - "Anti-Submarine Warfare (ASW) Continuous Trail Unmanned Vessel (ACTUV)" by SAIC:
[1]https://www.youtube.com/watch?v=qMGNq_1ec3c

12-minute computer graphics film about the DARPA-funded ACTUV program by Science Applications International Corporation (SAIC), which aims to create an autonomous surface vessel capable of tracking submarines. It's interesting to see where the emphases are placed. Apparently this is part of a "single-award, cost-plus fixed-fee (CPFF) contract" worth ~$58M.
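The SSD and journaling caveats from the CryptoParty Handbook excerpt in Julian Oliver's message above, turned into a pre-flight check before running a filesystem-level wiper such as shred. This is an added example, not code from the handbook or from anyone in the thread; the sample mount table is constructed, and the sysfs paths used by the live check are an assumption about the host.

```shell
#!/bin/sh
# Added example (not from the CryptoParty Handbook or the thread above):
# before trusting a filesystem-level wiper such as shred on a file, check the
# three conditions the handbook text describes: an SSD backing device,
# ext3/ext4 mounted with data=journal, and filesystem types on which shred is
# not effective at all (XFS, JFS, ReiserFS, NFS, RAID or compressed systems).

# Constructed /proc/mounts-style sample for the offline demonstration.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,data=ordered 0 0
/dev/sda2 /home ext3 rw,relatime,data=journal 0 0
/dev/sdb1 /srv xfs rw,relatime 0 0
server:/export /mnt/nfs nfs rw,vers=3 0 0'

# Read /proc/mounts-style lines on stdin and print the entry whose mount
# point is the longest whole-component prefix of path $1 (so /home does not
# claim /homework).
find_mount_entry() {
  awk -v p="$1" '
    {
      mp = $2
      if (mp == "/" ||
          (index(p, mp) == 1 &&
           (length(p) == length(mp) || substr(p, length(mp) + 1, 1) == "/"))) {
        if (length(mp) > best_len) { best_len = length(mp); best = $0 }
      }
    }
    END { print best }'
}

# Print the ext3/ext4 data journaling mode listed in the mount options of
# entry $1; the kernel default, data=ordered, is assumed when none is listed.
journal_mode() {
  mode=$(printf '%s\n' "$1" | awk '{print $4}' | tr ',' '\n' |
         sed -n 's/^data=//p' | head -n 1)
  printf '%s\n' "${mode:-ordered}"
}

# Verdict for overwriting the file at $2 in place, given /proc/mounts text $1
# and the block device's rotational flag $3 (1 = spinning disk, 0 = SSD,
# anything else = unknown):
#   ok              in-place overwrite is expected to reach the file's blocks
#   ssd             TRIM and wear levelling give no certainty the data is gone
#   journal         ext3/ext4 data=journal: file data can survive in the journal
#   unsupported-fs  a filesystem type on which shred is not effective
#   unknown         no mount entry covers the path
shred_verdict() {
  entry=$(printf '%s\n' "$1" | find_mount_entry "$2")
  if [ -z "$entry" ]; then
    echo unknown
    return 0
  fi
  if [ "$3" = 0 ]; then
    echo ssd
    return 0
  fi
  fstype=$(printf '%s\n' "$entry" | awk '{print $3}')
  case "$fstype" in
    ext3|ext4)
      if [ "$(journal_mode "$entry")" = journal ]; then
        echo journal
      else
        echo ok
      fi
      ;;
    ext2) echo ok ;;
    *) echo unsupported-fs ;;
  esac
}

# Best-effort live check on a Linux host. Assumed sysfs layout:
# /sys/class/block/<dev>/queue/rotational for whole disks and
# /sys/class/block/<part>/../queue/rotational for partitions; the flag is
# reported as unknown when neither is readable (network filesystems, etc.).
check_path() {
  mounts=$(cat /proc/mounts)
  entry=$(printf '%s\n' "$mounts" | find_mount_entry "$1")
  dev=${entry%% *}
  dev=${dev#/dev/}
  rot=unknown
  for f in "/sys/class/block/$dev/queue/rotational" \
           "/sys/class/block/$dev/../queue/rotational"; do
    if [ -r "$f" ]; then
      rot=$(cat "$f")
      break
    fi
  done
  shred_verdict "$mounts" "$1" "$rot"
}

if [ "$#" -gt 0 ]; then
  check_path "$1"
fi
```

Anything other than "ok" means the handbook's advice applies: remount with data=ordered for the journal case, and do not rely on per-file overwrites at all for SSDs or the unsupported filesystem types.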
[2]http://investors.saic.com/phoenix.zhtml?c=193857&p=irol-newsArticle&ID=1757399

gf

--
Gregory Foster || [3]gfoster at entersection.org
@gregoryfoster <> [4]http://entersection.com/

References

1. https://www.youtube.com/watch?v=qMGNq_1ec3c
2. http://investors.saic.com/phoenix.zhtml?c=193857&p=irol-newsArticle&ID=1757399
3. mailto:gfoster at entersection.org
4. http://entersection.com/

_______________________________________________
drone-list mailing list
drone-list at lists.stanford.edu
Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/drone-list
If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. Should you need immediate assistance, please contact the list moderator.

----- End forwarded message -----

From eugen at leitl.org Tue Dec 18 07:35:08 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 18 Dec 2012 16:35:08 +0100
Subject: [liberationtech] Online journalist fatalities, deaths in combat both hit record highs
Message-ID: <20121218153508.GH9750@leitl.org>

----- Forwarded message from frank at journalistsecurity.net -----

From eugen at leitl.org Tue Dec 18 08:03:07 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 18 Dec 2012 17:03:07 +0100
Subject: [Freedombox-discuss] Which mail server do people use with FBX?
Message-ID: <20121218160307.GI9750@leitl.org>

----- Forwarded message from Adam Colligan -----

From nabiha.syed at gmail.com Tue Dec 18 14:48:36 2012
From: nabiha.syed at gmail.com (Nabiha Syed)
Date: Tue, 18 Dec 2012 17:48:36 -0500
Subject: [drone-list] New Brookings Paper on Domestic Drones
Message-ID:

In case you haven't seen it yet -- http://www.brookings.edu/research/papers/2012/12/14-drones-bennett

Unmanned at Any Speed: Bringing Drones into Our National Airspace
By: Wells C. Bennett

In February of this year, President Obama signed the Federal Aviation Administration Modernization and Reform Act of 2012 ("FMRA"). The new law's plain-sounding title doesn't tell you, but FMRA encompasses a bold and controversial project: allowing, by a date certain, much broader domestic operation of Unmanned Aircraft Systems ("UAS") or, as they are more commonly described, "drones." Congress instructed the Federal Aviation Administration ("FAA") to devise rules that, by late 2015, would allow widespread UAS use, both by private individuals and entities, and by federal, state and local governments. Between now and then the agency must meet a slate of statutory benchmarks. To name but one of many, a rule authorizing the private use of "small" UAS (those weighing less than fifty-five pounds) must be issued by August of 2013.

In this paper, "Unmanned at any Speed: Bringing Drones into our National Airspace," Wells Bennett assesses the current state of domestic drone integration. Among other things, Bennett overviews:

- FMRA's most important deadlines, and the FAA's progress in meeting them;
- The legal and historical backdrop to FMRA, including the FAA's longstanding, case-by-case approach to approving domestic drone flights;
- Some of the most pressing air safety, security, cybersecurity, and privacy policy questions that must be addressed, in order to allow for widespread domestic UAS operation under FMRA.
----- End forwarded message -----

From eugen at leitl.org Tue Dec 18 10:11:10 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 18 Dec 2012 19:11:10 +0100
Subject: [drone-list] US Navy/DARPA/SAIC ACTUV
Message-ID: <20121218181110.GM9750@leitl.org>

----- Forwarded message from Gregory Foster -----

From kettledrumxr5 at ricetec.com Tue Dec 18 08:36:20 2012
From: kettledrumxr5 at ricetec.com ("Дмитрий Андреевич.")
Date: Tue, 18 Dec 2012 19:36:20 +0300
Subject: Looking for a construction company!!!
Message-ID: <000d01cddd3d$cf1eacd0$6400a8c0@kettledrumxr5>

We are looking for a construction company able to build, to a high standard and on a short timescale, a tourist base styled as a German farmstead, 30 km from Moscow on the Kiev highway. According to the plan, the grounds of the recreation base will contain:

1. An administrative building of roughly 300-400 sq. m, with a restaurant, a summer kitchen, administrative rooms and a conference hall for 50-70 people.
2. 10 guest cottages of roughly 60-80 sq. m each. A guest house is designed to accommodate one family of 4-5 people, with two bedrooms, a small hall and a shower room with toilet.
A veranda with a barbecue must be attached to each house.
3. Two small free-standing bathhouses, each with a shower, a steam room and a relaxation room.
4. A mini-farm of 6 x 9 m for keeping domestic animals.
5. A craft workshop of 70-90 sq. m with utility rooms and a souvenir shop.

On the grounds of the recreation base an outdoor swimming pool and footpaths must be built, and landscape design and planting of the plot carried out. All utilities (gas, electricity, water supply) are no further than 20 m from the plot boundary. Sewerage: local septic tanks, one per cottage or one shared by several. The recreation base is intended for year-round use. The total turnkey construction cost needs to be calculated. We are ready to consider your existing designs and standard house plans that could be placed in the tourist base being created.

Tel. 8-909-940-40-53, Дмитрий Андреевич.

From Allan at ignati.us Tue Dec 18 12:07:35 2012
From: Allan at ignati.us (Stacy Quinn)
Date: Tue, 18 Dec 2012 21:07:35 +0100
Subject: Stacy Quinn sent you a message
Message-ID: <1BAE614C.3863DEA0@ignati.us>

A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 350 bytes
Desc: not available
URL:

From gfoster at entersection.org Tue Dec 18 22:38:14 2012
From: gfoster at entersection.org (Gregory Foster)
Date: Wed, 19 Dec 2012 00:38:14 -0600
Subject: [liberationtech] Quantum computation & communication
Message-ID:

After reading Assange, et al.'s "Cypherpunks: Freedom and the Future of the Internet", wherein classical encryption is presented as a panacea for ensuring privacy in an age of mass surveillance, I found the following article succinct in questioning the long-term viability of that narrative (or at least insisting on some qualifications). Quantum computation and communication is still a long distance away, but this article provides the outlines of how that technology will be used (and abused) by the institutions that will be able to afford it.
Aerospace & Defense News (Dec 19) - "Army Researchers Seek Secure Quantum Communications":
http://www.asdnews.com/news-46753/Army_Researchers_Seek_Secure_Quantum_Communications.htm

> For the U.S. Army, a secure quantum communications network is a
> technology investment worth making. Meyers said physicists around the
> world are pursuing quantum teleportation research.
>
> "One day we will have communication over worldwide distances with
> quantum repeaters as mediators at nodes in between," Meyers said.
> "We'll be able to teleport information globally. What we'll have is
> tamper-resistant security."
>
> Cyber-security is a major concern for military and civilian sectors.
>
> "This is important," he said. "The greatest potential that a quantum
> communications network holds for the Army is secure communications."
>
> As quantum computing takes hold in the coming decades, the potential
> for hacking exponentially increases.
>
> "Quantum computers will be able to easily decrypt communications that
> are currently secure," Meyers said. "We're talking decryption in
> seconds instead of years. That's one reason why it's vital for us to
> explore quantum encryption."

To understand the assertion that a sufficiently large quantum computer can (hypothetically) decrypt classically encrypted communications---from any time---see:
http://en.wikipedia.org/wiki/Shor's_algorithm

Will the economic effects of Moore's Law apply to quantum computers, facilitating the mass distribution and use of this technology for popular quantum cryptography? Probably not for some period of time, a time which may recapitulate the big iron power dynamics of the mainframe priesthood. It is that interim time period when there is likely to be a disparity in access to quantum computation that gives me pause.
However, in researching this post I was happy to learn that this threat is understood and research is underway into post-Quantum cryptography, which looks like it can be implemented on classical computers. So predictable future problems may be mitigated by avoiding reliance on particular cryptographic techniques that are known to be breakable by quantum computers, such as the RSA algorithm used by many contemporary public-key cryptography systems:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

I'll readily admit that I am about out of my depth here and welcome corrections and clarifications. If we see this probability emerging, then it seems like liberationtechnicians should be advocating review and redesign of the algorithms used in popular public-key cryptosystems.

HT @ASDNewsCom via @MrKoot:
http://twitter.com/ASDNewscom/status/281018815276539904

gf

--
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

----- End forwarded message -----

From jacob at appelbaum.net Tue Dec 18 21:26:05 2012
From: jacob at appelbaum.net (Jacob Appelbaum)
Date: Wed, 19 Dec 2012 05:26:05 +0000
Subject: [liberationtech] was: Forbes recommends tools for journalist; is now: depressing realities
Message-ID:

Hi,

frank at journalistsecurity.net:
> But if
>> you're getting information security advice from a Forbes blog, that
>> will be the least of your worries.
>
> Where would you suggest we get information security advice from?

This is an interesting question and I admit, I feel like it leaves a bad ring in my ears... What kind of security advice? Who is following the advice?
Does their context change while they follow this advice? Do they have resources of a user without more than a casual interest or are they well funded and dedicated? What are their requirements? What are their temporal tolerances? Do they understand safety plan or threat model without further explanation? What are the stakes for failure? The answer to each of those questions would shift my answers to subsequent questions around, I guess.

If I were to change that question a bit to be something that many people are familiar with - I'd say - Where do we get good health advice from? When I go to a general practice doctor, they might refer me to a specialist. But where do I find that doctor? And what if I have issues that are really expensive to solve? It leads us in a similar direction - we look for common certifications, credentials, ratings, feedback, word of mouth, etc. We get a general sense of things, hopefully if we're seeing a terrible doctor, we know before they cut us up or send us home when we really need a different kind of care.

It seems that some groups who do practical training are trying to be the specialist and the generalist. Sadly, because many of us are motivated by non-technical goals, say social justice, a real core background in many overlapping fields is simply missing. There isn't an advertised set of unified goals or principles stated where we try to work toward a set of solutions, nor is there a common set of agreed upon threat models that we're working with openly, and so on.

The Forbes article is junk for my threat model(s) and frankly, I think it is junk for everyone else on a long enough time line. An open question is mostly if anyone will ever do anything noteworthy enough to learn that it was junk at the time. If it had been written about biology and safe sex, I'd say it was offering sheep skin condoms as a partial solution; we'd all get a pretty bad feeling about it and commonly understand the problem with such solutions, right?
The technical details are so poorly understood by journalists that their ethics generally mean nothing; who cares if a journalist promises to keep a secret if they even have Skype *installed* on their laptop with confidential documents, emails or an OTR-enabled chat client? Their operational security is lower than the bar of the commercial market, we don't even have to begin to discuss intelligence agencies.

In almost any other topic, it is simply intolerable to let a person write complete nonsense advice as an authority. Such authors get a reputation for being worth ignoring and sometimes, they're the topic of the next article. Yet in the field of journalism, we see journalists who even proudly boast of their illiteracy, without realizing the recklessness of their choices, sometimes even the choice of straight up ignorance because security is simply too hard. Or refusing to even offer anything resembling a secure way to reach them, let alone actually something they try to use regularly.

I've rarely met journalists that encourage people to secure their communications - it does happen but wow, it is rare rare rare. Some journalists at least claim that they will go to jail before they'll give up sources, some won't make such claims or will even make the opposite claims. The signs of such journalists are easy to spot and still hard to confirm in any meaningful manner. When push comes to shove, even the best intentioned journalists still roll over when the might of the state crushes them under a pair of boots.

At least with a proper idea of how journalism is being undermined by the Surveillance State, such a journalist might get a clue about the level of help, protection and transitive risk they pose to sources. Such an understanding is largely missing from the dialog and the Forbes piece really obviously shows that the advice is the product of an extremely lacking study of the threat landscape.

What am I getting at?
When journalism was two people meeting in person, the people were the main piece that mattered, when research on who to contact was ephemeral, even a failed meeting wasn't a pinpointed event to be followed up on later. The (communications, crypto, electricity, etc) systems illiteracy means that otherwise core competencies of a solid journalist are undermined.

Where should 'we' get our information? From people who have a clue, I think, in whatever field where we're barely scratching the surface with our questions. When I wonder about specific cryptography issues, I don't go to Forbes, I'd take a class from Dan Boneh or Moxie. When I wonder about a pain in my chest, I go to a doctor for triage. When I want to solve those problems myself, I invest in my own education.

It seems to follow that if you're building a knowledge base for journalist security, it might make sense to build a collection of threat models, a collection of unified threats (eg: calls you make will be wiretapped, your location will be recorded, your email will be intercepted) you hope to address, and so on. It might also make sense to define who receives the advice; after all, if the trainers are simply middle (hu)man, why would someone at risk want to talk to them? It seems that if the goal is simply to benefit from the surplus of the labor of others, adding something to the mix might be a useful contribution to the community. We all bring different things to the table, right?

To put this a different way: I'm not a lawyer and while I doubt I'll ever be a lawyer, I accept that I do not need to have a law degree to have a clue. I also trust a number of people with law degrees to advise me but it took a lot of study, reading and frankly, rational self-interest in the self-survival department to even slightly *understand* their great advice. I've had the privilege of lawyer friends who didn't tolerate a lack of understanding while also making legal choices.
My ability to make decisions was simply not up to snuff without a clue. So at least in a few of my own legal cases, I've done a lot of research to understand the core ground rules of the system that I inhabit, even if the system is made up of things I don't fully like or even really understand in an intuitive sense. While I'm *certainly* not a lawyer, I might have enough of a clue to know who to call or how badly I don't know something.

So I wonder, what do journalists need to do? It seems to me that they should talk to the experts in the fields that are required for their specific operations. It also seems to me that they might want to work on not collaborating with the Surveillance State so much. As their lack of knowledge on the topic has basically made their job and their ethical commitments impossible unless they become full time security/privacy/anonymity/computer/network/telephone/etc experts.

So on the one hand, I feel for journalists that don't understand technology. But on the other hand, I think without understanding the way that the world works, they're calling themselves journalists without understanding that technology is as important as having credible sources - it isn't like photography, it isn't a value-add skill, it is a core and fundamental part of the job.

> Many here are quick to point out what people should not rely upon.
> But relatively few seem to want to assume the responsibility to
> suggest what people should use. We are gleaning material including
> on concepts from the Information Security chapter written by Danny in
> CPJ's Journalist Security Guide (full disclosure: I wrote the
> chapters on physical safety). We are looking for guidance on tools
> from Security-in-a-Box by Tactical Tech. And we are reviewing and
> closely following the discussion over the new Internews guide which
> covers both concepts and tools.
> We are also looking at relevant
> guides by Small World News by Brian and others, and Mobile Active by
> Katrin and Alix.
>

Security is a process and not simply a product that people use. I'm loathe to repeat that but that concept is worthy of deep thought. It isn't unlike asking which travel visa company we should call about entering Syria. Surely we wouldn't accept a guide that told us to simply call up the local tour company for advice. Rather, we'd want specifics, right? But to have specifics, we need grounding in reality - languages help, having street smarts helps and so on.

I look at all of the above guides and I think that they're interesting as an awareness and philosophy metric for the respective community that created it. Lots of unequal threat models, lots of varying capacities, lots of graphic design budgets and often very little scientific referencing for *positive* security claims.

> It seems to me that the above comprise the best available sources
> out there. Would you agree? Of course, if you or anyone has any
> other suggestions, we are all ears. The discussion itself over the
> Forbes blog and other material is all helpful. But backhanded snipes
> without the benefit of positive alternative suggestions are not.

No, I wouldn't agree. They're all nice efforts but frankly, all of them are lacking because they don't really explain the social stuff - the reality of the world stuff or the deep factual stuff - and are mostly about tools. There are parts that come close and are then not detailed about the technology, or they simply give up - where is the phone security guide that explains how to buy discrete SIMs for Satellite phones anonymously? Where is the IMEI changing guide for people using cell phones in Syria? Where are the threat modeling discussions that model real situations that actually exist, say for Egypt having a copy of FinFisher?
I would suggest reading the (yearly) proceedings from Blackhat, DefCon, NDSS, USENIX Security, Hack-in-The-Box, and others.

I would suggest trying to understand the fundamental human assumptions at play by studying behavior of people. Those guys who have generally hung out in the foreign correspondents club - they had a lot going for them but if you wanted to compromise them, how would their skills hold up in the modern world? Now do it to yourself, how would you embody that in a guide?

We wouldn't do a life critical bioassay with advice from the DIY bio community, right? Why is security that is also a life line different here?

I guess it isn't so simple and that is why it takes time - so I would suggest trying to find ways to encourage people to engage in intense self-study, in things that destroy apathy for the ills of the world with regard to personal liberty - so they can find resources that are otherwise seemingly unconnected on the surface that might otherwise go unnoticed.

Sorry for the shameless plug here but I feel it is contextually appropriate:
http://www.orbooks.com/catalog/cypherpunks/
( I make no money from this book; you can easily find it on bittorrent - please do! )

>
> Most people on this list and in conferences seem to be agreeing, at
> least lately if not also before, that if people who need to use the
> tools don't use them, then that becomes a security problem in and of
> itself. And that the overwhelming majority of people in places like
> Syria really do not understand the risks or practice best measures.
> Would you agree? Getting over these obstacles requires training, and
> also more transparency within this "Open Source" community about what
> we should be teaching people.

I think some of the best revolutionaries, journalists, activists and humans that I've ever met understand these issues quite well. That is to say - they understand emotional trauma, wiretapping, physical violence, hacked accounts, torture, legal issues and so on.
Many choose to take action even when the odds are stacked against them, even or often unprotected because of, say, the political gains or the tactical advantage in the moment. If I understood a point that Gene Sharp made once - trainings are ineffective without a larger framework and without specific understandings of specific words - meaning that is important is otherwise totally lost. So we need to consider the big picture as well as many different kinds of small details - to focus entirely on one area will leave us unbalanced, unprepared and, well, less effective. Perhaps to the point of being worse than when people at least tried to work outside of the systems they didn't understand...

I think that a long-term solution for, say, communications security is to normalize secure solutions and to pick some points of unity as part of the definition of secure. As an example - Free Software is a hard requirement for me in a serious situation, but being FL/OSS does not mean that it is secure. Again, we need processes, models, realistic situational awareness and so on for humans - not just an International House of Check Boxes with tools, no real desire to do anything more than scrape the barrel and no actual capacity.

> I am also learning not to take gratuitous snipes here personally. As
> it seems to be all too common within this group. But I do think we
> would serve a great many more people if we had more constructive
> conversations. Isn't that what this list is for?

I don't think Steve was trying to insult you, as he later clarified. That Forbes article really isn't an example of solid and cutting-edge advice. Some of their stuff, such as the stuff by Andy Greenberg, is top notch. Some of it is not even a notch... I agree that constructive conversations are useful for the list. If I were to dive right in - I'd say - could you give us examples of your operational security? I'll start and I'm curious to hear your follow-ups.
I run almost entirely Free Software for my general computing needs. I try to use only forward-secret cryptography for communication and I assume it only buys me time, rather than totally solving all of my problems. I use GPG with a hardware token, rather than with keys on my laptop. I encrypt all of my disks. I create honeypots to mess with people who mess with me. I use RedPhone, TextSecure, Tor, and so on - the usual suspects in the Free Software world. I assume that most things fail open. I buy most of my hardware with cash. I use different devices in different contexts. I don't believe that the Fourth Amendment actually protects the equipment I have in my home (electronically, physically, etc). I try to understand, extend and sometimes try to break the systems that I use - I try to only use systems that people I respect have built, analyzed or use themselves. I encourage everyone that I meet or talk with to use strong cryptography, anonymity services and to consider the transitive risk of behavior. I try to write software to improve this entire field and I try to work with end users as well as trainers. And so on.

An Evil Maid attack would own me in a lot of cases, so I carry my computers with me to some rather annoying places. I stopped carrying a cell phone regularly when I realized that it was simply a lost cause on the privacy front. I do counter-surveillance and surveillance-detection to try to catch people who try to tamper with my hardware or worse. I give samples of likely backdoors to better reverse engineers (than me) when in doubt.

I've been working hard for the last few years to show that these tactics and this kind of strategy isn't paranoia. Rather, such an understanding is required for the *current* Surveillance State, let alone the coming New and Improved Surveillance State.

How about you?

A good friend jokingly once told me that some people raise their paranoia to meet their security situation.
The joke was of course that I did the opposite: I raised the seriousness of my situation to match my paranoia and outlook. If you have to pick between the two - which side of things seems to have a possible positive outcome?

All the best,
Jacob

>> -------- Original Message --------
>> Subject: Re: [liberationtech] Forbes recommends tools for journalists
>> From: Steve Weis
>> Date: Mon, December 17, 2012 6:10 pm
>> To: liberationtech
>>
>> Just to go further down the tech tangent...
>>
>> There are SSD drives with full-disk encryption, such as the Intel
>> 520 series. Here's a paper, "Reliably Erasing Data From Flash-Based
>> Solid State Drives", from USENIX 2011 that analyzes disk sanitization
>> on several SSD drives. Their conclusion was that built-in
>> encryption and sanitization functions were most effective, but were
>> not always implemented correctly:
>> http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf
>>
>> Regarding storage for disk-encryption keys, PCs with TPMs can seal
>> keys such that they can only be unsealed if the machine is booted
>> to a verifiable state. Then you can leave the sealed key on the
>> disk, which is how BitLocker works.
>>
>> Keep in mind that TPMs can be compromised by physical attacks. They
>> aren't going to protect you from a moderately-funded forensics
>> effort. But if you're getting information security advice from a
>> Forbes blog, that will be the least of your worries.
>>
>> On Mon, Dec 17, 2012 at 1:42 PM, Michael Rogers wrote:
>>
>>> I'm not aware of any suitable storage on current smartphones or
>>> personal computers, so we may need to ask device manufacturers to
>>> add (simple, inexpensive) hardware to their devices to support
>>> secure deletion.
--
Unsubscribe, change to digest, or change password at:
https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From saftergood at fas.org Wed Dec 19 06:36:17 2012
From: saftergood at fas.org (Steven Aftergood)
Date: Wed, 19 Dec 2012 06:36:17 -0800
Subject: Secrecy News -- 12/19/12
Message-ID:

Format Note: If you cannot easily read the text below, or you prefer to receive Secrecy News in another format, please reply to this email to let us know.

SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2012, Issue No. 127
December 19, 2012

Secrecy News Blog: http://www.fas.org/blog/secrecy/

** CAN DISCLOSURES OF CLASSIFIED INFO BE AUTHORIZED?
** RISING ECONOMIC POWERS, AND MORE FROM CRS
** IMAGERY DECLASSIFICATION PREPARATIONS CONTINUE
** JASON ON "COMPRESSIVE SENSING" FOR DOD SENSORS

CAN DISCLOSURES OF CLASSIFIED INFO BE AUTHORIZED?

It is plainly true that executive branch officials will sometimes disclose classified information to reporters and other uncleared individuals. But this practice is not explicitly authorized in any official statement of classification policy. In fact, with an exception for life-threatening emergencies, it is usually understood to be prohibited. How can the obviously flexible practice and the seemingly prohibitive policy be reconciled?
A newly updated report from the Congressional Research Service presents a close reading of the relevant rules and regulations in search of some wiggle room for authorized disclosures of classified information.

"Nothing in the Executive Order addresses an informal procedure for releasing classified information [to reporters]. E.O. 13526 section 1.1 provides that '[c]lassified information shall not be declassified automatically as a result of any *unauthorized* disclosure of identical or similar information,' but does not address what happens in the event of a disclosure that was in fact authorized," the CRS report observes.

"By definition, classified information is designated as such based on whether its *unauthorized* disclosure can reasonably be expected to cause a certain level of damage to the national security. This may be read to suggest that disclosures may be authorized under such circumstances when no damage to national security is reasonably expected."

(But under those circumstances, it might be noted, the information should be promptly declassified.)

The CRS report, written by legislative attorney Jennifer K. Elsea, continues: "Nothing in the order provides explicit authority to release classified information that exists apart from the authority to declassify, but it is possible that such discretionary authority is recognized to release information outside the community of authorized holders without formally declassifying it."

Indeed, this appears to be an accurate characterization of actual practice. In any case, "there is little to stop agency heads and other high-ranking officials from releasing classified information to persons without a security clearance when it is seen as suiting government needs."

Again, an accurate description -- particularly since "the Attorney General has prosecutorial discretion to choose which leaks to prosecute."
See "The Protection of Classified Information: The Legal Framework," updated December 17, 2012:
http://www.fas.org/sgp/crs/secrecy/RS21900.pdf

Overall, "Executive Branch policy appears to treat an official disclosure as a declassifying event, while non-attributed disclosures [to reporters or others] have no effect on the classification status of the information," the author writes.

"For example, the Department of Defense instructs agency officials, in the event that classified information appears in the media, to neither confirm nor deny the accuracy of the information. The Under Secretary of Defense for Intelligence is then advised to 'consult with the Assistant Secretary of Defense for Public Affairs and other officials having a primary interest in the information to determine if the information was officially released under proper authority.'"

But, the CRS report astutely notes, the relevant DoD regulation "does not clarify what happens in the event the disclosure turns out to have been properly authorized." And so it seems that the DoD regulation offers the conceptual space for an authorized disclosure of classified information.

(As if to provide an ironic illustration of the point, the Under Secretary of Defense for Intelligence himself -- Michael Vickers -- was reportedly cited in a referral to the Department of Justice for disclosing potentially restricted information concerning the pursuit of Osama bin Laden to filmmakers. See "Bin Laden film leak was referred to Justice; leaker top Obama official" by Marisa Taylor and Jonathan S. Landay, McClatchy Newspapers, December 17, 2012. In a statement last night, the Department of Defense confirmed that Mr. Vickers is a subject of a pending Inspector General investigation. But it said the information in question was unclassified in its entirety.)

The CRS report naturally does not constitute an authoritative interpretation of the executive order, and in some respects it may be in error.
The report mistakenly states (at footnote 51) that the DOJ Media Leak Questionnaire that agencies must complete when referring a leak for investigation is "apparently... part of a Memorandum of Understanding concluded between the Department of Justice and elements of the Intelligence Community." But a review of the Memorandum, described in Secrecy News earlier this week, shows that that supposition is incorrect. The two are separate documents.

See "Crimes Reports and the Leak Referral Process," Secrecy News, December 17, 2012:
http://www.fas.org/blog/secrecy/2012/12/crimes_reports.html

Anti-leak legislation that is pending in the Senate would require executive branch officials to record all authorized disclosures of classified intelligence to the press, and to notify Congress when they occur (cf. sections 501 and 502 of Title V of the FY 2013 intelligence authorization bill). These provisions, which may prove unworkable in practice, are presumably intended to enable Congress to publicly comment on classified intelligence matters with the same freedom that agency officials already do. But the public interest concern raised by the notification provisions is that if they are strictly imposed, they may discourage all authorized disclosures of classified intelligence, yielding a net reduction in public access to government information.

RISING ECONOMIC POWERS, AND MORE FROM CRS

New and updated reports from the Congressional Research Service that Congress has directed CRS not to release to the public include the following.

Rising Economic Powers and U.S.
Trade Policy, December 3, 2012:
http://www.fas.org/sgp/crs/row/R42864.pdf

Unauthorized Aliens Residing in the United States: Estimates Since 1986, December 13, 2012:
http://www.fas.org/sgp/crs/misc/RL33874.pdf

DOD Alternative Fuels: Policy, Initiatives and Legislative Activity, December 14, 2012:
http://www.fas.org/sgp/crs/natsec/R42859.pdf

Federal Land Ownership: Current Acquisition and Disposal Authorities, December 13, 2012:
http://www.fas.org/sgp/crs/misc/RL34273.pdf

The Controlled Substances Act: Regulatory Requirements, December 13, 2012:
http://www.fas.org/sgp/crs/misc/RL34635.pdf

IMAGERY DECLASSIFICATION PREPARATIONS CONTINUE

Intelligence community officials have been meeting with representatives of the National Archives to discuss the anticipated declassification and release of intelligence imagery from the KH-9 satellite dating between 1971 and 1984.

Officials have been negotiating the transfer of the original negatives from the KH-9 system and the provision of finding aids, according to a newly released but heavily redacted report from the National Geospatial Intelligence Agency, dated June 2012.
http://www.fas.org/irp/agency/nga/imagery-declass.pdf

Multiple releases of declassified imagery are planned over the coming year "with final delivery of imagery scheduled for September 2013."

See "Intelligence Imagery Set to be Disclosed in 2013," Secrecy News, October 22, 2012.
http://www.fas.org/blog/secrecy/2012/10/hexagon_imagery.html

JASON ON "COMPRESSIVE SENSING" FOR DOD SENSORS

The latest report from the elite JASON science advisory panel is devoted to the subject of "compressive sensing." This term generally refers to the use of sensors for imaging (or other sensing) of an object in a manner that uses a limited subset of the available data in order to improve efficiency or conserve resources.
"Compressive sensing involves intentionally under-sampling an object or image, typically in a random manner, and then using a companion process known as sparse reconstruction to recover the complete object or image information...," the JASON report says.

"Compressed sensing can conceivably lead to reductions in data link requirements, reductions in radar resources needed for radar image formation (thereby providing the radar more resources for its other functions such as target detection, target tracking, and fire control), increased angular resolution without commensurate increases in array costs, and increased fields of view without degradation in resolution..."

"Compressive sensing is not a 'free lunch'," the report cautions, "but always involves a tradeoff; reduced data may save measurement resources, but it also means a lower signal-to-noise ratio and possibly other artifacts, such as side lobes or false alarms."

A copy of the new JASON report was obtained by Secrecy News. See "Compressive Sensing for DoD Sensor Systems," November 2012:
http://www.fas.org/irp/agency/dod/jason/compress.pdf

_______________________________________________
Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists.
The Secrecy News Blog is at:
http://www.fas.org/blog/secrecy/

To SUBSCRIBE to Secrecy News, go to:
http://www.fas.org/sgp/news/secrecy/subscribe.html

To UNSUBSCRIBE, go to
http://www.fas.org/sgp/news/secrecy/unsubscribe.html
OR email your request to saftergood at fas.org

Secrecy News is archived at:
http://www.fas.org/sgp/news/secrecy/index.html

Support the FAS Project on Government Secrecy with a donation:
http://www.fas.org/member/donate_today.html

_______________________
Steven Aftergood
Project on Government Secrecy
Federation of American Scientists
web: www.fas.org/sgp/index.html
email: saftergood at fas.org
voice: (202) 454-4691
twitter: @saftergood

----- End forwarded message -----

From underlinghf960 at realtyone.com Tue Dec 18 16:43:09 2012
From: underlinghf960 at realtyone.com (Recommended by the Ministry of Health)
Date: Wed, 19 Dec 2012 08:43:09 +0800
Subject: Bactericidal air humidifier! From the manufacturer
Message-ID: <000d01cddd81$d16095a0$6400a8c0@underlinghf960>

Health climate equipment. Bactericidal air humidifier! No microbes or bacteria in your home or office! A modern means of fighting colds, flu and ARVI. Widely used in children's institutions. Recommended by the Ministry of Health! Order by phone, directly from the manufacturer: (495) 798 -61-66

From mpm at selenic.com Wed Dec 19 07:38:02 2012
From: mpm at selenic.com (Matt Mackall)
Date: Wed, 19 Dec 2012 09:38:02 -0600
Subject: [liberationtech] Quantum computation & communication
Message-ID:

On Wed, 2012-12-19 at 00:38 -0600, Gregory Foster wrote:
> After reading Assange, et
> al.'s "Cypherpunks: Freedom and the Future of the Internet", wherein
> classical encryption is presented as a panacea for ensuring privacy in
> an age of mass surveillance, I found the following article succinct in
> questioning the long-term viability of that narrative (or at least
> insisting on some qualifications). Quantum computation and
> communication is still a long distance away, but this article provides
> the outlines of how that technology will be used (and abused) by the
> institutions that will be able to afford it.

Don't believe the hype.

Shor's algorithm for quantum factoring is a special case. With it, future large quantum computers may some day be able to break today's RSA and ECC, the two most popular schemes for public key encryption. However, most other cryptographic schemes (including several other public-key schemes) will NOT be rendered broken. Instead, they will become as strong as ciphers with half the key length. For instance, today's AES-256 will become as strong as today's AES-128. It is considered very unlikely that there will be significant breakthroughs in quantum computing theory to improve on that.

In short, given everything known today about the possible potential of quantum computers, it is already possible to do all the sorts of things we do with cryptography today in a way that is secure against future adversaries with quantum computers. Unfortunately, "Quantum Computing Not Really A Big Deal For Security" doesn't make for a very good magazine article.

To give you a sense of how far there is to go for quantum computers to be practical at breaking SSL, the largest number factored by researchers with a "quantum computer" is the number 143 (i.e. 11x13), though there's much debate about whether the approach used is actually "quantum". The largest undisputed result is for the number 21, also this year, besting the factoring of the number 15 in 2001.
Needless to say, you don't even need pencil and paper, let alone a quantum computer, to factor these sorts of numbers. By comparison, today's typical SSL keys have hundreds of digits.

The biggest risk is that the secrets you encrypt today with SSL or GPG might be decrypted by a very rich, patient adversary 20 to 50 years from now. That risk exists with or without quantum computers and I very much doubt the NSA and friends see enough code-breaking potential in quantum computing to be putting serious effort into it.

--
Mathematics is the supreme nostalgia of our time.

----- End forwarded message -----

From eugen at leitl.org Wed Dec 19 01:19:15 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 19 Dec 2012 10:19:15 +0100
Subject: [drone-list] New Brookings Paper on Domestic Drones
Message-ID: <20121219091915.GP9750@leitl.org>

----- Forwarded message from Nabiha Syed -----

From eugen at leitl.org Wed Dec 19 01:32:12 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 19 Dec 2012 10:32:12 +0100
Subject: [liberationtech] Quantum computation & communication
Message-ID: <20121219093212.GR9750@leitl.org>

----- Forwarded message from Gregory Foster -----

From eugen at leitl.org Wed Dec 19 02:07:13 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 19 Dec 2012 11:07:13 +0100
Subject: [liberationtech] Forbes recommends tools for journalists
Message-ID: <20121219100713.GV9750@leitl.org>

----- Forwarded message from Julian Oliver -----

From tireu at yahoo.com Wed Dec 19 13:26:03 2012
From: tireu at yahoo.com (Timothy Reuter)
Date: Wed, 19 Dec 2012 13:26:03 -0800 (PST)
Subject: [drone-list] DC Area Drone User Group
Message-ID:
For anyone in the Washington, DC area interested in using or building drones, you may want to check out the DC Area Drone User Group at http://www.meetup.com/DC-Area-Drone-User-Group/ . Our organization's mission is to promote the use of flying robots for humanitarian, artistic, and recreational purposes. We have some events in January to help people who want to build their own low-cost drones and we will be running a flight school in February. DC DUG is also going to have some policy events in 2013, so stay tuned if you are interested. I hope to see some of you at our future events.

_______________________________________________
drone-list mailing list
drone-list at lists.stanford.edu
Should you need to change your subscription options, please go to:
https://mailman.stanford.edu/mailman/listinfo/drone-list
If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
You will need the user name and password you receive from the list moderator in monthly reminders.
Should you need immediate assistance, please contact the list moderator.

----- End forwarded message -----

From weinberglf at ri-net.com Tue Dec 18 23:13:25 2012
From: weinberglf at ri-net.com (Recommended by the Ministry of Health)
Date: Wed, 19 Dec 2012 15:13:25 +0800
Subject: Bactericidal air humidifier! From the manufacturer
Message-ID: <32E42AC002434D57A05477FAF726DCDF@CHINA29995B605>

Health climate equipment. Bactericidal air humidifier! No microbes or bacteria in your home or office! A modern means of fighting colds, flu and ARVI. Widely used in children's institutions. Recommended by the Ministry of Health!
Order by phone, directly from the manufacturer: (495) 798 -61-66

From eugen at leitl.org Wed Dec 19 08:18:21 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 19 Dec 2012 17:18:21 +0100
Subject: Secrecy News -- 12/19/12
Message-ID: <20121219161821.GH9750@leitl.org>

----- Forwarded message from Steven Aftergood -----

From jacob at appelbaum.net Wed Dec 19 09:30:39 2012
From: jacob at appelbaum.net (Jacob Appelbaum)
Date: Wed, 19 Dec 2012 17:30:39 +0000
Subject: [liberationtech] Quantum computation & communication
Message-ID:

Gregory Foster:
> After reading Assange, et al.'s "Cypherpunks: Freedom and the Future of
> the Internet", wherein classical encryption is presented as a panacea
> for ensuring privacy in an age of mass surveillance, I found the
> following article succinct in questioning the long-term viability of
> that narrative (or at least insisting on some qualifications). Quantum
> computation and communication is still a long distance away, but this
> article provides the outlines of how that technology will be used (and
> abused) by the institutions that will be able to afford it.
>

We didn't state that "classical encryption" is a "panacea." Frankly, we didn't even present crypto in general as a panacea - rather, we presented it as a tactical solution that buys time for the social issues that crop up with a surveillance society, amongst other points. We discussed strong cryptography but we were hardly limiting it to RSA or DSA. In any case, most block ciphers aren't thought to be impacted by quantum computers. DJB (Bernstein_-_Post_Quantum_Cryptography.pdf) has a great book on the topic.

We tried to state the importance of understanding the threats, the reality and the worldwide market for such technology. Obviously, a lack of crypto is itself a threat when spying is essentially free.
And while I generally agree that "classical" crypto is only buying time from specific attackers in the long run, we argued that part of attacking is targeting - so to blend in with lots of other ciphertext makes it much harder for the attacker to locate a person.

If you have a specific passage where you feel that we state that classical encryption is a panacea to the problem of mass surveillance, I'd hope it is considered in the context of all the social discussion that has almost nothing to do with cryptography per se.

(In any case, thanks for reading the book, I hope you enjoyed it!)

All the best,
Jacob

> Aerospace & Defense News (Dec 19) - "Army Researchers Seek Secure
> Quantum Communications":
> http://www.asdnews.com/news-46753/Army_Researchers_Seek_Secure_Quantum_Communications.htm
>
>> For the U.S. Army, a secure quantum communications network is a
>> technology investment worth making. Meyers said physicists around the
>> world are pursuing quantum teleportation research.
>>
>> "One day we will have communication over worldwide distances with
>> quantum repeaters as mediators at nodes in between," Meyers said.
>> "We'll be able to teleport information globally. What we'll have is
>> tamper-resistant security."
>>
>> Cyber-security is a major concern for military and civilian sectors.
>>
>> "This is important," he said. "The greatest potential that a quantum
>> communications network holds for the Army is secure communications."
>>
>> As quantum computing takes hold in the coming decades, the potential
>> for hacking exponentially increases.
>>
>> "Quantum computers will be able to easily decrypt communications that
>> are currently secure," Meyers said. "We're talking decryption in
>> seconds instead of years. That's one reason why it's vital for us to
>> explore quantum encryption."
>
> To understand the assertion that a sufficiently large quantum computer
> can (hypothetically) decrypt classically encrypted communications---from
> any time---see:
> http://en.wikipedia.org/wiki/Shor's_algorithm
>
> Will the economic effects of Moore's Law apply to quantum computers,
> facilitating the mass distribution and use of this technology for
> popular quantum cryptography? Probably not for some period of time, a
> time which may recapitulate the big iron power dynamics of the mainframe
> priesthood. It is that interim time period when there is likely to be a
> disparity in access to quantum computation that gives me pause.
>
> However, in researching this post I was happy to learn that this threat
> is understood and research is underway into post-Quantum cryptography,
> which looks like it can be implemented on classical computers. So
> predictable future problems may be mitigated by avoiding reliance on
> particular cryptographic techniques that are known to be breakable by
> quantum computers, such as the RSA algorithm used by many contemporary
> public-key cryptography systems:
> http://en.wikipedia.org/wiki/Post-quantum_cryptography
>
> I'll readily admit that I am about out of my depth here and welcome
> corrections and clarifications. If we see this probability emerging,
> then it seems like liberationtechnicians should be advocating review and
> redesign of the algorithms used in popular public-key cryptosystems.
>
> HT @ASDNewsCom via @MrKoot:
> http://twitter.com/ASDNewscom/status/281018815276539904
>
> gf
>

----- End forwarded message -----

From eugen at leitl.org Wed Dec 19 08:46:20 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 19 Dec 2012 17:46:20 +0100
Subject: [liberationtech] Quantum computation & communication
Message-ID: <20121219164620.GM9750@leitl.org>

----- Forwarded message from Matt Mackall -----

From eugen at leitl.org Wed Dec 19 08:51:19 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 19 Dec 2012 17:51:19 +0100
Subject: [liberationtech] was: Forbes recommends tools for journalist; is now: depressing realities
Message-ID: <20121219165119.GP9750@leitl.org>

----- Forwarded message from Jacob Appelbaum -----

From eugen at leitl.org Wed Dec 19 08:55:32 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 19 Dec 2012 17:55:32 +0100
Subject: [liberationtech] Quantum computation & communication
Message-ID: <20121219165532.GT9750@leitl.org>

----- Forwarded message from Maxim Kammerer -----

From eugen at leitl.org Wed Dec 19 08:58:48 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 19 Dec 2012 17:58:48 +0100
Subject: William was raided for running a Tor exit node. Please help if you can.
Message-ID: <20121219165848.GV9750@leitl.org>

----- Forwarded message from Jimmy Hess -----

From eugen at leitl.org Wed Dec 19 09:01:43 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 19 Dec 2012 18:01:43 +0100
Subject: [Freedombox-discuss] Which mail server do people use with FBX?
Message-ID: <20121219170143.GX9750@leitl.org>

----- Forwarded message from William Gardella -----

From jacob at appelbaum.net Wed Dec 19 10:12:36 2012
From: jacob at appelbaum.net (Jacob Appelbaum)
Date: Wed, 19 Dec 2012 18:12:36 +0000
Subject: [liberationtech] was: Forbes recommends tools for journalist; is now: depressing realities
Message-ID:

Danny O'Brien:
> On Wed, Dec 19, 2012 at 05:26:05AM +0000, Jacob Appelbaum wrote:
>> Hi,
>>
>> frank at journalistsecurity.net:
>>> But if
>>>> you're getting information security advice from a Forbes blog, that
>>>> will be the least of your worries.
>>>
>>> Where would you suggest we get information security advice from?
>>
>> This is an interesting question and I admit, I feel like it leaves a bad
>> ring in my ears...
>>
>> What kind of security advice? Who is following the advice? Does their
>> context change while they follow this advice? Do they have the resources
>> of a user without more than a casual interest, or are they well funded
>> and dedicated? What are their requirements? What are their temporal
>> tolerances? Do they understand a safety plan or threat model without
>> further explanation? What are the stakes for failure?
>>
>> The answer to each of those questions would shift my answers to
>> subsequent questions around, I guess.
>
> Just to add some notes to Jake's excellent points to broaden the
> discussion. I hope I'm not thread-jacking, but it's Jake's comments that
> unlocked a lot of points that I've been thinking about recently.

I'm glad to hear it. :)

> Protecting Sources -- changing the relationship between reporter and source
>
> One social act that journalists can adopt which has nothing to do with
> technology, but everything to do with how technology has changed both
> the threats and the opportunities of journalism, is to consider what
> *has* to be known about a source.
Traditionally, the role between a > source and a journalist has been that there's an inner sanctum of shared > information, and then a set of carefully managed publicly released > data. > There is also a potential notion about the relationship itself being part of that inner sanctum. That is a rather unrealistic expectation without serious care. > For certain beats, there's all kinds of problems with this model at this > point. One is that technically and politically, it's getting harder to > protect the data in the inner sanctum, even within supposedly stable > open societies. Without exaggeration, we've accidentally built a > data-collection system that the Stasi would have marvelled at, and then put > all the pressure against its misuse on statutory protections that have > little oversight, poor incentives and almost no track record of punitive > action. > To make matters worse, we've created secret law, secret interpretation and have essentially zero accountability, except to bust up the people talking about it so that the public may learn about it. John Kiriakou, Bill Binney, Thomas Drake and Jesselyn Radack come to mind here. > Second, the management of the released information in order to protect > an identity is now practically a full-time security job in itself. > Forget protecting data that source and journalist agree is confidential; > even the information that has been agreed to be made public can be > compromising in ways that neither party could anticipate. This isn't a > question of ignorance, this is a question of how skillful we can now > collectively pool open source[1] info to deduce hidden data. I think it is more than one thing - so in some cases, it is a matter of simply ignoring the facts; try talking to people about the NSA warrantless wiretapping program and the data (which by the way, I'm confident has been used in the WikiLeaks investigation) produced by it of US citizens on US soil. 
Eyes will glaze over and people will simply refuse to discuss it. Quite depressing. In some cases, I agree that even if we know that is/has/will/etc happen - some people don't really understand the magnitude of the surveillance state. > It's a > precept of the security professionals I know that you simply can't > de-anonymise mass databases of information; what's unknown is how little > you can add to the wealth of already public information before a single > identity is uncovered. I think you need to come to PETS and the CCC Congress more often Danny! :) > In that sense, I'd welcome this Forbes piece, > because it's the first time that I've seen wide public discussion of > this problem -- that this journalist revealed information about their > source through what both agreed should be made public. I'm pretty sure > McAfee didn't even realise that this was a threat, let alone the editors > and writers at Vice. I'm not sure that I agree that it is the first time that this has happened. I think that it is also a stretch to say that Vice was totally clueless. WikiLeaks discussed these kinds of document issues long long ago - see some of the early CCC talks. Perhaps that doesn't count as wide? I'd say that all of the hubbub about redacted PDFs in the last ten years is perhaps more important and has received wider attention. > > My point here is that among all of these threats, there's also > opportunity. Some of the Net-savvier journalists I know now take a > minimal-knowledge approach to sources; you don't need to know who the > source is in order to verify the information you've been provided. This > is a situation that is I think historically unusual, but is increasingly > common. You work with the data itself to confirm its veracity. You don't > need to know whether a quarter of a million diplomatic cables were leaked > by a particular security analyst, because you can externally verify the > accuracy of the data. Indeed. Scientific Journalism. 
> > There are a lot of challenges to this approach, but there are advantages > too. It apparently increases the risk of being fed false flag info: but > it also prevents accepting false information through simply believing > authorities. It decreases the value of personal contacts in journalism, > but it increases the value of data analysis. But most importantly, it > helps both of the major problems in journalist-source protection. It > eliminates the requirement to preserve the inner sanctum, and aligns the > incentives of the journalist with the source to test and validate the > safety of revealing data to the public. > I think that it changes the relationship to the so-called authorities; now they're perhaps just an anonymous person, where previously, they were a specific person. Or they're an unknown person and a special person is quoted as interpreting what it means. The latter is quite common and historically quite common, I think. > [1] in the old fashioned sense of open source intelligence > [2] speaking as someone who was asked by McAfee about how cellphones > triangulate location (I didn't answer) -- even if you have your name on > a security product doesn't mean you're an expert in all security. > "Very carefully Mr. McAfee, very carefully." > Revealing our methods > > I'm really really happy that Jake has talked a little about his own > procedures, because we're really bad at this as a community. There are a > couple of reasons for this, I think. The first is that despite all of > our talk about the dangers of security through obscurity, we're all > scared that revealing public information about our setup exposes us to > increased risk. Second, we're scared of looking stupid, or being exposed > to condemnation. > I'm not sure that I agree strongly with the first part - when someone suggests that they use Tails, that is pretty specific! The second is certainly true - and often - reasonable! 
Lots of people make really bad choices and they hardly understand why they made those choices. Certainly from a technology standpoint but also from a social standpoint. > I think both of these concerns are valid. If I told you that I used > FreeBSD 7.4 on my server, say, and that I'm a big fan of > libpurple-driven OTR clients, it's possibly made it somewhat more > convenient to find out a way of attacking me, even though there's at > least a couple of ways that I'm emitting those facts almost constantly. > Sure, I generally agree on all counts: user-agent: Mutt/1.5.21 (2010-09-15) > Second, if I *did* tell everyone I use libpurple, or that I have Skype > on my machine, I'd be extremely vulnerable to people pointing out that > libpurple is not exploit-free and that Skype is used as a vulnerability > distribution vector. > That I think is exactly the right discussion to have - specifically because there is a reason to use libpurple (ahem, pidgin-otr) and a reason to use Skype (ahem, fuck, what was it again?). > I don't know what to do about this. As a community, we jump on people > who publicly reveal less-than-perfect security practices. But we've > all -- even if it is in retrospect -- realised risky things we've done > in the past. We can't learn from our mistakes, and worse, others can't > learn from our mistakes, unless we admit to them. We can't berate coders > for not exposing their programs to security audits, unless we have a > better way of sharing the practical knowledge we ourselves use every > day, and we're not going to do that if we just spend our time pretending > we anticipated the latest zeroday years before it actually came about. > -- I'm not entirely sure but I think one answer is not to assume things secure by default. Another is probably to understand that things written in C are likely to have lots of specific memory corruption issues - regardless of *which* codebase is in use. 
Lots of the zeroday in use today is really lame - not just buffer overflows that are known to exist or are patched but not shipping (ahem, pidgin on Windows) - rather, simply not caring about metadata, location privacy, or stuff said over phones, or sent over HTTP... All the best, Jake -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE From mk at dee.su Wed Dec 19 08:36:43 2012 From: mk at dee.su (Maxim Kammerer) Date: Wed, 19 Dec 2012 18:36:43 +0200 Subject: [liberationtech] Quantum computation & communication Message-ID: On Wed, Dec 19, 2012 at 8:38 AM, Gregory Foster wrote: > Aerospace & Defense News (Dec 19) - "Army Researchers Seek Secure Quantum > Communications": > http://www.asdnews.com/news-46753/Army_Researchers_Seek_Secure_Quantum_Communications.htm > >> "Quantum computers will be able to easily decrypt communications that are >> currently secure," Meyers said. "We're talking decryption in seconds instead >> of years. That's one reason why it's vital for us to explore quantum >> encryption." I am yet to see evidence that quantum computing is viable for any non-trivial number of qubits. I think it is more likely that we will see the idealized notion of quantum superposition break once QC is pushed far enough, resulting in physics, but not computation breakthrough, and in ability to still use finite fields-based cryptography, just with bigger key lengths. 
Also, as pointed out by Matt Mackall above, there is a frequent misconception that quantum computers are anything like non-deterministic Turing machines -- they are not, and shuffling-based (i.e., symmetric-key, classical) cryptography is still resistant to QC, assuming it's actually resistant to classic computing as well (which is generally seen as a much stronger assumption than, e.g., assuming that factoring is hard). Caveat emptor: not my field, inb4 hate from QC people. -- Maxim Kammerer Liberté Linux: http://dee.su/liberte -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE From panhandledsgb02 at rochester.rr.com Wed Dec 19 05:54:44 2012 From: panhandledsgb02 at rochester.rr.com (=?koi8-r?B?IvfZINPP18XS28XO09TXzyEi?=) Date: Wed, 19 Dec 2012 19:24:44 +0530 Subject: =?koi8-r?B?+s/Mz9TPyiBJUGhvbmUtNSDy1d7OwdEg0sHCz9TBIMnUwczY0c7Ty8/H?= =?koi8-r?B?zyDNwdPUxdLB?= Message-ID: <2FE875C2F95E4C6F9CFB8106191EB109@ptkuser> Precious handmade iPHONE 5 and iPHONE 4s phones from a famous Italian designer. Price from 86,000 rubles. TODAY'S PROMOTIONS: - A gold CAVIAR iPhone 4s as a gift when you buy two CAVIAR iPhone 5s, - Italian Prosecco and black caviar for every buyer, - 25% discount on the CAVIAR iPhone 4s. Our website: http://голд-айфон.рф From eugen at leitl.org Wed Dec 19 11:05:46 2012 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 19 Dec 2012 20:05:46 +0100 Subject: [liberationtech] Quantum computation & communication Message-ID: <20121219190546.GZ9750@leitl.org> ----- Forwarded message from Jacob Appelbaum ----- From eugen at leitl.org Wed Dec 19 11:25:32 2012 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 19 Dec 2012 20:25:32 +0100 Subject: 
[liberationtech] was: Forbes recommends tools for journalist; is now: depressing realities Message-ID: <20121219192532.GC9750@leitl.org> ----- Forwarded message from Jacob Appelbaum ----- From eugen at leitl.org Wed Dec 19 23:40:09 2012 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 20 Dec 2012 08:40:09 +0100 Subject: [drone-list] DC Area Drone User Group Message-ID: <20121220074008.GD9750@leitl.org> ----- Forwarded message from Timothy Reuter ----- From warner at lothar.com Thu Dec 20 09:36:20 2012 From: warner at lothar.com (Brian) Date: Thu, 20 Dec 2012 09:36:20 -0800 Subject: [tahoe-dev] Weekly Dev notes, 20-Dec-2012 Message-ID: It's our last weekly chat of the year! Here are some notes: in attendance: Zooko (scribe), Marlowe, freddyb, amiller, David-Sarah, Warner (late) * translation: Rana from the Tor project walked Marlowe through workflow; Their git repo is checked by transifex. Transifex git pulls their repo. The one thing we have to do manually is that transifex has no way to check for malicious coding added in translations, like XSS/injection-style attacks. Transifex maintains a glossary of "one-offs", words that appear. voulnet does translations for Guardian Project and Tor and would be interested in doing Tahoe-LAFS as well. * Tenerife, Blake2 * ticket notes: #937, #1159, #1539: land them! #1240: probably ready to land #1525: if tests can be made to pass, land it! #1298: trivial, let's land it. If DS doesn't land by this weekend, warner will. #1643: DS will poke at it, else warner will try to fix #1679: warner will try to write a test, test_client.NodeMaker #166: DS will consider 166-3.diff, if no objections by this weekend, warner will land. 
The -d issue can be figured out for 1.11 #1732: warner will try to write a patch this weekend #1802: warner will write the patch #1735: warner will review and land #1777: warner will land rest of 1.10 tickets: can be landed if simple, else kick out to 1.11 * 1.10: warner will make a push this weekend and over holidays. Goal is to get a 1.10-alpha1 out by xmas, then aim for 1.10-final by late January. * leasedb * warner still needs to review davidsarah/1818-leasedb * we still need to implement starter-lease code before landing 1818-leasedb, probably in january * DS will rebase 1819-cloud-merge on top of 1818-leasedb * DS decided to stick with separate SI,shnum columns instead of a single merged shareid column: sqlite accepts foreign keys and unique keys and handles primary keys well enough that quota-measuring queries (finding unique lists of shares owned by a given account) are simple, or at least they can't be simplified enough to justify the denormalization hit * DS will consider adding the additional leasedb state-transitions to the docs (COMING->GONE when the upload process is interrupted before the backend creates any part of the share object, STABLE->GONE when the shares are deleted out-of-band, GOING->GONE when the share deletion process is interrupted but completes anyways), even before those transitions are actually implemented. There will be no dev call next week on 27-Dec-2012. We'll meet again 03-Jan-2012. happy holidays! 
-Brian _______________________________________________ tahoe-dev mailing list tahoe-dev at tahoe-lafs.org https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE From saftergood at fas.org Thu Dec 20 10:45:11 2012 From: saftergood at fas.org (Steven Aftergood) Date: Thu, 20 Dec 2012 10:45:11 -0800 Subject: Secrecy News -- 12/20/12 Message-ID: Format Note: If you cannot easily read the text below, or you prefer to receive Secrecy News in another format, please reply to this email to let us know. SECRECY NEWS from the FAS Project on Government Secrecy Volume 2012, Issue No. 128 December 20, 2012 Secrecy News Blog: http://www.fas.org/blog/secrecy/ ** DETAINED LINGUIST RELEASED UNDER SUPERVISION ** CONGRESS PERMITS RECLASSIFICATION OF RESTRICTED DATA ** OFFSHORING, CHEMICAL WEAPONS, AND MORE FROM CRS DETAINED LINGUIST RELEASED UNDER SUPERVISION Yesterday former Navy contract linguist James Hitselberger, who has been charged under the Espionage Act with mishandling classified records, was ordered released under supervision while awaiting trial. Mr. Hitselberger is a multi-lingual translator and collector of rare documents, including records that are now housed in a dedicated collection at the Hoover Institution at Stanford University. Unfortunately for him, the government says that his collection activity extends to some documents that are currently classified. (Document Collector Charged Under Espionage Statute, Secrecy News, November 7, 2012). http://www.fas.org/blog/secrecy/2012/11/collector_charged.html Prosecutors had opposed his pre-trial release, arguing that he had fled from law enforcement by traveling for months through Europe, and that he posed a flight risk. But Mr. 
Hitselberger's public defender argued effectively that he could not have "fled" since he had not been charged with anything until recently, that he had traveled openly under his own name, that he remained in contact with his former employer, and that he voluntarily returned to a U.S. Army facility in Kuwait to recover his possessions. "As far as he knew, Mr. Hitselberger was free to travel--which he did," Judge Rudolph Contreras summarized in a memorandum opinion issued today. "And as he traveled, he kept in regular contact with many people through many means, openly used his United States passport, and was willing to go to a military base, which no reasonable fugitive would be likely to do." http://www.fas.org/sgp/jud/hitsel/122012-memop.pdf Therefore Judge Contreras ruled for the defense and granted his release, albeit under "high intensity supervision" and with "Global Positioning System monitoring" of his whereabouts. Moreover, "he is expressly prohibited... from entering or being in the immediate vicinity of Union Station, any other bus or train station that provides service outside of the Washington metropolitan area, or any airport...." http://www.fas.org/sgp/jud/hitsel/121912-order.pdf Mr. Hitselberger has no record of criminal activity, no predisposition to violent behavior, and even prosecutors admit that he was not engaged in espionage on behalf of a foreign power. There is also no indication that even the mildest adverse consequence arose from his alleged conduct. And yet the government has opted to charge him with two felony counts under the Espionage Act, which seems like an extraordinary overreaction given the circumstances. In a different policy environment, loss of job and loss of clearance -- which Mr. Hitselberger has already suffered -- would have been deemed a fully satisfactory response to an offense of this type and magnitude. Thus, speaking at his 1997 CIA confirmation hearing about his response to leaks (at p. 
108), George Tenet said "I don't want to prosecute anybody; I want to fire somebody. That will send the right signal to people." http://www.fas.org/irp/congress/1997_hr/tenet.pdf But today, the Obama Justice Department seems unwilling to accept anything short of the maximum available punishment for unauthorized disclosures, at least for those who are not senior officials or acting under color of authority. It's not only the Administration, however. This week the House and Senate adopted a sense of Congress resolution urging the Department of Justice to "investigate possible violations of Federal law related to unauthorized disclosures of classified information," adding that "in appropriate cases, individuals responsible for such unauthorized disclosures should be prosecuted to the full extent of the law." http://www.fas.org/sgp/congress/2012/unauth.html Further anti-leak legislation is under imminent consideration in the Senate. Meanwhile, the White House yesterday issued a new "National Strategy for Information Sharing and Safeguarding." "To foster trust and safeguard our information, policies and coordinating bodies must focus on identifying, preventing, and mitigating insider threats and external intrusions, while departments and agencies work to enhance capabilities for data-level controls, automated monitoring, and cross-classification solutions," the Strategy states. http://www.fas.org/sgp/eprint/strategy.pdf CONGRESS PERMITS RECLASSIFICATION OF RESTRICTED DATA Certain nuclear weapons-related information that has been removed from the category of Restricted Data (RD) and designated as Formerly Restricted Data (FRD) can now be restored to the RD category, under a provision approved by Congress in the FY 2013 national defense authorization act. http://www.fas.org/sgp/congress/2012/rd-reclass.html Until now, the removal of information from the Restricted Data category was irreversible, being prohibited by the Atomic Energy Act. 
That prohibition is nullified by the new legislation. The authority to reclassify FRD as RD was requested by the Department of Energy last year. "There is sensitive nuclear weapons design information embodied in some FRD... that should be subject to the more stringent security protections afforded RD now than current programmatic capabilities of DoD and the Intelligence Community permit," wrote Energy Secretary Steven Chu in an August 4, 2011 letter. (Dept of Energy Wants to Reclassify Some Info as 'Restricted Data', Secrecy News, January 17, 2012.) http://www.fas.org/blog/secrecy/2012/01/doe_rd.html From an outside point of view, the reclassification of any such information will be undetectable and should not entail an increase in government secrecy. RD and FRD are equally opaque to the general public. In fact, the move could potentially have positive repercussions. By removing the most sensitive information from the FRD category, it should become more feasible to treat the remaining FRD as "ordinary" classified information and to declassify it in an orderly fashion-- something which does not happen currently. Improving declassification procedures for FRD was among the recommendations presented to the White House earlier this month by the Public Interest Declassification Board. http://www.archives.gov/declassification/pidb/ "FRD information concerns the military utilization of nuclear weapons, including storage locations and stockpile information and often dates from the end of World War II through the height of the Cold War," the PIDB explained in its report. "Although often no longer sensitive or current, this type of FRD information is of high interest to researchers yet remains largely unavailable to the public, because there is no process for systematically reviewing it for declassification and release under the terms of the Executive Order for national security information." 
Therefore, the PIDB recommended, "The classification status of Formerly Restricted Data (FRD) information should be re-examined. A process should be implemented for the systematic declassification review of historical FRD information." In a 2010 statement to the PIDB, the Federation of American Scientists suggested that the FRD category be eliminated altogether, arguing that it has become obsolete and unnecessary. But such a step was further than the PIDB was prepared to go. http://www.fas.org/sgp/eprint/sa-frd.pdf The Senate voted last week to reauthorize the Public Interest Declassification Board until 2014, and the House followed suit yesterday by a vote of 409-1. Rep. Don Young of Alaska voted against the measure for reasons he did not explain. http://www.fas.org/sgp/congress/2012/pidb-reauth.html OFFSHORING, CHEMICAL WEAPONS, AND MORE FROM CRS New and updated reports from the Congressional Research Service that Congress has not made available to the public include the following. Offshoring (or Offshore Outsourcing) and Job Loss Among U.S. Workers, December 17, 2012: http://www.fas.org/sgp/crs/misc/RL32292.pdf Chemical Weapons: A Summary Report of Characteristics and Effects, December 13, 2012: http://www.fas.org/sgp/crs/nuke/R42862.pdf Party Leaders in the United States Congress, 1789-2012, December 18, 2012: http://www.fas.org/sgp/crs/misc/RL30567.pdf U.S. Wind Turbine Manufacturing: Federal Support for an Emerging Industry, December 18, 2012: http://www.fas.org/sgp/crs/misc/R42023.pdf Survivor Benefits for Families of Civilian Federal Employees and Retirees, December 18, 2012: http://www.fas.org/sgp/crs/misc/RS21029.pdf The Federal Communications Commission: Current Structure and Its Role in the Changing Telecommunications Landscape, December 18, 2012: http://www.fas.org/sgp/crs/misc/RL32589.pdf _______________________________________________ Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists. 
The Secrecy News Blog is at: http://www.fas.org/blog/secrecy/ To SUBSCRIBE to Secrecy News, go to: http://www.fas.org/sgp/news/secrecy/subscribe.html To UNSUBSCRIBE, go to http://www.fas.org/sgp/news/secrecy/unsubscribe.html OR email your request to saftergood at fas.org Secrecy News is archived at: http://www.fas.org/sgp/news/secrecy/index.html Support the FAS Project on Government Secrecy with a donation: http://www.fas.org/member/donate_today.html _______________________ Steven Aftergood Project on Government Secrecy Federation of American Scientists web: www.fas.org/sgp/index.html email: saftergood at fas.org voice: (202) 454-4691 twitter: @saftergood ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE From faltersse at rossiluigi.com Wed Dec 19 23:49:15 2012 From: faltersse at rossiluigi.com (=?koi8-r?B?ItPVzcvJLcTM0dfTxcgu0sYi?=) Date: Thu, 20 Dec 2012 13:19:15 +0530 Subject: Spam : =?koi8-r?B?8M/EwdLJ1MUg1sXO3cnOwc0g09XNy8kg8NLBxMEs59XeySz7wc7FzNgu?= =?koi8-r?B?IOsgy8HWxM/KINPVzcvFINDBzMHO1MnOINcg0M/EwdLPyyE=?= Message-ID: <34F19C6296844DD7A1D9E64E74A31CD4@spr1> Stylish women's and men's bags by Prada, Gucci, Chanel and others from 6,750 rubles! A gift with every bag! We deliver to your home or office! Our website сумки-длявсех.рф From Grady at e-mailnewsletterstrategies.com Thu Dec 20 09:02:06 2012 From: Grady at e-mailnewsletterstrategies.com (Aldo Mendoza) Date: Thu, 20 Dec 2012 18:02:06 +0100 Subject: Aldo Mendoza sent you a message Message-ID: <1804D05D.8F5FB2FA@e-mailnewsletterstrategies.com> A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 239 bytes Desc: not available URL: From dafterwuk7 at ripegroup.com Thu Dec 20 04:56:09 2012 From: dafterwuk7 at ripegroup.com (=?koi8-r?B?IvPVzcvJIOXX0s/QwSI=?=) Date: Thu, 20 Dec 2012 20:56:09 +0800 Subject: =?koi8-r?B?8M/EwdLJ1MUg1sXO3cnOwc0g09XNy8kg8NLBxMEs59XeySz7wc7FzNgu?= =?koi8-r?B?IOsgy8HWxM/KINPVzcvFINDBzMHO1MnOINcg0M/EwdLPyyE=?= Message-ID: <644296549D654E9A9FE50BAD4B39C8B6@ONJUT44GTJKTFGX> Stylish women's and men's bags by Prada, Gucci, Chanel and others from 6,750 rubles! A gift with every bag! We deliver to your home or office! Discounts and gifts at www.сумки-длявсех.рф From mayolakris at jsainc.com Thu Dec 20 14:10:22 2012 From: mayolakris at jsainc.com (Steffanie) Date: Fri, 21 Dec 2012 03:10:22 +0500 Subject: Check out the latest SPECIAL OFFERS including FREE PILLS and FREE SHIPPING at prices from $1.23 for VIAGRA SUPER ACTIVE 61dpii8m Message-ID: <22w95y91n34-44403251-468p7y99@gpswwcogoh> HURRY VIAGRA SUPER ACTIVE from $1.23!! Check out the latest SPECIAL OFFERS including FREE PILLS and FREE SHIPPING at prices from $1.23 for VIAGRA SUPER ACTIVE and more GREAT DEALS on CIALIS, LEVITRA, KAMAGRA just to name a few!!! http://rxdrugstoremedications.ru From fadsskf at robinsonsupply.com Thu Dec 20 15:41:48 2012 From: fadsskf at robinsonsupply.com (=?koi8-r?B?IvPVzcvJIOXX0s/QwSI=?=) Date: Fri, 21 Dec 2012 06:41:48 +0700 Subject: =?koi8-r?B?8M/EwdLJ1MUg1sXO3cnOwc0g09XNy8kg8NLBxMEs59XeySz7wc7FzNgu?= =?koi8-r?B?IOsgy8HWxM/KINPVzcvFINDBzMHO1MnOINcg0M/EwdLPyyE=?= Message-ID: Stylish women's and men's bags by Prada, Gucci, Chanel and others from 6,750 rubles! A gift with every bag! We deliver to your home or office! 
Discounts and gifts at www.сумки-длявсех.рф From r.deibert at utoronto.ca Fri Dec 21 04:15:11 2012 From: r.deibert at utoronto.ca (Ronald Deibert) Date: Fri, 21 Dec 2012 07:15:11 -0500 Subject: [liberationtech] In Ex-Soviet States, Russian Spy Tech Still Watches You Message-ID: Libtech FYI In Ex-Soviet States, Russian Spy Tech Still Watches You | BY ANDREI SOLDATOV AND IRINA BOROGAN | 12.21.12 http://www.wired.com/dangerroom/2012/12/russias-hand/all/ "Manned by the country's main security service, the FSB, this 'System of Operative Search Measures' has been in use for more than two decades. But recently, SORM has been upgraded. It is ingesting new types of data. It is being used as Moscow's main tool for spying on the country's political protesters. And it has become extremely useful in the quest to make sure that the Kremlin's influence in the former Soviet Union continues long into the second regime of Vladimir Putin." A joint investigation by Agentura.Ru, CitizenLab and Privacy International. 
Ronald Deibert Director, the Citizen Lab and the Canada Centre for Global Security Studies Munk School of Global Affairs University of Toronto (416) 946-8916 PGP: http://deibert.citizenlab.org/pubkey.txt http://deibert.citizenlab.org/ twitter.com/citizenlab r.deibert at utoronto.ca -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE From jacob at appelbaum.net Thu Dec 20 23:49:42 2012 From: jacob at appelbaum.net (Jacob Appelbaum) Date: Fri, 21 Dec 2012 07:49:42 +0000 Subject: [liberationtech] Skype redux Message-ID: Hi, In light of the recent thread on journalism, I wanted to share this link about Skype: https://en.greatfire.org/blog/2012/dec/china-listening-skype-microsoft-assumes-you-approve "With 250 million monthly connected users, Skype is one of the most popular services for making phone calls as well as chatting over the Internet. If you have friends, family or business contacts abroad, chances are you are using Skype to keep in contact. Having said that, you are probably not aware that all your phone calls and text chats can be monitored by the censorship authorities in China. And if you are aware, chances are that you do not consent to such surveillance. Microsoft, however, assumes that you do consent, as expressed in their Privacy Policy: "Skype, Skype's local partner, or the operator or company facilitating your communication may provide personal data, communications content and/or traffic data to an appropriate judicial, law enforcement or government authority lawfully requesting such information. Skype will provide reasonable assistance and information to fulfill this request and you hereby consent to such disclosure. 
All the best, Jacob -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE From eugen at leitl.org Fri Dec 21 01:48:50 2012 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 21 Dec 2012 10:48:50 +0100 Subject: [tahoe-dev] Weekly Dev notes, 20-Dec-2012 Message-ID: <20121221094850.GP9750@leitl.org> ----- Forwarded message from Brian ----- From philodendronsybz1 at rogersmarvel.com Thu Dec 20 19:51:25 2012 From: philodendronsybz1 at rogersmarvel.com (=?koi8-r?B?Iv7B09kgydog5dfSz9DZIM3V1t7JzsHNIMkg1sXO3cnOwc0gICI=?=) Date: Fri, 21 Dec 2012 10:51:25 +0700 Subject: =?koi8-r?B?8sHTy8/bztnKINDPxMHSz8sg08XCxSDJIMLMydrLyc0hIP7B09kgLSD7?= =?koi8-r?B?18XKw8HS08vJxSDNxcjBzsnazdkh?= Message-ID: <87057132D07F45D5842AACF401D09DC0@CJFJDRUGLT1> Wristwatches with Swiss movements from Denmark! The most precise replicas of elite designs, 25-month warranty! Huge discounts now at http://часы-тут.рф From eugen at leitl.org Fri Dec 21 01:52:54 2012 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 21 Dec 2012 10:52:54 +0100 Subject: Secrecy News -- 12/20/12 Message-ID: <20121221095254.GQ9750@leitl.org> ----- Forwarded message from Steven Aftergood ----- From zookog at gmail.com Fri Dec 21 10:28:01 2012 From: zookog at gmail.com (Zooko O'Whielacronx) Date: Fri, 21 Dec 2012 11:28:01 -0700 Subject: [cryptography] introducing BLAKE2 - an alternative to SHA-3, SHA-2 and MD5 Message-ID: Folks: SHA-3 (Keccak) is a fine alternative to SHA-2, has a substantially different design from the SHA-2 family, and has excellent performance in hardware. 
However, many use cases need an alternative to MD5: something with better security properties than MD5 but with high performance in software. To that end, we've defined BLAKE2, an optimized version of SHA-3 finalist BLAKE that is faster than MD5 on Intel 64-bit CPUs. https://blake2.net

Target applications include cloud storage (my current field), revision control tools, software distribution, host-based intrusion detection, and digital forensics, areas where MD5 and SHA1 currently dominate.

We do not think that this superior software performance comes at a cost of reduced security. We argue that much of the extensive security analysis performed on BLAKE during the SHA-3 process applies to BLAKE2 and shows no cause for concern about BLAKE2's security. Please see the blake2.pdf white paper for the details of that argument.

In addition, I'll make an argument here that we did not put into the white paper: A guiding factor in NIST's choice of Keccak over BLAKE for SHA-3 was that they wanted SHA-3 to be substantially different from SHA-2 so that it could serve as a fallback in case a breakthrough suddenly revealed SHA-2 to be vulnerable. This was NIST's reason for choosing Keccak over BLAKE even though by their own estimation BLAKE's security margin was comparable to Keccak's and the depth of cryptanalysis that had been applied to BLAKE was greater than that applied to Keccak.

That is a good strategy for choosing an algorithm to serve as an emergency fallback, in case SHA-2 suddenly breaks. On the other hand, if SHA-2 remains unbroken, and you are considering the security of BLAKE2, then the fact that it is a traditional Add-Rotate-XOR design like SHA-2 should give increased confidence. When the SHA-3 project began, there was concern among many cryptographers that a breakthrough might appear at any moment and reveal SHA-2 to be vulnerable. Since that hasn't happened after years of study, this concern has faded, and SHA-2 appears for now to have withstood the test.
I think a similar argument could be made for the way that BLAKE2 re-uses the ChaCha/Salsa20 stream cipher, which has not been found to have any serious vulnerability.

In addition to the superior software performance of the basic single-threaded, linear mode, BLAKE2 includes variants optimized for 32-bit architectures, for SIMD/multicore processors, for Merkle-Tree applications, and for message integrity checking.

I'm particularly keen on the SIMD/multicore variant, a parallelized mode named "BLAKE2*p", because almost all modern CPUs, even a lot of the cheap and power-efficient 32-bit ARM chips, come with efficient SIMD features. It looks like it will be possible to have 4-way or 8-way parallelized BLAKE2*p which are many *times* as efficient as MD5, on both short files and long files.

Once we've finished porting, measuring, and experimenting with the different modes of BLAKE on different machines, we intend to write a "b2sum" command-line tool, which we hope will eventually replace "md5sum" in the unix user's toolset. (Thanks to the performance engineering of J.P. Aumasson and Samuel Neves.)
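The three uses singled out in Zooko's announcement (an md5sum replacement, message integrity checking, and tree hashing) worked through in Python's standard hashlib, which ships BLAKE2b with its keyed and tree parameters. This is an added example, not code from the message or from the BLAKE2 project; the manifest layout, the sample file contents and the key are constructed for the demo, and the tree function uses hashlib's tree parameters to illustrate the mode without claiming byte-compatibility with BLAKE2bp.

```python
"""BLAKE2 in practice: a b2sum-style manifest, keyed integrity tags and
tree hashing, using Python's standard hashlib (BLAKE2 is built in since 3.6).

Added example, not code from Zooko's message or from the BLAKE2 project.
The manifest layout mirrors md5sum's "<hex>  <name>" lines; the sample files
and the key are constructed for the demo.
"""
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # read size for streaming; any size gives the same digest


def b2sum_stream(fobj, digest_size=64):
    """Hash a binary file-like object incrementally, the way md5sum walks a file."""
    h = hashlib.blake2b(digest_size=digest_size)
    for block in iter(lambda: fobj.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def b2sum_bytes(data, digest_size=64):
    return b2sum_stream(io.BytesIO(data), digest_size)


def make_manifest(files):
    """files: {name: bytes} -> manifest text, one '<hex>  <name>' line per file."""
    return "".join(f"{b2sum_bytes(data)}  {name}\n" for name, data in sorted(files.items()))


def verify_manifest(manifest, files):
    """Return the names whose current content does not match the manifest."""
    bad = []
    for line in manifest.splitlines():
        expected, name = line.split("  ", 1)
        if name not in files:
            bad.append(name)
            continue
        # compare_digest: the manifest may have arrived over an untrusted channel
        if not hmac.compare_digest(b2sum_bytes(files[name]), expected):
            bad.append(name)
    return bad


def keyed_tag(key, data, digest_size=32):
    """BLAKE2b keyed mode: a MAC without the HMAC wrapper (key up to 64 bytes)."""
    return hashlib.blake2b(data, key=key, digest_size=digest_size).hexdigest()


def tree_hash(data, leaf_size=4096, inner_size=64):
    """Two-level BLAKE2b tree hash: leaves of leaf_size bytes are hashed
    independently (so they can be computed in parallel), then a root node
    hashes the leaf digests. Uses hashlib's tree parameters (node_offset,
    node_depth, last_node, ...) in the same way as the hashlib documentation's
    tree example. Illustrates the tree mode; not claimed to match BLAKE2bp."""
    params = dict(fanout=0, depth=2, leaf_size=leaf_size, inner_size=inner_size)
    leaves = [data[i:i + leaf_size] for i in range(0, len(data), leaf_size)] or [b""]
    root = hashlib.blake2b(node_depth=1, node_offset=0, last_node=True, **params)
    for i, leaf in enumerate(leaves):
        node = hashlib.blake2b(leaf, digest_size=inner_size, node_depth=0,
                               node_offset=i, last_node=(i == len(leaves) - 1),
                               **params)
        root.update(node.digest())
    return root.hexdigest()


def demo():
    """Constructed files: build a manifest, then detect a tampered file."""
    files = {
        "release.tar": bytes(range(256)) * 40,      # 10240 bytes, constructed
        "README": b"constructed sample file\n",
    }
    manifest = make_manifest(files)
    tampered = dict(files, README=b"constructed sample file\n# one line added")
    key = b"constructed-demo-key"                   # hypothetical key
    return {
        "clean": verify_manifest(manifest, files),
        "tampered": verify_manifest(manifest, tampered),
        "tag": keyed_tag(key, files["release.tar"]),
        "tag_other_key": keyed_tag(b"another-key", files["release.tar"]),
        "sequential": b2sum_bytes(files["release.tar"]),
        "tree": tree_hash(files["release.tar"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The keyed mode is the point to notice for integrity checking: because BLAKE2 takes the key as a parameter-block input rather than through the HMAC construction, one call replaces HMAC-MD5 without the double hashing. The tree digest is deliberately different from the sequential digest of the same bytes (the parameter block and the inputs differ), so a manifest must record which mode produced it.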
Regards, Zooko

_______________________________________________ cryptography mailing list cryptography at randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message -----

From lists at infosecurity.ch Fri Dec 21 02:57:34 2012 From: lists at infosecurity.ch (Fabio Pietrosanti (naif)) Date: Fri, 21 Dec 2012 11:57:34 +0100 Subject: [liberationtech] Namecoin: secure, anti-censorship naming system based on bitcoin Message-ID:

Hi all, I encountered a project called Namecoin: http://dot-bit.org/Main_Page

Namecoin is a peer-to-peer *generic* name/value datastore system based on Bitcoin technology (a decentralized cryptocurrency). It allows you to:
* Securely register and transfer arbitrary names, *no possible censorship!*
* Attach values to the names (up to 1023 bytes)
* Trade and transact namecoins, the digital currency *NMC*.

There's also a proposal to use Namecoin as a naming system for Tor: http://dot-bit.org/Namespace:Tor

I am wondering if this system has already been seriously considered as a resilient human-readable crypto naming system for other crypto and anti-censorship projects, as it seems quite promising, but I didn't get deeper technically. Any opinion?
Fabio

----- End forwarded message -----

From eugen at leitl.org Fri Dec 21 03:08:40 2012 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 21 Dec 2012 12:08:40 +0100 Subject: [liberationtech] Namecoin: secure, anti-censorship naming system based on bitcoin Message-ID: <20121221110840.GU9750@leitl.org> ----- Forwarded message from "Fabio Pietrosanti (naif)" -----

From eugen at leitl.org Fri Dec 21 03:08:56 2012 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 21 Dec 2012 12:08:56 +0100 Subject: [liberationtech] Skype redux Message-ID: <20121221110856.GV9750@leitl.org> ----- Forwarded message from Jacob Appelbaum -----

From Lila at familycaravanholidays.com Fri Dec 21 03:21:19 2012 From: Lila at familycaravanholidays.com (Arthur Mercado) Date: Fri, 21 Dec 2012 12:21:19 +0100 Subject: Arthur Mercado sent you a message Message-ID: <9E373CBB.6432923A@familycaravanholidays.com> A non-text attachment was scrubbed... Name: not available Type: text/html Size: 356 bytes Desc: not available URL:

From gfoster at entersection.org Fri Dec 21 10:48:24 2012 From: gfoster at entersection.org (Gregory Foster) Date: Fri, 21 Dec 2012 12:48:24 -0600 Subject: [liberationtech] Social Media Combatants Message-ID:

YouTube (Dec 20) - "Israel: Unlawful Attacks on Palestinian Media" by Human Rights Watch: http://www.youtube.com/watch?v=dz4gcp78Ix4

Documents HRW's on-the-ground research into Israeli targeting of journalists during the November 2012 war.
The 3.5 minute video excerpts an Al Jazeera interview in which Israeli government spokesman Mark Regev advocates interpreting the broadcast of "command and control" information as criteria for distinguishing "legitimate" journalists protected by international law from non-legitimate journalists who can be regarded as combatants and targeted as such.

gf

> Australian Strategic Policy Institute blog "The Strategist" (Dec 13) - "Are social media users now legitimate targets?" by Chloe Diggins: http://www.aspistrategist.org.au/are-social-media-users-now-legitimate-targets/
>
> Diggins is a Research and Analysis Officer in the Australian Army's Directorate of Army Research and Analysis (DARA) Land Warfare Studies Centre (LWSC): http://www.army.gov.au/our-future/DARA/LWSC
>
> In the blog post, which is qualified as Diggins' personal opinion rather than the established policy of her institution, Diggins reflects on what is characterized as "Israel and Hamas' recent social media war":
>
>> Whether social media is making an effective contribution or not remains to be seen. However, by creating and perpetuating a narrative that influences public opinion, social media is contributing to a defined military operation and has become integral to the information and communication space. As a legitimate part of the conflict, social media (and its users) becomes a valid military objective.
>
> HT @MartinHume via @cencio4: http://twitter.com/cencio4/status/280420701599571970
>
> gf

-- Gregory Foster || gfoster at entersection.org @gregoryfoster <> http://entersection.com/

----- End forwarded message -----

From eugen at leitl.org Fri Dec 21 04:16:02 2012 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 21 Dec 2012 13:16:02 +0100 Subject: [liberationtech] In Ex-Soviet States, Russian Spy Tech Still Watches You Message-ID: <20121221121602.GA9750@leitl.org> ----- Forwarded message from Ronald Deibert -----

From scottywo98 at robinhumbard.com Fri Dec 21 01:27:44 2012 From: scottywo98 at robinhumbard.com (=?koi8-r?B?Iv7B09kgydog5dfSz9DZINcg7c/Ty9fFIg==?=) Date: Fri, 21 Dec 2012 16:27:44 +0700 Subject: =?koi8-r?B?88vJxMvJIMTPIDUwJSDOwSAxMDAlcmVmIPvXxcPB0tPLycggIN7B08/X?= =?koi8-r?B?IPDP08zFxM7JxSDEzskgxM/T1MHXy8kg0M8g7c/Ty9fFIQ==?= Message-ID:

The best online watch boutique in Moscow! We deliver for free, and you decide whether to buy or not! Quality guaranteed with a 25-month warranty! Our site: http://часы-тут.рф

From microsurgerynba7 at rcrinternational.com Fri Dec 21 02:41:12 2012 From: microsurgerynba7 at rcrinternational.com (=?koi8-r?B?Ik0tR3JvdXAmIPUgzsHTINPLycTLySEi?=) Date: Fri, 21 Dec 2012 18:41:12 +0800 Subject: =?koi8-r?B?8sHT09nMy8Eg18Hbycgg0MnTxc0sINLFy8zBzdkg0M8gzsHbxcogwsHa?= =?koi8-r?B?xSEg?= Message-ID: <1E8F2554A9B44B2490F026D5F31A7F0E@XP201203131253>

Effective ways to deliver information to your customers by e-mail. Our database: 8,500,000 subscribers across Moscow and Russia. December, the season of winter surprises. We are pleased to offer you promotions. Prices are for a mailing to our database!
1 mailing - 2,500 (old price 3,000); 3 - 6,000 (old price 9,000); 5 - 7,500 (old price 15,000); Super package! 10 - 12,000 rubles! A month - 25,000 (old price 60,000). Contacts: +7 9ОЗ ООО 6ОЗ О a9030006030 at yahoo.com

From schoen at eff.org Fri Dec 21 19:07:14 2012 From: schoen at eff.org (Seth David Schoen) Date: Fri, 21 Dec 2012 19:07:14 -0800 Subject: [liberationtech] Google Hangout the new, better skype? Was Re: Skype redux Message-ID:

Christopher Soghoian writes:
> I have asked Google's policy team, repeatedly, about what capabilities they have for intercepting Hangout conversations, and I always get the same vague no comment.
>
> Although Google is a clear transparency leader when it comes to reporting aggregate stats on the # of requests that they receive, they still suck when it comes to actually discussing their technical surveillance capabilities, as well as the legal standards they follow when providing surveillance assistance.

I sympathize with your frustration about Google and other companies' unwillingness to talk about their interception capabilities.

In the particular case of Hangouts, it seems clear that the Hangout data is encrypted only between the user and Google, and not end-to-end. If so, intercepting Hangouts is even easier for Google than intercepting Skype calls is for Microsoft, since they don't even have to tamper with the key exchange process. They can just program their servers to passively record cleartext data already in their possession.

It's disconcerting to see what a low priority secure end-to-end encryption continues to be for most designers of communications systems. (There might be technical reasons, too -- like wanting to transcode video, translate it, add captions, etc., but if people won't talk about the subject at all, we might never know the exact balance of factors that led to their decisions.)
Two challenges for end-to-end encryption which have been discussed on this list are that many people want to access particular communications systems from multiple devices, and they may expect to use some services with a web browser instead of by installing a native client. The former means they might expect to access a service from a device where their private key isn't available (and, if they manage to copy the private key onto many devices, the risk of key compromise goes way up); the latter means that they're at risk of receiving a fresh backdoored version every time they connect. But we may be able to solve both of these things to some extent.

A thornier challenge is that articulated demand for end-to-end crypto is very low, and arguably _falling_. So even though many of us have strongly criticized Skype's security model for years, they've felt no obvious embarrassment or need to change it, and others have felt no compunction about introducing new products with even lower levels of cryptographic protection, or even with explicit backdoors (like current work at ETSI on next-generation GSM voice encryption)!

If Google _were_ willing to comment, they might say that very few users had voiced any objection to the Hangout security model, and that the product continues to be adopted on a huge scale, providing incremental security benefits relative to using a telephone.
-- Seth Schoen Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107

----- End forwarded message -----

From eugen at leitl.org Fri Dec 21 10:33:20 2012 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 21 Dec 2012 19:33:20 +0100 Subject: [cryptography] introducing BLAKE2 - an alternative to SHA-3, SHA-2 and MD5 Message-ID: <20121221183320.GN9750@leitl.org> ----- Forwarded message from Zooko O'Whielacronx -----

From eugen at leitl.org Fri Dec 21 10:53:06 2012 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 21 Dec 2012 19:53:06 +0100 Subject: [liberationtech] Social Media Combatants Message-ID: <20121221185306.GP9750@leitl.org> ----- Forwarded message from Gregory Foster -----

From coderman at gmail.com Fri Dec 21 22:08:00 2012 From: coderman at gmail.com (coderman) Date: Fri, 21 Dec 2012 22:08:00 -0800 Subject: [liberationtech] Skype redux In-Reply-To: <50D5409A.7030209@gmail.com> References: <20121221110856.GV9750@leitl.org> <50D5409A.7030209@gmail.com> Message-ID:

On Fri, Dec 21, 2012 at 9:09 PM, Threedev wrote:
>...
> Is there a FLOSS video calling system out there that is an alternative to Skype that has some sort of encryption capability to it? I haven't seen anything yet.

csipsimple is getting closer. the ZRTP voice works great but video leaves much to be desired.

twinkle does ZRTP but video still on the roadmap.

ekiga claims to intend to add ZRTP support at some point, not holding my breath...

yup, you're right. FLOSS video calling with end-to-end crypto sorely lacking.
:/

From coderman at gmail.com Fri Dec 21 22:14:44 2012 From: coderman at gmail.com (coderman) Date: Fri, 21 Dec 2012 22:14:44 -0800 Subject: [liberationtech] Skype redux In-Reply-To: References: <20121221110856.GV9750@leitl.org> <50D5409A.7030209@gmail.com> Message-ID:

On Fri, Dec 21, 2012 at 10:08 PM, coderman wrote:
> ...
> yup, you're right. FLOSS video calling with end-to-end crypto sorely lacking.
> :/

yeah yeah don't forget jitsi. i just don't like it :)

From coderman at gmail.com Fri Dec 21 23:01:31 2012 From: coderman at gmail.com (coderman) Date: Fri, 21 Dec 2012 23:01:31 -0800 Subject: [liberationtech] Skype redux In-Reply-To: <50D55470.8070203@gmail.com> References: <20121221110856.GV9750@leitl.org> <50D5409A.7030209@gmail.com> <50D55470.8070203@gmail.com> Message-ID:

On Fri, Dec 21, 2012 at 10:34 PM, Threedev wrote:
> ...
> How would encryption work on video feeds? I'm confused on how that would work.

multi-stream mode: http://tools.ietf.org/html/rfc6189

From zerothreedev at gmail.com Fri Dec 21 21:09:46 2012 From: zerothreedev at gmail.com (Threedev) Date: Sat, 22 Dec 2012 00:09:46 -0500 Subject: [liberationtech] Skype redux In-Reply-To: <20121221110856.GV9750@leitl.org> References: <20121221110856.GV9750@leitl.org> Message-ID: <50D5409A.7030209@gmail.com>

Is there a FLOSS video calling system out there that is an alternative to Skype that has some sort of encryption capability to it? I haven't seen anything yet.
On 12/21/2012 06:08 AM, Eugen Leitl wrote:
> ----- Forwarded message from Jacob Appelbaum -----
>
> From: Jacob Appelbaum Date: Fri, 21 Dec 2012 07:49:42 +0000 To: "liberationtech at lists.stanford.edu" Subject: [liberationtech] Skype redux Reply-To: liberationtech
>
> Hi,
>
> In light of the recent thread on journalism, I wanted to share this link about Skype:
>
> https://en.greatfire.org/blog/2012/dec/china-listening-skype-microsoft-assumes-you-approve
>
> [...]
> All the best, Jacob
>
> ----- End forwarded message -----

From mussyoj32 at rfta.com Fri Dec 21 08:27:44 2012 From: mussyoj32 at rfta.com (=?koi8-r?B?IvvXxcrDwdLTy8nFICwg18XMycvJxSDEydrBys7ZISI=?=) Date: Sat, 22 Dec 2012 00:27:44 +0800 Subject: =?koi8-r?B?/sHT2SDTxcLFIMnMySDXINDPxMHSz8sgxM/T1MHXyc0g1yDPxsnTIMnM?= =?koi8-r?B?ySDOwcTPzSE=?= Message-ID: <499040862.79257637270818@rfta.com>

Discounts up to 50%. Prices: 9,999! Believe us, they are worth it. You can choose a model at http://www.часы-тут.рф

From zerothreedev at gmail.com Fri Dec 21 22:34:24 2012 From: zerothreedev at gmail.com (Threedev) Date: Sat, 22 Dec 2012 01:34:24 -0500 Subject: [liberationtech] Skype redux In-Reply-To: References: <20121221110856.GV9750@leitl.org> <50D5409A.7030209@gmail.com> Message-ID: <50D55470.8070203@gmail.com>

How would encryption work on video feeds? I'm confused on how that would work.
On 12/22/2012 01:08 AM, coderman wrote:
> On Fri, Dec 21, 2012 at 9:09 PM, Threedev wrote:
>> ... Is there a FLOSS video calling system out there that is an alternative to Skype that has some sort of encryption capability to it? I haven't seen anything yet.
>
> csipsimple is getting closer. the ZRTP voice works great but video leaves much to be desired.
>
> twinkle does ZRTP but video still on the roadmap.
>
> ekiga claims to intend to add ZRTP support at some point, not holding my breath...
>
> yup, you're right. FLOSS video calling with end-to-end crypto sorely lacking. :/

From clairvoyantsow3 at regent-hiplas.com Fri Dec 21 16:47:28 2012 From: clairvoyantsow3 at regent-hiplas.com (=?koi8-r?B?Ik0tR3JvdXAmIPUgzsHTINPLycTLySEi?=) Date: Sat, 22 Dec 2012 08:47:28 +0800 Subject: =?koi8-r?B?8sHT09nMy8Eg18Hbycgg0MnTxc0sINLFy8zBzdkg0M8gzsHbxcogwsHa?= =?koi8-r?B?xSEg?= Message-ID: <19BC9403CB1340389C7079018C1475C5@WIN09141043>
From mp at aktivix.org Sat Dec 22 02:53:48 2012 From: mp at aktivix.org (mp) Date: Sat, 22 Dec 2012 11:53:48 +0100 Subject: "idle no more", Re: Gone (to) Viral: Facebook Doomsday Message-ID:

On 20/12/12 13:57, Gita Hashemi wrote:
>
> i am not an advocate of facebook or other social media per se, but i do have a facebook account, just as i have a phone line, and several email addresses. frequently, i take a break from one or all. presently, i login to fb 2-3 times a day as i follow the development of "idle no more" indigenous rights movement in canada. IDLE NO MORE.
>
> i humbly suggest that it is possible to use fb for purposes other than checking the latest narcissistic instagram pictures of our friends and their lunch, cat or baby, or other time and energy draining purposeless pursuits. and while there are many people who are not directly tied to political, intellectual or other exalted circles but who are on fb, it is possible to use fb as an effective communication tool to mobilize beyond our immediate circles and usual participants.

Indeed, and that is precisely what CIA/In-Q-Tel wants you to do. Generate intel and cash for them. To paraphrase indigenous activists: One minute spent on FB is one minute not spent in your flesh-and-blood community/neighbours (that is, where political action traditionally begins).

mp

------------------ http://www.corbettreport.com/meet-in-q-tel-the-cias-venture-capital-firm-preview/

The publicly available record on the Facebook/In-Q-Tel connection is tenuous. Facebook received $12.7 million in venture capital from Accel, whose manager, James Breyer, now sits on their board.
He was formerly the chairman of the National Venture Capital Association, whose board included Gilman Louie, then the CEO of In-Q-Tel. The connection is indirect, but the suggestion of CIA involvement with Facebook, however tangential, is disturbing in the light of Facebook's history of violating the privacy of its users.

Google's connection to In-Q-Tel is more straightforward, if officially denied. In 2006, ex-CIA officer Robert David Steele told Homeland Security Today that Google "has been taking money and direction for elements of the US Intelligence Community, including the Office of Research and Development at the Central Intelligence Agency, In-Q-Tel, and in all probability, both the National Security Agency (NSA) and the Army's Intelligence and Security Command." Later that year, a blogger claimed that an official Google spokesman had denied the claims, but no official press statement was released.

Steele's accusation is not the only suggestion of American intelligence involvement with Google, however. In 2005, In-Q-Tel sold over 5,000 shares of Google stock. The shares are widely presumed to have come from In-Q-Tel's investment in Keyhole Inc., which was subsequently bought out by Google, but this is uncertain. In 2010, it was announced that Google was working directly with the National Security Agency to secure its electronic assets. Also in 2010, Wired reported that In-Q-Tel and Google had jointly provided venture capital funding to Recorded Future Inc., a temporal analytics search engine company that analyzes tens of thousands of web sources to predict trends and events.

But as potentially alarming as In-Q-Tel's connections to internet giants like Facebook and Google are, and as disturbing as its interest in data mining technologies may be, the CIA's venture capital arm is interested in more than just web traffic monitoring.
The In-Q-Tel website currently lists two "practice areas," "Information and Communication Technologies" and "Physical and Biological Technologies." The latter field consists of "capabilities of interest" such as "The on-site determination of individual human traits for IC purposes" and "Tracking and/or authentication of both individuals and objects." In-Q-Tel also lists two areas that are "on its radar" when it comes to biotech: Nano-bio Convergence and Physiological Intelligence. Detailed breakdowns of each area explain that the intelligence community is interested in, amongst other things, self-assembling batteries, single molecule detectors, targeted drug delivery platforms, and sensors that can tell where a person has been and what substances he has been handling from "biomarkers" like trace compounds in the breath or samples of skin.

In the years since its formation, many have been led to speculate about In-Q-Tel and its investments, but what requires no speculation is an understanding that a privately owned venture capital firm, created by and for the CIA, in which well-connected board members drawn from the private sector can then profit from the investments made with CIA funds that itself come from the taxpayer represent an erosion of the barrier between the public and private spheres that should give even the most credulous pause for thought.

What does it mean that emerging technology companies are becoming wedded to the CIA as soon as their technology shows promise? What can be the public benefit in fostering and encouraging technologies which can be deployed for spying on all internet users, including American citizens, in direct contravention of the CIA's own prohibitions against operating domestically?
If new software and technology is being brought to market by companies with In-Q-Tel advisors on their boards, what faith can anyone purchasing American technologies have that their software and hardware is not designed with CIA backdoors to help the American intelligence community achieve its vision of "Total Information Awareness"?

Rather than scrutinizing each individual investment that In-Q-Tel makes, perhaps an institutional approach is required. At this point, the American people have to ask themselves whether they want the CIA, an agency that has participated in the overthrow of foreign, democratically-elected governments, an agency that has implanted fake stories in the news media to justify American war interests, an agency that at this very moment is engaged in offensive drone strikes, killing suspected "insurgents" and civilians alike in numerous theaters around the world, should be entrusted with developing such close relationships with the IT sector, or whether In-Q-Tel should be scrapped for good.

# distributed via : no commercial use without permission # is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: http://mx.kein.org/mailman/listinfo/nettime-l # archive: http://www.nettime.org contact: nettime at kein.org

----- End forwarded message -----

From liberationtech at lewman.us Sat Dec 22 06:52:51 2012 From: liberationtech at lewman.us (liberationtech at lewman.us) Date: Sat, 22 Dec 2012 14:52:51 +0000 Subject: [liberationtech] Google Hangout the new, better skype?
Was Re: Skype redux Message-ID:

On Fri, Dec 21, 2012 at 09:03:02AM -0800, brianc at smallworldnews.tv wrote 5.5K bytes in 0 lines about:
: So I guess I'd say, who is going to fund a competitor to skype built on jitsi? Without a. Convenient easy to use GUI b. Sexy advocates and adopters and c. A marketing plan you aren't going to compete with Skype, Google Hangout, etc.

My guess would be the people behind jitsi, http://bluejimp.com/ and their partners, https://jitsi.org/index.php/Main/Partners

ippi.fr worked pretty well, until they demanded a copy of my passport to continue service.

: If security and privacy experts and developers are serious about broad adoption of their tools and not just building a closed club of cryptoexperts shouting "fire!" We have to work this out. I'm pretty busy

Conversely, as I continue to work with global law enforcement, a shocking amount of crime still happens over the public telephone network. Even with its lack of encryption, centralized data collection, and lawful intercept, criminal organizations are still successfully coordinating, planning, and growing over this 100+ year old technology and networks. And for all of the fancy tools, analysis, and skills, law enforcement is still one step behind the criminals simply using the public phone networks. It's the 1% of criminals which use things like skype, tor, cryptocat, i2p, google hangouts, etc. And even then, they screw up and get caught because their ego grows larger than their skills.

And to take a super-unpopular stance, empirical evidence says use of skype isn't the problem. Take Syria as an example, the problem is OSX and Windows on the laptops because that's what the Syrian state malware attacks. From a resource perspective, the Assad regime is being economically smart. Rather than trying to attack some cryptosystem and glean data from traffic analysis, just attack the end user and get all the data before it enters the cryptosystem.
This is likely the same analysis the Germans used. Rather than trying to crack skype, they got state-sponsored malware to crack the operating system and get the data before it enters skype.

Vietnam approached the skype-problem by using parabolic microphones outside the houses of suspected activists.

Solving the analog problem (voice, keystroke sound analysis, electrical grid background noise, etc) and user security weaknesses ("Oh look, an attachment! Let's load it up!") is probably a better place for solutions than yet another crypto-system.

-- Andrew http://tpo.is/contact pgp 0x6B4D6475

----- End forwarded message -----

From buyoutsup0 at redheron.com Fri Dec 21 23:00:41 2012 From: buyoutsup0 at redheron.com (=?koi8-r?B?Ik0tR3JvdXAmIPUgzsHTINPLycTLySEi?=) Date: Sat, 22 Dec 2012 15:00:41 +0800 Subject: =?koi8-r?B?8sHT09nMy8Eg18Hbycgg0MnTxc0sINLFy8zBzdkg0M8gzsHbxcogwsHa?= =?koi8-r?B?xSEg?= Message-ID: <945BCB51B9AD4012B81F3C76380EDC9F@01>
month - 25 000 (old price 60 000)
contacts: +7 9ОЗ ООО 6ОЗ О a9030006030 at yahoo.com

From ryan at rjgallagher.co.uk Sat Dec 22 08:24:29 2012
From: ryan at rjgallagher.co.uk (Ryan Gallagher)
Date: Sat, 22 Dec 2012 16:24:29 +0000
Subject: [liberationtech] Call for Open Letter on Skype
Message-ID: 

Nadim Kobeissi wrote:
>
> Isn't it time for an open letter regarding Skype?
>

I think this is a great idea. I tried and failed back in July to get
straight answers from Skype regarding the data it is in a position to hand
over to authorities. I found the level of obfuscation extremely frustrating.

Skype has since denied that its architecture changes had anything to do
with enabling comms interception
(http://blogs.skype.com/en/2012/07/what_does_skypes_architecture_do.html);
however, it has failed to respond to other crucial questions, such as: why
did Microsoft file a patent for a "legal intercept" technology specifically
designed to help intercept Skype VoIP calls? Is the eventual aim to
integrate this technology into the Skype architecture? I think Skype's 600
million users around the world have a right to know the answer to that
question.

As far as an open letter is concerned, it's worth noting that Eric King at
Privacy International previously wrote to Skype asking some pertinent
questions:
https://www.privacyinternational.org/blog/skype-please-act-like-the-responsible-global-citizen-you-claim-to-be

I'm not sure what response (if any) Eric received. Either way, I'm pretty
sure he'd be willing to get involved with a fresh open letter effort.

Personally speaking, I think any open letter should be endorsed by as
diverse an array of groups as possible to reflect the broad range of
stakeholders with legitimate concerns over Skype's security. This issue is
extremely important to people working in my line of work (journalism), and
of course it also matters not only to activists but to everyday citizens
who want to know exactly what Skype can and can't do with their data.

Feel free to get in touch with me if you are pushing forward with this,
Nadim. I'd be more than happy to try to get on board some groups that
represent the interests of journalists.

Best,
Ryan

----- End forwarded message -----

From eugen at leitl.org Sat Dec 22 09:00:37 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 22 Dec 2012 18:00:37 +0100
Subject: [liberationtech] Call for Open Letter on Skype
Message-ID: <20121222170036.GX9750@leitl.org>

----- Forwarded message from Ryan Gallagher -----

From eugen at leitl.org Sat Dec 22 09:10:40 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 22 Dec 2012 18:10:40 +0100
Subject: [liberationtech] Google Hangout the new, better skype? Was Re: Skype redux
Message-ID: <20121222171040.GY9750@leitl.org>

----- Forwarded message from liberationtech at lewman.us -----

From amontero at tinet.org Sat Dec 22 09:35:20 2012
From: amontero at tinet.org (Alfonso Montero López)
Date: Sat, 22 Dec 2012 18:35:20 +0100
Subject: [tahoe-dev] Tahoe-LAFS as web server file backend?
Message-ID: 

Hi all.

I'm watching and playing with tahoe to use it as a family/personal backup
solution. Nothing working yet, just playing by now :) I tried once with the
code but too difficult, too little time by then. At least, I added some
novice notes to the docs, along the way. But, now I'm at it, I would like to
say that I think Tahoe-LAFS is a brilliant piece of software with great
ideas in it worth watching evolve. Thanks for the awesome work!

Now I'm at another different thing. Thinking in distributed/clustered web
serving, I wonder what would be the best way to use Tahoe-LAFS as the file
backend, if possible.
I mean, you throw a bunch of webservers at the front, say Apache or nginx
and point their webroots to a locally stored tahoe cap and serve/run files
and scripts from there (PHP, for instance). Let's leave MySQL for another
story :)

Mounting would need to be read/write and performant enough for running apps
such as CMS and other complex scripts. I still don't have a true
sense/measurement of its performance by my current experience, and I'm not
sure of it being possible to be handled.

I know tahoe has its webapi but seems not easily pluggable into apache,
without much coding (too far for me). I need to do it by gluing some pieces,
and don't know where to look next. I suppose it has to be mounted in the
filesystem r/w. In my experience don't think the FTP frontend being stable
and current enough to handle it, let alone the complexity and layer
performance hit. I recall seeing it somewhere being used as some web app
backend, but the app was tahoe-specifically coded, I think. In between
those, some Apache-plugged reverse proxying module + WebDAV trick could be
the way, but my knowledge in that area is still limited. Or maybe WebDAV is
currently working well enough to be used with davfs fuse.

Any tried and tested stable mounting solution anybody can recommend? Any
WebDAV/fuse/whatever layer (the lighter, the better) anyone can point to?
Creating a package mounting a tahoe root in the appropriate place in the
filesystem for the webserver makes it a tempting low-hanging fruit :)

The file usage would be more reads than writes, since lots of software
depend on DBs for really frequently used data and (perhaps?) file writes
will be majority a single object with less frequent updates. There will be
updates, anyway. But usage-wise, maybe I'm too CMS biased, anyway. Maybe
it's not that relevant, but just for completeness. The write
performance/consistency/concurrency/name-your-issue of several web servers
has to be taken in account the first.

I don't have any clue about its overhead and implications. But at least, it
may be good enough to having a hot-standby or point-in-time secondary web
server, anyway.

Or maybe there is a better/easier way of doing this without tahoe-LAFS that
I just don't know about. But if finally it makes sense for me, it will have
a lot of sense to discuss it in public, too. So, pardon my verbosity.

BTW, I should confess that about the hosted apps I'm a bit more biased to
the Drupal CMS, since with its pluggable storage backends, even in a reduced
version, tahoe might have sense for it as a file storage. And this would be
a big pool of developers to attract their interest, the least. Might make
for a howto. But I prefer to keep it general if possible.

So, before exploring any further route, I would like to ask. How would the
bright minds I've seen here by lurking for some time address this scenario?
Since there is an overwhelming number of moving parts and possibilities here
for me, nobody with better knowledge than people in this list can provide
feedback about the whole use case. It might be achievable maybe in a bunch
of config files or scripts? (grid-updates smartness comes to mind).

I would be happy in collaborating/sharing my work in a repo to make it a
valid use case, when the time comes (no python by now, just bash scripting).
But at least, if it is feasible, it makes for sure worth seeding some docs
in the wiki to open discussion about it, and who knows, compiling some repos
if some passerby decides it's worth going for it. Combined with some spice
such as already existing Puppet manifests could make it a truly awesome
tahoe-LAFS based solution, IMO.

Many thanks in advance.

Regards,
-- 
Alfonso M. L.
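One concrete way to handle the read-mostly case described in the post above is a pull model rather than a read/write mount: each web server periodically fetches the site's files from a Tahoe-LAFS directory into a local web root and serves that. The script below is an added example, not code from the thread or from the Tahoe-LAFS project. It assumes a local Tahoe gateway whose web API listens at http://127.0.0.1:3456 (the node's default web port) and the documented directory-listing format returned by `GET /uri/<dircap>?t=json`. The sample listing embedded in it is constructed and its capability strings are placeholders. The point a practitioner should take from it: the web servers are given only a read cap, so a compromised web host cannot alter the site in the grid, and child names are checked before they are turned into local paths so a name in the grid directory cannot write outside the web root.

```python
"""Stage a Tahoe-LAFS directory into a local web root (pull model).

Added example; not code from the tahoe-dev thread or from Tahoe-LAFS.
Assumptions: a Tahoe node whose web API listens at NODE_URL (127.0.0.1:3456
is the default gateway port), and the documented listing format returned by
GET /uri/<dircap>?t=json:
    ["dirnode", {"children": {name: [kind, {"ro_uri": ..., "size": ...}]}}]
The sample listings below are constructed and their capability strings are
placeholders, not real caps.
"""
import json
import os
import sys
import urllib.request
from urllib.parse import quote

NODE_URL = "http://127.0.0.1:3456"  # assumed local gateway


def parse_listing(listing_json):
    """Return sorted (name, kind, ro_uri, size) tuples from a t=json listing.

    Only the read-only cap of each child is kept: web servers that merely
    serve files should never be handed a writecap to the grid directory.
    """
    node_type, body = json.loads(listing_json)
    if node_type != "dirnode":
        raise ValueError("expected a dirnode listing, got %r" % (node_type,))
    entries = []
    for name, (kind, attrs) in body["children"].items():
        ro_uri = attrs.get("ro_uri")
        if not ro_uri:
            continue  # nothing fetchable (e.g. a verify-only entry)
        entries.append((name, kind, ro_uri, attrs.get("size")))
    return sorted(entries)


def safe_local_path(webroot, name):
    """Map a child name onto webroot, refusing anything that could escape it."""
    if name in ("", ".", "..") or any(c in name for c in "/\\\0"):
        raise ValueError("refusing unsafe child name %r" % (name,))
    return os.path.join(webroot, name)


def fetch_url(ro_uri):
    """Web-API URL that reads a file by its read-only capability."""
    return "%s/uri/%s" % (NODE_URL, quote(ro_uri, safe=":"))


def plan_sync(listing_json, webroot):
    """Pure planning step: [(local_path, url)] for every file in the listing."""
    plan = []
    for name, kind, ro_uri, _size in parse_listing(listing_json):
        if kind != "filenode":
            continue  # one level only; recurse into dirnodes if you need subdirs
        plan.append((safe_local_path(webroot, name), fetch_url(ro_uri)))
    return plan


def sync_dir(listing_json, webroot, opener=urllib.request.urlopen):
    """Execute the plan against the gateway; returns the local paths written."""
    os.makedirs(webroot, exist_ok=True)
    written = []
    for dest, url in plan_sync(listing_json, webroot):
        with opener(url) as resp, open(dest, "wb") as out:
            out.write(resp.read())
        written.append(dest)
    return written


# Constructed sample listing (placeholder caps) in the web API's t=json shape.
SAMPLE_LISTING = json.dumps(["dirnode", {
    "ro_uri": "URI:DIR2-RO:PLACEHOLDER-ROOT:x", "mutable": True,
    "children": {
        "index.php": ["filenode", {"ro_uri": "URI:CHK:PLACEHOLDER-A:x:3:10:512",
                                   "size": 512, "mutable": False, "metadata": {}}],
        "style.css": ["filenode", {"ro_uri": "URI:CHK:PLACEHOLDER-B:x:3:10:90",
                                   "size": 90, "mutable": False, "metadata": {}}],
        "assets": ["dirnode", {"ro_uri": "URI:DIR2-RO:PLACEHOLDER-C:x",
                               "mutable": True, "metadata": {}}],
    }}])

# Constructed hostile listing: a child name that would escape the web root.
HOSTILE_LISTING = json.dumps(["dirnode", {"children": {
    "../.htpasswd": ["filenode", {"ro_uri": "URI:CHK:PLACEHOLDER-D:x:3:10:7",
                                  "size": 7, "mutable": False}]}}])


if __name__ == "__main__":
    # Usage: python stage_webroot.py <dir-readcap> <webroot>
    dircap, webroot = sys.argv[1], sys.argv[2]
    listing_url = "%s/uri/%s?t=json" % (NODE_URL, quote(dircap, safe=":"))
    with urllib.request.urlopen(listing_url) as r:
        print(sync_dir(r.read().decode(), webroot))
```

Run from cron on each web host as `python stage_webroot.py <dir-readcap> /var/www/html`; `plan_sync` is pure, so the mapping from listing to local paths and URLs can be tested without a running node, and a write-capable publisher elsewhere updates the grid directory while the web hosts only ever read it.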
_______________________________________________
tahoe-dev mailing list
tahoe-dev at tahoe-lafs.org
https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev

----- End forwarded message -----

From eugen at leitl.org Sat Dec 22 11:01:06 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 22 Dec 2012 20:01:06 +0100
Subject: [tahoe-dev] Tahoe-LAFS as web server file backend?
Message-ID: <20121222190106.GH9750@leitl.org>

----- Forwarded message from Alfonso Montero López -----

From eugen at leitl.org Sat Dec 22 11:37:25 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 22 Dec 2012 20:37:25 +0100
Subject: [liberationtech] Google Hangout the new, better skype? Was Re: Skype redux
Message-ID: <20121222193725.GM9750@leitl.org>

----- Forwarded message from Seth David Schoen -----

From hippiesd0 at reiter-family.com Sun Dec 23 01:06:25 2012
From: hippiesd0 at reiter-family.com (=?koi8-r?B?IvLFy8/Nxc7Ez9fBzs8g7cnO2sTSwdfPzSI=?=)
Date: Sun, 23 Dec 2012 11:06:25 +0200
Subject: =?koi8-r?B?4sHL1MXSycPJxM7ZyiDV18zB1s7J1MXM2CDXz9rE1cjBISDv1CDQ0s/J?= =?koi8-r?B?2tfPxMnUxczR?=
Message-ID: <000d01cde0ec$c91431e0$6400a8c0@hippiesd0>

Health climate equipment. Bactericidal air humidifier!
No microbes or bacteria in your home and office!
A modern remedy against colds, flu and ARVI.
Widely used in children's institutions. Recommended by the Ministry of Health!
Order by telephone, directly from the manufacturer: (495) 798 -61-66

From moxie at thoughtcrime.org Sun Dec 23 13:29:34 2012
From: moxie at thoughtcrime.org (Moxie Marlinspike)
Date: Sun, 23 Dec 2012 13:29:34 -0800
Subject: [liberationtech] Skype redux
Message-ID: 

On 12/22/2012 04:49 AM, Brian Conley wrote:
> That said, thus far, neither redphone nor those over listed rivals skype
> or Google hangouts quality of transmission.

Depends. RedPhone's audio quality is (in general) substantially better on
Android than Skype's has been. Skype's desktop audio quality is probably
better than RedPhone's, however. I see this more as a desktop vs. android
thing rather than a skype vs. redphone thing. Low-latency audio on Android
is just hard, particularly over mobile data networks.

It is true, however, that Skype has a much larger engineering team than we
do. I like to think that RedPhone is getting better all the time, but if
this is something that you or anyone on this list is interested in, we'd
obviously welcome help improving things in any way that you can contribute.
Please don't be shy about filing issues in the GitHub issue tracker for the
project, even if they are user experience type things rather than strictly
bugs. We need the feedback.

> This is not meant to detract from them, its more a question, is a
> revenue based model the only option to ensure high enough quality to
> attract users and grow?

I agree that it's a problem. I've pointed out before that user expectations
for these types of apps are set by things like WhatsApp, which is an entire
company focused *just* on a single chat app, with an engineering team that
is larger than the number of developers in the whole "privacy enhancing
technology" community put together.

I think there are at least a couple of trends working in our favor though:

1) Mobile apps are a huge opportunity for us. It's difficult to do much in
the security/privacy area strictly within the browser, and the barrier to
installing native desktop apps is high enough that you need something like
the network effect of skype to make it happen. The barrier to having users
install mobile apps is much lower, and what we can do within that framework
is much greater.

2) Infrastructure continues to get easier to deploy, manage, and scale. As
depressing as it is that there are companies developing insecure
communication tools with engineering teams larger than our entire community,
there are also examples of very small teams that have done some really
highly scalable stuff. The engineering team at Instagram, for instance, was
quite small. They were able to leverage AWS to scale up without many
problems, while focusing most of their effort on user experience and core
features. Right now RedPhone has a global set of POPs deployed that offer
less than 100ms RTT to a relay from almost anywhere in the world, and we
don't have a dedicated infrastructure team. That would have been really
hard to do in the past.

- moxie

-- 
http://www.thoughtcrime.org

----- End forwarded message -----

From noreply at amyrisediciones.com Sun Dec 23 10:35:32 2012
From: noreply at amyrisediciones.com (Canadian-Pills)
Date: Sun, 23 Dec 2012 20:35:32 +0200
Subject: We have everything what you need to forget about all health problems you might have!
Message-ID: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 36041 bytes
Desc: not available
URL: 

From ensnaresly153 at rovip.com Sun Dec 23 07:32:29 2012
From: ensnaresly153 at rovip.com (=?koi8-r?B?IuTNydTSycog4c7E0sXF18neLiI=?=)
Date: Sun, 23 Dec 2012 23:32:29 +0800
Subject: =?koi8-r?B?6d3FzSDT1NLPydTFzNjO1cAgy8/N0MHOycAhISE=?=
Message-ID: <163B12A4DFC44C5F957CBF9173F970E7@gg>

We are looking for a construction company able to build, with good quality
and on a short timescale, a tourist base styled as a German farmstead, 30 km
from Moscow on the Kiev highway. According to the plan, the holiday base
grounds will contain:

1. An administrative building of approximately 300-400 sq. m, with a
restaurant, summer kitchen, administrative rooms and a conference hall for
50-70 people.
2.
10 guest cottages of approximately 60-80 sq. m each. A guest house is
designed to accommodate one family of 4-5 people, with two bedrooms, a small
hall and a shower room with toilet. A veranda with barbecue must be attached
to the house.
3. Two small detached bathhouses with shower, steam room and rest room.
4. A mini-farm of 6 x 9 m for keeping domestic animals.
5. A craft workshop of 70-90 sq. m with utility rooms and a souvenir shop.

On the grounds of the holiday base an outdoor pool and footpaths must be
built, and landscaping and planting of the plot carried out. All utilities
(gas, electricity, water) are no further than 20 m from the plot boundary.
Sewerage: local septic tanks, one per cottage or one shared by several. The
holiday base is intended for year-round use.

A total turnkey construction cost estimate is required. We are ready to
consider your existing work and standard house designs that could be placed
in the tourist base being created.

Tel. 8-909-940-40-53 Dmitry Andreevich.

From eugen at leitl.org Mon Dec 24 01:24:45 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 24 Dec 2012 10:24:45 +0100
Subject: [liberationtech] Skype redux
Message-ID: <20121224092444.GF9750@leitl.org>

----- Forwarded message from Moxie Marlinspike -----

From nathan at guardianproject.info Sun Dec 23 22:10:28 2012
From: nathan at guardianproject.info (Nathan of Guardian)
Date: Mon, 24 Dec 2012 11:55:28 +0545
Subject: [liberationtech] Why Skype (real-time) is losing out to WeChat (async)
Message-ID: 

I know in the LibTech and broader global activist/NGO community, there is
still quite a bit of focus on Skype. However, during my recent time in India
with the Tibetan community there, I have seen Skype, on mobiles at least,
almost thoroughly replaced by WeChat, a WhatsApp/Kakao clone made by
TenCent, the same Chinese company who created QQ. To my personal horror, we
have gone from a somewhat secure Skype with a questionable backdoor policy,
to a non-https, China-hosted service who is a known collaborator with the
Chinese government.

The only thing I felt productive to do (other than scream and pull out my
hair) was to think about why this is happening from a user perspective. Why
is a text messaging/push-to-talk model winning out over an instant
messaging/VoIP model, in places like Africa and Asia, regardless of known
increased risk and decreased privacy and safety? Other than the typical
"users are dumb" answer, I think there are some deeper useful factors to
consider.

Overall, I think we are seeing that when smartphones are plentiful, but
bandwidth is still a challenge, we need to think about communications in a
more asynchronous model than real-time. I don't think this community should
get too caught up in building "Skype replacements". I think more we should
think about what features otherwise great, secure apps like Cryptocat,
RedPhone, TextSecure, Gibberbot, etc are missing to make it possible for
them to replace the functionality and experience users are expecting today.

Why Skype/real-time is losing

1) Noticeable impact on mobile battery life if left logged in all the time
(holding open sockets to multiple servers? less efficient use of push?)
2) Real-time, full duplex communications requires constant, decent
bandwidth; degradation is very noticeable, especially with video
3) App is very large (a good amount of native code), and a bit laggy during
login and contacts lookup
4) Old and tired (aka not shiny) perception of brand; too much push of "pay"
services
5) Requires "new" username and password (aka not based on existing phone
number), and lookup/adding of new contacts
6) US/EU based super-nodes may increase latency issues; vs China/Asia based
servers

Why WeChat (and WhatsApp, Kakao, etc) async are winning

1) Push-to-talk voice negates nearly all bandwidth, throughput and latency
issues of mobile.
2) Push-to-talk is better than instant messaging for low literacy,
mixed-written language communities; the "bootstrap" process for Skype is
very text heavy still
3) Apps feel more lightweight both from size, and from network stack (mostly
just using HTTPS with some push mechanism)
5) Shiny, new hotness, with fun themes, personalization, and focus on "free"
6) Picture, video, file sharing made very easy - aka a first order
operation, not a secondary feature; chats are a seamless mix of media
7) Persistent, group chat/messaging works very well (since it's just
async/store and forward, it's very easy to send many-to-many)
8) Identity often based on existing phone number, so signup is easy, and
messaging to existing contacts is seamless
9) More viral - you can message people not on the service, and they will be
spammed to sign up for the service

Anyone want to call b.s. on this theory? Is my thinking headed in the right
direction? Should we try to turn Gibberbot into a more-secure WhatsApp/WeChat
clone?
All the best from the Himalayas,
Nathan

----- End forwarded message -----

From Marco at katheryne.com Mon Dec 24 04:36:05 2012
From: Marco at katheryne.com (Bradly Vaughn)
Date: Mon, 24 Dec 2012 13:36:05 +0100
Subject: Best blend for giving you a young =^f-alo's fervor in bed game+!
Message-ID: <1652B861.FDB4F545@katheryne.com>

A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 418 bytes
Desc: not available
URL: 

From =?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIWhpMzk4QHJvYmluc29ucGVhcm1h?=.=?koi8-r?B?bi5jb20+?= at jfet.org Sun Dec 23 22:24:11 2012
From: =?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIWhpMzk4QHJvYmluc29ucGVhcm1h?=.=?koi8-r?B?bi5jb20+?= at jfet.org (=?koi8-r?B?IvDS0c3B0SDQ0s/EwdbBINrFzczJIWhpMzk4QHJvYmluc29ucGVhcm1h?=.=?koi8-r?B?bi5jb20+?= at jfet.org)
Date: Mon, 24 Dec 2012 14:24:11 +0800
Subject: =?koi8-r?B?8NLPxMHNICDV3sHT1M/LINDPxCDEz80gINcgy9LB08nXz80gzcXT1MUs?= =?koi8-r?B?IM/exc7YICDOxcTP0s/HzyEg68nF19PLz8Ug2y4=?=
Message-ID: <000d01cde19f$49851300$6400a8c0@hi398>

Urgently and cheaply selling a plot for building a country house in a
cottage village on the Kiev highway. Owner! Call now and I will give an
additional 10% discount. 8 903 193 0623

From caldwelll8 at rd-electrical.com Mon Dec 24 03:22:28 2012
From: caldwelll8 at rd-electrical.com (=?koi8-r?B?IvPSz97OzyEi?=)
Date: Mon, 24 Dec 2012 19:22:28 +0800
Subject: =?koi8-r?B?6d3FzSDTz8nO18XT1M/Sz9cg1yDT1NLPydTFzNjT1NfFINTFzcHUyd7F?= =?koi8-r?B?08vPyiDCwdrZIM/UxNnIwSA=?=
Message-ID: 

We are looking for co-investors in the construction of a tourist base styled
as a German farmstead, next to a forest, with a cascade of ponds a hundred
metres away, 30 km from Moscow.
The holiday base consists of: an administrative building of 370 sq. m, with
a restaurant and a conference hall; ten guest houses for 4-5 people, 70 sq.
m each; a craft workshop of 80 sq. m with a souvenir shop; two detached
bathhouses with steam room, shower and rest room; a mini-farm for keeping
domestic animals; an outdoor pool. The land is owned, 1.5 ha. All
utilities: gas, electricity, water, sewerage. The farmstead is designed to
accommodate up to 50 guests.

The holiday base is intended for commercial use and profit, from hosting
corporate events, seminars, business meetings, family holidays, weddings
and birthdays. We are ready to consider offers from investors wishing to be
a co-owner of the holiday base or the owner of one of its guest houses,
which would allow you, as you wish, to holiday in it or to profit from
renting it out.

Tel. 8-909-940-40-53 Dmitry Andreevich.

From eugen at leitl.org Tue Dec 25 05:05:37 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 25 Dec 2012 14:05:37 +0100
Subject: [liberationtech] Why Skype (real-time) is losing out to WeChat (async)
Message-ID: <20121225130537.GL9750@leitl.org>

----- Forwarded message from Nathan of Guardian -----

From eugen at leitl.org Tue Dec 25 05:17:07 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 25 Dec 2012 14:17:07 +0100
Subject: "idle no more", Re: Gone (to) Viral: Facebook Doomsday
Message-ID: <20121225131707.GP9750@leitl.org>

----- Forwarded message from mp -----

From eugen at leitl.org Tue Dec 25 23:01:20 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 26 Dec 2012 08:01:20 +0100
Subject: [liberationtech] Why Skype (real-time) is losing out to WeChat?(async)
Message-ID: <20121226070119.GY9750@leitl.org>

----- Forwarded message from Eric S Johnson -----

From eugen at leitl.org Tue Dec 25 23:30:03 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 26 Dec 2012 08:30:03 +0100
Subject: [liberationtech] Why Skype (real-time) is losing out to WeChat (async)
Message-ID: <20121226073003.GZ9750@leitl.org>

----- Forwarded message from Nathan of Guardian -----

From eugen at leitl.org Tue Dec 25 23:30:11 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 26 Dec 2012 08:30:11 +0100
Subject: [liberationtech] Why Skype (real-time) is losing out to WeChat (async)
Message-ID: <20121226073011.GA9750@leitl.org>

----- Forwarded message from Nathan of Guardian -----

From Tomas at inmobiliariamadrid.com Tue Dec 25 23:38:43 2012
From: Tomas at inmobiliariamadrid.com (Ulysses Welch)
Date: Wed, 26 Dec 2012 08:38:43 +0100
Subject: Create #=e powerful sup+ly f^r your desire!
Message-ID: <928BC427.25C6BBF3@inmobiliariamadrid.com>

A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 477 bytes
Desc: not available
URL: 

From crates at oneotaslopes.org Tue Dec 25 22:49:50 2012
From: crates at oneotaslopes.org (Eric S Johnson)
Date: Wed, 26 Dec 2012 08:49:50 +0200
Subject: [liberationtech] Why Skype (real-time) is losing out to WeChat (async)
Message-ID: 

> in India with the Tibetan community there, I have seen Skype, on mobiles
> at least, almost thoroughly replaced by WeChat, a WhatsApp/Kakao clone
> made by TenCent, the same Chinese company who created QQ. To my personal
> horror, we have gone from a somewhat secure Skype with a questionable
> backdoor policy, to a non-https, China-hosted service who is a known
> collaborator with the Chinese government.

I do a lot of cybersec trainings for activists. I take a lot of flak from
crypto specialists for not deterring people from using Skype. My response
isn't "Skype is safe"; it's, "show me the beef." We don't need to get into
the "is Skype safe?" conversation here (we all agree that we are less able
to prove its safety than we are OTR's, and Microsoft has a record of
cooperating with (at least US) LEAs); my point is, I find we're only
successful getting folks to change their habits when we can provide
evidence (which they believe) that their old habit's unsafe. I haven't been
able to do that with Skype, because Skype's insecurity is basically
theoretical (for developing-worlds' activists' use cases). But the
circumstantial evidence demonstrating WeChat's insecurity is much stronger
... viz. this super piece by John Kennedy:
http://www.scmp.com/comment/blogs/article/1083025/hu-jia-explains-why-mobile-apps-make-activism-spooky

Nathan, you've doubtless seen this article. What do your Tibetan friends
say about this? "We don't care if they're monitoring our WeChat use--we're
out of their reach?" ... or "what's good enough for Hu Jia is good enough
for us" ... or "WeChat's convenience advantages outweigh its known
security" (i.e. security isn't a sine qua non for them) ...

Best,
Eric

----- End forwarded message -----

From nathan at guardianproject.info Tue Dec 25 23:04:20 2012
From: nathan at guardianproject.info (Nathan of Guardian)
Date: Wed, 26 Dec 2012 12:49:20 +0545
Subject: [liberationtech] Why Skype (real-time) is losing out to WeChat (async)
Message-ID: 

On 12/26/2012 12:34 PM, Eric S Johnson wrote:
> Nathan, you've doubtless seen this article. What do your Tibetan friends say
> about this?

It is a great article, and such a short, fascinating study into the mindset
of an activist under clear, demonstrable state surveillance. I think the
point about the greater efficiency these tools (aka moving to IP based
comms vs. GSM/Telco) have given the state security/PSB is the most
important one.

> "We don't care if they're monitoring our WeChat use--we're out
> of their reach?"

This is the mindset of Tibetans in exile, until they understand that every
message they send, whether to their friend in India or Europe, or to their
friend in Lhasa, is all going through China. Also, once it is made clear how
chatting with someone in Tibetan exile community about anything political
could be enough to incriminate a Tibetan in China on trumped up charges,
they also think twice. Still, the growth in use continues...

> ... or "what's good enough for Hu Jia is good enough for
> us" ...

Actually, the inverse here - Hu Jia's post and others within the Tibetan
community on this topic (VOA Tibetan had good coverage about mobile
security), has actually increased awareness about the problem. At least
now, everyone knows the risk, and can perhaps act accordingly.

In a recent training to some monks, I said "before you open the app, do a
meditation and visualize yourself walking in the central square in Lhasa
being observed by surveillance cameras and having your every move and word
spoken observed by the PSB." I figured only then would they safely use
WeChat, if that is even possible.

> or "WeChat's convenience advantages outweigh its known security"
> (i.e. security isn't a sine qua non for them) .

This is the reason that is mostly given. "It's free", or "It's easy".
Texting and calling between India and Tibet is much harder and more
expensive than it seems, and that is just one-to-one. The group voice and
picture message features of WeChat are really a game changer when it comes
to (perceived) free flow of information. Almost all videos of protests
(including the recent self-immolations) have come via WeChat.

From the users perspective, they feel the risk is no different than if they
were using a telephone, so it doesn't feel *worse*. However, they don't
understand the subtle difference and again, the increased efficiency, that
IP-based surveillance gives to the Chinese authorities vs. GSM/Telco based
surveillance. Since WeChat has no encryption at all, they don't even need to
request anything of TenCent/QQ - no backdoors are required. As long as they
know IP addresses and/or usernames, it is simple to monitor, capture and
analyze packets.
Best,
Nathan

----- End forwarded message -----

From nathan at guardianproject.info Tue Dec 25 23:07:25 2012
From: nathan at guardianproject.info (Nathan of Guardian)
Date: Wed, 26 Dec 2012 12:52:25 +0545
Subject: [liberationtech] Why Skype (real-time) is losing out to WeChat (async)
Message-ID:

On 12/24/2012 05:10 PM, Maxim Kammerer wrote:
> I think that the reason is simple and obvious: society shifts to
> preferring more impersonal communication. Same reason that teenagers
> prefer texting to talking on phone, and hanging out to dating.

From what I can tell, it is the exact opposite. The ease of use and persistent connected design of these apps (aka you have these always-on, long running group chat rooms), and the ability to quickly send voice messages and video, makes it MORE personal. The users feel a constant connection to a whole group of friends no matter where they are on the planet, and can, with a press of a button, reach out and hear their voice.

I am not saying this is a global phenom, applicable to all societies. I think within this occupied/exile dynamic, and also where standard telecomms are difficult, the impact of apps like WeChat and WhatsApp is perhaps greater than places where Skype, Facetime and Hangout work well.
+n

----- End forwarded message -----

From jon at callas.org Wed Dec 26 13:38:35 2012
From: jon at callas.org (Jon Callas)
Date: Wed, 26 Dec 2012 13:38:35 -0800
Subject: [cryptography] Tigerspike claims world first with Karacell for mobile security
Message-ID:

I took a look at it. Amusing. I didn't spend a lot of time on it. Probably not more than twice what it took me to write this.

It has an obvious problem with known plaintext. You can work backward from known plaintext to get a piece of their "tumbler" and since the tumbler is just a big bitstring, work from there to pull out the whole thing. The encrypted Karacell file format has 64 bits that must decrypt to zero. Since encryption is an XOR onto a pseudo-one-time-pad, this leaks 64 bits of the tumbler.

Similarly, the "checksum" at the end is a bunch of hash blocks of their special hash all XORed together. This doesn't work against malicious modification; you can cut-and-paste through XOR, etc.

There are obvious vulnerabilities to linear and differential cryptanalysis. It is a lot of XORing on large-ish fixed longterm secrets with only bit-rotating through the secrets, and between the vulnerabilities of known plaintext as well as the leaks in it, I don't see a lot of long-term strength. I bet that you can use known structure of plaintext (like that it's ASCII/UTF8, let alone things like known headers on XML files) to start prying bits out of the tumblers and you just work backwards.

But beyond that, it isn't even particularly fast.
Since it needs a lot of bit extraction and rotations, I doubt it would be as fast as AES on a processor with AES-NI instructions. The whole thing is based on doing 16-bit calculations and some bit sliding; I don't expect it to be as fast as RC4 or some of the fast eSTREAM ciphers.

Obviously, I could be missing something, but there are other errors of art that lead me to think there isn't a lot here. For example, if your basic encryption system is to take a one-time-pad and try to expand that out to more uses, zero constants are errors of art. You should know better. There are similar errors like easily deducible parameters that give more known plaintext. The author discusses using a text string directly as a key, which is very bad with his expansion system. He invented his own "message digest" functions, and they look like complete linear functions to me. They're in uncommented C that's light on indenting and whitespace.

Confirmation bias might be making me miss something, but it's not like he made it easy for me.
Jon

_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----

From eugen at leitl.org Wed Dec 26 13:54:45 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 26 Dec 2012 22:54:45 +0100
Subject: [cryptography] Tigerspike claims world first with Karacell for mobile security
Message-ID: <20121226215445.GF9750@leitl.org>

----- Forwarded message from Jon Callas -----

From keikocarie at agora.bungi.com Thu Dec 27 08:14:42 2012
From: keikocarie at agora.bungi.com (MARGUERITA DALILA)
Date: Thu, 27 Dec 2012 11:14:42 -0500
Subject: Enlarge Your Penis Size and Last Longer! Results that Last! Order Online Today Get 10% Off! vbn0ei2n
Message-ID: <201212271814.FAFF92A01F5CB0BBABDA@443ya86ju7>

Maximizer Male Enhancement Used for Penile Enlargement, Endurance, Girth Enhancement & Growth. Enlarge Your Penis Size and Last Longer! Results that Last! Order Online Today Get 10% Off! http://erosz.ru

From spielberg at realitymouse.com Thu Dec 27 05:30:01 2012
From: spielberg at realitymouse.com (=?koi8-r?B?IvTPzNjLzyDEzNEg7c/Ty9fZIg==?=)
Date: Thu, 27 Dec 2012 15:30:01 +0200
Subject: =?koi8-r?B?ODAlINPLycTLwSDOwSDz1c3LySDw0sHEwSwg59XeySwg+8HOxczY?=
Message-ID: <4078C386C5744F678017189C8AB300E9@user>

Only today: 80% off women's and men's bags from Italy by elite brands. Order today and we will manage to deliver to you by December 30!
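A toy Python model of the two structural weaknesses Jon Callas describes in his Karacell review earlier in this digest (a 64-bit field that must decrypt to zero under an XOR pad, and an XOR of per-block hashes used as a checksum), added here as an illustration and not Karacell's or Tigerspike's code. The counter-mode SHA-256 pad, the 16-byte block size and SHA-256 standing in for the scheme's own hash are assumptions; the HMAC at the end is the standard fix for the checksum problem, not something the review proposes.

```python
"""Why a known-zero field under an XOR pad leaks pad bits, and why an
XOR of per-block hashes is not an integrity check (toy model, see lead-in)."""
import hashlib
import hmac
import os

BLOCK = 16       # checksum block size in bytes (constructed for this toy)
ZERO_FIELD = 8   # the 64-bit field that the format requires to decrypt to zero


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(seed, length):
    """Stand-in for the 'tumbler' pad: SHA-256 in counter mode over a secret
    seed. Any pseudo-one-time-pad behaves the same way for the point made here."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(seed, plaintext):
    """Frame as 8 zero bytes || plaintext, then XOR the whole frame with the pad."""
    framed = bytes(ZERO_FIELD) + plaintext
    return xor_bytes(framed, keystream(seed, len(framed)))


def leaked_keystream(ciphertext):
    """Flaw 1: everyone knows the first 8 plaintext bytes are zero, so the
    first 8 ciphertext bytes ARE the first 8 pad bytes. No key is needed."""
    return ciphertext[:ZERO_FIELD]


def xor_block_checksum(data):
    """Checksum in the style Callas describes: hash each block, XOR the digests."""
    acc = bytes(hashlib.sha256().digest_size)
    for i in range(0, len(data), BLOCK):
        acc = xor_bytes(acc, hashlib.sha256(data[i:i + BLOCK]).digest())
    return acc


def reorder_is_invisible(blocks):
    """Flaw 2a: XOR is commutative, so block order does not change the checksum."""
    original = xor_block_checksum(b"".join(blocks))
    reordered = xor_block_checksum(b"".join(reversed(blocks)))
    return original == reordered


def duplicate_pair_is_invisible(blocks, extra):
    """Flaw 2b: appending the same block twice XORs its digest in and back out."""
    original = xor_block_checksum(b"".join(blocks))
    padded = xor_block_checksum(b"".join(blocks + [extra, extra]))
    return original == padded


def mac_tag(key, data):
    """The standard fix: a keyed MAC over the whole message is position-sensitive
    and cannot be recomputed by someone who lacks the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_detects_reorder(key, blocks):
    """Same reordering as above, now caught by comparing HMAC tags."""
    original = mac_tag(key, b"".join(blocks))
    tampered = mac_tag(key, b"".join(reversed(blocks)))
    return not hmac.compare_digest(original, tampered)


if __name__ == "__main__":
    seed = os.urandom(32)
    ct = encrypt(seed, b"sample message body")
    print("pad bytes recovered without the key:",
          leaked_keystream(ct) == keystream(seed, ZERO_FIELD))
    blocks = [b"A" * BLOCK, b"B" * BLOCK, b"C" * BLOCK]   # constructed blocks
    print("reorder invisible to XOR checksum:", reorder_is_invisible(blocks))
    print("duplicate pair invisible:", duplicate_pair_is_invisible(blocks, b"D" * BLOCK))
    print("HMAC detects reorder:", mac_detects_reorder(b"k" * 32, blocks))
```

The same checks hold with a strong hash in the block checksum, which is the point: the XOR combination, not the hash quality, is what fails.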
+ a gift with every bag on the website www.прада-гучи.рф

From liberationtech at lewman.us Thu Dec 27 14:22:21 2012
From: liberationtech at lewman.us (liberationtech at lewman.us)
Date: Thu, 27 Dec 2012 17:22:21 -0500
Subject: [liberationtech] Travel with notebook habit
Message-ID:

On Thu, 27 Dec 2012 21:51:02 +0100
Jerzy Eogiewa wrote:
> Without removing drive, what is the best habit for FDE to prevent
> attacks as Schneier describes? Full power-down? No hibernate file? Any
> other things?

What comes to mind first is the EFF's guide:
https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices

Or https://ssd.eff.org for a full picture.

Jake is somewhat extreme, but not without reason. I wrote up my practices after having the same conversation again and again with people around the world. Slightly less extreme, but here's what I do now,
http://wiki.lewman.is/blog/2012-07-14-modern-day-weapons-dealers#how-i-travel-internationally

While it's fun to worry about the borders and foreign agents, the real concern is the common criminal walking away with laptops and phones.

--
Andrew
http://tpo.is/contact
pgp 0x6B4D6475

----- End forwarded message -----

From mpm at selenic.com Thu Dec 27 17:36:16 2012
From: mpm at selenic.com (Matt Mackall)
Date: Thu, 27 Dec 2012 19:36:16 -0600
Subject: [liberationtech] Travel with notebook habit
Message-ID:

On Thu, 2012-12-27 at 23:56 +0100, Radek Pilar wrote:
> Full HDD encryption (including swap space and hibernate file) and
> powered down or hibernated (s2disk) machine is the only way to go.
Expect that if you're a target of state oppression that your laptop WILL be taken away from you for hours at border crossings. This was a routine occurrence for me between 2001 and 2006 or so. Fortunately for me, I didn't warrant the big guns: the customs officers involved usually reported their techs being completely thwarted/baffled by my Linux screensaver.

However, it would be fairly straightforward to take apart a laptop, install a hardware keylogger inside, and reassemble it in that sort of timeframe, then recover your key and decrypt your laptop on your return trip. So unless you have some sort of tamper-proof seals on your laptop, you can't trust it once it leaves your physical possession.

Also note that encryption is NOT sufficient. Canadian customs officials have demanded that I log in to my laptop so they could peruse my photo collection (?!) as a condition of entering the country and/or being released from customs. It's easy to imagine much more severe coercion if the authorities are actually interested in your data. Not having a hard disk is excellent defense against such coercive privacy invasions but encryption is not. Since then, I've personally started keeping a dummy, empty account on my laptop for basic deniability: nothing to see here but my travel itinerary, can I go now?

But if the operational security or privacy of your laptop actually matters and you must take a laptop, I have to agree with Jacob: don't travel with your data. Same applies for cameras and phones.

--
Mathematics is the supreme nostalgia of our time.
----- End forwarded message -----

From julian at julianoliver.com Thu Dec 27 16:56:25 2012
From: julian at julianoliver.com (Julian Oliver)
Date: Fri, 28 Dec 2012 01:56:25 +0100
Subject: [liberationtech] Travel with notebook habit
Message-ID:

..on Thu, Dec 27, 2012 at 09:51:02PM +0100, Jerzy Eogiewa wrote:
> I am just reading this,
> http://www.schneier.com/blog/archives/2012/12/breaking_hard-d.html
>
> Can we start some discussion about good notebook travel habit? I have read
> Jacob Appelbaum say he does not travel with _ANY_ drive in notebook, and this
> seem to be extreme.
>
> Without removing drive, what is the best habit for FDE to prevent attacks as
> Schneier describes? Full power-down? No hibernate file? Any other things?

Well, it's not the disk but what's on it. I don't trust closed platforms like OS X or Windows systems. Take what I write with a grain of salt but here's my general approach on a GNU/Linux system:

First tar up all the documents/files you need at the destination, note the md5sum and then securely copy them to a server you trust. Then start an sshd instance on port 443 (https) on the file server, so as to get around standard filtering on port 22 on the other end. Even some hotels filter against ssh but none do 443.

Then set up two bootable stock Linux distributions with *full disk encryption* on fast USB sticks and set up user accounts. Ensure tsocks, macchanger and Tor Browser Bundle, ssh, nmap and a few other basics are on the machine. Install Do Not Track plugin (or similar) alongside a User Agent Switcher.

Take the actual hard disk out of the machine.
Put one stick in your pocket and another in your check-in luggage. Take a few external USB wireless internet adapters with you.

Take the plane/train/car over the border.

On arrival and when you know you have an Internet gateway, plug one of the sticks in and boot up and get online using the external USB wireless adapter. If you have a link using Ethernet cable (RJ45) with an onboard Ethernet adapter then use it but only if you change your MAC address. Use macchanger to do this like so:

    sudo ifconfig eth0 down
    # now plug in Ethernet cable
    sudo macchanger -A eth0
    # A random hardware address will be assigned
    sudo ifconfig eth0 up
    sudo dhclient eth0

Now securely copy all the files back onto the local machine as a torified instance (only with tsocks to avoid UDP and DNS leaks) something like so:

    cd
    torify scp -P 443 you@remotehost.net:/path/to/files.tar.gz .
    md5sum files.tar.gz
    # check it's the real deal against noted md5sum earlier
    tar xvzf files.tar.gz

Avoid using any web services that track you across sites (at the least use Do Not Track plugins and the like). Change your User Agent in the Torified browser you use to something ubiquitous like the Android browser (most popular smartphone by 3x in most countries). Always use SSL when connecting to mail services and the like.

Before you fly again destroy that USB stick physically (smash with hammer and then burn). Destroy the USB network adapter you purchased also. Buy another USB stick, copy from the other stick you have (use 'dd' or 'cpio') and fly.

I'm sure there's a far more user friendly approach that's sane enough out in the field. One can't expect journalists to learn the CLI (albeit I think anyone that needs to trust their machine, isolate and mitigate network threats (among others) ought to!).
Cheers,

--
Julian Oliver
http://julianoliver.com
http://criticalengineering.org

----- End forwarded message -----

From julian at julianoliver.com Fri Dec 28 00:49:05 2012
From: julian at julianoliver.com (Julian Oliver)
Date: Fri, 28 Dec 2012 09:49:05 +0100
Subject: [liberationtech] Travel with notebook habit
Message-ID:

..on Thu, Dec 27, 2012 at 07:36:16PM -0600, Matt Mackall wrote:
> On Thu, 2012-12-27 at 23:56 +0100, Radek Pilar wrote:
> > Full HDD encryption (including swap space and hibernate file) and
> > powered down or hibernated (s2disk) machine is the only way to go.
>
> Expect that if you're a target of state oppression that your laptop WILL
> be taken away from you for hours at border crossings. This was a routine
> occurrence for me between 2001 and 2006 or so. Fortunately for me, I
> didn't warrant the big guns: the customs officers involved usually
> reported their techs being completely thwarted/baffled by my Linux
> screensaver.
>
> However, it would be fairly straightforward to take apart a laptop,
> install a hardware keylogger inside, and reassemble it in that sort of
> timeframe, then recover your key and decrypt your laptop on your return
> trip. So unless you have some sort of tamper-proof seals on your laptop,
> you can't trust it once it leaves your physical possession.
>
> Also note that encryption is NOT sufficient. Canadian customs officials
> have demanded that I log in to my laptop so they could peruse my photo
> collection (?!) as a condition of entering the country and/or being
> released from customs.
> It's easy to imagine much more severe coercion if
> the authorities are actually interested in your data. Not having a hard
> disk is excellent defense against such coercive privacy invasions but
> encryption is not. Since then, I've personally started keeping a dummy,
> empty account on my laptop for basic deniability: nothing to see here
> but my travel itinerary, can I go now?
>
> But if the operational security or privacy of your laptop actually
> matters and you must take a laptop, I have to agree with Jacob: don't
> travel with your data. Same applies for cameras and phones.

This is why I personally think it's wise to carry just a skeleton system over the border on a bootable USB stick, with full disk encryption. Once on the other side of the border, securely download the data required (as I said in last post).

Sticks are easier to throw away/hide and if your laptop is stolen/seized within the country your data doesn't have to go with it - the stick's in your pocket or in your sock when walking around. Before you cross the border again the stick should be physically destroyed. This is better than trusting data deletion.

It can be smart to have a stock standard Windows install on the physical hard-disk that wakes from sleep on lid-open with a picture of you and a dog laughing in the sunny grass. Invite them to browse around and find nothing. Never use that Windows install, of course. Boot Debian GNU/Linux or BackTrack Linux on the stick.

I've been extensively questioned at the border on a few occasions over the years /because/ my laptops don't have a Desktop as such, no icons either. Both my arms were grabbed at the Australian border as I reached to type 'firefox' in a terminal, to start the browser in an attempt to show them a normal looking environment.

Terminals at the border are not a good idea.

To avoid the machine being tampered with, invest in a solid state netbook and super-glue the shell together. It's not a crime.

Cheers!
--
Julian Oliver
http://julianoliver.com
http://criticalengineering.org

----- End forwarded message -----

From eugen at leitl.org Fri Dec 28 01:34:26 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 28 Dec 2012 10:34:26 +0100
Subject: [liberationtech] Travel with notebook habit
Message-ID: <20121228093426.GQ9750@leitl.org>

----- Forwarded message from liberationtech at lewman.us -----

From a at littleshoot.org Fri Dec 28 09:14:10 2012
From: a at littleshoot.org (Adam Fisk)
Date: Fri, 28 Dec 2012 11:14:10 -0600
Subject: [liberationtech] Google Hangout the new, better skype? Was Re: Skype redux
Message-ID:

> I sympathize with your frustration about Google and other companies'
> unwillingness to talk about their interception capabilities. In the
> particular case of Hangouts, it seems clear that the Hangout data is
> encrypted only between the user and Google, and not end-to-end.

That doesn't appear to be the case, Seth.
See: https://developers.google.com/talk/call_signaling#Encryption

--
Adam
pgp A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89

----- End forwarded message -----

From eugen at leitl.org Fri Dec 28 03:25:16 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 28 Dec 2012 12:25:16 +0100
Subject: [liberationtech] Travel with notebook habit
Message-ID: <20121228112516.GR9750@leitl.org>

----- Forwarded message from Julian Oliver -----

From eugen at leitl.org Fri Dec 28 03:25:52 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 28 Dec 2012 12:25:52 +0100
Subject: [liberationtech] Travel with notebook habit
Message-ID: <20121228112552.GS9750@leitl.org>

----- Forwarded message from Matt Mackall -----

From coccisu at rexnord.com Thu Dec 27 22:45:55 2012
From: coccisu at rexnord.com (=?koi8-r?B?IvTPzNjLzyDEzNEg7c/Ty9fZIg==?=)
Date: Fri, 28 Dec 2012 13:45:55 +0700
Subject: =?koi8-r?B?ODAlINPLycTLwSDOwSDz1c3LySDw0sHEwSwg59XeySwg+8HOxczY?=
Message-ID:

Only today: 80% off women's and men's bags from Italy by elite brands. Order today and we will manage to deliver to you by December 30!
+ a gift with every bag on the website www.прада-гучи.рф

From drwho at virtadpt.net Fri Dec 28 14:54:01 2012
From: drwho at virtadpt.net (The Doctor)
Date: Fri, 28 Dec 2012 17:54:01 -0500
Subject: [liberationtech] Modern FIDONET for net disable countries?
Message-ID:

On 12/27/2012 11:54 AM, Jerzy Eogiewa wrote:
> I wonder, is some FIDONET type service existing for countries where
> all telecom is disabled? Kind of "sneakernet" for large packets of
> messages to be delivered.
There are a couple of projects like that right now, but I do not know how much action they are seeing.

https://github.com/sanity/tahrir
https://github.com/endymion/sneakernet

Project Byzantium has considered using this to synch the datastores of unlinked meshes via sneakernet:

https://github.com/campadrenalin/EJTP-lib-python

Also, the FidoNET protocol is alive and well:

http://sourceforge.net/projects/fidoip/
http://control.zcu.cz/~flidr/fido/

> 1- I write message to [username, address or hash], encrypt with
> public/private pair. 2- Trusted "sneakernet" collector with some
> software physically arrives and grabs my message, updates my 'ball'
> (or blob?) of crypted messages, in case other
> sneakernet collector comes.

That would be doable. I am playing with something like that for CouchDB.

> 3- Maybe when delivery is 100% confirmed this gets added to ball so
> it can be pruned?

Say, if originating nodes get their packets back (the distribution cycle is complete), and expire the message?

> And so on. Bitcoin style blockchain confirmation seems useful?

That might not be a good idea. Not only would it result in a list that can be used to identify nodes, but it also increases overhead and complexity. Perhaps 'best effort' is the way to go about this.

It would be useful to determine the capabilities of existing implementations to see how many reimplementations of wheels could be avoided.

--
The Doctor [412/724/301/703] [ZS|Media]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Nondeterminism means never having to say you're wrong.
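A toy Python model of the store-and-forward "ball" discussed in this thread, added here as an illustration and not code from Project Byzantium, tahrir, EJTP or any other project named above. It implements the pruning rule The Doctor suggests (a message expires once its originating node sees its own packet come back) and lets that expiry travel with the ball as a set of ids so other carriers prune it too; the envelope layout, the SHA-256 ids and the tombstone rule are my assumptions, and encrypting the blob to its recipient is out of scope here.

```python
"""Best-effort sneakernet 'ball' with expiry on return to origin (toy model)."""
import hashlib


def make_envelope(origin, to, blob):
    """An opaque, already-encrypted message plus routing labels. In the scheme
    sketched in the thread 'origin' and 'to' could equally be pseudonymous hashes."""
    return {"id": hashlib.sha256(blob).hexdigest(), "origin": origin, "to": to, "blob": blob}


class Node:
    """One participant holding a ball of envelopes that couriers carry around."""

    def __init__(self, name):
        self.name = name
        self.ball = {}            # id -> envelope still being carried
        self.outstanding = set()  # ids we originated and have not yet seen return
        self.expired = set()      # tombstones: ids pruned here or learned from a courier
        self.inbox = []           # blobs addressed to us, in arrival order

    def post(self, to, blob):
        """Add a new message of our own to the ball."""
        env = make_envelope(self.name, to, blob)
        self.ball[env["id"]] = env
        self.outstanding.add(env["id"])
        return env["id"]

    def snapshot(self):
        """What a courier copies onto the stick: envelopes plus tombstones.
        Even this id list tells a carrier which messages have circulated, a
        weaker form of the identifying list The Doctor warns about."""
        return {"envelopes": dict(self.ball), "expired": set(self.expired)}

    def merge(self, carried):
        """Merge a courier's snapshot into our own ball."""
        # Honour tombstones first so a pruned message is never re-adopted.
        self.expired |= carried["expired"]
        for mid in carried["expired"]:
            self.ball.pop(mid, None)
            self.outstanding.discard(mid)
        for mid, env in carried["envelopes"].items():
            if mid in self.expired:
                continue
            if env["origin"] == self.name:
                if mid in self.outstanding:
                    # Our own envelope came back round: the distribution cycle
                    # is complete, so expire it and leave a tombstone behind.
                    self.outstanding.discard(mid)
                    self.ball.pop(mid, None)
                    self.expired.add(mid)
                continue
            if mid not in self.ball:
                self.ball[mid] = env
                if env["to"] == self.name:
                    self.inbox.append(env["blob"])


def courier_hop(a, b):
    """One physical visit. Snapshots are taken before either merge so a node
    only sees its own message 'return' on a later hop, not the same one."""
    snap_a, snap_b = a.snapshot(), b.snapshot()
    b.merge(snap_a)
    a.merge(snap_b)


def run_two_node_scenario():
    """A posts to B; three courier round trips deliver, confirm and prune."""
    a, b = Node("A"), Node("B")
    mid = a.post("B", b"ciphertext-for-B (constructed placeholder)")
    courier_hop(a, b)  # hop 1: B receives and keeps carrying the envelope
    courier_hop(a, b)  # hop 2: A sees its own envelope return and expires it
    courier_hop(a, b)  # hop 3: A's tombstone reaches B, which drops the envelope
    return mid, a, b


if __name__ == "__main__":
    mid, a, b = run_two_node_scenario()
    print("delivered:", b.inbox, "| still carried:", mid in a.ball or mid in b.ball)
```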
----- End forwarded message -----

From thermoplasticna493 at riverolaw.com Fri Dec 28 18:08:33 2012
From: thermoplasticna493 at riverolaw.com (=?koi8-r?B?IvTPzNjLzyDEzNEg7c/Ty9fZIg==?=)
Date: Sat, 29 Dec 2012 10:08:33 +0800
Subject: =?koi8-r?B?ODAlINPLycTLwSDOwSDz1c3LySDw0sHEwSwg59XeySwg+8HOxczY?=
Message-ID: <9602A03CCF714DF89A8B2D5B8B251C13@ITQUANGNAM>

Only today: 80% off women's and men's bags from Italy by elite brands. Order today and we will manage to deliver to you by December 30!
+ a gift with every bag on the website www.прада-гучи.рф

From sdw at lig.net Sat Dec 29 14:43:51 2012
From: sdw at lig.net (Stephen D. Williams)
Date: Sat, 29 Dec 2012 14:43:51 -0800
Subject: [FoRK] Recommendations for a reliable subscription-based SSL VPN or proxy service for "secure, portable, virtual" office?
Message-ID:

On 12/26/12 10:05 AM, Ben (B.K.) DeLong wrote:
> Hi all -
>
> Hope everyone had/is having an enjoyable holiday break. I'm at my new
> gig and thinking about being more vigilant regarding the separation of
> personal life and work technologically. Any access of personal files
> or activities, while at work, is done via a Portable Apps setup
> through a Mountable TrueCrypt drive stored on DropBox.

Surprised that works well without corruption...
Although for a whole drive it would be a bit of an efficient storage use issue (requiring just periodic reset maintenance), SparkleShare+Gitolite git server via ssh is a great combination, with clients for Windows/Macosx/Linux or you can use any git client. If the git server were storing into a TrueCrypt loopback on the server, you'd ruin offline attacks against your data. Simply sync to another drive somewhere to get redundancy.

Why not run an ephemeral VM (VirtualBox is free) that mounts a local host TrueCrypt volume that is a cache for SparkleShare/Git. You could run the VM from the TrueCrypt volume, but then it would be mounted on the local OS and Panopticon-like admin / system software would get to it. An ephemeral VM (that doesn't save updates to disk) that mounts the TrueCrypt volume is more difficult to attack. This was always a feature of VMWare; not sure how to do it with VirtualBox. Perhaps with snapshots or similar COW drive mounts with the drives in the TrueCrypt loopback.

The VM should tunnel all network traffic over SSH to a shell server somewhere, home if you properly setup incoming ports. Use dynamic DNS to get to it or something simpler (file on the ssh server is enough).

It's not too hard to get the beginnings of cover traffic to make traffic analysis tough. This could be done various ways from random data, traffic sensing reaction, to a smart tunnel that directly augments traffic patterns with chaff. Modify netcat and then run that over SSH socket proxies.

>
> It syncs regularly and while most of the activity is over SSL, I'd
> like to ensure any and all activity being done from those particular
> applications are done either over an encrypted hosted VPN or (if I
> must) a hosted virtual machine that I can VPN/remote into from work.
>
> I'm not trying to be surreptitious here at my new job, but at the same
> time, I've been trying to find the sweet-spot to this "secure,
> portable, backed-up virtual office" solution for a while and the VPN
> or Virtual machine setup is my last piece.
>
> I'm looking for something that's no more than $10-$30 a month. But I
> am open to alternatives if I replace the dropbox solution.

I've been running a colocated machine one way or another since 1992, with my own DNS server, etc. When I get around to building almost-never-fail mini-servers, I have at least two other stable but seldom visited locations to put servers. I currently have an underused Linux box with 4 large drives and 10Mb symmetric unlimited use. The hard drive wears out about once every 2 years; it gets rebooted about once every 6-12 months. It would probably be a good idea to share it and defray some of the costs, especially while I'm in (relative) vow-of-poverty startup mode again.

>
> Many thanks in advance for thoughts. I'll share what I come up with.
>

sdw

_______________________________________________
FoRK mailing list
http://xent.com/mailman/listinfo/fork

----- End forwarded message -----

From chandrasekharbg485 at roudeau.com Sat Dec 29 05:26:33 2012
From: chandrasekharbg485 at roudeau.com (=?koi8-r?B?IvTPzNjLzyDEzNEg7c/Ty9fZIg==?=)
Date: Sat, 29 Dec 2012 21:26:33 +0800
Subject: =?koi8-r?B?ODAlINPLycTLwSDOwSDz1c3LySDw0sHEwSwg59XeySwg+8HOxczY?=
Message-ID:

Only today: 80% off women's and men's bags from Italy by elite brands. Order today and we will manage to deliver to you by December 30!
+ a gift with every bag on the website www.прада-гучи.рф

From virtualadept at gmail.com Sun Dec 30 11:37:08 2012
From: virtualadept at gmail.com (Bryce Lynch)
Date: Sun, 30 Dec 2012 14:37:08 -0500
Subject: [liberationtech] Travel with notebook habit
Message-ID:

On Sun, Dec 30, 2012 at 11:02 AM, Eugen Leitl wrote:
> ----- Forwarded message from Julian Oliver -----
>
> This is why I personally think it's wise to carry just a skeleton system over
> the border on a bootable USB stick, with full disk encryption. Once on the
> other side of the border, securely download the data required (as I said in last
> post).

This is what I do when I go OCONUS. I have an older 'burner' laptop that I only take on travel with me that has a 250GB hard drive. Before every trip I DBAN the drive and reinstall my usual desktop and applications (reinstalling Arch Linux is pretty fast once you're used to it, and I use Backpac (https://github.com/altercation/backpac) to automate much of the construction process). I also make sure to copy some files into my home directory just so anyone poking around in there will have something to find - photographs from vacations, RPG books from Drive Thru, and whitepapers that I never seem to have the time to read at work. I try to shoot for looking like a harmless nerd.

Before I left I built a file on a separate system that goes into a directory of videos on my website which is actually a TrueCrypt volume containing a KeePass database, a copy of the Tor Browser Bundle, Torchat, a set of SSH keys that are only used while on travel to log into certain IP addresses, a set of OpenVPN certificates to set up a VPN connection to a machine I trust back home, and a text file of URLs and IP addresses for things. Anything sensitive that I pick up while on the trip (like notes taken or documents) get copied into the TrueCrypt volume. The TrueCrypt volume is only opened when I need it, otherwise it just sits on the hard drive pretending to be a video.
Bandwidth permitting, I download that file to my laptop for the duration of the trip, and (also bandwidth permitting) it's SCP'd up to the same web server it was downloaded from so there is always an offsite copy (which also gets backed up once a day along with the websites on that server). Just before heading home, one last copy is uploaded to the web server and then it's securely deleted from the drive. I don't use journaling file systems on my travel laptop, so it seems to have a better chance of irretrievability. I've also experimented with overwriting the file with ISO images (like the Arch Linux installation ISO) and other videos (concert footage is nice) prior to shredding the file. I haven't done a forensic analysis to test whether or not an actual overwrite takes place, so take that with a dose of sodium chloride. It makes me feel better, though.

> Sticks are easier to throw away/hide and if your laptop is stolen/seized within
> the country your data doesn't have to go with it - the stick's in your pocket or
> in your sock when walking around. Before you cross the border again the stick
> should be physically destroyed. This is better than trusting data deletion.

I would recommend microSD cards for this - much smaller, can be fitted into a USB key-like adapter for access, they're relatively cheap (so you can carry a lot of them with you, and if one goes missing it's hard to tell (*cough*)), and they can be destroyed with a pair of nail clippers or a flush if absolutely necessary.

> It can be smart to have a stock standard Windows install on the physical
> hard-disk that wakes from sleep on lid-open with a picture of you and a dog
> laughing in the sunny grass. Invite them to browse around and find nothing.
> Never use that Windows install, of course. Boot Debian GNU/Linux or BackTrack
> Linux on the stick.

That's a pretty good idea. Not the way I roll, but it works.
> I've been extensively questioned at the border on a few occasions over the
> years /because/ my laptops don't have a Desktop as such, no icons either. Both
> my arms were grabbed at the Australian border as I reached to type 'firefox' in
> a terminal, to start the browser in an attempt to show them a normal looking
> environment.

That was a concern of mine, but I've not heard of it happening before. Good to know it's a risk worth planning for (I do - Firefox, LibreOffice, Clementine, a couple of other familiar-seeming apps on the desktop).

> Terminals at the border are not a good idea.

No, they're not. White text in black windows sets people off. Too many movies with thrilling scenes of people typing, I think.

> To avoid the machine being tampered with, invest in a solid state netbook and
> super-glue the shell together. It's not a crime.

I put stickers on the seams on my notebooks in places where they would have to be damaged to gain access to the internals - on the sides, on the bottom over a screw or two, places like that. I use different stickers for every trip - sometimes Snoopy, sometimes My Little Pony, sometimes whatever is cheap in the kid's section at the drugstore. I switch them up to make it less likely that the sticker pack used can be guessed (maybe it's a bit overboard, but it's also minimal effort on my part). If the stickers have been creased, cut, or moved it would mean that someone had been poking around in the guts of my laptop.

--
The Doctor [412/724/301/703] [ZS|Media]
https://drwho.virtadpt.net/
"I am everywhere."

--
You received this message because you are subscribed to the Google Groups "ZS-P2P" group.
To post to this group, send email to zs-p2p at googlegroups.com.
To unsubscribe from this group, send email to zs-p2p+unsubscribe at googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
----- End forwarded message -----

-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From pete at wearpants.org Sun Dec 30 12:05:14 2012
From: pete at wearpants.org (Peter Fein)
Date: Sun, 30 Dec 2012 15:05:14 -0500
Subject: [liberationtech] Modern FIDONET for net disable countries?
Message-ID: 

I & some other Telecomix agents have discussed using a local Usenet (NNTP) for exactly this purpose a few times since Tahrir. Run it off a liveCD + adhoc wifi or OpenWRT, with web gateway interface (so random users can participate without needing to install software). Long distance backhaul by dialup modem or motorcycle courier w/ USB stick. Rather than trying to build in centralized security/identity, force everything to anonymity/pseudonymity (the 4chan model).

You don't need the access to the global Internet to organize your city...

On Dec 27, 2012 11:54 AM, "Jerzy Eogiewa" wrote:
> Hello!
>
> I wonder, does some FIDONET-type service exist for countries where all
> telecom is disabled? Kind of "sneakernet" for large packets of messages to
> be delivered.
>
> 1- I write message to [username, address or hash], encrypt with
> public/private pair.
> 2- Trusted "sneakernet" collector with some software physically arrives
> and grabs my message, updates my 'ball' (or blob?) of crypted messages, in
> case other sneakernet collector comes.
> 3- Maybe when delivery is 100% confirmed this gets added to ball so it can
> be pruned?
>
> And so on. Bitcoin style blockchain confirmation seems useful?
>
> Does any service like this exist now?
>
> --
> Jerzy Eogiewa -- jerzyma at interia.eu
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----

From eugen at leitl.org Sun Dec 30 08:02:14 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 30 Dec 2012 17:02:14 +0100
Subject: [liberationtech] Travel with notebook habit
Message-ID: <20121230160214.GW9750@leitl.org>

----- Forwarded message from Julian Oliver -----

From eugen at leitl.org Sun Dec 30 08:31:18 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 30 Dec 2012 17:31:18 +0100
Subject: [liberationtech] Google Hangout the new, better skype? Was Re: Skype redux
Message-ID: <20121230163117.GY9750@leitl.org>

----- Forwarded message from Adam Fisk -----

From eugen at leitl.org Sun Dec 30 11:14:57 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 30 Dec 2012 20:14:57 +0100
Subject: [liberationtech] Modern FIDONET for net disable countries?
Message-ID: <20121230191457.GF9750@leitl.org>

----- Forwarded message from The Doctor -----

From sky at aa6ax.us Mon Dec 31 12:48:46 2012
From: sky at aa6ax.us (Sky- AA6AX)
Date: Mon, 31 Dec 2012 12:48:46 -0800
Subject: [HacDC:Byzantium] Future paths?
Message-ID: 

I agree with making it really clear and in plain language. I think that having a desktop option and labeling it as the "normal" bootup is going to be critical in most emergency operations. Otherwise some folks might even think the computer did not boot up because it just "doesn't look right." So this has to be the default option.
In terms of naming, I'd call the other option "Boot to shell" or "Boot to command line" or some phrase that every one of us geeks will recognize, plus 5% of muggles will recognize, and everyone else will go for the "normal" or "desktop" boot up process without even asking what that other one means.

I'm certain that in the next San Francisco earthquake we will use the Byzantium nodes not only for setting up mesh connectivity, but also as communications terminals themselves, pounding on the node keyboards just as much as on other computers. So I would still urge "boot to desktop" as the topmost and default option even if I thought there was only a 10% chance that I'd need the screen and keyboard in order to participate in chat with network users. It's worth the overhead to not have to reboot the computer if I run out of stations to type at.

I pay homage to those of you who helped out in NYC and I see an important lesson there -- which is that mesh communication even if not needed by first-responders may be needed by citizens, which I think might still be a similar configuration scenario. In my tests I had to use my local Byzantium node to participate in chat because I didn't have enough machines with enough battery power to keep them all powered up all the time. In our central EOC, of course, we have standby AC power, but out in the field it's going to be iffy.

I'd guess that we would set up mesh at in-the-field command posts to connect a number of machines. If first-responder channels were down, we would use amateur radio for the longer distances if we couldn't hop to some Internet connection that has survived. The standard FEMA NIMS model is well-understood here and routinely drilled. And I'd think that I'd want to have several Byzantium nodes in a command center or staging location or field command center to increase reliability and probably stretch range as well since one center might be spread out over a city block or more.
Our NERT (neighborhood) assembly and staging areas are usually playgrounds or other large sites. Maybe someone can briefly point out to me whether having "more Byzantium nodes than you think you'll need" is the best way to go or not. (I suspect it is.) And I wonder what your experience is with link distance and robustness. Here in my neighborhood my computers can see lots of Wi-fi systems that are maybe 200 to 300 feet away, and a few that (astoundingly) purport to be a couple of miles away, but without involving high-gain antennas I don't know that I can link them together. Will test that out next time.

-Sky

On Dec 31, 2012, at 11:26 AM, Ben Mendis wrote:

> * PGP Signed by an unknown key
>
>
> On 12/30/2012 11:33 PM, haxwithaxe wrote:
>>> I've copied the contents of one of the USB keys we had in Red Hook
>>> into a subdirectory on Windbringer, and I'm working on turning it into
>>> something that is recognizable as v0.3a (because we've made enough
>>> changes to the system that it pretty much warrants a new release).
>>> I'm working on the boot splash right now (which is, strangely, the
>>> hardest part to get right). We should probably write a new set of
>>> release notes on ByzantiumPad that explains the changes we made
>>> (namely, tearing out the control panel and the network apps, and
>>> describing both the autoconfiguration daemon and how interoperability
>>> with the Commotion Wireless firmware works). What I'm not so sure
>>> about is whether or not we should have v0.3a boot to the desktop or
>>> not. This release is fully self-configuring, so once it's up, it's
>>> up. There isn't a whole lot of user interaction in this release
>>> because we got rid of that during the Red Hook relief operation, but
>>> that also confused people ("What? That's IT?!")
>> i suggest we boot to the desktop as a normal porteus live distro does
>> and have firefox popup with "you're up!"
>> or "there was a problem :("
>>
>>> We could set the desktop up in v0.3a to open Firefox and display a
>>> page to the effect of "Your Byzantium node is now fully operational.
>>> No, seriously - it's automatically configured itself.", but the
>>> question is then whether or not it's worth the use of memory and
>>> compute cycles on a running X server that isn't doing anything
>>> helpful.
>> they will likely want to use their laptop once it's running :P
>> we can always rebrand a copy of the "text mode" boot item as "powersave" :P
>>
> I don't know about that renaming. I think it needs to be clear that
> choosing one will result in a shell-prompt that won't be useful to most
> people, but the other option results in a familiar desktop with a web
> browser which could be essential to many people.
>
>
> * Unknown Key
> * 0x3233ED30
>

-- 
You received this message because you are subscribed to the Google Groups "Project Byzantium (Emergency Mesh Networking)" group.
To post to this group, send email to Byzantium at hacdc.org.
To unsubscribe from this group, send email to Byzantium+unsubscribe at hacdc.org.
For more options, visit this group at http://groups.google.com/a/hacdc.org/group/Byzantium/?hl=en.

----- End forwarded message -----

From jacob at appelbaum.net Mon Dec 31 05:45:38 2012
From: jacob at appelbaum.net (Jacob Appelbaum)
Date: Mon, 31 Dec 2012 13:45:38 +0000
Subject: [liberationtech] Modern FIDONET for net disable countries?
Message-ID: 

Eric S Johnson:
> For the record, Burma/Myanmar (MM) has very little cybercensorship
> now (the previous censorship started loosening up in about August
> 2011 and was basically - not entirely, but mostly - dropped by the end of
> October 2011).
>

Hi, I've just returned from Burma in the last month.
There is total surveillance in Burma on the commercial YTP ISP. They censor plenty of sites and their BlueCoat proxy devices fail to deliver content for unblocked sites often. The other networks seem rather under surveillance as well and they also have censorship. We (OONI) have data from my trip there and it includes all of the major networks. We'll write it up and publish all of it soon.

> I've been visiting MM since the mid-aughts and have never encountered
> FidoNet there. Haven't seen it since Africa, mid-nineties. But that
> doesn't mean it wasn't/isn't there.
>

I haven't seen FidoNet but I did see lots of WiMax, VSAT, GSM/CDMA and even some discussion of X.25, etc.

>
>
> (Vietnam still has a measurable amount of online censorship, but it's
> not nearly as heavy-handed as China's or Iran's. It's more like
> Ethiopia's.
>

Ethiopia has extremely sophisticated censorship:

https://blog.torproject.org/blog/ethiopia-introduces-deep-packet-inspection
https://blog.torproject.org/blog/update-censorship-ethiopia

> Some of Cambodia's ~30 ISPs censor a half-dozen sites, but that's
> hardly serious (the largest, Vietnamese-controlled, ISP doesn't!).)
>

The serious problem is the infrastructure even if today it is only used on a few sites.

All the best,
Jake

----- End forwarded message -----

From julian at julianoliver.com Mon Dec 31 07:09:14 2012
From: julian at julianoliver.com (Julian Oliver)
Date: Mon, 31 Dec 2012 16:09:14 +0100
Subject: [liberationtech] Modern FIDONET for net disable countries?
Message-ID: 

..on Mon, Dec 31, 2012 at 09:38:08AM -0500, Griffin Boyce wrote:
> At HOPE this summer I talked a bit about a wireless mesh concept that
> would allow people to communicate without internet access or phone access.
> The real problem with a BBS is that it's trivial to take down. In most
> countries, one call to the phone company can suspend a phone number
> 'pending investigation.'
>
> Right now your best bet for the features you want would probably be Briar
> [1]. If your community's needs are closer to chat and file-sharing, then
> PirateBox is a promising solution [2]. (file-sharing ex: files that users
> wanted everyone to have, or wanted to be published online).
>
> Your concept could be tricky for more than a handful of users, since
> everything is manual.
>
> [1] http://briar.sourceforge.net/
> [2] http://wiki.daviddarts.com/PirateBox
>
> Best,
> Griffin Boyce
>
> On Sun, Dec 30, 2012 at 3:05 PM, Peter Fein wrote:
>
> > I & some other Telecomix agents have discussed using a local Usenet (NNTP)
> > for exactly this purpose a few times since Tahrir. Run it off a liveCD +
> > adhoc wifi or OpenWRT, with web gateway interface (so random users can
> > participate without needing to install software). Long distance backhaul by
> > dialup modem or motorcycle courier w/ USB stick. Rather than trying to
> > build in centralized security/identity, force everything to
> > anonymity/pseudonymity (the 4chan model).

Some years ago I read an article about an 'offline' mail transport system used (in India or Pakistan IIRC) that did precisely this. A motorcycle rider wearing an access point with 1W boosted antenna and a mass storage device pulls up outside a house in a rural area and waits a designated period while locals associate with the AP and pull and push email. Email pushed is later delivered when the driver is in contact with an Internet gateway (probably at the office). Regretfully I can't find the article now.
It would be trivial to do this with OpenWRT. You could even serve a simple webmail interface built atop lighttpd alongside cached news sites and other services for longer sessions. Many cheap WiFi routers these days run OpenWRT just fine, take 5v input and run at a very low amperage. Some have a USB port that supports USB OTG (for mass storage devices like USB sticks, SSDs, etc).

We work a lot with OpenWRT and various SoC wireless router hardware here in Berlin at Studio Weise7. This would be a project we'd be very happy to host and 'sprint' over a weekend. Meshing is something we're very interested in also.

Incidentally I may be developing a project for the city of Derry in Ireland that deploys low cost weather-proof, solar-powered offline access points (as a delivery platform for cultural material). If it goes ahead I will be happy to contribute all my findings, schematics and firmware.

Cheers,

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org

----- End forwarded message -----

From eugen at leitl.org Mon Dec 31 08:31:10 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 31 Dec 2012 17:31:10 +0100
Subject: [liberationtech] Modern FIDONET for net disable countries?
Message-ID: <20121231163110.GS9750@leitl.org>

----- Forwarded message from Julian Oliver -----

From eugen at leitl.org Mon Dec 31 08:44:54 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 31 Dec 2012 17:44:54 +0100
Subject: [liberationtech] Modern FIDONET for net disable countries?
Message-ID: <20121231164454.GU9750@leitl.org>

----- Forwarded message from Jacob Appelbaum -----

From Gerald at dcolemans.com Mon Dec 31 09:17:32 2012
From: Gerald at dcolemans.com (Jamel West)
Date: Mon, 31 Dec 2012 18:17:32 +0100
Subject: Jamel West sent you a message
Message-ID: 