From dispositionsiet1 at rock.ashcraftlaw.com  Mon Jul  1 10:18:11 2013
From: dispositionsiet1 at rock.ashcraftlaw.com (=?koi8-r?B?IunHz9LO2crEz80xIg==?=)
Date: Mon, 1 Jul 2013 12:18:11 -0500
Subject: =?koi8-r?B?88HN2cUgy9LV0M7ZxSDX2cnH0tnbySEg5dbFxM7F187ZxSDE1sXLcM/U?=
	=?koi8-r?B?2SEg99nTz97BytvJyiDLz87U0s/M2CDexdPUzs/T1Mkh?=
Message-ID: <000d01ce767e$f6c0f240$6400a8c0@dispositionsiet1>

Самые крyпные выигрыши! Ежедневные джекпоты!
Самый высокий контроль честности Европейского уровня!
Лучшие игровые автоматы и реальные девушки онлайн в live казино!

Сегодня увеличим Ваш любой депоzит на 200%

Наш сайт http://игорныйдом1.рф/




From transfusionf at renodepot.com  Mon Jul  1 09:24:24 2013
From: transfusionf at renodepot.com (=?koi8-r?B?IunHz9LO2crEz80xIg==?=)
Date: Mon, 1 Jul 2013 13:24:24 -0300
Subject: =?koi8-r?B?88HN2cUgy9LV0M7ZxSDX2cnH0tnbySEg5dbFxM7F187ZxSDE1sXLcM/U?=
	=?koi8-r?B?2SEg99nTz97BytvJyiDLz87U0s/M2CDexdPUzs/T1Mkh?=
Message-ID: <000d01ce7677$72fa11a0$6400a8c0@transfusionf>

Самые крyпные выигрыши! Ежедневные джекпоты!
Самый высокий контроль честности Европейского уровня!
Лучшие игровые автоматы и реальные девушки онлайн в live казино!

Сегодня увеличим Ваш любой депоzит на 200%

Наш сайт http://игорныйдом1.рф/




From oxygenated435 at listserv.eurasia.org  Mon Jul  1 03:45:36 2013
From: oxygenated435 at listserv.eurasia.org (=?koi8-r?B?IuTFztjHySI=?=)
Date: Mon, 1 Jul 2013 18:45:36 +0800
Subject: =?koi8-r?B?69LFxMnUzsHRIMvB0tTBIDQ1MCAwMDAg0tXCzMXKINTF0MXS2CDTINPS?=
	=?koi8-r?B?z97O2c0g19nQ1dPLz80g?=
Message-ID: <A73003BB2BAF4CB98EE9423A66153D66@PC200812291545>

Срочно нужны деньги? Кредитная карта с лимитом до 450 000 
подробнее >>> 
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 381 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130701/181aeabb/attachment.txt>

From ebullience3439 at raytheon-ssd.com  Tue Jul  2 05:39:33 2013
From: ebullience3439 at raytheon-ssd.com (=?koi8-r?B?IuHMxcvTwc7E0iDzxdLHxcXXIg==?=)
Date: Tue, 2 Jul 2013 09:39:33 -0300
Subject: =?koi8-r?B?5MnSxcvUz9LVLiDrz83NxdLexdPLz8Ug0NLFxMzP1sXOycUg0M8g0sXL?=
	=?koi8-r?B?zMHNxSDXwdvFyiDQ0s/E1cvDycku?=
Message-ID: <000d01ce7721$34634470$6400a8c0@ebullience3439>

Добрый день 

(пожалуйста передайте это письмо ген.директору или руководителю отдела  рекламы)

Возвожно вам будут интересны рекламные рассылки по E-mail!
Юр. и физ.лица! Москва, Россия и СНГ
База 15 000 000 адресов

1 рассылка 3 500 рублей
3 рассылки  7 500 рублей
5 рассылок 10 000 рублей 

Дополнительные скидки от 7 рассылок

Эффективная  рассылка не может быть дешевле!
Вы это прочитали? Рассылка работает.

Наши контакты:
Почта org.2013 at yahoo.com
Наш легкий телефон в Москве 8 (903) 000-603-0

Пишите или звоните, поможем с макетом письма и ответим на все вопросы!




From chumx331 at richardthomson.com  Tue Jul  2 08:13:32 2013
From: chumx331 at richardthomson.com (=?koi8-r?B?Iv7B09kg0M8gzNXe28nNIMPFzsEi?=)
Date: Tue, 2 Jul 2013 16:13:32 +0100
Subject: =?koi8-r?B?7NXe28nFIN7B08/X2cUgwtLFzsTZINMg7MXUzsnNySDTy8nEy8HNySE=?=
Message-ID: <000d01ce772e$553487b0$6400a8c0@chumx331>

Великолепные часы для Вашего статуса. Patek Philippe, Rolex, Vacheron Constantin - метры часового искусства стали доступней. Успей купить до конца лета.  Наш сайт  http://www.часы-года.рф




From baryshnikov02 at rotschild.com  Tue Jul  2 07:27:10 2013
From: baryshnikov02 at rotschild.com (=?koi8-r?B?IuHMxcvTwc7E0iDzxdLHxcXXIg==?=)
Date: Tue, 2 Jul 2013 16:27:10 +0200
Subject: =?koi8-r?B?5MnSxcvUz9LVLiDrz83NxdLexdPLz8Ug0NLFxMzP1sXOycUg0M8g0sXL?=
	=?koi8-r?B?zMHNxSDXwdvFyiDQ0s/E1cvDycku?=
Message-ID: <000d01ce7727$db0830a0$6400a8c0@baryshnikov02>

Добрый день 

(пожалуйста передайте это письмо ген.директору или руководителю отдела  рекламы)

Возвожно вам будут интересны рекламные рассылки по E-mail!
Юр. и физ.лица! Москва, Россия и СНГ
База 15 000 000 адресов

1 рассылка 3 500 рублей
3 рассылки  7 500 рублей
5 рассылок 10 000 рублей 

Дополнительные скидки от 7 рассылок

Эффективная  рассылка не может быть дешевле!
Вы это прочитали? Рассылка работает.

Наши контакты:
Почта org.2013 at yahoo.com
Наш легкий телефон в Москве 8 (903) 000-603-0

Пишите или звоните, поможем с макетом письма и ответим на все вопросы!




From scavengerqd1 at rbscrp.com  Tue Jul  2 05:28:23 2013
From: scavengerqd1 at rbscrp.com (=?koi8-r?B?IuHMxcvTwc7E0iDzxdLHxcXXIg==?=)
Date: Tue, 2 Jul 2013 17:58:23 +0530
Subject: =?koi8-r?B?5MnSxcvUz9LVLiDrz83NxdLexdPLz8Ug0NLFxMzP1sXOycUg0M8g0sXL?=
	=?koi8-r?B?zMHNxSDXwdvFyiDQ0s/E1cvDycku?=
Message-ID: <000d01ce771f$a517b950$6400a8c0@scavengerqd1>

Добрый день 

(пожалуйста передайте это письмо ген.директору или руководителю отдела  рекламы)

Возвожно вам будут интересны рекламные рассылки по E-mail!
Юр. и физ.лица! Москва, Россия и СНГ
База 15 000 000 адресов

1 рассылка 3 500 рублей
3 рассылки  7 500 рублей
5 рассылок 10 000 рублей 

Дополнительные скидки от 7 рассылок

Эффективная  рассылка не может быть дешевле!
Вы это прочитали? Рассылка работает.

Наши контакты:
Почта org.2013 at yahoo.com
Наш легкий телефон в Москве 8 (903) 000-603-0

Пишите или звоните, поможем с макетом письма и ответим на все вопросы!




From woodchucksi930 at superfoliation.com  Tue Jul  2 22:16:06 2013
From: woodchucksi930 at superfoliation.com (=?koi8-r?B?IvzMxcvU0s/OztnKIM3B0svF1MnOxyI=?=)
Date: Wed, 3 Jul 2013 13:16:06 +0800
Subject: =?koi8-r?B?OCDSwdPT2czPyyAtIDEwIDAwMCAgNDQg0sHT09nMy8kgLSAyMCAwMDAg?=
Message-ID: <1B12DBD708F14CC6B92058C0880A3CFD@xctest01>

1 рассылка - 3000
8 рассылок - 10 000 +  Хостинг в подарок и домен РФ

МЕСЯЦ: 44 рассылки 2 раза в день - 5 раз в неделю  - 20 000 + Хостинг в подарок и домен РФ


Базы:
Россия 23 млн -  в том 2,4 млн Юр. лица
Москва  8 млн - в том числе 1,3 млн Юр. лица
Украина 4 млн


- СБОР ИНДИВИДУАЛЬНЫХ ТЕМАТИЧЕСКИХ БАЗ!!!!
- Обновленные ОБЩИЕ базы
- Удобные акции
- Спец-хостинг
- Почтовые формы для принятия заказа
- Работа с базами клиента
- Рассылки в рабочее время по вашему графику


Тел: (495) 585-79-04
ICQ: 286-926-971




From goateem0 at rachuba.com  Mon Jul  8 06:55:00 2013
From: goateem0 at rachuba.com (=?koi8-r?B?IuXX0s8ty8Hayc7PIE4xINTF0MXS2CDXICDyz9PTycki?=)
Date: Mon, 8 Jul 2013 14:55:00 +0100
Subject: =?koi8-r?B?7NXe28nFIM/OzMHKziDJx9LZIM7BIMTFztjHySEg69LV0M7ZxSDX2cnH?=
	=?koi8-r?B?0tnbySwg0NLJ0dTO2cUgws/O1dPZIQ==?=
Message-ID: <000d01ce7bda$5b836db0$6400a8c0@goateem0>

Самое  лояльное казино Европы Теперь и в России
Моментальная регистрация и вывод выигрышей
Лучшие бонусы, подарки и акции
Самые крупные выигрыши  в рунете!
Многолетняя репутация  и высокий контроль честности MD5

Играй с удовольствием и выигрывай на сайте
http://евро-казино.рф/




From foresteruc8 at ranacansada.com  Mon Jul  8 21:27:50 2013
From: foresteruc8 at ranacansada.com (=?koi8-r?B?IvPVzcvJIMvPzMzFy8PJ0SAyMDEzLiAi?=)
Date: Tue, 9 Jul 2013 09:57:50 +0530
Subject: =?koi8-r?B?9M/M2MvPINcgycDMxSwg1c7Jy8HM2M7PxSDQ0sXEzM/Wxc7JxTogy8/W?=
	=?koi8-r?B?wc7ZxSDT1c3LySDX2dPP3sHK28XHzyDLwd7F09TXwSDQzyDT0MXDycHM?=
	=?koi8-r?B?2M7PyiDDxc7FLg==?=
Message-ID: <3F3AA59C1E2144EEB1D29FCF9371C62D@mre8f291b2d0b7>

Доказано: правильный выбор сумки положительно влияет на имидж и настроение девушки. Читать подобности здесь.  http://www.сумки-италия.рф   




From interpretative1 at rdhbe.com  Mon Jul  8 20:09:50 2013
From: interpretative1 at rdhbe.com (=?koi8-r?B?Iv7B08/Xz8ogwtXUycsi?=)
Date: Tue, 9 Jul 2013 10:09:50 +0700
Subject: =?koi8-r?B?7MXUztHRIMvPzMzFy8PJ0SDewdPP1yAtINvBztMgz8LOz9fJ1Ngg09fP?=
	=?koi8-r?B?wCDLz8zMxcvDycAh?=
Message-ID: <000d01ce7c51$c693c010$6400a8c0@interpretative1>

Летний сезон объявляем открытым! Море, пляж, путешествия┘Мы слишком долго ждали этого! Целая коллекция летних часов ждет Вас в нашем каталоге. Hublot, Rolex, Tag Heuer,Ulysse Nardin: любимые бренды с доставкой на дом! Наш сайт  http://часы-года.рф




From success3 at rideshareonline.com  Mon Jul  8 22:53:50 2013
From: success3 at rideshareonline.com (=?koi8-r?B?IuHQ1MXLwS3EzNEt19rSz9PM2cgi?=)
Date: Tue, 9 Jul 2013 11:23:50 +0530
Subject: =?koi8-r?B?/tXEzyDUwcLMxdTLySDXINfJxMUgy8/OxsXUIMTM0SDCxdrV0NLF3s7P?=
	=?koi8-r?B?yiDTxcvT1cHM2M7PyiDBy9TJ187P09TJIQ==?=
Message-ID: <000d01ce7c68$afc920c0$6400a8c0@success3>

Только у нас можно приобрести новинку гель и таблетки в виде конфет
Для безупречной сексуальной активности! 
Для мужчин и женщин! 

Доставим быстро и аккуратно, анонимно!
У нас в три раза дешевле чем в любой аптеке!

Наш сайт http://www.аптека-для-взрослых.рф 




From utterlyquz08 at ramains.com  Tue Jul  9 08:15:28 2013
From: utterlyquz08 at ramains.com (=?koi8-r?B?IunHz9LO2cogxM/NIE4xIg==?=)
Date: Tue, 9 Jul 2013 17:15:28 +0200
Subject: =?koi8-r?B?7NXe28nFIMnH0s/X2cUgwdfUz83B1NkgySDSxcHM2M7ZxSDExdfV28vJ?=
	=?koi8-r?B?IMvS1dDYxSDXICDPzszBys4gINcgy8Hayc7PIQ==?=
Message-ID: <8BD443A8C9AA4407901ACED0593D48C8@experien730a85>

Лучшие игровые автоматы, реальные девушки крупье в  онлайн  в казино, с самым высоким контролем честности MD5! Внеси любую сумму для игры и получи 100 Евро  на счет!!! 
Наш сайт http://евро-казино.рф/




From bleepedns3 at royal-basket.com  Wed Jul 10 02:59:21 2013
From: bleepedns3 at royal-basket.com (=?koi8-r?B?IuHQ1MXLwS3EzNEt19rSz9PM2cgi?=)
Date: Wed, 10 Jul 2013 11:59:21 +0200
Subject: =?koi8-r?B?/tXEzyDUwcLMxdTLySDXINfJxMUgy8/OxsXUIMTM0SDCxdrV0NLF3s7P?=
	=?koi8-r?B?yiDTxcvT1cHM2M7PyiDBy9TJ187P09TJIQ==?=
Message-ID: <000d01ce7d4b$c4ddc310$6400a8c0@bleepedns3>

Только у нас можно приобрести новинку гель и таблетки в виде конфет
Для безупречной сексуальной активности! 
Для мужчин и женщин! 

Доставим быстро и аккуратно, анонимно!
У нас в три раза дешевле чем в любой аптеке!

Наш сайт http://www.аптека-для-взрослых.рф 




From windscreensd5 at rnldesign.com  Wed Jul 10 03:52:04 2013
From: windscreensd5 at rnldesign.com (=?koi8-r?B?IvTPzNjLzyDEzNEg19rSz9PM2cgi?=)
Date: Wed, 10 Jul 2013 12:52:04 +0200
Subject: =?koi8-r?B?VmlhZ3JhK8TM0SDCxdrV0NLF3s7PyiDTxcvT1cHM2M7PyiDBy9TJ187P?=
	=?koi8-r?B?09TJIQ==?=
Message-ID: <000d01ce7d53$21c06ea0$6400a8c0@windscreensd5>

Только у нас можно приобрести новинку:

Виагра-гель и таблетки в виде конфет!

Для безупречной сексуальной активности!  
Для мужчин и женщин!

Доставим быстро и аккуратно, анонимно
У нас в три раза дешевле чем в любой аптеке!

-Наш сайт http://чудо-таблетки.рф 




From micheleq6 at rothchilds.com  Tue Jul  9 23:55:58 2013
From: micheleq6 at rothchilds.com (=?koi8-r?B?IvPPwtPU18XOzsnLIOvwIg==?=)
Date: Wed, 10 Jul 2013 14:55:58 +0800
Subject: =?koi8-r?B?797FztggzsXEz9LPx88g0NLPxMHNICDL0sHTydfZyiDV3sHT1M/LICDX?=
	=?koi8-r?B?IMvP1NTFxNYuINDP08XMy8Ug0M8g68nF19PLz83VINsuIQ==?=
Message-ID: <C2649CB1D6924D8D99188733CD939759@nknush5162>

Очень недорого продаю красивый  участок для строительства дачи, загородного дома, коттеджа площадью 250 соток (участок можно разделить на два по 125 соток)
Участок расположен  в коттеджном поселке. На территории участка  имеется возможность строительства своего пруда!

Для участка оплачено: подключение к магистрали газопровода 10м куб для трех больших домов, электричество 50квт., водопровод магистральныи подведен к участку.

С участка открывается великолепныи  панорамныи  вид, на участке большие сосны более восьми метров высотои  в количестве более 150шт.  
Киевское шоссе 100 км от МКАД г Москвы.

Продаю как собственник (без наценки и посредников) 
Позвоните расскажу подробнее 8 (962) 1774848  




From timberro0 at rc-imports.com  Wed Jul 10 12:41:00 2013
From: timberro0 at rc-imports.com (=?koi8-r?B?IuXX0s9OMSDXICDyz9PTycki?=)
Date: Wed, 10 Jul 2013 20:41:00 +0100
Subject: =?koi8-r?B?7NXe28XFIMvB2snOzyDS1c7F1MEgxMHSydQgMTAwIMXX0s8gIMvB1sTP?=
	=?koi8-r?B?zdUh?=
Message-ID: <96333FD039FB414B9F7DC3FBB3C2C61B@user483a4f2c23>

Самое  щедрое  казино рунета

Дарим 100 Евро за регистрацию!

Наши преимущества:
Моментальная регистрация и вывод выигрышей
Лучшие бонусы, подарки и акции
Самые крупные выигрыши  в рунете!
Многолетняя репутация  и высокий контроль честности MD5

Играй с удовольствием и выигрывай на сайте
http://евро-казино.рф/




From panics3 at radiofrance.com  Wed Jul 10 12:58:25 2013
From: panics3 at radiofrance.com (=?koi8-r?B?IuXX0s9OMSDXICDyz9PTycki?=)
Date: Wed, 10 Jul 2013 21:58:25 +0200
Subject: =?koi8-r?B?7NXe28XFIMvB2snOzyDS1c7F1MEgxMHSydQgMTAwIMXX0s8gIMvB1sTP?=
	=?koi8-r?B?zdUh?=
Message-ID: <000d01ce7d9f$74b42c40$6400a8c0@panics3>

Самое  щедрое  казино рунета

Дарим 100 Евро за регистрацию!

Наши преимущества:
Моментальная регистрация и вывод выигрышей
Лучшие бонусы, подарки и акции
Самые крупные выигрыши  в рунете!
Многолетняя репутация  и высокий контроль честности MD5

Играй с удовольствием и выигрывай на сайте
http://евро-казино.рф/




From helleboren775 at relymail.com  Thu Jul 11 03:45:16 2013
From: helleboren775 at relymail.com (ABC)
Date: Thu, 11 Jul 2013 11:45:16 +0100
Subject: =?koi8-r?B?7c/dzsHRINLFy8zBzc7B0SDSwdPT2czLwSDQzyDczC7BxNLF08HNIMDS?=
	=?koi8-r?B?IMkgxsnaIMzJwyE=?=
Message-ID: <000d01ce7e1b$58ee6bc0$6400a8c0@helleboren775>

Мощная рекламная рассылка по эл.адресам юр или физ лиц! Москва, Питер, Россия, СНГ (на выбор)
Общая база 15 000 000 адресов
Помогаем сделать макет письма
Предоставляем хостинг  для рассылки с сайтом 
Летние цены
1 рас-3 000 рублей
3 - 7 000
5 - 10 000
Спец скидки для пакетов от 7 рассылок!

Первичные заявки принимаем только на эту почту: abc.reklama at yahoo.com







From desegregateb38 at rossiluigi.com  Fri Jul 12 02:45:28 2013
From: desegregateb38 at rossiluigi.com (=?koi8-r?B?IvLP09PJytPLycog1NXSydPUyd7F08vJyiDDxc7U0iI=?=)
Date: Fri, 12 Jul 2013 01:45:28 -0800
Subject: =?koi8-r?B?79TL0s/KINPXz8ogwsnazsXTIC0gzcnOyc/UxczYINcgy9LV0M7FytvF?=
	=?koi8-r?B?zSDU1dLJ09TJ3sXTy8/NIMPFztTSxSEg78LF09DF3tggIMLVxNXdxcUg?=
	=?koi8-r?B?08XCxSDJIMTF1NHNIQ==?=
Message-ID: <000d01ce7edc$28e5b250$6400a8c0@desegregateb38>

Вы задумывались о своей пенсии?
Хотите иметь гарантированную пенсию к 50 годам?
    
Хотите быть уверенны в том, что ваши пенсионные деньги ни куда не пропадут, а преумножатся?

Мы разработали социально значимую программу, которая поможет Вам обеспечить вашу пенсию и сохранит и приумножит Ваши деньги!

Все просто - Мы предлагаем Вам приобрести миниотель в Российском туристическом центре международного уровня.
Вам необходимо иметь 1 млн.руб. Банк выдаст ипотечный кредит 3 млн.руб.

Управляющая компания будет обслуживать, и сдавать в аренду ваш миниотель. 
За счет доходов от работы отеля, кредит в течении 4-5 лет будет погашен. Дальше отель начнет работать на Вас и будет приносить Вам ежегодную прибыль от 700 до 1000 млн.руб. 

Таким образом, вы обеспечите свою гарантированную пенсию, застрахованную от невзгод.
 
Звоните прямо сейчас количество миниотелей ограниченно.

Телефон +7(968)6733649 мы предоставим Вам больше информации.





From swill185 at ricacorp.com  Fri Jul 12 10:11:17 2013
From: swill185 at ricacorp.com (=?koi8-r?B?IunHz9LO2cogxM/NIE4xIg==?=)
Date: Fri, 12 Jul 2013 09:11:17 -0800
Subject: =?koi8-r?B?7NXe28nFIMnH0s/X2cUgwdfUz83B1NkgySDSxcHM2M7ZxSDExdfV28vJ?=
	=?koi8-r?B?IMvS1dDYxSDXICDPzszBys4gINcgy8Hayc7PIQ==?=
Message-ID: <000d01ce7f1a$70cb9330$6400a8c0@swill185>

Лучшие игровые автоматы, реальные девушки крупье в  онлайн  в казино, с самым высоким контролем честности MD5! Внеси любую сумму для игры и получи 100 Евро  на счет!!! 
Наш сайт http://евро-казино.рф/




From geometerm4 at rockerpartners.com  Fri Jul 12 11:29:23 2013
From: geometerm4 at rockerpartners.com (=?koi8-r?B?IunHz9LO2crEz83Oz83F0jEi?=)
Date: Fri, 12 Jul 2013 10:29:23 -0800
Subject: =?koi8-r?B?88HNz8Ug3cXE0s/FIMvB2snOzyDF19LP0NkhIDEwMCDl9/LvIOvh9uTv?=
	=?koi8-r?B?7fUh?=
Message-ID: <000d01ce7f25$598fb1f0$6400a8c0@geometerm4>

Самое щедрое казино европы. Здесь каждый может почувствовать себя VIP гостем. 
Минимальная сумма депозита всего 1 евро. 
100 ЕВРО каждому новому игроку на реальный счет!
В казино представленны все самые известные а также новые 3D автоматы.
Наш сайт http://евро-казино.рф/




From deputizes at rnve.com  Fri Jul 12 02:41:33 2013
From: deputizes at rnve.com (=?koi8-r?B?IvLP09PJytPLycog1NXSydPUyd7F08vJyiDDxc7U0iI=?=)
Date: Fri, 12 Jul 2013 10:41:33 +0100
Subject: =?koi8-r?B?79TL0s/KINPXz8ogwsnazsXTIC0gzcnOyc/UxczYINcgy9LV0M7FytvF?=
	=?koi8-r?B?zSDU1dLJ09TJ3sXTy8/NIMPFztTSxSEg78LF09DF3tggIMLVxNXdxcUg?=
	=?koi8-r?B?08XCxSDJIMTF1NHNIQ==?=
Message-ID: <94740FF4F5234AF89DC94FDBE1BCD534@microsofw6pslt>

Вы задумывались о своей пенсии?
Хотите иметь гарантированную пенсию к 50 годам?
    
Хотите быть уверенны в том, что ваши пенсионные деньги ни куда не пропадут, а преумножатся?

Мы разработали социально значимую программу, которая поможет Вам обеспечить вашу пенсию и сохранит и приумножит Ваши деньги!

Все просто - Мы предлагаем Вам приобрести миниотель в Российском туристическом центре международного уровня.
Вам необходимо иметь 1 млн.руб. Банк выдаст ипотечный кредит 3 млн.руб.

Управляющая компания будет обслуживать, и сдавать в аренду ваш миниотель. 
За счет доходов от работы отеля, кредит в течении 4-5 лет будет погашен. Дальше отель начнет работать на Вас и будет приносить Вам ежегодную прибыль от 700 до 1000 млн.руб. 

Таким образом, вы обеспечите свою гарантированную пенсию, застрахованную от невзгод.
 
Звоните прямо сейчас количество миниотелей ограниченно.

Телефон +7(968)6733649 мы предоставим Вам больше информации.





From materials36 at rosedmi.com  Fri Jul 12 12:29:53 2013
From: materials36 at rosedmi.com (=?koi8-r?B?IuXX0s9OMSDXICDyz9PTycki?=)
Date: Fri, 12 Jul 2013 11:29:53 -0800
Subject: =?koi8-r?B?7NXe28XFIMvB2snOzyDS1c7F1MEgxMHSydQgMTAwIMXX0s8gIMvB1sTP?=
	=?koi8-r?B?zdUh?=
Message-ID: <000d01ce7f2d$cd526cb0$6400a8c0@materials36>

Самое  щедрое  казино рунета

Дарим 100 Евро за регистрацию!

Наши преимущества:
Моментальная регистрация и вывод выигрышей
Лучшие бонусы, подарки и акции
Самые крупные выигрыши  в рунете!
Многолетняя репутация  и высокий контроль честности MD5

Играй с удовольствием и выигрывай на сайте
http://евро-казино.рф/




From vilifiedhuf2 at reformer.com  Fri Jul 12 09:13:18 2013
From: vilifiedhuf2 at reformer.com (=?koi8-r?B?IunHz9LO2cogxM/NIE4xIg==?=)
Date: Fri, 12 Jul 2013 17:13:18 +0100
Subject: =?koi8-r?B?7NXe28nFIMnH0s/X2cUgwdfUz83B1NkgySDSxcHM2M7ZxSDExdfV28vJ?=
	=?koi8-r?B?IMvS1dDYxSDXICDPzszBys4gINcgy8Hayc7PIQ==?=
Message-ID: <000d01ce7f12$5715abe0$6400a8c0@vilifiedhuf2>

Лучшие игровые автоматы, реальные девушки крупье в  онлайн  в казино, с самым высоким контролем честности MD5! Внеси любую сумму для игры и получи 100 Евро  на счет!!! 
Наш сайт http://евро-казино.рф/




From hazelsm0 at redington.com  Fri Jul 12 10:03:43 2013
From: hazelsm0 at redington.com (=?koi8-r?B?IunHz9LO2cogxM/NIE4xIg==?=)
Date: Fri, 12 Jul 2013 18:03:43 +0100
Subject: =?koi8-r?B?7NXe28nFIMnH0s/X2cUgwdfUz83B1NkgySDSxcHM2M7ZxSDExdfV28vJ?=
	=?koi8-r?B?IMvS1dDYxSDXICDPzszBys4gINcgy8Hayc7PIQ==?=
Message-ID: <000d01ce7f19$61c2f640$6400a8c0@hazelsm0>

Лучшие игровые автоматы, реальные девушки крупье в  онлайн  в казино, с самым высоким контролем честности MD5! Внеси любую сумму для игры и получи 100 Евро  на счет!!! 
Наш сайт http://евро-казино.рф/




From cayuga461 at royalpark-bd.com  Tue Jul 16 06:31:17 2013
From: cayuga461 at royalpark-bd.com (=?koi8-r?B?IjE4IMnAzNEgxM/Hz9fP0s7RyyI=?=)
Date: Tue, 16 Jul 2013 13:31:17 +0000
Subject: =?koi8-r?B?8NLPxMHFzSDSxdrVzNjUwdTZIMTPx8/Xz9LO2cggxtXUws/M2M7ZyCDN?=
	=?koi8-r?B?wdTFyg==?=
Message-ID: <45281ADE13FC48C98B593D4CE9F24A35@star04dc26557b>

18 июля в одной из российских футбольных лиг состоится договорной матч. Гарантия на результат 100%. Стоимость информации составляет 8000 RUB. Мы работаем официально и принимаем оплату через банковский платежный шлюз множеством различных способов.

Подробная информация о матче: http://u.to/Jan3Aw




From accustomed11 at rentalexperts.com  Tue Jul 16 08:56:49 2013
From: accustomed11 at rentalexperts.com (=?koi8-r?B?IunH0tkgxMzRIM7B09TP0d3JyCDN1dbeyc4i?=)
Date: Tue, 16 Jul 2013 16:56:49 +0100
Subject: =?koi8-r?B?78TOz9LVy8nFIiDCwc7EydTZIiDJINDSxcvSwdPO2cUg5OX39fvr6SDL?=
	=?koi8-r?B?0tXQ2MUgzsEgzsHbxc0g08HK1MUg?=
Message-ID: <000d01ce8234$b30ac1e0$6400a8c0@accustomed11>

Однорукие" бандиты" и прекрасные ДЕВУШКИ крупье на нашем сайте !
Внеси на игровой счет сумму от 1 евро и мы увеличим ваши игровые деньги на 200%, а значит и возможность выиграть еще больше!!! 
Играй и выигрывай на сайте http://евро-казино.рф/




From punishmentm0 at resortac.com  Tue Jul 16 09:09:01 2013
From: punishmentm0 at resortac.com (=?koi8-r?B?IunH0tkgxMzRIM7B09TP0d3JyCDN1dbeyc4i?=)
Date: Tue, 16 Jul 2013 17:09:01 +0100
Subject: =?koi8-r?B?78TOz9LVy8nFIiDCwc7EydTZIiDJINDSxcvSwdPO2cUg5OX39fvr6SDL?=
	=?koi8-r?B?0tXQ2MUgzsEgzsHbxc0g08HK1MUg?=
Message-ID: <E406A7C1718B49738B3274E5F5DE8952@LocalHost>

Однорукие" бандиты" и прекрасные ДЕВУШКИ крупье на нашем сайте !
Внеси на игровой счет сумму от 1 евро и мы увеличим ваши игровые деньги на 200%, а значит и возможность выиграть еще больше!!! 
Играй и выигрывай на сайте http://евро-казино.рф/




From machxh8 at royalelastics.com  Tue Jul 16 07:34:48 2013
From: machxh8 at royalelastics.com (=?koi8-r?B?IunH0tkgxMzRIM7B09TP0d3JyCDN1dbeyc4i?=)
Date: Tue, 16 Jul 2013 20:04:48 +0530
Subject: =?koi8-r?B?78TOz9LVy8nFIiDCwc7EydTZIiDJINDSxcvSwdPO2cUg5OX39fvr6SDL?=
	=?koi8-r?B?0tXQ2MUgzsEgzsHbxc0g08HK1MUg?=
Message-ID: <000d01ce8231$9fc74c50$6400a8c0@machxh8>

Однорукие" бандиты" и прекрасные ДЕВУШКИ крупье на нашем сайте !
Внеси на игровой счет сумму от 1 евро и мы увеличим ваши игровые деньги на 200%, а значит и возможность выиграть еще больше!!! 
Играй и выигрывай на сайте http://евро-казино.рф/




From mainline5 at rontex.com  Tue Jul 16 07:03:40 2013
From: mainline5 at rontex.com (=?koi8-r?B?IunH0tkgxMzRIM7B09TP0d3JyCDN1dbeyc4i?=)
Date: Tue, 16 Jul 2013 22:03:40 +0800
Subject: =?koi8-r?B?78TOz9LVy8nFIiDCwc7EydTZIiDJINDSxcvSwdPO2cUg5OX39fvr6SDL?=
	=?koi8-r?B?0tXQ2MUgzsEgzsHbxc0g08HK1MUg?=
Message-ID: <000d01ce822d$46937090$6400a8c0@mainline5>

Однорукие" бандиты" и прекрасные ДЕВУШКИ крупье на нашем сайте !
Внеси на игровой счет сумму от 10 евро и мы увеличим ваши игровые деньги на 200%, а значит и возможность выиграть еще больше!!! 
Играй и выигрывай на сайте http://евро-казино.рф/




From boyishness3 at rmg-uk.com  Tue Jul 16 21:25:36 2013
From: boyishness3 at rmg-uk.com (=?koi8-r?B?IuHQ1MXLwSDEzNEg0M/Mzs/Dxc7Oz8og08XL09XBzNjOz8og1snazski?=)
Date: Wed, 17 Jul 2013 06:25:36 +0200
Subject: =?koi8-r?B?7sHU1dLBzNjO2cUg0NLF0MHSwdTZIMTM0SDQz9fZ28XOydEg08XL09XB?=
	=?koi8-r?B?zNjOzyDBy9TJ187P09TJIM3V1t7JziDJINbFzt3JziE=?=
Message-ID: <03A1A3B13B324A7FB2F07380F6B6A726@january92a6754>

В нашей Интернет-аптеке Вы можете быстро, анонимно и выгодно приобрести препараты ЭД группы, а так же наборы-пробники для тех, кто еще не знаком с этими препаратами. У нас в три раза дешевле,чем в любой городской аптеке! Доставим в любой город!  Наш сайт http://аптека-для-взрослых.рф




From borderlxv844 at remabec.com  Tue Jul 16 23:23:46 2013
From: borderlxv844 at remabec.com (=?koi8-r?B?IuHQ1MXLwSDEzNEg0M/Mzs/Dxc7Oz8og08XL09XBzNjOz8og1snazski?=)
Date: Wed, 17 Jul 2013 07:23:46 +0100
Subject: =?koi8-r?B?7sHU1dLBzNjO2cUg0NLF0MHSwdTZIMTM0SDQz9fZ28XOydEg08XL09XB?=
	=?koi8-r?B?zNjOzyDBy9TJ187P09TJIM3V1t7JziDJINbFzt3JziE=?=
Message-ID: <FF4B55A3DB94411F824B4360D92C152D@5f3150d57b6f4ec>

В нашей Интернет-аптеке Вы можете быстро, анонимно и выгодно приобрести препараты ЭД группы, а так же наборы-пробники для тех, кто еще не знаком с этими препаратами. У нас в три раза дешевле,чем в любой городской аптеке! Доставим в любой город!  Наш сайт http://аптека-для-взрослых.рф




From encumbere1 at relocation-today.com  Tue Jul 16 19:51:17 2013
From: encumbere1 at relocation-today.com (=?koi8-r?B?IuHQ1MXLwSDEzNEg0M/Mzs/Dxc7Oz8og08XL09XBzNjOz8og1snazski?=)
Date: Wed, 17 Jul 2013 09:51:17 +0700
Subject: =?koi8-r?B?7sHU1dLBzNjO2cUg0NLF0MHSwdTZIMTM0SDQz9fZ28XOydEg08XL09XB?=
	=?koi8-r?B?zNjOzyDBy9TJ187P09TJIM3V1t7JziDJINbFzt3JziE=?=
Message-ID: <000d01ce8298$82319350$6400a8c0@encumbere1>

В нашей Интернет-аптеке Вы можете быстро, анонимно и выгодно приобрести препараты ЭД группы, а так же наборы-пробники для тех, кто еще не знаком с этими препаратами. У нас в три раза дешевле,чем в любой городской аптеке! Доставим в любой город!  Наш сайт http://аптека-для-взрослых.рф




From lithographs9 at rcbinvest.com  Tue Jul 16 19:00:47 2013
From: lithographs9 at rcbinvest.com (=?koi8-r?B?IunHz9LO2cogxM/NIE4xIg==?=)
Date: Wed, 17 Jul 2013 10:00:47 +0800
Subject: =?koi8-r?B?7NXe28nFIMnH0s/X2cUgwdfUz83B1NkgySDSxcHM2M7ZxSDExdfV28vJ?=
	=?koi8-r?B?IMvS1dDYxSDXICDPzszBys4gINcgy8Hayc7PIQ==?=
Message-ID: <000d01ce8291$74543eb0$6400a8c0@lithographs9>

Лучшие игровые автоматы, реальные девушки крупье в  онлайн  в казино, с самым высоким контролем честности MD5! Внеси любую сумму для игры и получи 100 Евро  на счет!!! 
Наш сайт http://евро-казино.рф/




From traditional at roxcap.com  Tue Jul 16 19:18:24 2013
From: traditional at roxcap.com (=?koi8-r?B?IunHz9LO2cogxM/NIE4xIg==?=)
Date: Wed, 17 Jul 2013 10:18:24 +0800
Subject: =?koi8-r?B?7NXe28nFIMnH0s/X2cUgwdfUz83B1NkgySDSxcHM2M7ZxSDExdfV28vJ?=
	=?koi8-r?B?IMvS1dDYxSDXICDPzszBys4gINcgy8Hayc7PIQ==?=
Message-ID: <6938E2D99AB54FE6BC0626924C4D6D60@enk8q02ga4aiha>

Лучшие игровые автоматы, реальные девушки крупье в  онлайн  в казино, с самым высоким контролем честности MD5! Внеси любую сумму для игры и получи 100 Евро  на счет!!! 
Наш сайт http://евро-казино.рф/




From carcaseq4 at rosan.com  Wed Jul 17 02:48:07 2013
From: carcaseq4 at rosan.com (=?koi8-r?B?IkFCQy3SxcvMwc3BIg==?=)
Date: Wed, 17 Jul 2013 11:48:07 +0200
Subject: =?koi8-r?B?7c/dzsHRINLFy8zBzc7B0SDSwdPT2czLwSDQzyDczC7BxNLF08HNIMDS?=
	=?koi8-r?B?IMkgxsnaIMzJwyE=?=
Message-ID: <99C4E598CD164DCFB7F56F1E76814D82@pc>

Мощная рекламная рассылка по эл.адресам юр или физ лиц! Москва, Питер, Россия, СНГ (на выбор)
Общая база 15 000 000 адресов
Помогаем сделать макет письма
Предоставляем хостинг  для рассылки с сайтом 
Летние цены
1 рас-3 000 рублей
3 - 7 000
5 - 10 000
Спец скидки для пакетов от 7 рассылок!

Первичные заявки принимаем только на эту почту: abc.reklama at yahoo.com






From citronella133 at reviewmedia.com  Wed Jul 17 08:50:27 2013
From: citronella133 at reviewmedia.com (=?koi8-r?B?IunHz9LO2cogxM/NIE4xIg==?=)
Date: Wed, 17 Jul 2013 16:50:27 +0100
Subject: =?koi8-r?B?7NXe28nFIMnH0s/X2cUgwdfUz83B1NkgySDSxcHM2M7ZxSDExdfV28vJ?=
	=?koi8-r?B?IMvS1dDYxSDXICDPzszBys4gINcgy8Hayc7PIQ==?=
Message-ID: <9288341296F641118FBF7975CB132133@changeme1>

Лучшие игровые автоматы, реальные девушки крупье в  онлайн  в казино, с самым высоким контролем честности MD5! Внеси любую сумму для игры и получи 100 Евро  на счет!!! 
Наш сайт http://евро-казино.рф/




From loamy48 at rochesterboating.com  Wed Jul 17 15:32:28 2013
From: loamy48 at rochesterboating.com (=?koi8-r?B?Iu/OzMHKzi3C1dTJyyAi?=)
Date: Wed, 17 Jul 2013 18:02:28 -0430
Subject: =?koi8-r?B?89XNy8kgy8/MzMXLw8nRIDIwMTMuIA==?=
Message-ID: <000d01ce833d$84f6e5e0$6400a8c0@loamy48>

Наиболее верный путь к успеху √ все время пробовать еще один раз. Спешите! Только в июле, уникальное предложение: кожаные сумки высочайшего качества по специальной цене. До -40% на все модели.  http://www.сумки-италия.рф   




From pettifogsd34 at removethismindspring.com  Wed Jul 17 08:12:59 2013
From: pettifogsd34 at removethismindspring.com (=?koi8-r?B?IunHz9LO2cogxM/NIE4xIg==?=)
Date: Wed, 17 Jul 2013 22:12:59 +0700
Subject: =?koi8-r?B?7NXe28nFIMnH0s/X2cUgwdfUz83B1NkgySDSxcHM2M7ZxSDExdfV28vJ?=
	=?koi8-r?B?IMvS1dDYxSDXICDPzszBys4gINcgy8Hayc7PIQ==?=
Message-ID: <000d01ce8300$1fb901a0$6400a8c0@pettifogsd34>

Лучшие игровые автоматы, реальные девушки крупье в  онлайн  в казино, с самым высоким контролем честности MD5! Внеси любую сумму для игры и получи 100 Евро  на счет!!! 
Наш сайт http://евро-казино.рф/




From riposts92 at rochdale.com  Wed Jul 17 16:54:18 2013
From: riposts92 at rochdale.com (=?koi8-r?B?IuHQ1MXLwSwg1M/M2MvPIMTM0SDX2tLP08zZyCI=?=)
Date: Thu, 18 Jul 2013 02:54:18 +0300
Subject: =?koi8-r?B?/tXEzyDUwcLMxdTLyS3Lz87GxdTLySDEzNEg0M/Mzs/Dxc7Oz8og08XL?=
	=?koi8-r?B?09XBzNjOz8og1snazskhIO/exc7YIMTFzMnLwdTOwdEgxM/T1MHXy8Eh?=
Message-ID: <000d01ce8348$f36bb810$6400a8c0@riposts92>

Таблетки в виде конфет для повышения сексуального желания  и потенциала  мужчин и даже женщин! Доставим деликатно, быстро и анонимно. У нас самые низкие цены и очень большой выбор!  http://чудо-таблетки.рф




From industriousj736 at rantring.com  Thu Jul 18 03:33:48 2013
From: industriousj736 at rantring.com (=?koi8-r?B?IvDSz8TBwCDV3sHT1M/LIMLF2iDQz9PSxcTOycvP1yI=?=)
Date: Thu, 18 Jul 2013 11:33:48 +0100
Subject: =?koi8-r?B?7sXEz9LPx88g0NLPxMHNIMvSwdPJ19nKINXewdPUz8sg0M/EICDLz9TU?=
	=?koi8-r?B?xcTWLCAxMjUg08/Uz8suIOvJxdfTyyDbLg==?=
Message-ID: <000d01ce8399$e82002d0$6400a8c0@industriousj736>

Недорого продам красивый участок под  коттедж, 125 соток. Сосновый бор, газ, электричество. Киевск. ш 90 км от М К А Д телефон 8 (962) 1774848




From hahngiv34 at risk-manage.com  Thu Jul 18 20:59:19 2013
From: hahngiv34 at risk-manage.com (=?koi8-r?B?IuH38y3NwcnMIg==?=)
Date: Thu, 18 Jul 2013 20:59:19 -0700
Subject: =?koi8-r?B?4tnT1NLB0SDJINzGxsXL1MnXzsHRINLB09PZzMvBINLFy8zBzdkuIOPF?=
	=?koi8-r?B?zsEg19PFx88gz9QgMjAwMCDEzyAzMDAwINLVwszFyiE=?=
Message-ID: <0C3438C38BF542B0A458CAE0EC9631C1@ftgwsi>

Быстрая и эффективная рассылка рекламы 
Большая база Юр и физ лиц Москва, Россия и СНГ
Цена всего от 2000 до 3000 рублей!

Заявки присылайте  на почту: abc.reklama at yahoo.com

Пишите  поможем с макетом и ответим на все вопросы!




From sentriess63 at romarklogistics.com  Fri Jul 19 02:19:35 2013
From: sentriess63 at romarklogistics.com (=?koi8-r?B?IuTP09TB18vBIMfS1drP1yEi?=)
Date: Fri, 19 Jul 2013 09:19:35 +0000
Subject: =?koi8-r?B?4tnT1NLB0SDJINfZx8/EzsHRIMTP09TB18vBINPCz9LO2cggx9LV2s/X?=
	=?koi8-r?B?IMnaIOXX0s/Q2Swg9NXSw8nJLCDrydTB0SDtyc7JzcHM2M7ZxSDT0s/L?=
	=?koi8-r?B?ySDU0sHO09DP0tTJ0s/Xy8kuIO/LwdrBzsnFINTBzc/Wxc7O2cgg1dPM?=
	=?koi8-r?B?1ccgySDTxdLUycbJy8HDyckh?=
Message-ID: <516509000.65409493407461@romarklogistics.com>

A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 5689 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130719/3b01efd0/attachment.txt>

From gmaxwell at gmail.com  Fri Jul 19 09:33:45 2013
From: gmaxwell at gmail.com (Gregory Maxwell)
Date: Fri, 19 Jul 2013 09:33:45 -0700
Subject: [tor-talk] Network diversity [was: Should I warn against Tor?]
Message-ID: <mailman.4371.1575949047.62801.testlist@lists.cpunks.org>

On Fri, Jul 19, 2013 at 8:35 AM, Jens Lechtenboerger
<tortalk at informationelle-selbstbestimmung-im-internet.de> wrote:
> [For those who are confused about the context of this: I started the
> original thread.  A write-up for my motivation is available at [0].]   I
> Links to my code and a README.txt clarifying necessary prerequisites are
> available at [0].   Best wishes Jens  [0]
> https://blogs.fsfe.org/jens.lechtenboerger/2013/07/19/how-i-select-tor-guard-nodes-under-global-surveillance/

It's _very_ hard to reason about this subject and act safely.

It is common for ISPs to use segments in their network which are
provided by third party providers, even providers who are almost
entirely facilities based will have some holes or redundancy gaps.
Because these are L1 (wave) and L2 (e.g. ethernet transport) they are
utterly invisible from the L3 topology.

You can make some guesses which are probably harmless: a guard that is
across the ocean is much more likely to take you across a compromised
path than one closer—    but going much further than that may well
decrease your security.

These concerns should be reminding us of the importance of high
latency mix networks... they're the only way to start getting any real
confidence against a global passive observer, and the are mostly a
missing item in our privacy tool toolbelt.
_______________________________________________
tor-talk mailing list
tor-talk at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From gmaxwell at gmail.com  Fri Jul 19 13:42:03 2013
From: gmaxwell at gmail.com (Gregory Maxwell)
Date: Fri, 19 Jul 2013 13:42:03 -0700
Subject: [tor-talk] Network diversity [was: Should I warn against Tor?]
Message-ID: <mailman.4372.1575949047.62801.testlist@lists.cpunks.org>

On Fri, Jul 19, 2013 at 9:45 AM, adrelanos <adrelanos at riseup.net> wrote:
> Seems like high latency mix networks failed already in practice. [1]
>
> Can't we somehow get confidence even against a global active adversary
> for low latency networks? Someone start a founding campaign?

So have low latency ones, some things fail.  Today you'd answer that
concern by running your high latency mix network over tor (or
integrated into tor) and so it cannot be worse. Answering the "you
need users first, and low latency networks are easier to get users
for" concern.

The point there remains that if you're assuming a (near) global
adversary doing timing attacks you cannot resist them effectively
using a low latency network.  Once you've taken that as your threat
model you can wax all you want about how low latency mix networks get
more users and so on.. it's irrelevant because they're really not
secure against that threat model. (Not that high latency ones are
automatically secure either— but they have a fighting chance)

On Fri, Jul 19, 2013 at 10:03 AM, Jens Lechtenboerger
<tortalk at informationelle-selbstbestimmung-im-internet.de> wrote:
>> but going much further than that may well decrease your security.
>
> How, actually?  I’m aware that what I’m doing is a departure from
> network diversity to obtain anonymity.  I’m excluding what I
> consider unsafe based on my current understanding.  It might be that
> in the end I’ll be unable to find anything that does not look unsafe
> to me.  I don’t know what then.

Because you're lowering the entropy of the nodes you are selecting
maybe all the hosts themselves are simply NSA operated, or if not now,
they be a smaller target to compromise.  Maybe it actually turns out
that they all use a metro fiber provider in munich which is owned by
an NSA shell company.

In Germany this may not be much of a risk. But if your logic is
applied to someplace that is less of a hotbed of Tor usage it wouldn't
be too shocking if all the nodes there were run by some foreign
intelligence agency.
_______________________________________________
tor-talk mailing list
tor-talk at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From whelkedg07 at rouse66.com  Fri Jul 19 06:40:18 2013
From: whelkedg07 at rouse66.com (=?koi8-r?B?IunH0tkgxMzRIM7B09TP0d3JyCDN1dbeyc4hIg==?=)
Date: Fri, 19 Jul 2013 15:40:18 +0200
Subject: =?koi8-r?B?78TOz9LVy8nFIiDCwc7EydTZIiDJINDSxcvSwdPO2cUg5OX39fvr6SDL?=
	=?koi8-r?B?0tXQ2MUgzsEgzsHbxc0g08HK1MUg?=
Message-ID: <000d01ce847d$2025f520$6400a8c0@whelkedg07>

Однорукие" бандиты" и прекрасные ДЕВУШКИ крупье на нашем сайте !
Дарим новым игрокам 100 евро на счет и увеличим ваши любой депозит на 200%
Играй и выигрывай на сайте http://евро-казино.рф/




From entertainerp at resumeaction.com  Fri Jul 19 05:19:43 2013
From: entertainerp at resumeaction.com (=?koi8-r?B?IunH0tkgxMzRIM7B09TP0d3JyCDN1dbeyc4hIg==?=)
Date: Fri, 19 Jul 2013 20:19:43 +0800
Subject: =?koi8-r?B?78TOz9LVy8nFIiDCwc7EydTZIiDJINDSxcvSwdPO2cUg5OX39fvr6SDL?=
	=?koi8-r?B?0tXQ2MUgzsEgzsHbxc0g08HK1MUg?=
Message-ID: <95B29B216B8A4C00A81055197394B394@PC201001151641>

Однорукие" бандиты" и прекрасные ДЕВУШКИ крупье на нашем сайте !
Дарим новым игрокам 100 евро на счет и увеличим ваши любой депозит на 200%
Играй и выигрывай на сайте http://евро-казино.рф/




From postmanstc87 at rotang.com  Fri Jul 19 07:07:21 2013
From: postmanstc87 at rotang.com (=?koi8-r?B?IunHz9LO2cogxM/NIE4xIg==?=)
Date: Fri, 19 Jul 2013 22:07:21 +0800
Subject: =?koi8-r?B?7NXe28nFIMnH0s/X2cUgwdfUz83B1NkgySDSxcHM2M7ZxSDExdfV28vJ?=
	=?koi8-r?B?IMvS1dDYxSDXICDPzszBys4gINcgy8Hayc7PIQ==?=
Message-ID: <94E4FA2657A24DAF97FF5483972B2265@nvideobcd285cf>

Лучшие игровые автоматы, реальные девушки крупье в  онлайн  в казино, с самым высоким контролем честности MD5! Внеси любую сумму для игры и получи 100 Евро  на счет!!! 
Наш сайт http://евро-казино.рф/




From rsw at jfet.org  Sat Jul 20 00:06:13 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Sat, 20 Jul 2013 03:06:13 -0400
Subject: back on the airwaves
Message-ID: <20130720070613.GA32396@jfet.org>

All,

Welcome back to the Cypherpunks mailing list. You've received a
subscription notice and are receiving this message now because you were
a member of the cypherpunks at al-qaeda.net or cypherpunks at jfet.org mailing
list before it went offline several (?) weeks ago.

First, my sincerest apologies for having failed to notice that messages
were silently dropping. All the bounces were still dropping into my
"cypherpunks bounces" mailbox, so from what I could tell all was running
normally (if perhaps at slightly low SNR). It turns out that some
package upgrade, most likely a new version of perl, broke majordomo.

(And of course, could I have picked a worse time to break everything?)

Well, that's the bad news. The good news is that cypherpunks is now
powered by Mailman, and should be a bit more reliable, easier to
maintain, and less Rube-Goldbergian. (I say this with all respect to my
cpunk admin predecessors; the CDR was a useful and interesting piece of
software, but---at least, in its most recent form---it was certainly not
a *pretty* piece of software.)

Nevertheless, since I haven't actually done much other than port the old
majordomo list over to mailman, the Distributed Remailer functionality
no longer obtains. Practically, this hasn't mattered for at least the
last 6 or 8 years, but perhaps that would change if I would just
modernize the software a bit. I'm planning on putting some thought into
that in the near future, but for now I figured it was more important to
just get *something* back up and running.

Once again, welcome back!

-=rsw




From micah at riseup.net  Sat Jul 20 07:05:42 2013
From: micah at riseup.net (micah)
Date: Sat, 20 Jul 2013 10:05:42 -0400
Subject: [liberationtech] Interesting things in keyservers
Message-ID: <mailman.4373.1575949047.62801.testlist@lists.cpunks.org>


Hi Micah!

Micah Lee <micahflee at riseup.net> writes:

> I'm working on a talk for OHM2013 about PGP. Can anyone send me examples
> of interesting keys in key servers that you know of?

Since you are preparing a talk about the subject, I'm going to be
pedantic and correct your usage of "PGP", because it is important to get
your terminology straight when giving a talk. I presume you aren't
giving a talk about the commercial software, but instead you are
actually giving a talk about OpenPGP which is the standard specified by
RFC4880 that different programs like GnuPG, Seahorse, MacGPG, and PGP
etc. all implement. If that is true, then you should refer to it as
OpenPGP, and not PGP.

I dont know what your talk will consist of, besides the funny enigmail
XSS and goatse.cx stuff (thanks for that! always good to have some
goatse early in the morning), but I would like to point out a few things
that might be useful to mention.

One is a wiki page that I created with some people:
https://we.riseup.net/riseuplabs+paow/openpgp-best-practices - it
contains some useful hints about using OpenPGP, maintaining a good key
and some general good practices that people often dont know about (such
as the importance of keeping your keys updated to get critical
revocation and expiration extension certifications!)

One thing mentioned on that page that I wanted to highlight, because you
used pgp.mit.edu links in your original email, is that the keyserver
pgp.mit.edu is not a good one to use/promote. Everyone uses it as their
'goto' keyserver, but it is a really bad idea! As a keyserver, it has
been broken for years. For a long time it was just dropping revocations,
subkey updates and expirations on the floor. That is *really*
bad. Eventually, they upgraded their keyserver software, but it is
*still* running an older version of SKS, a version that fails to handle
16-digit subkeyid lookups (among other failings).

So, please don't rely on pgp.mit.edu for your security, and please don't
include them in your slides! If you are looking for one to use, I highly
recommend using the SKS pool address (hkp://pool.sks-keyservers.net or
http://hkps.pool.sks-keyservers.net/ - or if you want a more close
geographical pool, have a look at
http://sks-keyservers.net/overview-of-pools.php). 

Finally, there seems to be some amazing misconceptions about keyservers,
keys and the web of trust. In particular this
http://cryptome.org/2013/07/mining-pgp-keyservers.htm circulated
recently and it pained me to see because it suggested various wreckless
conclusions that were dangerously off the mark[0] (and used pgp.mit.edu,
hah). While it is true that we've jokingly called the OpenPGP web of
trust "the original social network" because of the exposed social
relational graphing that can be done by querying keyservers, and it is
for this reason that many activists I know do not want to have
signatures uploaded to keyservers (and instead use the bulky local-only
signature work-around)...

... but for some reason people seem to think that if it is on a
keyserver, is true, or it means something that it doesn't. People don't
realize critical things, such as the fact that I can create a key with
the UID Nadim Kobeissi and upload it to the keyservers[1]. That doesn't
mean that is the real Nadim's key (this is what exchanging key
fingerprints and doing certifications is for, so you can know, with a
certain degree of certainty, that this person is the person who controls
that secret key material). 

Or people think that because I signed your key and that signature is on
the keyserver that indicates: I trust you; we met in person at that
date; we know each other; we are involved in a criminal conspiracy with
each other; or many other wrong assumptions about what that
certification means. I can sign Edward Snowden's key and send that to
the keyservers[1]. Hell, I can sign Snowden's key with my fake Nadim
Kobeissi key[1] and then send it to the keyservers. Does that mean that
Nadim and Snowden have met in person?! No, it does not at all.

Anyways, I can keep going... but I dont know what the focus of your OHM
talk is about, so going on like this isn't particularly useful to you
and your talk... however, I'd be happy to provide more feedback about
your talk if you would like![2]

After all, we Micahs need to stick together,
micah

0. "the cryptome article just sounds like impenetrable bullshit from
someone with no interest in actually understandning what's happening" -
I'm not saying who said this... 

1. no, I didn't do that, nor did I upload the edward snowden or bradly
manning keys.



--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech


----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From jsalsman at gmail.com  Sat Jul 20 10:06:08 2013
From: jsalsman at gmail.com (James Salsman)
Date: Sat, 20 Jul 2013 11:06:08 -0600
Subject: [DIYbio] Science research papers require viewing Adverts, no-thanks to Science/AAAS
Message-ID: <mailman.4374.1575949047.62801.testlist@lists.cpunks.org>

I think there is some potential and nuance here that we should explore
in depth. Wouldn't free papers with clearly labeled ads be a
substantially better alternative to exclusively for-pay research
articles?  I mean, nobody would boycott a scientific journal which
paid for its publication by accepting responsible ads, would they?
Although I strongly approve of measures to automatically hide ads for
those who wish to do sp (and I advocate to protect such systems
frequently, occasionally at some inconvenience and risk to my ability
to continue research and development work with corporations funded by
ads) there are times when viewing ads unquestionably provides useful
data about existing and potential sponsorship. That information is
sometimes very valuable to researchers seeking supplemental funding
for their work, as well as understanding the economic attributes of
suppliers, re-sellers, large influencers and conglomerates affecting
their research landscape.


On Fri, Jul 19, 2013 at 8:58 PM, Bryan Bishop <kanzure at gmail.com> wrote:
> On Fri, Jul 19, 2013 at 9:44 PM, Jonathan Cline <jncline at gmail.com> wrote:
>>
>> I would like to register my distaste for seeing advertisements within
>> research publications aka journal articles.  Science/AAAS (Sciencemag.org)
>> is one major offender noticed so far.
>>
>> Taxpayers pay for research.
>> Journals are charging $$$ for access to that research.
>> Some journals are now inserting Advertisements directly into the research
>> papers.
>>
>> This is a very distasteful practice.  Frankly it is insulting. I would
>> purposely avoid purchasing products from advertisers who choose to attach
>> advertisements directly to published journal articles.
>
>
> Today I updated pdfparanoia to remove AAAS/sciencemag ads from papers. Call
> it "AdBlock for Science" if you will...
>
> https://github.com/kanzure/pdfparanoia/commit/cc7d14d173be9b4a79adb97fba092914255a92f4
>
> Samples:
> http://diyhpl.us/~bryan/papers2/paperbot/To%20Favor%20Survival%20Under%20Food%20Shortage%2C%20the%20Brain%20Disables%20Costly%20Memory.pdf
> http://diyhpl.us/~bryan/papers2/paperbot/Large-Pore%20Apertures%20in%20a%20Series%20of%20Metal-Organic%20Frameworks.pdf
> http://diyhpl.us/~bryan/papers2/paperbot/Reconstituting%20Organ-Level%20Lung%20Functions%20on%20a%20Chip.pdf
> http://diyhpl.us/~bryan/papers2/paperbot/Laser%20Scribing%20of%20High-Performance%20and%20Flexible%20Graphene-Based%20Electrochemical%20Capacitors.pdf
> http://www.era-mx.org/biblio/Ostrom,%202009.pdf
>
> I would also appreciate other samples if anyone has them. So far only papers
> since 2012 have these ads. But this is a disgusting trend.
>
> - Bryan
> http://heybryan.org/
> 1 512 203 0507
>
> --
> You received this message because you are subscribed to the Google Groups
> "science-liberation-front" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to science-liberation-front+unsubscribe at googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

-- 
You received this message because you are subscribed to the Google Groups "science-liberation-front" group.
To unsubscribe from this group and stop receiving emails from it, send an email to science-liberation-front+unsubscribe at googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.



----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From eugen at leitl.org  Sat Jul 20 04:29:04 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 20 Jul 2013 13:29:04 +0200
Subject: [tor-talk] Network diversity [was: Should I warn against Tor?]
Message-ID: <20130720112904.GN29404@leitl.org>

----- Forwarded message from Gregory Maxwell <gmaxwell at gmail.com> -----


From noloader at gmail.com  Sat Jul 20 13:09:05 2013
From: noloader at gmail.com (Jeffrey Walton)
Date: Sat, 20 Jul 2013 16:09:05 -0400
Subject: [cryptography] [liberationtech] Random number generator, failure in Rasperri Pis?
Message-ID: <mailman.4375.1575949047.62801.testlist@lists.cpunks.org>

On Sat, Jul 20, 2013 at 2:57 AM, Peter Bowen <pzbowen at gmail.com> wrote:
> On Fri, Jul 19, 2013 at 10:35 PM, Yaron Sheffer <yaronf at porticor.com> wrote:
>> A few months ago I posted a query to the Amazon Web Services (the
>> largest public cloud, running on Xen) forum on whether they're using libvirt
>> for this purpose, and it was never answered. Does anybody around here have a
>> clue?
>
> Amazon EC2 does not support virtio-rng today.  Finding good sources of
> entropy in a virtual machine is always hard, so solutions like
> virtio-rng and Intel's RDRAND instruction can be very useful.
Also see:

When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities
and Hedging Deployed Cryptography,
http://pages.cs.wisc.edu/~rist/papers/sslhedge.pdf

When Virtual is Harder than Real: Security Challenges in Virtual
Machine Based Computing Environments,
https://www.usenix.org/legacy/event/hotos05/final_papers/full_papers/garfinkel/garfinkel.pdf

Jeff
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From rsw at jfet.org  Sat Jul 20 13:17:30 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Sat, 20 Jul 2013 16:17:30 -0400
Subject: The Muslim Problem
In-Reply-To: <CAGUkT8afg-hRi8SxvnW0qWKVbooT5Vhc3hH7GETXSXhho3FFvA@mail.gmail.com>
References: <6B01D74F-8233-4458-9114-E6207E447E5A@rocketmail.com>
 <CAGUkT8afg-hRi8SxvnW0qWKVbooT5Vhc3hH7GETXSXhho3FFvA@mail.gmail.com>
Message-ID: <20130720201730.GA16631@jfet.org>

Karel Bílek <kb at karelbilek.com> wrote:
> Aaaaaand now is the time to unsubscribe from this mailing list.
> 
> On Sat, Jul 20, 2013 at 8:58 PM, Lorenz Szabo
> <lorenzszabo at rocketmail.com> wrote:
> > The Muslim Problem

Oof. Easy to appreciate Karel's notion here. It would appear someone
kept the dogwhistles warm wihle the list was on hiatus.

I propose we instead ponder just how short a perl script it would
take to automatically transform random selections from a library of
early 20th-century anti-miscegenation and anti-suffrage "literature"
into the newest us-vs-them flavor of the month drivel.

-=rsw




From pkejjy at gmail.com  Sat Jul 20 09:17:32 2013
From: pkejjy at gmail.com (Russell Leidich)
Date: Sat, 20 Jul 2013 16:17:32 +0000
Subject: [cryptography] [liberationtech] Random number generator failure in Rasperri Pis?
Message-ID: <mailman.4376.1575949047.62801.testlist@lists.cpunks.org>

I agree, in theory. But:

1. How many register reads would one need in order to show Birthday
compliance? (It's not the usual "root of the state space", because a single
collision isn't convincing.) These reads tend to be slow, because the
circuit designers generally need to guardband their entropy accrual to meet
some particular minimum. In particular, we're looking for "good" evidence
of a Poisson distribution, so we're up against a "lot" of reads relative to
what Birthday attacks would suggest. If we don't have enough bits in memory
to map the whole entropy register state space with acceptable access
latency, then we have to do a realtime index-and-lookup of historical
values, which is increasingly expensive over time. Even having generated
said distribution successfully, the temperature and EMI background change
with the wind. So wash, rinse, repeat.

2. More simply, we could generate a PRNG with a nice Poisson profile. While
the initial read might be somewhat random in order to spoof a decent TRNG,
subsequent reads would just iterate the PRNG, facilitating differential
attacks. But this wouldn't be easy to detect if, say, I had 128 bits of
state backing up a 32-bit fake TRNG register.

3. The hardware TRNG characterization process cannot be parallelized,
because we need to determine the trustworthiness of the particular CPU in
question. By contrast, an individual userspace TRNG (UTRNG) can be verified
by simply comparing a hash of its executable code against expected public
values. But we can't take the hash of a physical circuit.

4. Having verified that an individual UTRNG instance is identical to what's
expected, the only remaining question is how fast it can generate entropy
in the least entropic possible use case. That's not a trivial question to
answer, but at least, parallel processing can accelerate this
characterization. If it turns out to be a "good" TRNG, then at runtime, we
can simply check the hash, rather than repeating the characterization
because the physical environment is different.

Again, I'm no quantum denialist. There's plenty of noise out there. But
it's always nice to keep the trust radius to a manageable minimum.

On Sat, Jul 20, 2013 at 12:59 PM, Dean, James <Jdean at lsuhsc.edu> wrote:
>
> Ø  If my 64-bit hardware TRNG can only generate 1% of 64-bit numbers
(probably because I hacked it), how are you going to discover that anytime
soon?
>
>
>
> Test for more collisions than predicted by the birthday paradox.
>
>
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>

_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From eugen at leitl.org  Sat Jul 20 07:17:40 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 20 Jul 2013 16:17:40 +0200
Subject: [tor-talk] Network diversity [was: Should I warn against Tor?]
Message-ID: <20130720141740.GW29404@leitl.org>

----- Forwarded message from Gregory Maxwell <gmaxwell at gmail.com> -----


From froomkin at law.miami.edu  Sat Jul 20 13:41:44 2013
From: froomkin at law.miami.edu (Michael Froomkin - U.Miami School of Law)
Date: Sat, 20 Jul 2013 16:41:44 -0400 (EDT)
Subject: a Cypherpunks comeback
In-Reply-To: <20130720164125.GA12053@jfet.org>
References: <20130720164125.GA12053@jfet.org>
Message-ID: <alpine.LRH.2.00.1307201633070.15884@localhost.localdomain>

Good idea.  But, with all respect, I don't know you.  Epecially given the 
(very, very, very unfortunate) domain name, it would be much better to get 
an invite from someone I recall from the old days.  Preferably signed with 
a key on a keyserver with a decent trust chain.

And domain names are cheap.  CPUNKS-LIST.COM is available.  Why not pick a 
different one if you are serious about this? Or get someone to lend you a 
subdomain?


On Sat, 20 Jul 2013, Riad S. Wahby wrote:

> tl;dr:
> I'm writing to invite you back to the Cypherpunks mailing list. If
> you're interested, you can join via
>    https://al-qaeda.net/mailman/listinfo/cypherpunks
>
> Hello,
>
> In the past couple days I've exchanged emails with John Young and
> Eugen Leitl on some brokenness in the Cypherpunks mailing list. This
> discussion brought us to a discussion of attempting to resurrect the
> list's wetware, as it were, in addition to its software. At Eugen's
> request, John dug up a couple Majordomo WHO outputs from about 15 years
> ago; I tidied up the lists, and now I'm writing to you.
>
> So! if you still have an interest in crypto, privacy, and politics, and
> if you want to discuss that interest with a bunch of like-minded weirdos
> from the aether, you can subscribe yourself via the web interface above
> or by sending an email with "subscribe" in the body to
> cypherpunks-request at al-qaeda.net.
>
> (I am aware the provocative choice of domain name may discourage you
> somewhat. I can only tell you that I've been running a Cypherpunks list
> of some sort from this domain for a bit over a decade, and I haven't yet
> been spirited away in a black helicopter. Here's hoping for another
> helicopter-free decade.)
>
> Best regards, and welcome back, preemptively,
>
> -=rsw
> on behalf of jya, eugen, and rsw
>

-- 
A. Michael Froomkin, http://www.law.tm Blog: http://www.discourse.net
Laurie Silvers & Mitchell Rubenstein Distinguished Professor of Law
Editor, Jotwell: The Journal of Things We Like (Lots),  jotwell.com
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285  |    +1 (305) 284-6506 (fax)  |  froomkin at law.tm
                        -->It's hot here.<--




From jya at pipeline.com  Sat Jul 20 14:18:32 2013
From: jya at pipeline.com (John Young)
Date: Sat, 20 Jul 2013 17:18:32 -0400
Subject: a Cypherpunks comeback
In-Reply-To: <alpine.LRH.2.00.1307201633070.15884@localhost.localdomain>
References: <20130720164125.GA12053@jfet.org>
 <alpine.LRH.2.00.1307201633070.15884@localhost.localdomain>
Message-ID: <E1V0eVE-0006bw-Jy@elasmtp-banded.atl.sa.earthlink.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Michael makes valid points. Skepticism is appropriate.

A name change would likely correct misapprehension
about an active list without a trust chain supporting it.

I attach a sig of mine with a few sigs from the past.
None of my other keys were signed probably wisely
to avoid implication.

Is it hot in Miami? Hot as hell in NYC.

JYA

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wsBVAwUBUer+ic0LejsgyhlHAQh5zQf+OYuUvkuob2u2CXRSWvvYvRso4KE0JvBn
9UfM7Gwh9SE8HqHpE0fLbwNjT2KNR4utXH0n2q2c14DQ921wc/ULwFDTRLn9CsLw
MTFeZUK8LSH/IElhWgjPfFI7uBIvDAbH5YupCJrANVCLQakLDxkzRoGx08J1gAza
FL1/Qp6ZXU3qlR7WVVmYz6I174u3ruBR8Dv9lwhQUy5ws7799pROoLe+lP3inxk1
27I2M0sp4SvYKuM9P2WsOYk1SlzKKUDfcJjY4C//9VhU5s6PEo4YDhPO+BaGl9+B
hXfbejUOEfzp8S9ulEqt9biY0CWPHfjtKbw5w8hAKpb2Scqisu9fTQ==
=OQOf
-----END PGP SIGNATURE-----






From rsw at jfet.org  Sat Jul 20 14:34:29 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Sat, 20 Jul 2013 17:34:29 -0400
Subject: a Cypherpunks comeback
In-Reply-To: <alpine.LRH.2.00.1307201633070.15884@localhost.localdomain>
References: <20130720164125.GA12053@jfet.org>
 <alpine.LRH.2.00.1307201633070.15884@localhost.localdomain>
Message-ID: <20130720213429.GA20571@jfet.org>

"Michael Froomkin - U.Miami School of Law" <froomkin at law.miami.edu> wrote:
> Good idea.  But, with all respect, I don't know you.  Epecially
> given the (very, very, very unfortunate) domain name, it would be
> much better to get an invite from someone I recall from the old
> days.  Preferably signed with a key on a keyserver with a decent
> trust chain.
>
> And domain names are cheap.  CPUNKS-LIST.COM is available.  Why not
> pick a different one if you are serious about this? Or get someone
> to lend you a subdomain?

This is a fair objection, and you've suggested one good remedy. Seems
John was happy to oblige.

As I said in my first email, I've been running a cpunks node from this
address for quite some time. According to my notes, the last time any
other node in the CDR showed any life was 5/11/2005, but I've run
cypherpunks at al-qaeda.net and before that cypherpunks at jfet.org since
circa 2000. You should be able to verify all this with a couple Google
searches.

Fundamentally, though, you're right: I'm not the same rash college kid
who thought it would be hilarious to have an al-qaeda.net CDR node, and
if that's a sticking point for people, probably this little joke's best
days are seven or eight years gone already anyhow.

To that end, I just grabbed "cpunks.org"; as soon as it comes alive,
I'll change everything over to the new address.

-=rsw




From jya at pipeline.com  Sat Jul 20 14:49:51 2013
From: jya at pipeline.com (John Young)
Date: Sat, 20 Jul 2013 17:49:51 -0400
Subject: a Cypherpunks comeback
In-Reply-To: <alpine.LRH.2.00.1307201633070.15884@localhost.localdomain>
References: <20130720164125.GA12053@jfet.org>
 <alpine.LRH.2.00.1307201633070.15884@localhost.localdomain>
Message-ID: <E1V0ezX-0000nl-Dz@elasmtp-galgo.atl.sa.earthlink.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wrong key, no sigs on it. This should do it.

Michael makes valid points. Skepticism is appropriate.

A name change would likely correct misapprehension
about an active list without a trust chain supporting it.

I attach a sig of mine with a few sigs from the past.
None of my other keys were signed probably wisely
to avoid implication.

Is it hot in Miami? Hot as hell in NYC.

JYA

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFR6wXVg0Rfznk272ARAjejAKCBBtWhL2pEalqaWyT00U9vfv252gCgiS3T
myJOwa48z8UNwIhi80xna4A=
=ggG5
-----END PGP SIGNATURE-----





From rsw at jfet.org  Sat Jul 20 15:39:55 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Sat, 20 Jul 2013 18:39:55 -0400
Subject: domain change
Message-ID: <20130720223955.GA24509@jfet.org>

Friends,

A few people expressed some discomfiture off-list with the @al-qaeda.net
domain name. I'm not so attached that I'm willing to alienate posters,
so I've registered cpunks.org and updated the configs to reflect this.

Note that the way I have things configured, the mail server doesn't much
care which domain you submit to: if you're so inclined,
cypherpunks at al-qaeda.net should continue to work as a submission
address, ditto cypherpunks at jfet.org (which it seems remained in use
until somewhat recently).

I promise the administrative noise level on the list should return
to near-zero after this, assuming no one feels like flaming me about
the change.

-=rsw




From rsw at jfet.org  Sat Jul 20 16:03:20 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Sat, 20 Jul 2013 19:03:20 -0400
Subject: a Cypherpunks comeback
In-Reply-To: <20130720213429.GA20571@jfet.org>
References: <20130720164125.GA12053@jfet.org>
 <alpine.LRH.2.00.1307201633070.15884@localhost.localdomain>
 <20130720213429.GA20571@jfet.org>
Message-ID: <20130720230320.GA25770@jfet.org>

"Riad S. Wahby" <rsw at jfet.org> wrote:
> To that end, I just grabbed "cpunks.org"; as soon as it comes alive,
> I'll change everything over to the new address.

FYI, cypherpunks at cpunks.org is now live.
    https://cpunks.org/mailman/listinfo/cypherpunks

Regards,

-=rsw




From froomkin at law.miami.edu  Sat Jul 20 16:22:13 2013
From: froomkin at law.miami.edu (Michael Froomkin - U.Miami School of Law)
Date: Sat, 20 Jul 2013 19:22:13 -0400 (EDT)
Subject: a Cypherpunks comeback
In-Reply-To: <20130720213429.GA20571@jfet.org>
References: <20130720164125.GA12053@jfet.org> <alpine.LRH.2.00.1307201633070.15884@localhost.localdomain> <20130720213429.GA20571@jfet.org>
Message-ID: <alpine.LRH.2.00.1307201920210.16712@localhost.localdomain>


Will you send out a new notice when that happens, please?  Feel free to 
blame me if you need to.  Some of the old guard might be amused.


On Sat, 20 Jul 2013, Riad S. Wahby wrote:

> "Michael Froomkin - U.Miami School of Law" <froomkin at law.miami.edu> wrote:
>> Good idea.  But, with all respect, I don't know you.  Epecially
>> given the (very, very, very unfortunate) domain name, it would be
>> much better to get an invite from someone I recall from the old
>> days.  Preferably signed with a key on a keyserver with a decent
>> trust chain.
>>
>> And domain names are cheap.  CPUNKS-LIST.COM is available.  Why not
>> pick a different one if you are serious about this? Or get someone
>> to lend you a subdomain?
>
> This is a fair objection, and you've suggested one good remedy. Seems
> John was happy to oblige.
>
> As I said in my first email, I've been running a cpunks node from this
> address for quite some time. According to my notes, the last time any
> other node in the CDR showed any life was 5/11/2005, but I've run
> cypherpunks at al-qaeda.net and before that cypherpunks at jfet.org since
> circa 2000. You should be able to verify all this with a couple Google
> searches.
>
> Fundamentally, though, you're right: I'm not the same rash college kid
> who thought it would be hilarious to have an al-qaeda.net CDR node, and
> if that's a sticking point for people, probably this little joke's best
> days are seven or eight years gone already anyhow.
>
> To that end, I just grabbed "cpunks.org"; as soon as it comes alive,
> I'll change everything over to the new address.
>
> -=rsw
>

-- 
A. Michael Froomkin, http://www.law.tm Blog: http://www.discourse.net
Laurie Silvers & Mitchell Rubenstein Distinguished Professor of Law
Editor, Jotwell: The Journal of Things We Like (Lots),  jotwell.com
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285  |    +1 (305) 284-6506 (fax)  |  froomkin at law.tm
                        -->It's hot here.<--




From lorenzszabo at rocketmail.com  Sat Jul 20 11:41:30 2013
From: lorenzszabo at rocketmail.com (BizDevCon (L0R3NZ 5Z4B0))
Date: Sat, 20 Jul 2013 20:41:30 +0200
Subject: Testing with a joke
Message-ID: <64C033EF-5DCC-42E5-9F00-7B239DDA8775@rocketmail.com>

Testing with a joke:

Q: What is the longest 10 years in the lifetime of a woman?

A: Between 38 and 42.




From lorenzszabo at rocketmail.com  Sat Jul 20 11:46:46 2013
From: lorenzszabo at rocketmail.com (BizDevCon (L0R3NZ 5Z4B0))
Date: Sat, 20 Jul 2013 20:46:46 +0200
Subject: War is Boring: Someone Just Built a Robot Sentry Gun
Message-ID: <10759882-9D22-46C5-9EBE-BBA86BE19527@rocketmail.com>

War is Boring: Someone Just Built a Robot Sentry Gun

July 19, 2013

Robert Beckhusen

NatSec writer at Medium. Contributor to Offiziere.ch

It only shoots foam bullets, but that doesn't mean we shouldn't be worried

Here's how German engineering student Britt Liv Ulrike Michelsen turned a Nerf gun into a robot. First, she connected the toy's electric motor to a microcontroller and a laptop computer, upgraded the firing spring to make it shoot faster and more accurately then connected the toy to a servo-driven stand, which allows it to swivel back and forth. Finally, she added a webcam and the open-source program Project Sentry Gun to make the device automatically track and attack anything that moves.

End result: an automated, foam-firing robot sentry gun.

Michelson's toy itself is harmless, but the idea behind it does raise some provocative questions. How easy is it to automate a real gun? What are the legal and ethical issues? (Spoiler: there are many.) And could we soon see automated weapons in the home?

For help, we asked Patrick Lin, a professor at California Polytechnic State University and a leading researcher on the ethics of robots, drones and unmanned machines. We also wanted to know what the Pentagon is doing with its own armed ground 'bots.

"What seems to be newsworthy is that a Nerf gun is involved, and some people may be unnerved by the juxtaposition of childhood innocence and visions of Terminator-style AI," Lin says. "But a Nerf gun isn't usually lethal, though it could harm targets if they were hit in the eye, for instance. So a non-lethal home security robot could be permitted by law, depending on how harmful it is."

A pepper-spraying home defense 'bot might go too far. A lethal autonomous sentry gun is out of the question, not the least of which is the inability to distinguish between an intruder and an innocent child. "Just like you can't rig a shotgun to shoot whatever opens your door," he adds. "The big problem here is that it would be an indiscriminate attack, even in states with 'Stand Your Ground or 'Castle' laws that permit lethal defense of the home."

The capability exists -- though only for the military. Years ago, Samsung defense subsidiary Samsung Techwin developed a robotic machine gun, the SGR-A1, which is also equipped with infrared cameras. The 'bot's destination was reportedly the South Korean side of the Korean demilitarized zone, but these were never deployed or turned into full-auto mode.

The Pentagon has its own projects. A weaponized robot called SWORDS was deployed to Iraq -- under Army control -- until funding was yanked. A follow-up program by the Marines, called MAARS, can roll around with a swappable weapons system, including both lethal bullets and non-lethal grenades and laser dazzlers. Its developer, defense contractor QinetiQ, describes the robot as "taking its place on the frontlines to keep warfighters at a safe distance from enemy fire while effectively executing security missions." MAARS hasn't been deployed and has not been made autonomous. The Pentagon is also very skeptical about taking its own personnel out of the decision-making process with it comes to lethal robots and drones.

"The important point, though, is that the capability already exists today," Lin says. "If it were to be deployed, that would be an important and, to many, regrettable milestone in future warfare."

But should we be worried about someone making a killbot at home and then automating to do something terrible? Sort of. Maybe. It's possible someone could do it. "It would seem so," Lin says. "But there are a lot of terrible things people can make that thankfully don't appear very much, such as privacy-infringing or bomb-carrying drones. We have laws that address most of those contingencies, and that seems to be enough to deter most rational people inclined to try them out."

One thing to watch out for, he notes, is for an engineer or activist to develop a lethal sentry gun just to provoke a debate, create a backlash or force regulation. We've seen that happen with 3-D printed guns. But even criminals getting ahold of those are a big stretch. Lin says, "Luckily, criminals tend to be dumb -- not so much the Lex Luthor type."

Subscribe to War is Boring: medium.com/feed/war-is-boring.




From lorenzszabo at rocketmail.com  Sat Jul 20 11:58:33 2013
From: lorenzszabo at rocketmail.com (Lorenz Szabo)
Date: Sat, 20 Jul 2013 20:58:33 +0200
Subject: The Muslim Problem
Message-ID: <6B01D74F-8233-4458-9114-E6207E447E5A@rocketmail.com>

Yeah, yeah, posted by an Austrian...

###

The Muslim Problem

Nicolai Sennels is a Danish psychologist who has done extensive research into a little-known problem in the Muslim world: the disastrous results of Muslim inbreeding brought about by the marriage of first-cousins.

This practice, which has been prohibited in the Judeo-Christian tradition since the days of Moses, was sanctioned by Muhammad and has been going on now for 50 generations (1,400 years) in the Muslim world.

This practice of inbreeding will never go away in the Muslim world, since Muhammad is the ultimate example and authority on all matters, including marriage.

The massive inbreeding in Muslim culture may well have done virtually irreversible damage to the Muslim gene pool, including xtensive damage to its intelligence, sanity, and health.

According to Sennels, close to half of all Muslims in the world are inbred. In Pakistan, the numbers approach 70%. Even in England, more than half of Pakistani immigrants are married to their first cousins, and in Denmark the number of inbred Pakistani immigrants is around 40%.

The numbers are equally devastating in other important Muslim countries: 67% in Saudi Arabia, 64% in Jordan, and Kuwait, 63% in Sudan, 60% in Iraq, and 54% in the United Arab Emirates and Qatar .

According to the BBC, this Pakistani, Muslim-inspired inbreeding is thought to explain the probability that a British Pakistani family is more than 13 times as likely to have children with recessive genetic disorders. While Pakistanis are responsible for three percent of the births in the UK, they account for 33% of children with genetic birth defects.

The risk of what are called autosomal recessive disorders such as cystic fibrosis and spinal muscular atrophy is 18 times higher an the risk of death due to malformations is 10 times higher.

Other negative consequences of inbreeding include a 100 percent increase in the risk of stillbirths and a 50% increase in the possibility that a child will die during labor.

Lowered intellectual capacity is another devastating consequence of Muslim marriage patterns. According to Sennels, research shows that children of consanguineous marriages lose 10-16 points off their IQ and that social abilities develop much slower in inbred babies.

The risk of having an IQ lower than 70, the official demarcation for being classified as "retarded," increases by an astonishing 400 percent among children of cousin marriages. (Similar effects were seen in the Pharaonic dynasties in ancient Egypt and in the British royal family, where inbreeding was the norm for a significant period of time.)

In Denmark, non-Western immigrants are more than 300 percent more likely to fail the intelligence test required for entrance into the Danish army.

Sennels says that "the ability to enjoy and produce knowledge and abstract thinking is simply lower in the Islamic world." He points out that the Arab world translates just 330 books every year, about 20% of what Greece alone does.

In the last 1,200 years of Islam, just 100,000 books have been translated into Arabic, about what Spain does in a single year. Seven out of 10 Turks have never even read a book.

Sennels points out the difficulties this creates for Muslims seeking to succeed in the West. "A lower IQ, together with a religion that denounces critical thinking, surely makes it harder for many Muslims to have success in our high-tech knowledge societies.."

Only nine Muslims have every won the Nobel Prize, and five of those were for the "Peace Prize." According to Nature magazine, Muslim countries produce just 10 percent of the world average when it comes to scientific research (measured by articles per million inhabitants).

In Denmark, Sennels' native country, Muslim children are grossly over represented among children with special needs. One-third of the budget for Danish schools is consumed by special education, and anywhere from 51% to 70% of retarded children with physical handicaps in Copenhagen have an immigrant background. Learning ability is severely affected as well.
Studies indicated that 64% of school children with Arabic parents are still illiterate after 10 years in the Danish school system. The immigrant drop-out rate in Danish high schools is twice that of the native-born.

Mental illness is also a product. The closer the blood relative, the higher the risk of schizophrenic illness. The increased risk of insanity may explain why more than 40% of the patients in Denmark's biggest ward for clinically insane criminals have an immigrant back-ground.

The U.S. is not immune. According to Sennels, "One study based on 300,000 Americans shows that the majority of Muslims in the USA have a lower income, are less educated, and have worse jobs than the population as a whole."

Sennels concludes:

There is no doubt that the wide spread tradition of first cousin marriages among Muslims has harmed the gene pool among Muslims. Because Muslims' religious beliefs prohibit marrying non-Muslims and thus prevents them from adding fresh genetic material to their population, the genetic damage done to their gene pool since their prophet allowed first cousin marriages 1,400 years ago are most likely massive. (This has produced) overwhelming direct and indirect human and societal consequences.

Bottom line: Islam is not simply a benign and morally equivalent alternative to the Judeo-Christian tradition. As Sennels points out, the first and biggest victims of Islam are Muslims. Simple Christian compassion for Muslims and a common-sense desire to protect Western civilization from the ravages of Islam dictate a vigorous opposition to the spread of this dark and dangerous
religion. These stark realities must be taken into account when we establish public polices dealing with immigration from Muslim countries and the building of mosques in the U.S.

Let's hope America wakes up before a blind naivete about the reality of Islam destroys what remains of our Judeo-Christian culture and our domestic tranquility.

Sent with Writer.


___
Lorenz Szabo
Vienna, Austria

Phone: +43 676 4167143 (T-Mobile Austria; iChat/Viber)
Skype: lorenzszabo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 7015 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130720/3eeeb2a4/attachment.txt>

From rsw at jfet.org  Sat Jul 20 18:49:36 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Sat, 20 Jul 2013 21:49:36 -0400
Subject: a Cypherpunks comeback
In-Reply-To: <alpine.LRH.2.00.1307201920210.16712@localhost.localdomain>
References: <20130720164125.GA12053@jfet.org>
 <alpine.LRH.2.00.1307201633070.15884@localhost.localdomain>
 <20130720213429.GA20571@jfet.org>
 <alpine.LRH.2.00.1307201920210.16712@localhost.localdomain>
Message-ID: <20130721014936.GA28962@jfet.org>

"Michael Froomkin - U.Miami School of Law" <froomkin at law.miami.edu> wrote:
> Will you send out a new notice when that happens, please?  Feel free
> to blame me if you need to.  Some of the old guard might be amused.

Oof, let me think a little more about this. I really hesitate to spam
people who may not have given half a care about Cpunks for the last 15
years, especially since there are still seemingly a good 250+ valid
email addresses among the 1600+ comprising the list of yesteryear.

Note that visiting the old URL shows the updated domain name, which
may sufficiently allay the concerns of at least some who are tempted
to return.

-=rsw




From kb at karelbilek.com  Sat Jul 20 13:04:30 2013
From: kb at karelbilek.com (=?ISO-8859-1?Q?Karel_B=EDlek?=)
Date: Sat, 20 Jul 2013 22:04:30 +0200
Subject: The Muslim Problem
In-Reply-To: <6B01D74F-8233-4458-9114-E6207E447E5A@rocketmail.com>
References: <6B01D74F-8233-4458-9114-E6207E447E5A@rocketmail.com>
Message-ID: <CAGUkT8afg-hRi8SxvnW0qWKVbooT5Vhc3hH7GETXSXhho3FFvA@mail.gmail.com>

Aaaaaand now is the time to unsubscribe from this mailing list.

On Sat, Jul 20, 2013 at 8:58 PM, Lorenz Szabo
<lorenzszabo at rocketmail.com> wrote:
> Yeah, yeah, posted by an Austrian...
>
> ###
>
> The Muslim Problem
>
> Nicolai Sennels is a Danish psychologist who has done extensive research
> into a little-known problem in the Muslim world: the disastrous results of
> Muslim inbreeding brought about by the marriage of first-cousins.
>
> This practice, which has been prohibited in the Judeo-Christian tradition
> since the days of Moses, was sanctioned by Muhammad and has been going on
> now for 50 generations (1,400 years) in the Muslim world.
>
> This practice of inbreeding will never go away in the Muslim world, since
> Muhammad is the ultimate example and authority on all matters, including
> marriage.
>
> The massive inbreeding in Muslim culture may well have done virtually
> irreversible damage to the Muslim gene pool, including xtensive damage to
> its intelligence, sanity, and health.
>
> According to Sennels, close to half of all Muslims in the world are inbred.
> In Pakistan, the numbers approach 70%. Even in England, more than half of
> Pakistani immigrants are married to their first cousins, and in Denmark the
> number of inbred Pakistani immigrants is around 40%.
>
> The numbers are equally devastating in other important Muslim countries: 67%
> in Saudi Arabia, 64% in Jordan, and Kuwait, 63% in Sudan, 60% in Iraq, and
> 54% in the United Arab Emirates and Qatar .
>
> According to the BBC, this Pakistani, Muslim-inspired inbreeding is thought
> to explain the probability that a British Pakistani family is more than 13
> times as likely to have children with recessive genetic disorders. While
> Pakistanis are responsible for three percent of the births in the UK, they
> account for 33% of children with genetic birth defects.
>
> The risk of what are called autosomal recessive disorders such as cystic
> fibrosis and spinal muscular atrophy is 18 times higher an the risk of death
> due to malformations is 10 times higher.
>
> Other negative consequences of inbreeding include a 100 percent increase in
> the risk of stillbirths and a 50% increase in the possibility that a child
> will die during labor.
>
> Lowered intellectual capacity is another devastating consequence of Muslim
> marriage patterns. According to Sennels, research shows that children of
> consanguineous marriages lose 10-16 points off their IQ and that social
> abilities develop much slower in inbred babies.
>
> The risk of having an IQ lower than 70, the official demarcation for being
> classified as "retarded," increases by an astonishing 400 percent among
> children of cousin marriages. (Similar effects were seen in the Pharaonic
> dynasties in ancient Egypt and in the British royal family, where inbreeding
> was the norm for a significant period of time.)
>
> In Denmark, non-Western immigrants are more than 300 percent more likely to
> fail the intelligence test required for entrance into the Danish army.
>
> Sennels says that "the ability to enjoy and produce knowledge and abstract
> thinking is simply lower in the Islamic world." He points out that the Arab
> world translates just 330 books every year, about 20% of what Greece alone
> does.
>
> In the last 1,200 years of Islam, just 100,000 books have been translated
> into Arabic, about what Spain does in a single year. Seven out of 10 Turks
> have never even read a book.
>
> Sennels points out the difficulties this creates for Muslims seeking to
> succeed in the West. "A lower IQ, together with a religion that denounces
> critical thinking, surely makes it harder for many Muslims to have success
> in our high-tech knowledge societies.."
>
> Only nine Muslims have every won the Nobel Prize, and five of those were for
> the "Peace Prize." According to Nature magazine, Muslim countries produce
> just 10 percent of the world average when it comes to scientific research
> (measured by articles per million inhabitants).
>
> In Denmark, Sennels' native country, Muslim children are grossly over
> represented among children with special needs. One-third of the budget for
> Danish schools is consumed by special education, and anywhere from 51% to
> 70% of retarded children with physical handicaps in Copenhagen have an
> immigrant background. Learning ability is severely affected as well.
> Studies indicated that 64% of school children with Arabic parents are still
> illiterate after 10 years in the Danish school system. The immigrant
> drop-out rate in Danish high schools is twice that of the native-born.
>
> Mental illness is also a product. The closer the blood relative, the higher
> the risk of schizophrenic illness. The increased risk of insanity may
> explain why more than 40% of the patients in Denmark's biggest ward for
> clinically insane criminals have an immigrant back-ground.
>
> The U.S. is not immune. According to Sennels, "One study based on 300,000
> Americans shows that the majority of Muslims in the USA have a lower income,
> are less educated, and have worse jobs than the population as a whole."
>
> Sennels concludes:
>
> There is no doubt that the wide spread tradition of first cousin marriages
> among Muslims has harmed the gene pool among Muslims. Because Muslims'
> religious beliefs prohibit marrying non-Muslims and thus prevents them from
> adding fresh genetic material to their population, the genetic damage done
> to their gene pool since their prophet allowed first cousin marriages 1,400
> years ago are most likely massive. (This has produced) overwhelming direct
> and indirect human and societal consequences.
>
> Bottom line: Islam is not simply a benign and morally equivalent alternative
> to the Judeo-Christian tradition. As Sennels points out, the first and
> biggest victims of Islam are Muslims. Simple Christian compassion for
> Muslims and a common-sense desire to protect Western civilization from the
> ravages of Islam dictate a vigorous opposition to the spread of this dark
> and dangerous
> religion. These stark realities must be taken into account when we establish
> public polices dealing with immigration from Muslim countries and the
> building of mosques in the U.S.
>
> Let's hope America wakes up before a blind naivete about the reality of
> Islam destroys what remains of our Judeo-Christian culture and our domestic
> tranquility.
>
> Sent with Writer.
>
>
> ___
> Lorenz Szabo
> Vienna, Austria
>
> Phone: +43 676 4167143 (T-Mobile Austria; iChat/Viber)
> Skype: lorenzszabo




From jya at pipeline.com  Sun Jul 21 05:18:53 2013
From: jya at pipeline.com (John Young)
Date: Sun, 21 Jul 2013 08:18:53 -0400
Subject: [liberationtech] today's Spiegel edition
In-Reply-To: <20130721110716.GK29404@leitl.org>
References: <20130721110716.GK29404@leitl.org>
Message-ID: <E1V0sYX-0008Kh-TG@elasmtp-junco.atl.sa.earthlink.net>

Der Spiegel again, like Guardian, O'Globo, WaPo, publishes only snippets
of NSA documents, then bloated commentary. This titilating censorship is
complicit cowardice. The journalists who sign these articles should be ashamed
of providing a cover-up with commercial manipulation of Snowden's alleged
documents information which assures governments no media outlet will
"go too far." That is, share Snowden's serious risks, instead hang him
out alone with allegations of his frightening collection, cheerleading the
applauding crowd.

The full formulaic cravenly disappointing article in German:

https://linksunten.indymedia.org/de/system/files/data/2013/07/7223658275.pdf 
(6.1MB)



At 07:07 AM 7/21/2013, Eugen Leitl wrote:
>----- Forwarded message from Jacob Appelbaum <jacob at appelbaum.net> -----
>
>Date: Sun, 21 Jul 2013 10:52:43 +0000
>From: Jacob Appelbaum <jacob at appelbaum.net>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: [liberationtech] today's Spiegel edition
>Reply-To: liberationtech <liberationtech at lists.stanford.edu>
>
>A new Spiegel edition is out and it is awesome. It contains leaked
>documents that show that the BND, BfV, NSA and CIA worked together to do
>domestic spying in Germany. It also covers more information about XKEYSCORE.
>
>The PDF of the article has been leaked too:
>
>   https://twitter.com/derPUPE/status/358891530267815936
>
>For those that don't read German, I suggest reading anyway - the leaked
>NSA document is in English and very telling.
>
>Quote of the day:
>
>(S//REL TO USA, FVEY) The German government modified its interpretation
>of the G-10 Privacy Law, protecting the communications of German
>citizens, to afford the BND more flexibility in sharing protected
>information with foreign partners.
>
>Once again, privacy by policy fails.
>
>It is long past time for privacy by design through strong cryptography
>and unmistakably clear legislation. With such changes, a
>"re-interpretation" would cause those crypto systems to fail and this
>would be part of the way we would alert people that they are under attack.
>
>All the best,
>Jacob
>--
>Too many emails? Unsubscribe, change to digest, or change password 
>by emailing moderator at companys at stanford.edu or changing your 
>settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>----- End forwarded message -----
>--
>Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
>______________________________________________________________
>ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
>AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5





From jens at hillerup.net  Sat Jul 20 23:39:17 2013
From: jens at hillerup.net (Jens Christian Hillerup)
Date: Sun, 21 Jul 2013 08:39:17 +0200
Subject: The Muslim Problem
In-Reply-To: <CAGUkT8afg-hRi8SxvnW0qWKVbooT5Vhc3hH7GETXSXhho3FFvA@mail.gmail.com>
References: <6B01D74F-8233-4458-9114-E6207E447E5A@rocketmail.com>
 <CAGUkT8afg-hRi8SxvnW0qWKVbooT5Vhc3hH7GETXSXhho3FFvA@mail.gmail.com>
Message-ID: <CAMGhuPGcNdLAFGqCYz=mVEGzJNsK0Td3WBzN5Va3gzfQgcwbnA@mail.gmail.com>

On Sat, Jul 20, 2013 at 10:04 PM, Karel Bílek <kb at karelbilek.com> wrote:

> Aaaaaand now is the time to unsubscribe from this mailing list.


Whoa. Me too!

BTW, Nicolai Sennels is a racist nutcase. He's had a long career of nobody
taking him seriously in Denmark, resorting to having his hate speech
distributed by a publisher mostly known for its far-right affiliations:
http://en.wikipedia.org/wiki/International_Free_Press_Society. Just because
he has a degree in psychology doesn't mean his "scientific" writings should
be taken seriously if they aren't published in a peer-reviewed journal.* *
http://scholar.google.com/scholar?hl=en&q=nicolai+sennels&btnG=&as_sdt=1%2C5&as_sdtp=

Also, wasn't this list supposed to be about cypherpunk?

Best,
JC
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2271 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130721/acee7468/attachment.txt>

From jacob at appelbaum.net  Sun Jul 21 03:52:43 2013
From: jacob at appelbaum.net (Jacob Appelbaum)
Date: Sun, 21 Jul 2013 10:52:43 +0000
Subject: [liberationtech] today's Spiegel edition
Message-ID: <mailman.4377.1575949047.62801.testlist@lists.cpunks.org>

A new Spiegel edition is out and it is awesome. It contains leaked
documents that show that the BND, BfV, NSA and CIA worked together to do
domestic spying in Germany. It also covers more information about XKEYSCORE.

The PDF of the article has been leaked too:

  https://twitter.com/derPUPE/status/358891530267815936

For those that don't read German, I suggest reading anyway - the leaked
NSA document is in English and very telling.

Quote of the day:

(S//REL TO USA, FVEY) The German government modified its interpretation
of the G-10 Privacy Law, protecting the communications of German
citizens, to afford the BND more flexibility in sharing protected
information with foreign partners.

Once again, privacy by policy fails.

It is long past time for privacy by design through strong cryptography
and unmistakably clear legislation. With such changes, a
"re-interpretation" would cause those crypto systems to fail and this
would be part of the way we would alert people that they are under attack.

All the best,
Jacob
--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From eugen at leitl.org  Sun Jul 21 02:22:51 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 21 Jul 2013 11:22:51 +0200
Subject: [liberationtech] Interesting things in keyservers
Message-ID: <20130721092251.GB29404@leitl.org>

----- Forwarded message from micah <micah at riseup.net> -----


From eugen at leitl.org  Sun Jul 21 03:06:52 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 21 Jul 2013 12:06:52 +0200
Subject: [cryptography] [liberationtech] Random number generator failure
 in Rasperri Pis?
Message-ID: <20130721100652.GC29404@leitl.org>

----- Forwarded message from Russell Leidich <pkejjy at gmail.com> -----


From eugen at leitl.org  Sun Jul 21 03:12:50 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 21 Jul 2013 12:12:50 +0200
Subject: The Muslim Problem
In-Reply-To: <CAGUkT8afg-hRi8SxvnW0qWKVbooT5Vhc3hH7GETXSXhho3FFvA@mail.gmail.com>
References: <6B01D74F-8233-4458-9114-E6207E447E5A@rocketmail.com>
 <CAGUkT8afg-hRi8SxvnW0qWKVbooT5Vhc3hH7GETXSXhho3FFvA@mail.gmail.com>
Message-ID: <20130721101250.GE29404@leitl.org>

On Sat, Jul 20, 2013 at 10:04:30PM +0200, Karel Bílek wrote:

> Aaaaaand now is the time to unsubscribe from this mailing list.

We don't tolerate shitposters here. Just give it time to 
settle in.




From eugen at leitl.org  Sun Jul 21 03:43:36 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 21 Jul 2013 12:43:36 +0200
Subject: [DIYbio] Science research papers require viewing Adverts,
 no-thanks to Science/AAAS
Message-ID: <20130721104336.GI29404@leitl.org>

----- Forwarded message from James Salsman <jsalsman at gmail.com> -----


From eugen at leitl.org  Sun Jul 21 04:07:16 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 21 Jul 2013 13:07:16 +0200
Subject: [liberationtech] today's Spiegel edition
Message-ID: <20130721110716.GK29404@leitl.org>

----- Forwarded message from Jacob Appelbaum <jacob at appelbaum.net> -----


From eugen at leitl.org  Sun Jul 21 04:09:54 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 21 Jul 2013 13:09:54 +0200
Subject: [cryptography] [liberationtech] Random number generator, failure
 in Rasperri Pis?
Message-ID: <20130721110954.GO29404@leitl.org>

----- Forwarded message from Jeffrey Walton <noloader at gmail.com> -----


From bill.stewart at pobox.com  Sun Jul 21 20:48:02 2013
From: bill.stewart at pobox.com (Bill Stewart)
Date: Sun, 21 Jul 2013 20:48:02 -0700
Subject: The Muslim Problem
In-Reply-To: <CAMGhuPGcNdLAFGqCYz=mVEGzJNsK0Td3WBzN5Va3gzfQgcwbnA@mail.g
 mail.com>
References: <6B01D74F-8233-4458-9114-E6207E447E5A@rocketmail.com>
 <CAGUkT8afg-hRi8SxvnW0qWKVbooT5Vhc3hH7GETXSXhho3FFvA@mail.gmail.com>
 <CAMGhuPGcNdLAFGqCYz=mVEGzJNsK0Td3WBzN5Va3gzfQgcwbnA@mail.gmail.com>
Message-ID: <20130722042953.9286DDB34@a-pb-sasl-quonix.pobox.com>

At 11:39 PM 7/20/2013, Jens Christian Hillerup wrote:
>BTW, Nicolai Sennels is a racist nutcase. He's had a long career of 
>nobody taking him seriously in Denmark
Too bad other racist nutcases don't get the same lack of respect everywhere.
He certainly won't find any around here, and we've had a fairly high 
tolerance for craziness over the years.

>Also, wasn't this list supposed to be about cypherpunk?
Absolutely.




From bill.stewart at pobox.com  Sun Jul 21 21:06:28 2013
From: bill.stewart at pobox.com (Bill Stewart)
Date: Sun, 21 Jul 2013 21:06:28 -0700
Subject: [DIYbio] Science research papers require viewing Adverts,
 no-thanks to Science/AAAS
In-Reply-To: <20130721104336.GI29404@leitl.org>
References: <20130721104336.GI29404@leitl.org>
Message-ID: <20130722042954.993EADB38@a-pb-sasl-quonix.pobox.com>


> >> I would like to register my distaste for seeing advertisements within
> >> research publications aka journal articles.  Science/AAAS (Sciencemag.org)
> >> is one major offender noticed so far.

I haven't read the AAAS's Science magazine in decades, but my father 
subscribed to the dead-tree version when I was a kid, and it's had 
ads as long as I can remember.  Most of them were for university 
jobs, and I can't remember whether other ads were in Science or in 
Chemical&Engineering News (an industry rag where ads wouldn't have 
been surprising; I suspect most of the ads for laboratory glassware 
were in C&EN.)




From bill.stewart at pobox.com  Sun Jul 21 21:21:58 2013
From: bill.stewart at pobox.com (Bill Stewart)
Date: Sun, 21 Jul 2013 21:21:58 -0700
Subject: MOAR perl for make benefit SnR! + don't feed trolls
In-Reply-To: <51EC4DCF.2060004@gmail.com>
References: <51EC4DCF.2060004@gmail.com>
Message-ID: <20130722042956.CE0E5DB3C@a-pb-sasl-quonix.pobox.com>

At 02:08 PM 7/21/2013, Samuel Carlisle wrote:
>I really hope there is a lot of exchange and that you can gently guide
>and support fledgling initiatives like Cryptoparty (of which I am a
>part) and that we can collaborate to extend the great work that was
>started by hackers in this community.

I haven't gotten connected with the Cryptoparty movement, but it's 
been really encouraging to have them around.  Apparently there have 
been a bunch of them in Germany recently in response to revelations 
that the Bundeswhatever have been hanging out with the NSA wiretapper gangs.

>re: disruptive cruft... the kids nowadays know, instinctively, 
>"never feed trolls".

There has been some tradition around here of baiting trolls for fun, 
but this troll really isn't worth the bother.  We certainly haven't 
had anyone of Detweiler's caliber around in ages.  (If the NSA can 
collect metadata on anybody connected to anybody they already collect 
metadata on, and we'll all Tentacles of Medusa, that means that 
either we're all targets or they've decided that the signal-to-noise 
ratio was too inconsistent.)





From bill.stewart at pobox.com  Sun Jul 21 21:47:51 2013
From: bill.stewart at pobox.com (Bill Stewart)
Date: Sun, 21 Jul 2013 21:47:51 -0700
Subject: [liberationtech] Interesting things in keyservers
In-Reply-To: <20130721092251.GB29404@leitl.org>
References: <20130721092251.GB29404@leitl.org>
Message-ID: <20130722044803.7EDBEDBEB@a-pb-sasl-quonix.pobox.com>

At 02:22 AM 7/21/2013, Eugen Leitl forwarded:

(somebody's, probably Micah's, excellent note on problems with 
incorrectly trusting key servers, especially the MIT one.)

> > 1. no, I didn't do that, nor did I upload the edward snowden or 
> bradley manning keys.

If nobody's uploaded fake Edward Snowden or Bradley Manning (or, more 
seriously, Glenn Greenwald) keys to the MIT key server yet, then 
there are a bunch of trolls who have really been slacking off on 
their jobs.  They don't call it the Keyserver of a Million Lies for nothing.

The usability of the Web of Trust as a set of connection metadata is 
potentially a serious problem - you want your friends to be able to 
verify your keys, but if your connections are as important as your 
messages, there's a lot to be said for handing out business cards 
with your key fingerprints on them.








From samuelcarlisle at gmail.com  Sun Jul 21 14:08:31 2013
From: samuelcarlisle at gmail.com (Samuel Carlisle)
Date: Sun, 21 Jul 2013 23:08:31 +0200
Subject: MOAR perl for make benefit SnR! + don't feed trolls
Message-ID: <51EC4DCF.2060004@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As one of what I hope is a large new generation / wave of
cypherpunks...first off, thanks so much for putting the list back up.

I look forward to being able to connect back with the original
movement, to share perspectives and to tap into the collective
knowledge and wisdom that you have accumulated in your community.

I really hope there is a lot of exchange and that you can gently guide
and support fledgling initiatives like Cryptoparty (of which I am a
part) and that we can collaborate to extend the great work that was
started by hackers in this community.

re: disruptive cruft... the kids nowadays know, instinctively, "never
feed trolls"
http://memeblender.com/wp-content/uploads/2011/10/troll-face-meme-do-not-feed-the-trolls.jpg

I'd take it as a compliment that someone is on a payroll to try and
disrupt your comms ;)

In hope of seeing through the noise to the signal, I look forward to
reading and contributing to what is discussed here.

~samthetechie


Karel Bílek <kb at karelbilek.com> wrote:
> Aaaaaand now is the time to unsubscribe from this mailing list.
> 
> On Sat, Jul 20, 2013 at 8:58 PM, Lorenz Szabo <lorenzszabo at
> rocketmail.com> wrote:
>> The Muslim Problem

Oof. Easy to appreciate Karel's notion here. It would appear someone
kept the dogwhistles warm wihle the list was on hiatus.

I propose we instead ponder just how short a perl script it would
take to automatically transform random selections from a library of
early 20th-century anti-miscegenation and anti-suffrage "literature"
into the newest us-vs-them flavor of the month drivel.

- -=rsw

- -- 
Samuel Carlisle BEng (Hons) Dunelm MIET
pgp: 0x54828CAA
fingerprint: 9E01 D8A4 CFEB ED72 B0D2 70D7 1D57 A297 5482 8CAA
twitter: @samthetechie
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJR7E3PAAoJEB1XopdUgoyqCDYH/jE3JzD19A0hlg8Ar+bRDhmp
O1q9hXuw3ABB7dXFFETSZ/44+Scf2TeRD3nPBTq+A2pkb9t4agQbmLqPX5szIdv7
WqMpRcZlB9xPtvWCGaN4Zo98WIEatLwSbewTjYNA9JB1H4LU8plS5N11vKZIeKhV
h91/6wtSh0XOH3OXxZoCufOLl9jC/ezxHrpHDQ0h8Wk0kfAJTtOnHyZcLZG5f6Xl
OndCcDeC2/ymMjQL5D0eGRCOvmqZQNqJ1eB6ONwtV92Djya024XxlkI84iqLbe1s
ZiSxjy2fgS7j1OI1MGpURhNlsbRhRBLE61ezci0YIMRIyLOcQz4YDM51frVV+F8=
=A0Ep
-----END PGP SIGNATURE-----




From kanzure at gmail.com  Sun Jul 21 23:42:42 2013
From: kanzure at gmail.com (Bryan Bishop)
Date: Mon, 22 Jul 2013 01:42:42 -0500
Subject: [DIYbio] Science research papers require viewing Adverts,
 no-thanks to Science/AAAS
In-Reply-To: <20130722042954.993EADB38@a-pb-sasl-quonix.pobox.com>
References: <20130721104336.GI29404@leitl.org>
 <20130722042954.993EADB38@a-pb-sasl-quonix.pobox.com>
Message-ID: <CABaSBaxotZ-qPdD_3O1Ls=fO7ScERcAB3VpwzdL5HKQ83up9tQ@mail.gmail.com>

On Sun, Jul 21, 2013 at 11:06 PM, Bill Stewart <bill.stewart at pobox.com> wrote:
> I haven't read the AAAS's Science magazine in decades, but my father
> subscribed to the dead-tree version when I was a kid, and it's had ads as
> long as I can remember.  Most of them were for university jobs, and I can't
> remember whether other ads were in Science or in Chemical&Engineering News
> (an industry rag where ads wouldn't have been surprising; I suspect most of
> the ads for laboratory glassware were in C&EN.)

Yeah, but Jonathan (what you quoted) was talking about ads appearing
inside the individual pdfs. That didn't use to happen.

- Bryan
http://heybryan.org/
1 512 203 0507




From jya at pipeline.com  Mon Jul 22 04:42:48 2013
From: jya at pipeline.com (John Young)
Date: Mon, 22 Jul 2013 07:42:48 -0400
Subject: Cypherpunks
In-Reply-To: <20130722020043.GB17337@jfet.org>
References: <E1V091G-00023D-Ti@elasmtp-masked.atl.sa.earthlink.net>
 <20130719115513.GJ29404@leitl.org>
 <E1V09OT-0001Zu-I9@elasmtp-mealy.atl.sa.earthlink.net>
 <CAD2Ti28WY9aLsgwbKQ2KiX58hp6aRoY8nOoZwxbk5YnNVvy6SA@mail.gmail.com>
 <20130719193012.GB10434@jfet.org>
 <E1V0I8F-0006Wu-L7@elasmtp-masked.atl.sa.earthlink.net>
 <CAD2Ti29uSqFRi7ZuPGtNxkmRwWXasoDmUTe9WHhvuE6BWsq3wQ@mail.gmail.com>
 <20130720071720.GB32396@jfet.org>
 <E1V0VAY-0005v4-Ov@elasmtp-masked.atl.sa.earthlink.net>
 <CAD2Ti2-u+thKd_baufVkReviEaa+m5h+fM1TmiJbzKNgtFb1CQ@mail.gmail.com>
 <20130722020043.GB17337@jfet.org>
Message-ID: <E1V1EVu-0000hu-82@elasmtp-spurfowl.atl.sa.earthlink.net>

Opposition, disgust, revulsion, ridicule toward al-qaeda
is perfectly cypherpunkian. Never, ever unanimous nor
what's acceptable without merciless, obnoxious, off-topic
digression argument. "Fuck that to death." - A Sage

"Cypherpunks" -- the name, the adventure, the rise and
fall, and multiple rebirths and splits and plagiarisms --
has been subjected to as much irrational ridicule and
exploitation as hyper-plagiarized "al-qaeda."

"Cryptography" list is a bastard of a bastard of a bastard
of cypherpunks, each iteration trying to act snooty
about villanous cryptography and failing repeatedly to
hide its cypherpunkian malice.

There are thousands of vile and sappy posts in the
cpunk archives as with the "fucked to death and still
going" internet. Crud begets crud. Delete the crud and
there's nothing left of the shit-hole except the gargantuan
cesspools on Wayback and Wikipedia and Tor "hidden
services" and blacknet and undernet and intel.net and
virulent cheating, lying and fucking users and each
other.

Extra good shit:, big data crud is growing exponentially,
a golden bowl of explosive fertilizer likely leading to
global cyberwar over who runs the cess.

Never ask for permission, never give it.

Cross-sub everybody and spy them secretly.





From kanzure at gmail.com  Mon Jul 22 07:44:49 2013
From: kanzure at gmail.com (Bryan Bishop)
Date: Mon, 22 Jul 2013 09:44:49 -0500
Subject: [DIYbio] Science research papers require viewing Adverts,
 no-thanks to Science/AAAS
In-Reply-To: <CAGUkT8ZOyvir8ErVRFFZ7kAiv46z-9xvPA0vDSaqV=KU4eFUxg@mail.gmail.com>
References: <20130721104336.GI29404@leitl.org>
 <20130722042954.993EADB38@a-pb-sasl-quonix.pobox.com>
 <CABaSBaxotZ-qPdD_3O1Ls=fO7ScERcAB3VpwzdL5HKQ83up9tQ@mail.gmail.com>
 <CAGUkT8ZOyvir8ErVRFFZ7kAiv46z-9xvPA0vDSaqV=KU4eFUxg@mail.gmail.com>
Message-ID: <CABaSBaxv7_50aVagQme9tuogYfj3zqFTs_yf4zpN5z13SOsJDQ@mail.gmail.com>

On Mon, Jul 22, 2013 at 9:13 AM, Karel Bílek <kb at karelbilek.com> wrote:
> I agree that journals with ads is infinitely better thing for science
> than paid journals.

But.. it's already for-pay. We seem to be getting the bad end of the
deal here. Again.

- Bryan
http://heybryan.org/
1 512 203 0507




From adi at hexapodia.org  Mon Jul 22 14:46:15 2013
From: adi at hexapodia.org (Andy Isaacson)
Date: Mon, 22 Jul 2013 14:46:15 -0700
Subject: Python Random Number Generator for OTP
In-Reply-To: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
Message-ID: <20130722214614.GF25759@hexapodia.org>

On Mon, Jul 22, 2013 at 04:50:55PM -0400, Tom wrote:
> Does anyone on the list have some Python source code for an
> OTP-focused random number generator they'd be willing to share? I'm
> interested in seeing how different people would approach it?

Why not simply use /dev/urandom (after ensuring you have enough entropy,
etc, etc).  If you don't have systemic entropy collection, Python is not
going to be able to help.

Of course any entropy pool measurement is merely computationally
feasible randomness; you'll need to measure a physically
nondeterministic process directly if you want true information theoretic
entropy.  Something like an entropykey should do the trick, if you trust
their design and that they haven't included backdoors.

-andy




From kb at karelbilek.com  Mon Jul 22 07:13:13 2013
From: kb at karelbilek.com (=?ISO-8859-1?Q?Karel_B=EDlek?=)
Date: Mon, 22 Jul 2013 15:13:13 +0100
Subject: [DIYbio] Science research papers require viewing Adverts,
 no-thanks to Science/AAAS
In-Reply-To: <CABaSBaxotZ-qPdD_3O1Ls=fO7ScERcAB3VpwzdL5HKQ83up9tQ@mail.gmail.com>
References: <20130721104336.GI29404@leitl.org>
 <20130722042954.993EADB38@a-pb-sasl-quonix.pobox.com>
 <CABaSBaxotZ-qPdD_3O1Ls=fO7ScERcAB3VpwzdL5HKQ83up9tQ@mail.gmail.com>
Message-ID: <CAGUkT8ZOyvir8ErVRFFZ7kAiv46z-9xvPA0vDSaqV=KU4eFUxg@mail.gmail.com>

I agree that journals with ads is infinitely better thing for science
than paid journals.

On Mon, Jul 22, 2013 at 7:42 AM, Bryan Bishop <kanzure at gmail.com> wrote:
> On Sun, Jul 21, 2013 at 11:06 PM, Bill Stewart <bill.stewart at pobox.com> wrote:
>> I haven't read the AAAS's Science magazine in decades, but my father
>> subscribed to the dead-tree version when I was a kid, and it's had ads as
>> long as I can remember.  Most of them were for university jobs, and I can't
>> remember whether other ads were in Science or in Chemical&Engineering News
>> (an industry rag where ads wouldn't have been surprising; I suspect most of
>> the ads for laboratory glassware were in C&EN.)
>
> Yeah, but Jonathan (what you quoted) was talking about ads appearing
> inside the individual pdfs. That didn't use to happen.
>
> - Bryan
> http://heybryan.org/
> 1 512 203 0507




From ticom at sinister.com  Mon Jul 22 13:50:55 2013
From: ticom at sinister.com (Tom)
Date: Mon, 22 Jul 2013 16:50:55 -0400 (EDT)
Subject: Python Random Number Generator for OTP
Message-ID: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>

Does anyone on the list have some Python source code for an OTP-focused 
random number generator they'd be willing to share? I'm interested in 
seeing how different people would approach it?





From eugen at leitl.org  Mon Jul 22 08:49:15 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 22 Jul 2013 17:49:15 +0200
Subject: remotely rooting SIM cards
Message-ID: <20130722154915.GG29404@leitl.org>


https://srlabs.de/rooting-sim-cards/

Rooting SIM cards

SIM cards are the de facto trust anchor of mobile devices worldwide. The
cards protect the mobile identity of subscribers, associate devices with
phone numbers, and increasingly store payment credentials, for example in
NFC-enabled phones with mobile wallets.

With over seven billion cards in active use, SIMs may well be the most widely
used security token in the world. Through over-the-air (OTA) updates deployed
via SMS, the cards are even extensible through custom Java software. While
this extensibility is rarely used so far, its existence already poses a
critical hacking risk.

Cracking SIM update keys. OTA commands, such as software updates, are
cryptographically-secured SMS messages, which are delivered directly to the
SIM. While the option exists to use state-of-the-art AES or the somewhat
outdated 3DES algorithm for OTA, many (if not most) SIM cards still rely on
the 70s-era DES cipher. DES keys were shown to be crackable within days using
FPGA clusters, but they can also be recovered much faster by leveraging
rainbow tables similar to those that made GSM’s A5/1 cipher breakable by
anyone.

To derive a DES OTA key, an attacker starts by sending a binary SMS to a
target device. The SIM does not execute the improperly signed OTA command,
but does in many cases respond to the attacker with an error code carrying a
cryptographic signature, once again sent over binary SMS. A rainbow table
resolves this plaintext-signature tuple to a 56-bit DES key within two
minutes on a standard computer.

Deploying SIM malware. The cracked DES key enables an attacker to send
properly signed binary SMS, which download Java applets onto the SIM. Applets
are allowed to send SMS, change voicemail numbers, and query the phone
location, among many other predefined functions. These capabilities alone
provide plenty of potential for abuse.

In principle, the Java virtual machine should assure that each Java applet
only accesses the predefined interfaces. The Java sandbox implementations of
at least two major SIM card vendors, however, are not secure: A Java applet
can break out of its realm and access the rest of the card. This allows for
remote cloning of possibly millions of SIM cards including their mobile
identity (IMSI, Ki) as well as payment credentials stored on the card.

Defenses. The risk of remote SIM exploitation can be mitigated on three
layers:

Better SIM cards. Cards need to use state-of-art cryptography with
sufficiently long keys, should not disclose signed plaintexts to attackers,
and must implement secure Java virtual machines. While some cards already
come close to this objective, the years needed to replace vulnerable legacy
cards warrant supplementary defenses.

Handset SMS firewall. One additional protection layer could be anchored in
handsets: Each user should be allowed to decide which sources of binary SMS
to trust and which others to discard. An SMS firewall on the phone would also
address other abuse scenarios including “silent SMS.”

In-network SMS filtering. Remote attackers rely on mobile networks to deliver
binary SMS to and from victim phones. Such SMS should only be allowed from a
few known sources, but most networks have not implemented such filtering yet.
“Home routing” is furthermore needed to increase the protection coverage to
customers when roaming. This would also provide long-requested protection
from remote tracking.

This research will be presented at BlackHat on Jul 31st and at the OHM
hacking camp on Aug 3rd 2013

Questions? – sim at srlabs.de




From ilsa at jpsecure.net  Mon Jul 22 18:20:16 2013
From: ilsa at jpsecure.net (ilsa bartlett)
Date: Mon, 22 Jul 2013 18:20:16 -0700
Subject: Cypherpunks
In-Reply-To: <E1V1EVu-0000hu-82@elasmtp-spurfowl.atl.sa.earthlink.net>
References: <E1V091G-00023D-Ti@elasmtp-masked.atl.sa.earthlink.net> <20130719115513.GJ29404@leitl.org> <E1V09OT-0001Zu-I9@elasmtp-mealy.atl.sa.earthlink.net> <CAD2Ti28WY9aLsgwbKQ2KiX58hp6aRoY8nOoZwxbk5YnNVvy6SA@mail.gmail.com> <20130719193012.GB10434@jfet.org> <E1V0I8F-0006Wu-L7@elasmtp-masked.atl.sa.earthlink.net> <CAD2Ti29uSqFRi7ZuPGtNxkmRwWXasoDmUTe9WHhvuE6BWsq3wQ@mail.gmail.com> <20130720071720.GB32396@jfet.org> <E1V0VAY-0005v4-Ov@elasmtp-masked.atl.sa.earthlink.net> <CAD2Ti2-u+thKd_baufVkReviEaa+m5h+fM1TmiJbzKNgtFb1CQ@mail.gmail.com> <20130722020043.GB17337@jfet.org> <E1V1EVu-0000hu-82@elasmtp-spurfowl.atl.sa.earthlink.net>
Message-ID: <51EDDA50.1010104@jpsecure.net>

Thank You all...
is this encrypted?  grin, ilsa

On 7/22/13 4:42 AM, John Young wrote:
> Opposition, disgust, revulsion, ridicule toward al-qaeda
> is perfectly cypherpunkian. Never, ever unanimous nor
> what's acceptable without merciless, obnoxious, off-topic
> digression argument. "Fuck that to death." - A Sage
>
> "Cypherpunks" -- the name, the adventure, the rise and
> fall, and multiple rebirths and splits and plagiarisms --
> has been subjected to as much irrational ridicule and
> exploitation as hyper-plagiarized "al-qaeda."
>
> "Cryptography" list is a bastard of a bastard of a bastard
> of cypherpunks, each iteration trying to act snooty
> about villanous cryptography and failing repeatedly to
> hide its cypherpunkian malice.
>
> There are thousands of vile and sappy posts in the
> cpunk archives as with the "fucked to death and still
> going" internet. Crud begets crud. Delete the crud and
> there's nothing left of the shit-hole except the gargantuan
> cesspools on Wayback and Wikipedia and Tor "hidden
> services" and blacknet and undernet and intel.net and
> virulent cheating, lying and fucking users and each
> other.
>
> Extra good shit:, big data crud is growing exponentially,
> a golden bowl of explosive fertilizer likely leading to
> global cyberwar over who runs the cess.
>
> Never ask for permission, never give it.
>
> Cross-sub everybody and spy them secretly.
>
>
>




From seanmckaybeck at lavabit.com  Mon Jul 22 20:18:33 2013
From: seanmckaybeck at lavabit.com (Sean Beck)
Date: Mon, 22 Jul 2013 21:18:33 -0600
Subject: Cypherpunks
In-Reply-To: <51EDDA50.1010104@jpsecure.net>
References: <E1V091G-00023D-Ti@elasmtp-masked.atl.sa.earthlink.net>
 <20130719115513.GJ29404@leitl.org>
 <E1V09OT-0001Zu-I9@elasmtp-mealy.atl.sa.earthlink.net>
 <CAD2Ti28WY9aLsgwbKQ2KiX58hp6aRoY8nOoZwxbk5YnNVvy6SA@mail.gmail.com>
 <20130719193012.GB10434@jfet.org>
 <E1V0I8F-0006Wu-L7@elasmtp-masked.atl.sa.earthlink.net>
 <CAD2Ti29uSqFRi7ZuPGtNxkmRwWXasoDmUTe9WHhvuE6BWsq3wQ@mail.gmail.com>
 <20130720071720.GB32396@jfet.org>
 <E1V0VAY-0005v4-Ov@elasmtp-masked.atl.sa.earthlink.net>
 <CAD2Ti2-u+thKd_baufVkReviEaa+m5h+fM1TmiJbzKNgtFb1CQ@mail.gmail.com>
 <20130722020043.GB17337@jfet.org>
 <E1V1EVu-0000hu-82@elasmtp-spurfowl.atl.sa.earthlink.net>
 <51EDDA50.1010104@jpsecure.net>
Message-ID: <ab94c71d-cc86-4304-9e1e-0dc7ddf7a0b3@email.android.com>

Does it look encrypted?

ilsa bartlett <ilsa at jpsecure.net> wrote:
>Thank You all...
>is this encrypted?  grin, ilsa
>
>On 7/22/13 4:42 AM, John Young wrote:
>> Opposition, disgust, revulsion, ridicule toward al-qaeda
>> is perfectly cypherpunkian. Never, ever unanimous nor
>> what's acceptable without merciless, obnoxious, off-topic
>> digression argument. "Fuck that to death." - A Sage
>>
>> "Cypherpunks" -- the name, the adventure, the rise and
>> fall, and multiple rebirths and splits and plagiarisms --
>> has been subjected to as much irrational ridicule and
>> exploitation as hyper-plagiarized "al-qaeda."
>>
>> "Cryptography" list is a bastard of a bastard of a bastard
>> of cypherpunks, each iteration trying to act snooty
>> about villanous cryptography and failing repeatedly to
>> hide its cypherpunkian malice.
>>
>> There are thousands of vile and sappy posts in the
>> cpunk archives as with the "fucked to death and still
>> going" internet. Crud begets crud. Delete the crud and
>> there's nothing left of the shit-hole except the gargantuan
>> cesspools on Wayback and Wikipedia and Tor "hidden
>> services" and blacknet and undernet and intel.net and
>> virulent cheating, lying and fucking users and each
>> other.
>>
>> Extra good shit:, big data crud is growing exponentially,
>> a golden bowl of explosive fertilizer likely leading to
>> global cyberwar over who runs the cess.
>>
>> Never ask for permission, never give it.
>>
>> Cross-sub everybody and spy them secretly.
>>
>>
>>
>
>
>____________________________________________________________________________________
>Clean the nasty crud out of the  tub for a nice safe enjoyable bath
>http://click.lavabit.com/p8imkxuf9mikcjhwibi6kzfi3ni6azuc1maqbg6darzsm5gzhity/
>____________________________________________________________________________________

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2381 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130722/8c72ce9b/attachment.txt>

From tony.arcieri at gmail.com  Mon Jul 22 21:32:41 2013
From: tony.arcieri at gmail.com (Tony Arcieri)
Date: Mon, 22 Jul 2013 21:32:41 -0700
Subject: Cypherpunks
In-Reply-To: <ab94c71d-cc86-4304-9e1e-0dc7ddf7a0b3@email.android.com>
References: <E1V091G-00023D-Ti@elasmtp-masked.atl.sa.earthlink.net>
 <20130719115513.GJ29404@leitl.org>
 <E1V09OT-0001Zu-I9@elasmtp-mealy.atl.sa.earthlink.net>
 <CAD2Ti28WY9aLsgwbKQ2KiX58hp6aRoY8nOoZwxbk5YnNVvy6SA@mail.gmail.com>
 <20130719193012.GB10434@jfet.org>
 <E1V0I8F-0006Wu-L7@elasmtp-masked.atl.sa.earthlink.net>
 <CAD2Ti29uSqFRi7ZuPGtNxkmRwWXasoDmUTe9WHhvuE6BWsq3wQ@mail.gmail.com>
 <20130720071720.GB32396@jfet.org>
 <E1V0VAY-0005v4-Ov@elasmtp-masked.atl.sa.earthlink.net>
 <CAD2Ti2-u+thKd_baufVkReviEaa+m5h+fM1TmiJbzKNgtFb1CQ@mail.gmail.com>
 <20130722020043.GB17337@jfet.org>
 <E1V1EVu-0000hu-82@elasmtp-spurfowl.atl.sa.earthlink.net>
 <51EDDA50.1010104@jpsecure.net>
 <ab94c71d-cc86-4304-9e1e-0dc7ddf7a0b3@email.android.com>
Message-ID: <CAHOTMVLDbSv-5WDmJnQHP8EHS2XPqc3p+LaW1YD4DBgG0xC1LQ@mail.gmail.com>

On Mon, Jul 22, 2013 at 8:18 PM, Sean Beck <seanmckaybeck at lavabit.com>wrote:

> Does it look encrypted?
>

Encrypted with a virus

-- 
Tony Arcieri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 673 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130722/f8d222e6/attachment.txt>

From l at odewijk.nl  Mon Jul 22 11:45:40 2013
From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=)
Date: Mon, 22 Jul 2013 21:45:40 +0300
Subject: The Muslim Problem
In-Reply-To: <20130722042953.9286DDB34@a-pb-sasl-quonix.pobox.com>
References: <6B01D74F-8233-4458-9114-E6207E447E5A@rocketmail.com>
 <CAGUkT8afg-hRi8SxvnW0qWKVbooT5Vhc3hH7GETXSXhho3FFvA@mail.gmail.com>
 <CAMGhuPGcNdLAFGqCYz=mVEGzJNsK0Td3WBzN5Va3gzfQgcwbnA@mail.gmail.com>
 <20130722042953.9286DDB34@a-pb-sasl-quonix.pobox.com>
Message-ID: <CAHWD2r+x-9Y3CdknDRJhpYoSqv6Wtbk_x5ToJ6oQFnn-KVRuzw@mail.gmail.com>

I enjoy hate speech. Especially about me. Inbreeding might be a serious
problem for muslims. Genetic diversity has always been a difficult subject
for me to fully grasp. I like how this article implies that British Royalty
are idiots.

I think if someone posts it here though, that should likely lead to a
(medium term) ban. To make this list less unsubscribe worthy it's better to
submit good matrial, and help or promote banning of those that don't.

-Lewis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 520 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130722/f0d77298/attachment.txt>

From bill.stewart at pobox.com  Mon Jul 22 21:56:33 2013
From: bill.stewart at pobox.com (Bill Stewart)
Date: Mon, 22 Jul 2013 21:56:33 -0700
Subject: Python Random Number Generator for OTP
In-Reply-To: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
Message-ID: <20130723045640.EECEBD9E4@a-pb-sasl-quonix.pobox.com>

At 01:50 PM 7/22/2013, Tom wrote:
>Does anyone on the list have some Python source code for an 
>OTP-focused random number generator they'd be willing to share? I'm 
>interested in seeing how different people would approach it?

You can use Python or other languages to access your machine's 
hardware random number generator and mash them together with your plaintext.
But your question sounds like you want to generate the random numbers 
themselves with Python software?
         print "You can't generate true random numbers in 
software.  And you can't use pseudo-random numbers for OTP.\n %d", 1/0 ;
(My python's a bit rusty, so the syntax may be wrong, but if so, 
that's a feature; the divide-by-zero is there just for insurance.)





From bill.stewart at pobox.com  Mon Jul 22 22:00:24 2013
From: bill.stewart at pobox.com (Bill Stewart)
Date: Mon, 22 Jul 2013 22:00:24 -0700
Subject: [cryptography] a Cypherpunks comeback
In-Reply-To: <CAD2Ti28L-8QOd8XwbWMtrm6O1tqUPE4A2dQC18-+MjWeF2tTTQ@mail.g
 mail.com>
References: <20130721090726.GY29404@leitl.org>
 <20130722074114.GA22908@netbook.cypherspace.org>
 <CAD2Ti28L-8QOd8XwbWMtrm6O1tqUPE4A2dQC18-+MjWeF2tTTQ@mail.gmail.com>
Message-ID: <20130723050147.BC32CDA16@a-pb-sasl-quonix.pobox.com>


>On Mon, Jul 22, 2013 at 3:41 AM, Adam Back <adam at cypherspace.org> wrote:
> > Could you please get another domain name, that name is just ridiculous.

Absolutely. I mean, has anybody actually used JFETs in recent years?  :-)




From adi at hexapodia.org  Tue Jul 23 01:34:54 2013
From: adi at hexapodia.org (Andy Isaacson)
Date: Tue, 23 Jul 2013 01:34:54 -0700
Subject: Python Random Number Generator for OTP
In-Reply-To: <CAFDBa1VhiP13c-RgtpMycPs9tALxdBNT+6hQz+2zjXaCNKXfTw@mail.gmail.com>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
 <CAFDBa1VhiP13c-RgtpMycPs9tALxdBNT+6hQz+2zjXaCNKXfTw@mail.gmail.com>
Message-ID: <20130723083453.GC27178@hexapodia.org>

On Tue, Jul 23, 2013 at 08:31:16AM +0200, Yan Zhu wrote:
> Is there a secure way to timeshare a single entropy source such as an
> entropy key? High-quality entropy sources are often fragile, expensive, or
> difficult to manufacture and maintain. If Alice has a friggin' amazing
> entropy source, and Bob wants to use it from afar, what would be the best
> way for Alice to let Bob retrieve data from the entropy source when she
> wasn't using it?

If Bob requires *really* *great* entropy, why would he trust a network
link (secured with a non information theoretically secure cipher such as
AES) to transmit his entropy securely?

If Bob is willing to trust merely computationally secure methods such as
private key cryptography, he should gather "less high quality" entropy
locally, using a pool implementation with good mixing, and trust that.

In short -- asking someone else to generate your random numbers is, of
course, a state of sin.

-andy




From seanmckaybeck at lavabit.com  Mon Jul 22 21:36:48 2013
From: seanmckaybeck at lavabit.com (Sean Beck)
Date: Tue, 23 Jul 2013 04:36:48 +0000
Subject: Cypherpunks
In-Reply-To: <CAHOTMVLDbSv-5WDmJnQHP8EHS2XPqc3p+LaW1YD4DBgG0xC1LQ@mail.gmail.com>
References: <E1V091G-00023D-Ti@elasmtp-masked.atl.sa.earthlink.net>
 <20130719115513.GJ29404@leitl.org>
 <E1V09OT-0001Zu-I9@elasmtp-mealy.atl.sa.earthlink.net>
 <CAD2Ti28WY9aLsgwbKQ2KiX58hp6aRoY8nOoZwxbk5YnNVvy6SA@mail.gmail.com>
 <20130719193012.GB10434@jfet.org>
 <E1V0I8F-0006Wu-L7@elasmtp-masked.atl.sa.earthlink.net>
 <CAD2Ti29uSqFRi7ZuPGtNxkmRwWXasoDmUTe9WHhvuE6BWsq3wQ@mail.gmail.com>
 <20130720071720.GB32396@jfet.org>
 <E1V0VAY-0005v4-Ov@elasmtp-masked.atl.sa.earthlink.net>
 <CAD2Ti2-u+thKd_baufVkReviEaa+m5h+fM1TmiJbzKNgtFb1CQ@mail.gmail.com>
 <20130722020043.GB17337@jfet.org>
 <E1V1EVu-0000hu-82@elasmtp-spurfowl.atl.sa.earthlink.net>
 <51EDDA50.1010104@jpsecure.net>
 <ab94c71d-cc86-4304-9e1e-0dc7ddf7a0b3@email.android.com>
 <CAHOTMVLDbSv-5WDmJnQHP8EHS2XPqc3p+LaW1YD4DBgG0xC1LQ@mail.gmail.com>
Message-ID: <51EE0860.1060103@lavabit.com>

On 7/23/2013 4:32 AM, Tony Arcieri wrote:
> On Mon, Jul 22, 2013 at 8:18 PM, Sean Beck <seanmckaybeck at lavabit.com
> <mailto:seanmckaybeck at lavabit.com>> wrote:
>
>     Does it look encrypted?
>
>
> Encrypted with a virus
>  
> -- 
> Tony Arcieri
> 11 Positions Available. Fully Paid Beneifts - $22 Per Hour. See Now!
> http://click.lavabit.com/ja3j1eds33mfq39ypkrar1n9x8e4k6q4o9gjmpe67xjdxd9oom5b/
>
OH NOEZ o_O
http://media.urbandictionary.com/image/page/h4x0r5-7601.jpg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2489 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130723/c7fabbec/attachment.txt>

From StealthMonger at nym.mixmin.net  Mon Jul 22 21:06:58 2013
From: StealthMonger at nym.mixmin.net (StealthMonger)
Date: Tue, 23 Jul 2013 05:06:58 +0100 (BST)
Subject: Python Random Number Generator for OTP
In-Reply-To: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com> (Tom's
 message of "Mon, 22 Jul 2013 16:50:55 -0400 (EDT)")
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
Message-ID: <20130723040658.17DE3EAB0B@snorky.mixmin.net>

Tom <ticom at sinister.com> writes:

> Does anyone on the list have some Python source code for an OTP-focused 
> random number generator they'd be willing to share? I'm interested in 
> seeing how different people would approach it?

#! /usr/bin/python

# SYNOPSIS

#   random-bytes <n>

# DESCRIPTION

#   Writes n cryptographically strong random bytes to stdout.
#   Test with, e.g., random-bytes 16 | hd

From os import urandom
import sys

sys.stdout.write(urandom(int(sys.argv[1])))


-- 


 -- StealthMonger <StealthMonger at nym.mixmin.net>
    Long, random latency is part of the price of Internet anonymity.

   anonget: Is this anonymous browsing, or what?
   http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain

   stealthmail: Hide whether you're doing email, or when, or with whom.
   mailto:stealthsuite at nym.mixmin.net?subject=send%20index.html


Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130723/0c328a5e/attachment.sig>

From yan at mit.edu  Mon Jul 22 23:31:16 2013
From: yan at mit.edu (Yan Zhu)
Date: Tue, 23 Jul 2013 08:31:16 +0200
Subject: Python Random Number Generator for OTP
In-Reply-To: <20130722214614.GF25759@hexapodia.org>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
Message-ID: <CAFDBa1VhiP13c-RgtpMycPs9tALxdBNT+6hQz+2zjXaCNKXfTw@mail.gmail.com>

On Mon, Jul 22, 2013 at 11:46 PM, Andy Isaacson <adi at hexapodia.org> wrote:

> On Mon, Jul 22, 2013 at 04:50:55PM -0400, Tom wrote:
> > Does anyone on the list have some Python source code for an
> > OTP-focused random number generator they'd be willing to share? I'm
> > interested in seeing how different people would approach it?
>
> Why not simply use /dev/urandom (after ensuring you have enough entropy,
> etc, etc).  If you don't have systemic entropy collection, Python is not
> going to be able to help.
>
> Of course any entropy pool measurement is merely computationally
> feasible randomness; you'll need to measure a physically
> nondeterministic process directly if you want true information theoretic
> entropy.  Something like an entropykey should do the trick, if you trust
> their design and that they haven't included backdoors.
>

Andy, maybe you or someone else has some insight into something I've
wondered about:

Is there a secure way to timeshare a single entropy source such as an
entropy key? High-quality entropy sources are often fragile, expensive, or
difficult to manufacture and maintain. If Alice has a friggin' amazing
entropy source, and Bob wants to use it from afar, what would be the best
way for Alice to let Bob retrieve data from the entropy source when she
wasn't using it?

-Yan

>
> -andy
>



-- 
Yan Zhu
http://web.mit.edu/zyan/www/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2026 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130723/949aeb61/attachment.txt>

From rsw at jfet.org  Tue Jul 23 05:35:09 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Tue, 23 Jul 2013 08:35:09 -0400
Subject: [cryptography] a Cypherpunks comeback
In-Reply-To: <20130723050147.BC32CDA16@a-pb-sasl-quonix.pobox.com>
References: <20130721090726.GY29404@leitl.org>
 <20130722074114.GA22908@netbook.cypherspace.org>
 <CAD2Ti28L-8QOd8XwbWMtrm6O1tqUPE4A2dQC18-+MjWeF2tTTQ@mail.gmail.com>
 <20130723050147.BC32CDA16@a-pb-sasl-quonix.pobox.com>
Message-ID: <20130723123509.GA26566@jfet.org>

Bill Stewart <bill.stewart at pobox.com> wrote:
> Absolutely. I mean, has anybody actually used JFETs in recent years?  :-)

Well played, sir. :)

By the way, the answer is in most cases no, sadly.

Most vanilla CMOS processes don't have high quality JFETs available. On
older nodes maybe you can get away with turning an N-well and a P+
diffusion into a JFET, but that doesn't work very well in more modern
processes because the N-wells have strongly retrograde doping, which
makes it hard to pinch off the "bottom" of the channel. Of course, even
at older nodes where it might be possible, the fabs don't bother
characterizing it for you. Sure, you can characterize it yourself, but
if the fab isn't supporting the device that implicitly means they're not
monitoring the quality of that device with their PCM structures, so good
luck with manufacturability long-term.

JFETs are pretty easy to make in high quality bipolar processes because
the base diffusion makes a decent JFET body. Doesn't add much/any cost
to have them in this case. Of course, if you have a BiCMOS process, then
you already have devices with high impedance gates, but for high
performance analog design a JFET beats the hell out of a MOSFET, since
the latter brings along with it a shitload of 1/f noise.

One place I've recently seen JFETs is in really high voltage processes.
Think like a mostly normal 0.18u CMOS process with a 600V (Vds) JFET
available. Haven't actually worked in such a beast, but you can imagine
that compared to MOSFETs, JFETs don't make such great power devices---
who ever heard of a depletion-mode power switch?

-=rsw




From hannes at mehnert.org  Tue Jul 23 00:32:28 2013
From: hannes at mehnert.org (Hannes Mehnert)
Date: Tue, 23 Jul 2013 09:32:28 +0200
Subject: Python Random Number Generator for OTP
In-Reply-To: <20130722214614.GF25759@hexapodia.org>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
Message-ID: <51EE318C.9070309@mehnert.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

On 22/07/2013 23:46, Andy Isaacson wrote:
> Why not simply use /dev/urandom (after ensuring you have enough
> entropy, etc, etc).

Why not use /dev/random, instead of "ensuring you have entropy" (how
would you do that?)?
/dev/random blocks if there's not enough entropy - whereas
/dev/urandom will produce some pseudo-random bits.


hannes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)

iQIcBAEBCQAGBQJR7jGJAAoJELyJZYjffCjuOZ8P/33PdQ7NklZbFHUiox/Oznn9
jFU+HUiW8qe/yVcOXuan91vD5F+fsM18uMmum7HCTBc6gbE/75UHuyitePQfZABm
Ffe4CnkbQBA9aJw6ZyDgJiqc39JQjK9jTOrVVGLaYAKIQgwpKwz2Pb5IZ3u5W9lH
z6eOlwRec3hfACjsfdLRBJ+DOjbR3y+2wCFUE4HyJjE8SjYF0go9qD95EGrWxQcW
gNba4yFqLO0H5HcD/YY4sKAfo/HQUloer2f9bKkqd9GLlA+ZD9M37k3UJilOiF3u
wpRo61jbgFc5IrmJS1TDuHBS71VR48S4GjHBLNmkTCJMBkwhJ1AGlNv2fTLKwaN9
Z5Pk5q3q+2l11BXdIwo8qfJb5Av9/ILXkeWtOlno/IvdDHCNMgFkPwZfswb83LDe
bS4yeYGZ15MBbgBlC9aTmSI2esAdtU/29jSda7I8xTVL9i4o/KTZcsqDfKubdyrV
5g11R4rw1DN0UlMqokShTmLojk2ebU7MKgVCnL/nVbF0l4laa6rnUazaFGppOXhf
gUrAw6K4GDsqs0Y2u9jHAaMk2t54zSv7I9KYFwdzVc08PFOFZp03x0qUSoRsE6qc
2yuQ8PJfRAAUAQAQulf1RLt+as++ROv8RxsbAtPGMK546aoa4Anp5b9mB5S5LVo+
/oDGKVtKZosxGBHhgfs6
=LFao
-----END PGP SIGNATURE-----




From 8f6e58ee at gmail.com  Tue Jul 23 00:50:05 2013
From: 8f6e58ee at gmail.com (8f6e58ee at gmail.com)
Date: Tue, 23 Jul 2013 09:50:05 +0200
Subject: [serval-project-dev] Building Dissent Networks: Towards Effective Countermeasures against Large-Scale Communications Blackouts
Message-ID: <mailman.4378.1575949047.62801.testlist@lists.cpunks.org>

Abstract:
Large-scale communications blackouts, such as those
carried out by Egypt and Libya in 2011 and Syria in
2012 and 2013, have motivated a series of projects that
aim to enable citizens to communicate even in the face
of such heavy-handed censorship efforts. A common
theme across these proposals has been the use of wire-
less mesh networks. We argue that such networks are
poorly equipped to serve as a meaningful countermea-
sure against large-scale blackouts due to their intrin-
sically poor scaling properties. We further argue that
projects in this space must consider user safety as first
design priority and thus far have failed to preserve user
anonymity and to rely only on innocuous hardware.
>From these two insights, we frame a definition of
dissent networks to capture the essential requirements for
blackout circumvention solutions

http://www.eecs.berkeley.edu/~yahel/papers/Building_Dissent_Networks-Towards_Effective_Countermeasures_against_Large-Scale_Communications_Blackouts.FOCI2013.pdf

-- 
You received this message because you are subscribed to the Google Groups "Serval Project Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to serval-project-developers+unsubscribe at googlegroups.com.
To post to this group, send email to serval-project-developers at googlegroups.com.
Visit this group at http://groups.google.com/group/serval-project-developers.
For more options, visit https://groups.google.com/groups/opt_out.



----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From billstclair at gmail.com  Tue Jul 23 07:35:47 2013
From: billstclair at gmail.com (Bill St. Clair)
Date: Tue, 23 Jul 2013 10:35:47 -0400
Subject: Python Random Number Generator for OTP
In-Reply-To: <820323d3dd0dd4e28f5fc3deba096903.squirrel@letter.sics.se>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <820323d3dd0dd4e28f5fc3deba096903.squirrel@letter.sics.se>
Message-ID: <CAARJRB4uvAu=Aa+HKusKONC45K4WuYW-=5rmBt-Jw07KfoMXwQ@mail.gmail.com>

On Tue, Jul 23, 2013 at 10:04 AM, KPJ <kpj at sics.se> wrote:

> A sound card in your box then can deliver random numbers.
>
> You may wish to look into this:
>
>
> http://www.guyrutenberg.com/2010/05/14/audio-based-true-random-number-generator-poc/
>
> This may also interest you;
>
> http://www.volkerschatz.com/science/audiorng.html


For Debian-based Linux distros, e.g. Ubuntu, this is automated by the
"randomsound" package:

  http://packages.debian.org/wheezy/randomsound

  sudo apt-get install  randomsound

There's also audio-entropyd, but I haven't used that:

  http://www.vanheusden.com/aed/

He has links to other entropy generators.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1536 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130723/5767f5cd/attachment.txt>

From ronperry at cryptogroup.net  Tue Jul 23 02:52:02 2013
From: ronperry at cryptogroup.net (Ron Perry)
Date: Tue, 23 Jul 2013 10:52:02 +0100
Subject: Python Random Number Generator for OTP
In-Reply-To: <CAFDBa1VhiP13c-RgtpMycPs9tALxdBNT+6hQz+2zjXaCNKXfTw@mail.gmail.com>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
 <CAFDBa1VhiP13c-RgtpMycPs9tALxdBNT+6hQz+2zjXaCNKXfTw@mail.gmail.com>
Message-ID: <20130723105202.794afd7f@pilgrim.schema>

On Tue, 23 Jul 2013 08:31:16 +0200
Yan Zhu <yan at mit.edu> wrote:

> On Mon, Jul 22, 2013 at 11:46 PM, Andy Isaacson <adi at hexapodia.org>
> wrote:
> Is there a secure way to timeshare a single entropy source such as an
> entropy key? High-quality entropy sources are often fragile,
> expensive, or difficult to manufacture and maintain. If Alice has a
> friggin' amazing entropy source, and Bob wants to use it from afar,
> what would be the best way for Alice to let Bob retrieve data from
> the entropy source when she wasn't using it?

Reasonably good hardware RNGs are widely available. Just get yourself a
RaspberryPI and use it for RN and keygen and crypto and airgapped
computing and....




From sandyinchina at gmail.com  Tue Jul 23 08:22:00 2013
From: sandyinchina at gmail.com (Sandy Harris)
Date: Tue, 23 Jul 2013 11:22:00 -0400
Subject: Python Random Number Generator for OTP
In-Reply-To: <CAARJRB4uvAu=Aa+HKusKONC45K4WuYW-=5rmBt-Jw07KfoMXwQ@mail.gmail.com>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <820323d3dd0dd4e28f5fc3deba096903.squirrel@letter.sics.se>
 <CAARJRB4uvAu=Aa+HKusKONC45K4WuYW-=5rmBt-Jw07KfoMXwQ@mail.gmail.com>
Message-ID: <CACXcFmnCt_26BXsQ+as_va3xWcjpzh80CGASkXiUReBe50daxQ@mail.gmail.com>

If you want to use a sound card as an entropy source,
look at turbid, a solid design with well-documented
analysis of its randomness:

http://www.av8n.com/turbid/paper/turbid.htm

For a timing-based source, look at haveged
which is in Debian:
http://www.issihosts.com/haveged/

but consider this critique:
http://jakob.engbloms.se/archives/1374

For a cheap simple RNG that needs more
analysis before it is seriously trusted, see
my timing-based demon:
ftp://ftp.cs.sjtu.edu.cn:990/sandy/maxwell/


Documentation there discusses several
alternatives,




From jon at callas.org  Tue Jul 23 11:39:52 2013
From: jon at callas.org (Jon Callas)
Date: Tue, 23 Jul 2013 11:39:52 -0700
Subject: Python Random Number Generator for OTP
In-Reply-To: <20130723154517.GA29309@jfet.org>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <820323d3dd0dd4e28f5fc3deba096903.squirrel@letter.sics.se>
 <20130723154517.GA29309@jfet.org>
Message-ID: <CAEF332A-D47B-4F64-AF2E-CED17427C195@callas.org>

> As is the case with most random noise sources, you obviously want to
> whiten the output before adding it to your entropy pool.

Actually, you want to whiten it before output, not before input. Whitening before input is a problem, because you can't run an estimator on the input -- because it's been whitened.

If you want to know the unbiased entropy of a source, you want the raw inputs. If you don't care about the unbiased entropy, then you don't.

	Jon






From rsw at jfet.org  Tue Jul 23 08:45:17 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Tue, 23 Jul 2013 11:45:17 -0400
Subject: Python Random Number Generator for OTP
In-Reply-To: <820323d3dd0dd4e28f5fc3deba096903.squirrel@letter.sics.se>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <820323d3dd0dd4e28f5fc3deba096903.squirrel@letter.sics.se>
Message-ID: <20130723154517.GA29309@jfet.org>

You can also build an apparently pretty decent white noise source by
amplifying avalance noise in a reverse-biased diode.
    http://web.jfet.org/hw-rng.html

As is the case with most random noise sources, you obviously want to
whiten the output before adding it to your entropy pool.
    http://en.wikipedia.org/wiki/Hardware_random_number_generator#Software_whitening

-=rsw




From rsw at jfet.org  Tue Jul 23 08:52:45 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Tue, 23 Jul 2013 11:52:45 -0400
Subject: The Muslim Problem
In-Reply-To: <51EEE665.1030507@gmail.com>
References: <6B01D74F-8233-4458-9114-E6207E447E5A@rocketmail.com>
 <CAGUkT8afg-hRi8SxvnW0qWKVbooT5Vhc3hH7GETXSXhho3FFvA@mail.gmail.com>
 <CAMGhuPGcNdLAFGqCYz=mVEGzJNsK0Td3WBzN5Va3gzfQgcwbnA@mail.gmail.com>
 <20130722042953.9286DDB34@a-pb-sasl-quonix.pobox.com>
 <CAHWD2r+x-9Y3CdknDRJhpYoSqv6Wtbk_x5ToJ6oQFnn-KVRuzw@mail.gmail.com>
 <51EEE665.1030507@gmail.com>
Message-ID: <20130723155245.GB29309@jfet.org>

george torwell <bpmcontrol at gmail.com> wrote:
> newb here,
> wasnt that the reason the original list died?
> not the hate speech, the censorship of unpopular opinions <and competing
> products>?
> arent we trying to re insert the punk into cypherpunk?
> show me that punk aint dead list... <or send me hate mail. in true
> cypherpunk spirit>

My recollection is that it was a combination of people drifting away
onto other lists with a less, ahem, combative spirit, and many of the
old-timers losing interest. That the latter was coincident with many of
the CDR nodes going down was probably no coincidence, as it were.

In any case, there's been no censorship 'round these parts except the
now-standard filtering of posts by nonmembers (known remailers are also
whitelisted). If someone gets truly abusive I'm sure we could vote them
off the island, as it were, but in most cases I'm pretty sure the
community should be able to defend itself without resorting to
moderation.

-=rsw




From eugen at leitl.org  Tue Jul 23 02:53:06 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 23 Jul 2013 11:53:06 +0200
Subject: [serval-project-dev] Building Dissent Networks: Towards Effective
 Countermeasures against Large-Scale Communications Blackouts
Message-ID: <20130723095306.GM29404@leitl.org>

----- Forwarded message from "8f6e58ee at gmail.com" <8f6e58ee at gmail.com> -----


From eugen at leitl.org  Tue Jul 23 03:26:25 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 23 Jul 2013 12:26:25 +0200
Subject: NSA growth fueled by need to target terrorists
Message-ID: <20130723102625.GN29404@leitl.org>


"By September 2004, a new NSA technique enabled the agency 
to find cellphones even when they were turned off."

http://www.washingtonpost.com/world/national-security/nsa-growth-fueled-by-need-to-target-terrorists/2013/07/21/24c93cf4-f0b1-11e2-bed3-b9b6fe264871_story.html

NSA growth fueled by need to target terrorists

View Photo Gallery — The NSA’s growing footprint: The spy agency is in the
midst of a hiring, construction and contracting boom. Here is a look at some
of its sites.

By Dana Priest, Published: July 22 E-mail the writer Twelve years later, the
cranes and earthmovers around the National Security Agency are still at work,
tearing up pavement and uprooting trees to make room for a larger workforce
and more powerful computers. Already bigger than the Pentagon in square
footage, the NSA’s footprint will grow by an additional 50 percent when
construction is complete in a decade.

And that’s just at its headquarters at Fort Meade, Md.
 
In post-9/11 world, dramatic — but largely hidden — growth at NSA

Dana Priest JUL 22

The hiring, building and contracting boom at the agency has been fed by a
rising need for the data it provides.

The nation’s technical spying agency has enlarged all its major domestic
sites — in Colorado, Georgia, Hawaii, Texas and Utah — as well as those in
Australia and Britain.

Since the attacks of Sept. 11, 2001, its civilian and military workforce has
grown by one-third, to about 33,000, according to the NSA. Its budget has
roughly doubled, and the number of private companies it depends on has more
than tripled, from 150 to close to 500, according to a 2010 Washington Post
count.

The hiring, construction and contracting boom is symbolic of the hidden fact
that in the years after the Sept. 11 attacks, the NSA became the single most
important intelligence agency in finding al-Qaeda and other enemies overseas,
according to current and former counterterrorism officials and experts. “We
Track ’Em, You Whack ’Em” became a motto for one NSA unit, a former senior
agency official said.

The story of the NSA’s growth, obscured by the agency’s extreme secrecy, is
directly tied to the insatiable demand for its work product by the rest of
the U.S. intelligence community, military units and the FBI.

The NSA’s broad reach in servicing that demand is at the heart of the
controversy swirling around the agency these days. Both Congress and the
public have been roiled by the disclosure of top-secret documents detailing
the collection of U.S. phone records and the monitoring of e-mails,
­social-media posts and other Web traffic of foreign terrorism suspects and
their enablers.

Lacking a strong informant network to provide details about al-Qaeda, U.S.
intelligence and the military turned to the NSA’s technology to fill the
void. The demand for information also favored the agency’s many surveillance
techniques, which try to divine the intent of people by vacuuming up and
analyzing their communications.

“There was nothing that gave you more insight into the inner workings of
these organizations as the NSA,” said Michael Leiter, former director of the
National Counter­terrorism Center. “I can’t think of any terrorist
investigation where the NSA was not a pre­eminent or central player.”

One top-secret document recently disclosed by former intelligence contractor
Edward Snow­den, who is on the run from U.S. authorities, revealed that 60
percent of the president’s daily intelligence briefing came from the NSA in
2000, even before the surge in the agency’s capabilities began.

“The foreign signals that NSA collects are invaluable to national security,”
the agency said in a statement released Friday to The Post. “This information
helps the agency determine where adversaries are located, what they’re
planning, when they’re planning to carry it out, with whom they’re working,
and the kinds of weapons they’re using.”

A motto quickly caught on at Geo Cell: “We Track ’Em, You Whack ’Em.”

With the 2003 invasion of Iraq, and the surprisingly quick disintegration of
postwar conditions there, the NSA began sending collectors with surveillance
equipment to embed with Army brigades and Marine regimental combat teams to
target insurgents and terrorists. The units were called tactical cryptologic
support teams. The military commanders often had no prior understanding of
what the NSA did. But they quickly demanded more of the agency once they
learned what it could do.
 
At the same time, the NSA supported a parallel effort by CIA paramilitary
units and clandestine Joint Special Operations Command (JSOC) teams tasked
with capturing or killing al-Qaeda leaders, deemed “high-value targets.” NSA
analysts and collectors moved into the JSOC commander’s new and growing
operational headquarters in Balad, Iraq, which also serviced Afghanistan.

By September 2004, a new NSA technique enabled the agency to find cellphones
even when they were turned off. JSOC troops called this “The Find,” and it
gave them thousands of new targets, including members of a burgeoning
al-Qaeda-sponsored insurgency in Iraq, according to members of the unit.

At the same time, the NSA developed a new computer linkup called the Real
Time Regional Gateway into which the military and intelligence officers could
feed every bit of data or seized documents and get back a phone number or
list of potential targets. It also allowed commanders to see, on a screen,
every type of surveillance available in a given territory.

Air Force Gen. Michael V. Hayden, former director of the NSA, said in an
interview last week that he would tell people, “If we could do this half
well, this will be the golden age of sigint,” or signals intelligence.

A growing reach

The battlefield technology overseas was matched by a demand back in the
United States for larger amounts of data to mine using the NSA’s increasingly
sophisticated computers. Financial and biometric data, the movement of money
overseas, and pattern and link analysis became standard NSA tools. Another
example, recently revealed by Snowden, is the bulk collection of telephone
metadata — information about numbers dialed and the duration of the calls.

The NSA’s burgeoning secret activities splashed into public view in 2005 when
the New York Times reported on the warrantless surveillance of U.S.
communications, and subsequent statements by former NSA employees contended
that the agency was collecting Americans’ e-mails and phone calls. Some
suspected that NSA capabilities were limitless when it came to
counterterrorism investigations.

Although the NSA tries hard to maintain a low profile, the physical
manifestation of its growing importance has been quietly evident to the
communities that surround its major foreign and domestic bases.

Within the past couple of years, bulldozers have plowed through the earth
near Bluffdale, Utah, to ready a million-square-foot facility housing a
center that will store oceans of bulk data.

In 2007, ground was broken for a $1 billion facility on 120 acres at Fort
Gordon, where an NSA workforce of 4,000 collects and processes signals
intelligence from the Middle East, according to the agency.

In Hawaii, the NSA outgrew its Schofield Barracks Army site years ago and
opened a 250,000-square-foot, $358 million work space adjacent to it last
year. The Wahiawa Annex is the last place that Snowden, then a contractor for
Booz Allen Hamilton, worked before leaving with thousands of top-secret
documents. The main job of the NSA’s Hawaii facility is to process signals
intelligence from around the Pacific Rim.

In Texas, the agency has added facilities to its San Antonio-based
operations. Its main site, at Lackland Air Force Base, processes signals
intelligence from Central and South America. In Colorado, the NSA’s expanding
facilities on Buckley Air Force Base in Aurora collect and process
information about weapons systems around the globe.

Overseas, the NSA’s station at RAF Menwith Hill on the moors of Yorkshire is
planned to grow by one-third, to an estimated 2,500 employees, according to
studies undertaken by local activists. Although hidden from the main road, up
close it is hard to miss the 33 bright-white radar domes that sprout on the
deep green landscape. They are thought to collect signals intelligence from
parts of Europe, the Middle East and North Africa.

The NSA’s Pine Gap site in Australia has added hundreds of new employees and
several new facilities in recent years. Over the years, Pine Gap has played a
role in many U.S. and NATO military operations, including intercepting
communications about possible nuclear testing by the Soviet Union during the
Cold War and an analysis of the technical characteristics of Iraq’s GPS
jamming systems during the 2003 invasion, according to a book by David
Rosenberg, a former NSA analyst at Pine Gap. It also processes signals
intelligence from parts of Asia.

The upgrades to the cryptologic centers were done “to make the agency’s
global enterprise even more seamless as we confronted increasingly networked
adversaries,” according to the NSA statement to The Post. “However, we always
adjust our efforts to exploit the foreign communications of adversaries and
defend vital U.S. networks in accordance with national priorities and in full
accordance with U.S. law.”

It added: “The notion of constant, unchecked, or senseless growth is a myth.”


Julie Tate contributed to this report.




From codesinchaos at gmail.com  Tue Jul 23 03:49:23 2013
From: codesinchaos at gmail.com (CodesInChaos)
Date: Tue, 23 Jul 2013 12:49:23 +0200
Subject: Python Random Number Generator for OTP
In-Reply-To: <51EE318C.9070309@mehnert.org>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
 <51EE318C.9070309@mehnert.org>
Message-ID: <CAK9dnSzFnchEDs-rs7rCvgrdq5TFDWAA98keTobS3OdzAX7bbA@mail.gmail.com>

>  Why not use /dev/random, instead of "ensuring you have entropy"

/dev/random limits the output size to the estimated entropy. So it has
abysmal performance unless there are high performance entropy sources
available. After the initial seeding this gains very little security in
practice.
/dev/urandom unblocks before it has sufficient entropy on some systems. So
it's not guaranteed to be secure and sometimes fails in practice.

What you normally want is a source that blocks after boot until it has
accumulated enough initial entropy (say 256 bits), and then never blocks
again.
It's not like a good PRNG gets weaker as more data is read from it when
your adversaries are computationally bounded.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 832 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130723/2dff84c5/attachment.txt>

From womefly at yahoo.ie  Tue Jul 23 05:05:51 2013
From: womefly at yahoo.ie (Dabby Kish)
Date: Tue, 23 Jul 2013 13:05:51 +0100 (BST)
Subject: Python Random Number Generator for OTP
In-Reply-To: <20130723083453.GC27178@hexapodia.org>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
 <CAFDBa1VhiP13c-RgtpMycPs9tALxdBNT+6hQz+2zjXaCNKXfTw@mail.gmail.com>
 <20130723083453.GC27178@hexapodia.org>
Message-ID: <1374581151.22803.YahooMailNeo@web171906.mail.ir2.yahoo.com>





________________________________
 On Tue, Jul 23, 2013 at 08:31:16AM +0200, Yan Zhu wrote:
>> Is there a secure way to timeshare a single entropy source such as an
>> entropy key? High-quality entropy sources are often fragile, expensive, or
>> difficult to manufacture and maintain. If Alice has a friggin' amazing
>> entropy source, and Bob wants to use it from afar, what would be the best
>> way for Alice to let Bob retrieve data from the entropy source when she
>> wasn't using it?

On Tuesday, 23 July 2013, 8:34:54, Andy Isaacson replied

>If Bob requires *really* *great* entropy, why would he trust a network
l>ink (secured with a non information theoretically secure cipher such as
>AES) to transmit his entropy securely?

Since the network seeks to compress data at every turn, I think we can
say it knows entropy when it sees it.

...

>In short -- asking someone else to generate your random numbers is, of
>course, a state of sin.

God told me to tell you to stop submitting the query

https://duckduckgo.com/?q=random+number+between+0+and+100
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1710 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130723/4b01b987/attachment.txt>

From virtualadept at gmail.com  Tue Jul 23 10:41:35 2013
From: virtualadept at gmail.com (Bryce Lynch)
Date: Tue, 23 Jul 2013 13:41:35 -0400
Subject: [serval-project-dev] mesh networking patent application - prior art request
Message-ID: <mailman.4379.1575949048.62801.testlist@lists.cpunks.org>

On Tue, Jul 23, 2013 at 7:54 AM, Dan Staples <
danstaples at opentechinstitute.org> wrote:

> That's sickening. Not paying a dime in US taxes on billions of dollars
> of profit apparently isn't enough for GE, now they have to patent mesh
> technology.
>

Mesh networking is too potentially dangerous to go unrestricted.

That said, I just posted a bunch of stuff to that thread with as many links
to verifiable code commits in public repos as I could.  Anybody so inclined
to check my work, please do, and some up-votes would be nice if they don't
suck too badly.

-- 
The Doctor [412/724/301/703] [ZS]
https://drwho.virtadpt.net/
"I am everywhere."

-- 
You received this message because you are subscribed to the Google Groups "Serval Project Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to serval-project-developers+unsubscribe at googlegroups.com.
To post to this group, send email to serval-project-developers at googlegroups.com.
Visit this group at http://groups.google.com/group/serval-project-developers.
For more options, visit https://groups.google.com/groups/opt_out.



----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From rsw at jfet.org  Tue Jul 23 12:04:09 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Tue, 23 Jul 2013 15:04:09 -0400
Subject: Python Random Number Generator for OTP
In-Reply-To: <CAEF332A-D47B-4F64-AF2E-CED17427C195@callas.org>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <820323d3dd0dd4e28f5fc3deba096903.squirrel@letter.sics.se>
 <20130723154517.GA29309@jfet.org>
 <CAEF332A-D47B-4F64-AF2E-CED17427C195@callas.org>
Message-ID: <20130723190409.GA1271@jfet.org>

Jon Callas <jon at callas.org> wrote:
> If you want to know the unbiased entropy of a source, you want the raw
> inputs. If you don't care about the unbiased entropy, then you don't.

A fair point. I suppose what I should have said was that you want to
whiten it before you actually try to *use* it :)

-=rsw




From bill.stewart at pobox.com  Tue Jul 23 15:24:39 2013
From: bill.stewart at pobox.com (Bill Stewart)
Date: Tue, 23 Jul 2013 15:24:39 -0700
Subject: Python Random Number Generator for OTP
In-Reply-To: <CAK9dnSzFnchEDs-rs7rCvgrdq5TFDWAA98keTobS3OdzAX7bbA@mail.g
 mail.com>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
 <51EE318C.9070309@mehnert.org>
 <CAK9dnSzFnchEDs-rs7rCvgrdq5TFDWAA98keTobS3OdzAX7bbA@mail.gmail.com>
Message-ID: <20130723222446.98325D061@a-pb-sasl-quonix.pobox.com>


> > >Â  Why not use /dev/random, instead of "ensuring you have entropy"Â

> > /dev/random limits the output size to the 
> estimated entropy. So it has abysmal 
> performance unless there are high performance entropy sources available.

This is for a one-time pad.  Limiting the output 
size to the estimated entropy is a 
*requirement*.  Abysmal performance is fine, 
because you're going to transfer the pad using a 
briefcase handcuffed to a courier's arm or some 
similarly high-cost high-latency physical 
distribution method, though if you've got a 
higher-performance entropy source, great.

>  After the initial seeding this gains very little security in practice.

If "gains very little security in practice" is 
good enough for you, you don't need a one-time 
pad.  Yes, the pseudo-random bits you get out of 
/dev/urandom will probably be much better than 
the bits the Russians got by mashing down the 
keys on typewriters, and you're probably not 
going to be attacked with the persistence of the 
Venona decrypters, but don't waste your time 
using one-time pads unless you're going to use 
them perfectly.  You're much better off using a 
long-enough RSA key and some Diffie-Hellman 
session key generation.  (Of course, you still 
want good random numbers for those, but 
/dev/random is plenty fast enough for that, at 
least on any non-virtual machine.)





From kpj at sics.se  Tue Jul 23 07:04:22 2013
From: kpj at sics.se (KPJ)
Date: Tue, 23 Jul 2013 16:04:22 +0200
Subject: Python Random Number Generator for OTP
In-Reply-To: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
Message-ID: <820323d3dd0dd4e28f5fc3deba096903.squirrel@letter.sics.se>

2013-07-22 16:50:55 -0400 Tom <ticom at sinister.com>:
| Does anyone on the list have some Python source code for an OTP-focused
| random number generator they'd be willing to share? I'm interested in
| seeing how different people would approach it?

A sound card in your box then can deliver random numbers.

You may wish to look into this:

http://www.guyrutenberg.com/2010/05/14/audio-based-true-random-number-generator-poc/

This may also interest you;

http://www.volkerschatz.com/science/audiorng.html






From oxopz7 at riseup.net  Tue Jul 23 19:01:01 2013
From: oxopz7 at riseup.net (oxopz7 at riseup.net)
Date: Tue, 23 Jul 2013 19:01:01 -0700
Subject: Gnu PG is more Safe ?
Message-ID: <da1458b52ed2dbeea67c45764b3e3f0a.squirrel@fulvetta.riseup.net>

Hello everybody!

I hope all are fine, and doing well!

I'm good member :) I hope you will accept me!

I like to ask about GNU PG, if is more safe than other kind of software!
that talks about Crypto ?

I like to ask also about good resources in Crypto, specially about SSL/TLS?

Have a nice day,
Cheers,
Ζακάρια




From oxopz7 at riseup.net  Tue Jul 23 20:25:48 2013
From: oxopz7 at riseup.net (oxopz7 at riseup.net)
Date: Tue, 23 Jul 2013 20:25:48 -0700
Subject: Gnu PG is more Safe ?
In-Reply-To: <E1V1pRA-000228-Ta@login01.fos.auckland.ac.nz>
References: <E1V1pRA-000228-Ta@login01.fos.auckland.ac.nz>
Message-ID: <a65173e277244f0d176ae250c57a7b91.squirrel@fulvetta.riseup.net>


No results about the last two books Peter! :'(

What about these books:

SSL TLS Essentials  Securing the Web
SSL and TLS Theory and Practice
Implementing SSL TLS Using Cryptography and PKI

Actually; I want to focus on the algorithms that are used on it.
Not just know or implement and doing things with these protocols!

Cheers to all,
Best Regards,

> Anthony Papillion <papillion at gmail.com> writes:
>
>>Because GnuPG is open source, it's been extensively peer reviewed and
>> found
>>safe and secure.
>
> That should actually say "because GnuPG is open source, people assume that
> someone else has extensively peer reviewed it and therefore assume that
> it's
> safe and secure".  For example there was a long-standing RNG bug that was
> very
> obvious if you looked at the code, but was only discovered by chance when
> someone who was interested in the RNG happend to read through the code and
> thought "hmm, surely that can't be right".  Having code that's open source
> doesn't help at all if no-one looks at it.
>
>>One of the best ways to learn about tech topics is reading RFC's. The
>> entire
>>way SSL/TLS operates is detailed in an RFC. Read I'd and you will be
>>infinately more informed.
>
> Argh, no.  The best way to confuse someone is to get them to read an RFC.
> Find
> a good book on the topic, e.g. for SSL/TLS there's Eric Rescorla's "SSL
> and
> TLS: Designing and Building Secure Systems".  Before that, read "Network
> Security: Private Communication in a Public World" by Kaufman et al.
>
> Peter.
>





From blibbet at gmail.com  Tue Jul 23 20:29:59 2013
From: blibbet at gmail.com (Blibbet)
Date: Tue, 23 Jul 2013 20:29:59 -0700
Subject: Gnu PG is more Safe ?
In-Reply-To: <0CF92D52-755A-4E33-A783-E1F558A78242@gmail.com>
References: <0CF92D52-755A-4E33-A783-E1F558A78242@gmail.com>
Message-ID: <51EF4A37.6070907@gmail.com>

> Because GnuPG is open source, it's been extensively peer reviewed and
> found safe and secure.  That doesn't mean it's perfect and has no
> errors. But they are much less likely to exist in GnuPG than in some
> other solutions; particularly proprietary ones.

Are there more than 3 current OpenPGP tools?

1) GnuPG, GPL'ed open source, based on GnuPG's own libgcrypt family of 
libraries. Many many features, including NSA SuiteB support. Widely used 
in scripts, relied on by Thunderbird EnigMail, and other tools.

2) NetPGP, BSD'ed open source, depends on libOpenSSL, and it's own 
OpenPGP:SDK (C library). Basic features only, more like last pgpi.org 
PGP 2.x open source command line tool. Very few ports, besides NetBSD 
(NetPGP's sponsor). less peer review than GPG. No NSA SuiteB support 
(though libOpenSSL does support it). Someone needs to add SuiteB 
support, and a few more ports, support for opensource keyservers, and 
SuiteB, then it would be a nice option.

3) PGP product Symantec/PGPcorp. extremely expensive, closed source, 
patented keyserver tech, zero community review. Apparently a rich set of 
features for commercial enterprise use.

If there are other open source OpenPGP tools besides GnuPG and NetPGP, 
that would be welcome news.





From jd.cypherpunks at gmail.com  Tue Jul 23 11:58:05 2013
From: jd.cypherpunks at gmail.com (jd.cypherpunks at gmail.com)
Date: Tue, 23 Jul 2013 20:58:05 +0200
Subject: Python Random Number Generator for OTP
In-Reply-To: <CAEF332A-D47B-4F64-AF2E-CED17427C195@callas.org>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <820323d3dd0dd4e28f5fc3deba096903.squirrel@letter.sics.se>
 <20130723154517.GA29309@jfet.org>
 <CAEF332A-D47B-4F64-AF2E-CED17427C195@callas.org>
Message-ID: <62CE74F3-878E-4C3D-A074-76CEE79EC731@gmail.com>


Exactly. Thanks for clarification Jon.
--Michael


Am 23.07.2013 um 20:39 schrieb Jon Callas <jon at callas.org>:

>> As is the case with most random noise sources, you obviously want to
>> whiten the output before adding it to your entropy pool.
> 
> Actually, you want to whiten it before output, not before input. Whitening before input is a problem, because you can't run an estimator on the input -- because it's been whitened.
> 
> If you want to know the unbiased entropy of a source, you want the raw inputs. If you don't care about the unbiased entropy, then you don't.
> 
>    Jon
> 
> 
> 




From papillion at gmail.com  Tue Jul 23 19:24:50 2013
From: papillion at gmail.com (Anthony Papillion)
Date: Tue, 23 Jul 2013 21:24:50 -0500
Subject: Gnu PG is more Safe ?
Message-ID: <0CF92D52-755A-4E33-A783-E1F558A78242@gmail.com>

On Jul 23, 2013, at 9:01 PM, oxopz7 at riseup.net wrote:

> Hello everybody!
>
> I hope all are fine, and doing well!
>
> I'm good member :) I hope you will accept me!

Welcome to the list! It's good to see so many new members coming on  
board. I'm new myself.

> I like to ask about GNU PG, if is more safe than other kind of  
> software!
> that talks about Crypto ?

Because GnuPG is open source, it's been extensively peer reviewed and  
found safe and secure.  That doesn't mean it's perfect and has no  
errors. But they are much less likely to exist in GnuPG than in some  
other solutions; particularly proprietary ones.

> I like to ask also about good resources in Crypto, specially about  
> SSL/TLS?

One of the best ways to learn about tech topics is reading RFC's. The  
entire way SSL/TLS operates is detailed in an RFC. Read I'd and you  
will be infinately more informed.

Unfortunately, I can't really recommend any good crypto list because  
I've not found many. To learn about FnuPG and practice, you might want  
to look at the PGPNET list. Another of interest might be Cryptography.

Regards and Welcome!
Anthony




From papillion at gmail.com  Tue Jul 23 20:20:40 2013
From: papillion at gmail.com (Anthony Papillion)
Date: Tue, 23 Jul 2013 22:20:40 -0500
Subject: Gnu PG is more Safe ?
In-Reply-To: <E1V1pRA-000228-Ta@login01.fos.auckland.ac.nz>
References: <E1V1pRA-000228-Ta@login01.fos.auckland.ac.nz>
Message-ID: <A7CEB53C-CE89-4F0E-A334-FA870EC563B5@gmail.com>

On Jul 23, 2013, at 10:08 PM, Peter Gutmann  
<pgut001 at cs.auckland.ac.nz> wrote:

> Anthony Papillion <papillion at gmail.com> writes:
>
>> Because GnuPG is open source, it's been extensively peer reviewed  
>> and found
>> safe and secure.
>
> That should actually say "because GnuPG is open source, people  
> assume that
> someone else has extensively peer reviewed it and therefore assume  
> that it's
> safe and secure".  For example there was a long-standing RNG bug  
> that was very
> obvious if you looked at the code, but was only discovered by chance  
> when
> someone who was interested in the RNG happend to read through the  
> code and
> thought "hmm, surely that can't be right".  Having code that's open  
> source
> doesn't help at all if no-one looks at it.

True. So perhaps we can say it is "less likely" to have glaring bugs  
than it's proprietary counterparts. Sure, bugs will be overlooked or  
outright missed in any project of size. But with more eyes comes a  
better chance of bugs and backdiors being caught.

>> One of the best ways to learn about tech topics is reading RFC's.  
>> The entire
>> way SSL/TLS operates is detailed in an RFC. Read I'd and you will be
>> infinately more informed.
>
> Argh, no.  The best way to confuse someone is to get them to read an  
> RFC. Find
> a good book on the topic, e.g. for SSL/TLS there's Eric Rescorla's  
> "SSL and
> TLS: Designing and Building Secure Systems".  Before that, read  
> "Network
> Security: Private Communication in a Public World" by Kaufman et al.

It depends on the RFC and how it's written. I've read many RFC's that  
were very informative and easy to understand. A well written book on  
the topic is always better, but you can almost always find what you  
need in the RFC. It may not be optimal but it's not horrible.

Anthony




From bpmcontrol at gmail.com  Tue Jul 23 13:24:05 2013
From: bpmcontrol at gmail.com (george torwell)
Date: Tue, 23 Jul 2013 23:24:05 +0300
Subject: The Muslim Problem
In-Reply-To: <CAHWD2r+x-9Y3CdknDRJhpYoSqv6Wtbk_x5ToJ6oQFnn-KVRuzw@mail.gmail.com>
References: <6B01D74F-8233-4458-9114-E6207E447E5A@rocketmail.com>
 <CAGUkT8afg-hRi8SxvnW0qWKVbooT5Vhc3hH7GETXSXhho3FFvA@mail.gmail.com>
 <CAMGhuPGcNdLAFGqCYz=mVEGzJNsK0Td3WBzN5Va3gzfQgcwbnA@mail.gmail.com>
 <20130722042953.9286DDB34@a-pb-sasl-quonix.pobox.com>
 <CAHWD2r+x-9Y3CdknDRJhpYoSqv6Wtbk_x5ToJ6oQFnn-KVRuzw@mail.gmail.com>
Message-ID: <51EEE665.1030507@gmail.com>

newb here,
wasnt that the reason the original list died?
not the hate speech, the censorship of unpopular opinions <and competing
products>?
arent we trying to re insert the punk into cypherpunk?
show me that punk aint dead list... <or send me hate mail. in true
cypherpunk spirit>

On 07/22/2013 09:45 PM, Lodewijk andré de la porte wrote:
> I enjoy hate speech. Especially about me. Inbreeding might be a
> serious problem for muslims. Genetic diversity has always been a
> difficult subject for me to fully grasp. I like how this article
> implies that British Royalty are idiots.
>
> I think if someone posts it here though, that should likely lead to a
> (medium term) ban. To make this list less unsubscribe worthy it's
> better to submit good matrial, and help or promote banning of those
> that don't.
>
> -Lewis




From grarpamp at gmail.com  Wed Jul 24 00:29:48 2013
From: grarpamp at gmail.com (grarpamp)
Date: Wed, 24 Jul 2013 03:29:48 -0400
Subject: Crowdfunding code reviews [was: GnuPG Safe]
Message-ID: <CAD2Ti28pV2hvtzAp+j7rvqZhmPskSGokU2ou0dVinkk63s_nVw@mail.gmail.com>

On Tue, Jul 23, 2013 at 11:08 PM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Having code that's open source doesn't help at all if no-one looks at it.

It is easy to write code. Harder to write it securely. Even harder to spot
your own mistakes. And unless perfect written from the start, will need
reviewed and fixed. Yet time to review and fix is not as free as the time
writing it, is often viewed as a chore, and happens far less than open
source assumes it does.

Are we developed enough to begin putting together lists of most critical
libraries/tools/apps and pipelining them through a crowdfunded independant
peer review program? (501c3 perhaps) Or at least put bounties on the
same lists.




From jya at pipeline.com  Wed Jul 24 05:00:26 2013
From: jya at pipeline.com (John Young)
Date: Wed, 24 Jul 2013 08:00:26 -0400
Subject: Gnu PG is more Safe ?
In-Reply-To: <E1V1tXc-0004x6-U2@login01.fos.auckland.ac.nz>
References: <51EF7B99.90207@gmail.com>
 <E1V1tXc-0004x6-U2@login01.fos.auckland.ac.nz>
Message-ID: <E1V1xjt-0002eA-Be@elasmtp-junco.atl.sa.earthlink.net>

Snarling disagreement, condescension and supplication,
nectar and myrrh. Read books, quaintness from hell
if not on SM in snippets.

Inspired, the need to monetize crypto attacks rather than
by "free cigarette sample" open source. That follows the
well-paid bounty model of major software producers recently
reported. Attackers build rep by hacks then convert to a business
model, why this very list has successful graduates of this
curriculum: if not extortion and exploits then by contracts,
aka peacekeeping needing daily deposit of gash.

It also follows the national intelligence model of grabbing
open source material then classifying it as gov property
sold back to the citizenry through the free market for
extortionate security. Get some and copyright it.

Cryptoanarchy is precisely this digital stash counterfeiting,
RTF Bible by Rt Rev TCM. Tap his steel gate and die by
his wildcats.

Oh, and newbies are open source thieves working for
OS spies, see the bible's classified Annex available
by continuous automatic updates, not free to SOB
TLAs running all possible crypto learning and hustling
initiatives. This is WK fact, see frequent references
in the archives, in the archives, oh, the archives will
make you sagely numb.

Need a numb sage lawyer to advise on your Crypto-AG
racket? Stewart Baker is top of the sages ex-NSA,
connected to all the others out to eat your baloney wich
or hire you cheaply under life-wrecking NDA if a new
immigrant still working in a cellar in PK.

"Fuck cpunks to death." Is this still redacted here?





From martin.rublik at gmail.com  Wed Jul 24 00:00:41 2013
From: martin.rublik at gmail.com (Martin Rublik)
Date: Wed, 24 Jul 2013 09:00:41 +0200
Subject: Gnu PG is more Safe ?
In-Reply-To: <A7CEB53C-CE89-4F0E-A334-FA870EC563B5@gmail.com>
References: <E1V1pRA-000228-Ta@login01.fos.auckland.ac.nz>
 <A7CEB53C-CE89-4F0E-A334-FA870EC563B5@gmail.com>
Message-ID: <51EF7B99.90207@gmail.com>

On 24. 7. 2013 5:20, Anthony Papillion wrote:
> 
> True. So perhaps we can say it is "less likely" to have glaring bugs than it's
> proprietary counterparts. Sure, bugs will be overlooked or outright missed in
> any project of size. But with more eyes comes a better chance of bugs and
> backdiors being caught.

There is a paper on discovering vulnerabilities in open source and proprietary
software you might find interesting:

Härtig, Hermann, Claude-Joachim Hamann, and Michael Roitzsch. "The Mathematics
of Obscurity: On the Trustworthiness of Open Source." Workshop on the Economics
of Information Security 2010.
http://weis2010.econinfosec.org/papers/session6/weis2010_haertig.pdf

Kind regards

Martin




From adi at hexapodia.org  Wed Jul 24 09:16:27 2013
From: adi at hexapodia.org (Andy Isaacson)
Date: Wed, 24 Jul 2013 09:16:27 -0700
Subject: Gnu PG is more Safe ?
In-Reply-To: <E1V1tXc-0004x6-U2@login01.fos.auckland.ac.nz>
References: <51EF7B99.90207@gmail.com>
 <E1V1tXc-0004x6-U2@login01.fos.auckland.ac.nz>
Message-ID: <20130724161627.GA13555@hexapodia.org>

On Wed, Jul 24, 2013 at 07:31:20PM +1200, Peter Gutmann wrote:
> unsurprisingly, that being open source doesn't magically make you more secure.
> You only find bugs (vulns) if someone looks for them, and a closed-source app
> that's actively analysed for vulns (because the vendor pays employees to do
> it) is going to be more secure than an open-source app that no-one looks at
> because they're not motivated to.

Of course open source isn't magic pixie dust, but neither is most
commercial software very well analyzed.  There are exceptions, but most
commercial software that I have direct experience with is lacking the
"active analysis" by people who are qualified and motivated to find
bugs.

-andy




From jens at kubieziel.de  Wed Jul 24 00:29:29 2013
From: jens at kubieziel.de (Jens Kubieziel)
Date: Wed, 24 Jul 2013 09:29:29 +0200
Subject: Gnu PG is more Safe ?
In-Reply-To: <da1458b52ed2dbeea67c45764b3e3f0a.squirrel@fulvetta.riseup.net>
References: <da1458b52ed2dbeea67c45764b3e3f0a.squirrel@fulvetta.riseup.net>
Message-ID: <20130724072929.GA17569@kubieziel.de>

* oxopz7 at riseup.net schrieb am 2013-07-24 um 04:01 Uhr:
> I like to ask about GNU PG, if is more safe than other kind of software!
> that talks about Crypto ?

Some years ago Felix von Leitner had a look at GnuPG. His findings were
quite disappointing (<URL:http://blog.fefe.de/?ts=bb5547d2>). However
now all things were quietly fixed. My impression from the episode is
that GnuPG needs a proper review. Maybe it has more bugs inside.
See <URL:https://duckduckgo.com/?q=gnupg+site%3Ablog.fefe.de> for Felix'
comment (in german).

-- 
Jens Kubieziel                                   http://www.kubieziel.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130724/f30f7800/attachment.sig>

From adi at hexapodia.org  Wed Jul 24 10:27:06 2013
From: adi at hexapodia.org (Andy Isaacson)
Date: Wed, 24 Jul 2013 10:27:06 -0700
Subject: Python Random Number Generator for OTP
In-Reply-To: <20130723222446.98325D061@a-pb-sasl-quonix.pobox.com>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
 <51EE318C.9070309@mehnert.org>
 <CAK9dnSzFnchEDs-rs7rCvgrdq5TFDWAA98keTobS3OdzAX7bbA@mail.gmail.com>
 <20130723222446.98325D061@a-pb-sasl-quonix.pobox.com>
Message-ID: <20130724172706.GL27178@hexapodia.org>

On Tue, Jul 23, 2013 at 03:24:39PM -0700, Bill Stewart wrote:
> >> >  Why not use /dev/random, instead of "ensuring you have entropy"
> >> /dev/random limits the output size to the estimated entropy. So
> >it has abysmal performance unless there are high performance
> >entropy sources available.
> 
> This is for a one-time pad.  Limiting the output size to the
> estimated entropy is a *requirement*.  Abysmal performance is fine,
> because you're going to transfer the pad using a briefcase
> handcuffed to a courier's arm or some similarly high-cost
> high-latency physical distribution method, though if you've got a
> higher-performance entropy source, great.

My /dev/random generates a few hundred kilobytes a day.  I exchange OTPs
on a SD card to a friend sitting across the table.  I need to be able to
make a bigger pad than allowed by the horrifically overly conservative
entropy estimates provided by /dev/random.

-andy




From eugen at leitl.org  Wed Jul 24 02:26:55 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 24 Jul 2013 11:26:55 +0200
Subject: [serval-project-dev] mesh networking patent application - prior
 art request
Message-ID: <20130724092654.GA29404@leitl.org>

----- Forwarded message from Bryce Lynch <virtualadept at gmail.com> -----


From adi at hexapodia.org  Wed Jul 24 12:46:24 2013
From: adi at hexapodia.org (Andy Isaacson)
Date: Wed, 24 Jul 2013 12:46:24 -0700
Subject: Python Random Number Generator for OTP
In-Reply-To: <CAGFRu2mdK3wLGqe86dNW8DUi8NU9G333xwqMW5U1KpPmrK_XdQ@mail.gmail.com>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
 <51EE318C.9070309@mehnert.org>
 <CAK9dnSzFnchEDs-rs7rCvgrdq5TFDWAA98keTobS3OdzAX7bbA@mail.gmail.com>
 <20130723222446.98325D061@a-pb-sasl-quonix.pobox.com>
 <20130724172706.GL27178@hexapodia.org>
 <CAGFRu2mdK3wLGqe86dNW8DUi8NU9G333xwqMW5U1KpPmrK_XdQ@mail.gmail.com>
Message-ID: <20130724194624.GA18524@hexapodia.org>

On Wed, Jul 24, 2013 at 09:37:10PM +0200, Albin Olsson wrote:
> On Wed, Jul 24, 2013 at 7:27 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> > My /dev/random generates a few hundred kilobytes a day.  I exchange OTPs
> > on a SD card to a friend sitting across the table.  I need to be able to
> > make a bigger pad than allowed by the horrifically overly conservative
> > entropy estimates provided by /dev/random.
> 
> What OTP software do you use for actual communication?

I don't use it for anything real, because among other issues there's no
message integrity, but: onetime.

-andy




From dope457 at riseup.net  Wed Jul 24 05:06:09 2013
From: dope457 at riseup.net (dope457)
Date: Wed, 24 Jul 2013 14:06:09 +0200
Subject: [tor-talk] Tor Weekly News — July, 24th 2013
Message-ID: <mailman.4380.1575949048.62801.testlist@lists.cpunks.org>

========================================================================
Tor Weekly News                                          July 24th, 2013
========================================================================

Welcome to the 4th issue of Tor Weekly News, the weekly newsletter that
covers what is happening in the great Tor community.

The next newsletter is going to be posted to the resurrected tor-news
mailing-list. Just subscribe! [1]

   [1] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-news

Summer Development Meeting 2013
-------------------------------

About 40 core Tor contributors gathered over July 22-23 at the
Technische Universität München [2] in Germany for this year's Summer
Development Meeting [3]. That's quite a number, and as could be
expected, there are a huge number of topics up for discussion — the
brainstorming session generated around 150. Gunner from Aspiration
Tech [4] is once again facilitating the meeting, helping everyone focus
on the most pressing issues.

Rough notes from some of the break-out sessions are now up on the
wiki. A list of the topics and a brief summary of the discussions are
given below:

 * Love for volunteers: strategies for outreach and long-term support;
   identifying where they're most needed [5]
 * Censorship and pluggable transports: documenting the now-large number
   of pluggable transports; discussing countries' differing censorship
   strategies [6]
 * Fundraising: funding outlook seems to be positive, although diversity
   in funding sources is needed to reduce dependency on single institutions
   like the US Government [7]
 * Website Translation: notes from a discussion which led to the
   definition of a new translation review process and a list of
   actionables [8]
 * Service infrastructure: multiple fundamental services could use some
   more love: GetTor (TBB by email), website, Trac, check.tp.org,
   BridgeDB; shutting down unmaintained services [9]
 * Operational security: random notes on OpSec for Tor people [10]

On the sidelines of the dev meeting, Roger and Jake are doing a public
talk on the topic of 'Tor and the Censorship Arms Race'. [11]

If you want to meet people who spend their day making Tor a reality,
you can join them for a public hack day [12] on Friday, July 26,
2013. Bring your ideas, questions, projects, and technical expertise
with you!

   [2] http://www.tum.de/
   [3] https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting
   [4] http://aspirationtech.org/
   [5] https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting/LoveForVolunteers
   [6] https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting/PluggableTransports0
   [7] https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting/Fundraising
   [8] https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting/WebsiteTranslation
   [9] https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting/ServiceInfrastructure
  [10] https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting/OpSec
  [11] https://gnunet.org/tor2013tum
  [12] https://blog.torproject.org/blog/join-us-tor-hack-day-munich-germany

Remote descriptor fetching in Stem
----------------------------------

Damian Johnson announced [13] having implemented remote descriptor
fetching in Stem [14], a feature to migrate more metrics measurement
tools to Python [15]. “Its usage is pleasantly simple” wrote Damian. See
for yourself in the excellent documentation! [16]

  [13] https://lists.torproject.org/pipermail/tor-dev/2013-July/005156.html
  [14] https://stem.torproject.org/
  [15] https://lists.torproject.org/pipermail/tor-dev/2013-May/004924.html
  [16] https://stem.torproject.org/api/descriptor/remote.html

Orbot 12.0.1 call for beta testing
----------------------------------

After a long interval, Nathan Freitas announced the release of a new
version of Orbot - a client for the Tor network on Android mobile
devices [17]. For Orbot 12.0.1, the developers have “switched
versioning styles to a simpler major.minor.bugfix model”, wrote Nathan.

He continues with a call for testing: “Since we haven't done a release
in a while, and we have some new build tools, I mostly want to make sure
I have not done something terribly wrong in the build process. Please
confirm back if you are able to successfully use this release.”

Updates in 12.0.1:

 * Updated to Tor 0.2.4.15-RC
 * flashy screen bug fixed now shows traffic
 * Stats in notification area
 * better handling of preference settings
 * Changes added superuser permission for Cyanogen

You can download and start testing this release here [18] or here [19].

  [17]
https://lists.torproject.org/pipermail/tor-talk/2013-July/029063.html
  [18] https://rink.hockeyapp.net/apps/92ace552aa5344d1a802decb71525897/
  [19]
https://guardianproject.info/releases/Orbot-release-12.0.1-beta-1.apk

Miscellaneous development news
------------------------------

Lunar reported on the trip to Brussels for LSM 2013. [20] To sum it up,
“people are really supportive of what we do these days”.

anonym outlined [21] the release schedule for Tails 0.20.

intrigeri announced [22] that Tails has switched to a more conventional
task manager. It might now be easier for you to see what needs to be
done. Have a look at the current list of 496 open issues [23], there
might be something waiting just for you.

Tor developers would love to find an easier way to debug tor when the
daemon crashes. Nick Mathewson came up with an initial piece of code
that could (when complete) dump stack traces on assertion, crash, or
general trouble to the logs. There's more work to be done before
it can be merged in Tor. Feel free to help — especially if you know how
to do this on Windows or BSD. [24]

Nick Mathewson along with Andrea created a wiki page for initial 0.2.5
series ticket triage [25]. If you have your own agenda for 0.2.5, you
should be talking to them now!

Kostas Jakeliunas reported on their GSoC project about producing a
searchable metrics archive. [26]

Arturo reported on his activities on Ooni probe in June. [27]

Pierre Lalet announced [28] that he started working on an implementation
of the Tor protocol in Python. The intent is to have an independent
implementation to test Tor. As the author puts it, "the purpose is NOT
to implement a secure or robust implementation that could be an
alternative to Tor." Have a look at the code [29]: "Comments, fixes
and questions welcome !"

  [20] https://lists.torproject.org/pipermail/tor-reports/2013-July/000292.html
  [21] https://mailman.boum.org/pipermail/tails-dev/2013-July/003292.html
  [22] https://mailman.boum.org/pipermail/tails-dev/2013-July/003297.html
  [23] https://labs.riseup.net/code/projects/tails/issues
  [24] https://trac.torproject.org/projects/tor/ticket/9299
  [25] https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Tor/025/TicketTriage025
  [26] https://lists.torproject.org/pipermail/tor-dev/2013-July/005158.html
  [27] https://lists.torproject.org/pipermail/tor-reports/2013-July/000291.html
  [28] https://lists.torproject.org/pipermail/tor-dev/2013-July/005161.html
  [29] https://github.com/cea-sec/TorPylle

Upcoming events
---------------

Jul 26    | Tor Hack Day
          | München, Germany
          |
https://blog.torproject.org/blog/join-us-tor-hack-day-munich-germany
          |
Jul 31-05 | Tor at OHM
          | Geestmerambacht, Netherlands
          | https://ohm2013.org/
          |
Aug 1-4   | Runa Sandvik @ DEF-CON 21
          | Rio Hotel, Las Vegas, USA
          | https://www.defcon.org/html/defcon-21/dc-21-index.html
          |
Aug 13    | Roger at the 3rd USENIX Workshop on Free and Open
Communications on the Internet
          | Washington, DC, USA
          | https://www.usenix.org/conference/foci13/

This issue of Tor Weekly News has been assembled by Lunar, dope457,
harmony, moskvax, malaparte, whabib, and David Fifield.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [30], write down your
name and subscribe to the team mailing-list [31] if you want to
get involved!

  [30] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [31] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
-- 
tor-talk mailing list - tor-talk at lists.torproject.org
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From dahonig at cox.net  Wed Jul 24 14:56:17 2013
From: dahonig at cox.net (David Honig)
Date: Wed, 24 Jul 2013 14:56:17 -0700
Subject: Python Random Number Generator for OTP
In-Reply-To: <4Kn21m00l0kcRhR01Kn3GL>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
 <51EE318C.9070309@mehnert.org>
 <CAK9dnSzFnchEDs-rs7rCvgrdq5TFDWAA98keTobS3OdzAX7bbA@mail.gmail.com>
 <20130723222446.98325D061@a-pb-sasl-quonix.pobox.com>
 <20130724172706.GL27178@hexapodia.org>
 <CAGFRu2mdK3wLGqe86dNW8DUi8NU9G333xwqMW5U1KpPmrK_XdQ@mail.gmail.com>
 <4Kn21m00l0kcRhR01Kn3GL>
Message-ID: <20130724215618.BIAM3897.eastrmfepo102.cox.net@eastrmimpo210>


>
> > On Wed, Jul 24, 2013 at 7:27 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> > > My /dev/random generates a few hundred kilobytes a day.  I exchange OTPs

A long time ago I bought a geiger counter for crypto 
exploration.  Problem is, you can't buy rad sources strong enough to 
generate enough entropy (which is *still* subject to conditioning of 
course, despite the hype, and any way a GM tube will 
saturate..).  Even if you take your smoke detector apart and use an 
alpha-windowed tube.

But a detuned FM radio card seemed to do quite well.  Admittedly, no 
white vans driving my amps.  Are these sources not supported as 
entropy sources?   (Pardon my linux randomness being out of date)

Also, why u no trust Intel's RNG? :-)




Physical otp key exchange can't be beaten... unless your correspondent
is beaten..  silk burns clean, cyanide terminates the session




"..trying to avoid sinning in the von Neumann sense.."





I wish to God these calculations could be done by a
steam engine," Babbage complained 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1326 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130724/d68b7ccc/attachment.txt>

From pgut001 at cs.auckland.ac.nz  Tue Jul 23 20:08:24 2013
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Wed, 24 Jul 2013 15:08:24 +1200
Subject: Gnu PG is more Safe ?
In-Reply-To: <0CF92D52-755A-4E33-A783-E1F558A78242@gmail.com>
Message-ID: <E1V1pRA-000228-Ta@login01.fos.auckland.ac.nz>

Anthony Papillion <papillion at gmail.com> writes:

>Because GnuPG is open source, it's been extensively peer reviewed and found
>safe and secure.  

That should actually say "because GnuPG is open source, people assume that
someone else has extensively peer reviewed it and therefore assume that it's
safe and secure".  For example there was a long-standing RNG bug that was very
obvious if you looked at the code, but was only discovered by chance when
someone who was interested in the RNG happend to read through the code and
thought "hmm, surely that can't be right".  Having code that's open source
doesn't help at all if no-one looks at it.

>One of the best ways to learn about tech topics is reading RFC's. The entire
>way SSL/TLS operates is detailed in an RFC. Read I'd and you will be
>infinately more informed.

Argh, no.  The best way to confuse someone is to get them to read an RFC. Find
a good book on the topic, e.g. for SSL/TLS there's Eric Rescorla's "SSL and
TLS: Designing and Building Secure Systems".  Before that, read "Network
Security: Private Communication in a Public World" by Kaufman et al.

Peter.




From pgut001 at cs.auckland.ac.nz  Tue Jul 23 21:10:54 2013
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Wed, 24 Jul 2013 16:10:54 +1200
Subject: Gnu PG is more Safe ?
In-Reply-To: <51EF4A37.6070907@gmail.com>
Message-ID: <E1V1qPe-0004iL-RX@login01.fos.auckland.ac.nz>

Blibbet <blibbet at gmail.com> writes:

>If there are other open source OpenPGP tools besides GnuPG and NetPGP, that
>would be welcome news.

cryptlib, http://www.cs.auckland.ac.nz/~pgut001/cryptlib/index.html, been
around for... well, longer than GPG has :-).

Peter.




From jya at pipeline.com  Wed Jul 24 16:01:34 2013
From: jya at pipeline.com (John Young)
Date: Wed, 24 Jul 2013 19:01:34 -0400
Subject: NSA History of Traffic Analysis
Message-ID: <E1V283W-0003rY-By@elasmtp-dupuy.atl.sa.earthlink.net>

NSA released on 23 July 2013 "The History of Traffic Analysis:
World War I-Vietnam."

http://www.nsa.gov/about/_files/cryptologic_heritage/publications/misc/traffic_analysis.pdf

It notes the formation of T/A (Traffic Analysis) and C/A (Cryptanalysis)
as the two elements of code-breaking, using the mail analogy of T/A
for the envelope, C/A for the contents.

As noted elsewhere T/A is now publicized as "metadata."





From jya at pipeline.com  Wed Jul 24 16:04:33 2013
From: jya at pipeline.com (John Young)
Date: Wed, 24 Jul 2013 19:04:33 -0400
Subject: Reduced NSA TA History
Message-ID: <E1V286P-00041c-1k@elasmtp-scoter.atl.sa.earthlink.net>

Th NSA Traffic Analysis history reduced from 11.5MB to 3.2MB:

http://cryptome.org/2013/07/nsa-traffic-analysis.pdf





From pgut001 at cs.auckland.ac.nz  Wed Jul 24 00:31:20 2013
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Wed, 24 Jul 2013 19:31:20 +1200
Subject: Gnu PG is more Safe ?
In-Reply-To: <51EF7B99.90207@gmail.com>
Message-ID: <E1V1tXc-0004x6-U2@login01.fos.auckland.ac.nz>

Martin Rublik <martin.rublik at gmail.com> writes:

>There is a paper on discovering vulnerabilities in open source and
>proprietary software you might find interesting:

There's been a bunch of work done in this area, another one that springs to
mind is Coverity's scan reports.  The general conclusion from them is,
unsurprisingly, that being open source doesn't magically make you more secure.
You only find bugs (vulns) if someone looks for them, and a closed-source app
that's actively analysed for vulns (because the vendor pays employees to do
it) is going to be more secure than an open-source app that no-one looks at
because they're not motivated to.  In either case the ones with the highest
motivation to look are the attackers.

Peter.




From albin.olsson at gmail.com  Wed Jul 24 12:37:10 2013
From: albin.olsson at gmail.com (Albin Olsson)
Date: Wed, 24 Jul 2013 21:37:10 +0200
Subject: Python Random Number Generator for OTP
In-Reply-To: <20130724172706.GL27178@hexapodia.org>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
 <51EE318C.9070309@mehnert.org>
 <CAK9dnSzFnchEDs-rs7rCvgrdq5TFDWAA98keTobS3OdzAX7bbA@mail.gmail.com>
 <20130723222446.98325D061@a-pb-sasl-quonix.pobox.com>
 <20130724172706.GL27178@hexapodia.org>
Message-ID: <CAGFRu2mdK3wLGqe86dNW8DUi8NU9G333xwqMW5U1KpPmrK_XdQ@mail.gmail.com>

On Wed, Jul 24, 2013 at 7:27 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> My /dev/random generates a few hundred kilobytes a day.  I exchange OTPs
> on a SD card to a friend sitting across the table.  I need to be able to
> make a bigger pad than allowed by the horrifically overly conservative
> entropy estimates provided by /dev/random.
>
> -andy


What OTP software do you use for actual communication?


A




From eugen at leitl.org  Wed Jul 24 14:02:37 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 24 Jul 2013 23:02:37 +0200
Subject: Join us for a public hack day on Friday, July 26, 2013 in Munich,
 Germany.
Message-ID: <20130724210237.GF29404@leitl.org>


https://blog.torproject.org/blog/join-us-tor-hack-day-munich-germany

JOIN US - Tor Hack Day, Munich, Germany

Posted July 8th, 2013 by kelley in dev meeting hack day

Join us for a public hack day on Friday, July 26, 2013 in Munich, Germany.
Thank you to our hosts at the Technische Universität München
(http://www.tum.de).

The agenda and conversations will be determined by you and Tor's team of
developers and researchers - so bring your ideas, questions, projects and
technical expertise with you!

This event is open to the public and free of charge - no RSVP necessary.

Friday, July 26, 2013

Start Time: 10:00 am

Location: LRZ building, Sminarraum (H.E. 008), Bolzmannstrabe 1, 85748
Garching,

Germany. NOTE: the room is to the right of the main entrance.

For questions please contact execdir at torproject.org




From grarpamp at gmail.com  Wed Jul 24 21:55:32 2013
From: grarpamp at gmail.com (grarpamp)
Date: Thu, 25 Jul 2013 00:55:32 -0400
Subject: Forward Secrecy
Message-ID: <CAD2Ti2_xhWpP2p+7fRhq54VAhNdGSJ7u96odmWPJqCv6kBDdAQ@mail.gmail.com>

Check your preferences are set.
Somehow I bet there will be a move to this rather soon.
Yet note, Dec, a provider simply logging the session keys is still possible.
Though much costlier for evil pursue that cheap route if there are lots
of small mail providers out there for people to use... who says
you have to use the big three, or cannot run a mail service?
Or a distributed social / call / sharing platform, etc?
Next topic, DHT p2p tech... we are 'always on' right?

http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/
http://news.cnet.com/8301-13578_3-57591179-38/data-meet-spies-the-unfinished-state-of-web-crypto/
http://googleonlinesecurity.blogspot.com/2011/11/protecting-data-for-long-term-with.html
http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html




From yan at mit.edu  Wed Jul 24 22:45:19 2013
From: yan at mit.edu (Yan Zhu)
Date: Thu, 25 Jul 2013 07:45:19 +0200
Subject: Python Random Number Generator for OTP
In-Reply-To: <20130724215618.BIAM3897.eastrmfepo102.cox.net@eastrmimpo210>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
 <51EE318C.9070309@mehnert.org>
 <CAK9dnSzFnchEDs-rs7rCvgrdq5TFDWAA98keTobS3OdzAX7bbA@mail.gmail.com>
 <20130723222446.98325D061@a-pb-sasl-quonix.pobox.com>
 <20130724172706.GL27178@hexapodia.org>
 <CAGFRu2mdK3wLGqe86dNW8DUi8NU9G333xwqMW5U1KpPmrK_XdQ@mail.gmail.com>
 <20130724215618.BIAM3897.eastrmfepo102.cox.net@eastrmimpo210>
Message-ID: <CAFDBa1UZZEAi7akEJf2XUE=sGgXr+hA9fKPFko_cipuocZPf=w@mail.gmail.com>

Has anyone tried using an entropy broker (see
https://lwn.net/Articles/546428/) for sharing entropy between devices on a
physical network? https://we.riseup.net/debian/entropy#entropy-key seems to
suggest that this is something that people do.


On Wed, Jul 24, 2013 at 11:56 PM, David Honig <dahonig at cox.net> wrote:

>
> > On Wed, Jul 24, 2013 at 7:27 PM, Andy Isaacson <adi at hexapodia.org>
> wrote:
> > > My /dev/random generates a few hundred kilobytes a day.  I exchange
> OTPs
>
>
> A long time ago I bought a geiger counter for crypto exploration.  Problem
> is, you can't buy rad sources strong enough to generate enough entropy
> (which is *still* subject to conditioning of course, despite the hype, and
> any way a GM tube will saturate..).  Even if you take your smoke detector
> apart and use an alpha-windowed tube.
>
> But a detuned FM radio card seemed to do quite well.  Admittedly, no white
> vans driving my amps.  Are these sources not supported as entropy
> sources?   (Pardon my linux randomness being out of date)
>
> Also, why u no trust Intel's RNG? :-)
>
>
>
>
> Physical otp key exchange can't be beaten... unless your correspondent
> is beaten..  silk burns clean, cyanide terminates the session
>
>
>
>
> "..trying to avoid sinning in the von Neumann sense.."
>
>
>
>
> **
>
> ** I wish to God these calculations could be done by a
> steam engine,” Babbage complained
>



-- 
Yan Zhu
http://web.mit.edu/zyan/www/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2155 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130725/4906ef28/attachment.txt>

From eugen at leitl.org  Thu Jul 25 02:19:22 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 25 Jul 2013 11:19:22 +0200
Subject: Feds put heat on Web firms for master encryption keys
Message-ID: <20130725091922.GX29404@leitl.org>


(See also https://en.wikipedia.org/wiki/Convergence_(SSL) )

http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/

Feds put heat on Web firms for master encryption keys

Whether the FBI and NSA have the legal authority to obtain the master keys
that companies use for Web encryption remains an open question, but it hasn't
stopped the U.S. government from trying.

Declan McCullagh by Declan McCullagh  July 24, 2013 4:00 AM PDT

Large Internet companies have resisted the government's demands for
encryption keys requests on the grounds that they go beyond what the law
permits, according to one person who has dealt with these attempts.

(Credit: Declan McCullagh)

The U.S. government has attempted to obtain the master encryption keys that
Internet companies use to shield millions of users' private Web
communications from eavesdropping.

These demands for master encryption keys, which have not been disclosed
previously, represent a technological escalation in the clandestine methods
that the FBI and the National Security Agency employ when conducting
electronic surveillance against Internet users.

If the government obtains a company's master encryption key, agents could
decrypt the contents of communications intercepted through a wiretap or by
invoking the potent surveillance authorities of the Foreign Intelligence
Surveillance Act. Web encryption -- which often appears in a browser with a
HTTPS lock icon when enabled -- uses a technique called SSL, or Secure
Sockets Layer.

"The government is definitely demanding SSL keys from providers," said one
person who has responded to government attempts to obtain encryption keys.
The source spoke with CNET on condition of anonymity.

The person said that large Internet companies have resisted the requests on
the grounds that they go beyond what the law permits, but voiced concern that
smaller companies without well-staffed legal departments might be less
willing to put up a fight. "I believe the government is beating up on the
little guys," the person said. "The government's view is that anything we can
think of, we can compel you to do."

A Microsoft spokesperson would not say whether the company has received such
requests from the government. But when asked whether Microsoft would turn
over a master key used for Web encryption or server-to-server e-mail
encryption, the spokesperson replied: "No, we don't, and we can't see a
circumstance in which we would provide it."

Google also declined to disclose whether it had received requests for
encryption keys. But a spokesperson said the company has "never handed over
keys" to the government, and that it carefully reviews each and every
request. "We're sticklers for details -- frequently pushing back when the
requests appear to be fishing expeditions or don't follow the correct
process," the spokesperson said.

Sarah Feinberg, a spokeswoman for Facebook, said that her employer has not
received requests for encryption keys from the U.S. government or other
governments. In response to a question about divulging encryption keys,
Feinberg said: "We have not, and we would fight aggressively against any
request for such information."

Apple, Yahoo, AOL, Verizon, AT&T, Opera Software's Fastmail.fm, Time Warner
Cable, and Comcast declined to respond to queries about whether they would
divulge encryption keys to government agencies.

Encryption used to armor Web communications was largely adopted not because
of fears of NSA surveillance -- but because of the popularity of open,
insecure Wi-Fi networks. The "Wall of Sheep," which highlights passwords
transmitted over networks through unencrypted links, has become a fixture of
computer security conventions, and Internet companies began adopting SSL in
earnest about three years ago.

"The requests are coming because the Internet is very rapidly changing to an
encrypted model," a former Justice Department official said. "SSL has really
impacted the capability of U.S. law enforcement. They're now going to the
ultimate application layer provider."

An FBI spokesman declined to comment, saying the bureau does not "discuss
specific strategies, techniques and tools that we may use."

NSA director Keith Alexander, shown here at a Washington, D.C. event this
month, has said that encrypted data are "virtually unreadable."

(Credit: Getty Images)

Top secret NSA documents leaked by former government contractor Edward
Snowden suggest an additional reason to ask for master encryption keys: they
can aid bulk surveillance conducted through the spy agency's fiber taps.

One of the leaked PRISM slides recommends that NSA analysts collect
communications "upstream" of data centers operated by Apple, Microsoft,
Google, Yahoo, and other Internet companies. That procedure relies on a FISA
order requiring backbone providers to aid in "collection of communications on
fiber cables and infrastructure as data flows past."

Mark Klein, who worked as an AT&T technician for over 22 years, disclosed in
2006 (PDF) that he met with NSA officials and witnessed domestic Internet
traffic being "diverted" through a "splitter cabinet" to secure room 641A in
one of the company's San Francisco facilities. Only NSA-cleared technicians
were allowed to work on equipment in the SG3 secure room, Klein said, adding
that he was told similar fiber taps existed in other major cities.

But an increasing amount of Internet traffic flowing through those fiber
cables is now armored against surveillance using SSL encryption. Google
enabled HTTPS by default for Gmail in 2010, followed soon after by
Microsoft's Hotmail. Facebook enabled encryption by default in 2012. Yahoo
now offers it as an option.

"Strongly encrypted data are virtually unreadable," NSA director Keith
Alexander told (PDF) the Senate earlier this year.

Unless, of course, the NSA can obtain an Internet company's private SSL key.
With a copy of that key, a government agency that intercepts the contents of
encrypted communications has the technical ability to decrypt and peruse
everything it acquires in transit, although actual policies may be more
restrictive.

One exception to that rule relies on a clever bit of mathematics called
perfect forward secrecy. PFS uses temporary individual keys, a different one
for each encrypted Web session, instead of relying on a single master key.
That means even a government agency with the master SSL key and the ability
to passively eavesdrop on the network can't decode private communications.

Google is the only major Internet company to offer PFS, though Facebook is
preparing to enable it by default.

Even PFS isn't complete proof against surveillance. It's possible to mount a
more advanced attack, sometimes called a man-in-the-middle or active attack,
and decode the contents of the communications.

A Wired article in 2010 disclosed that a company called Packet Forensics was
marketing to government agencies a box that would do precisely that. (There
is no evidence that the NSA performs active attacks as part of routine
surveillance, and even those could be detected in some circumstances.)

The Packet Forensics brochure said that government agencies would "have the
ability to import a copy of any legitimate key they obtain (potentially by
court order)." It predicted that agents or analysts will collect their "best
evidence while users are lulled into a false sense of security afforded by
Web, e-mail or VOIP encryption."

With a few exceptions, even if communications in transit are encrypted,
Internet companies typically do not encrypt e-mail or files stored in their
data centers. Those remain accessible to law enforcement or the NSA through
legal processes.

Leaked NSA surveillance procedures, authorized by Attorney General Eric
Holder, suggest that intercepted domestic communications are typically
destroyed -- unless they're encrypted. If that's the case, the procedures
say, "retention of all communications that are enciphered" is permissible.

Valerie Caproni, who was the FBI's general counsel at the time this file
photo was taken, told Congress that the government needs "individualized
solutions" when "individuals who put encryption on their traffic."

(Credit: Getty Images)

It's not entirely clear whether federal surveillance law gives the U.S.
government the authority to demand master encryption keys from Internet
companies.  "That's an unanswered question," said Jennifer Granick, director
of civil liberties at Stanford University's Center for Internet and Society.
"We don't know whether you can be compelled to do that or not."

The government has attempted to use subpoenas to request copies of encryption
keys in some cases, according to one person familiar with the requests.
Justice Department guidelines say subpoenas may be used to obtain information
"relevant" to an investigation, unless the request is "unreasonably
burdensome."

"I don't know anyone who would turn it over for a subpoena," said an attorney
who represents Internet companies but has not fielded requests for encryption
keys. Even a wiretap order in a criminal case would be insufficient, but a
FISA order might be a different story, the attorney said. "I'm sure there's
some logic in collecting the haystack."

Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation,
challenged the notion that current law hands the government the power to
demand master encryption keys. Even with a FISA order for the private key,
Opsahl said, the amount of technical assistance that a company must provide
to the NSA or other federal agencies "has a limit."

Federal and state law enforcement officials have previously said encrypted
communications were beginning to pose an obstacle to lawful surveillance.
Valerie Caproni, the FBI's general counsel at the time, told a congressional
hearing in 2011, according to a transcript:

 Encryption is a problem, and it is a problem that we see for certain
providers... For individuals who put encryption on their traffic, we
understand that there would need to be some individualized solutions if we
get a wiretap order for such persons... We are suggesting that if the
provider has the communications in the clear and we have a wiretap order,
that the provider should give us those communications in the clear.

"One of the biggest problems with compelling the [private key] is it gives
you access to not just the target's communications, but all communications
flowing through the system, which is exceedingly dangerous," said Stanford's
Granick.

Update, 11:40 a.m. PT: Adds additional comments from a Facebook
representative saying the company has not received such requests.

Disclosure: McCullagh is married to a Google employee not involved with this
issue.




From eugen at leitl.org  Thu Jul 25 02:59:51 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 25 Jul 2013 11:59:51 +0200
Subject: [tor-talk] Tor Weekly News =?utf-8?B?4oCU?= =?utf-8?Q?_July=2C?=
 24th 2013
Message-ID: <20130725095951.GG29404@leitl.org>

----- Forwarded message from dope457 <dope457 at riseup.net> -----


From j2tracey at gmail.com  Thu Jul 25 16:25:33 2013
From: j2tracey at gmail.com (Justin Tracey)
Date: Thu, 25 Jul 2013 16:25:33 -0700
Subject: Feds put heat on Web firms for master encryption keys
In-Reply-To: <20130725091922.GX29404@leitl.org>
References: <20130725091922.GX29404@leitl.org>
Message-ID: <51F1B3ED.10001@gmail.com>

On 07/25/2013 02:19 AM, Eugen Leitl wrote:
>
> (See also https://en.wikipedia.org/wiki/Convergence_(SSL) )
>
Convergence is an interesting idea, but I'm not sure how it addresses
the issue in the article. Convergence is designed to deal with
shortcomings of certificate authorities (by providing what Moxie calls
"trust agility," the ability to change who you trust to confirm public
keys). The problem is companies are sharing their private keys. If they
do this, how you get their public key is irrelevant - the content you
send them is accessible by a third party and the content you receive
from them can be tampered with.

Also, Convergence hasn't been updated in over a year and is full of
bugs. I don't think it even works on recent Firefox versions at all (at
least, the official git repo doesn't).




From thomas at mich.com  Thu Jul 25 18:01:46 2013
From: thomas at mich.com (tz)
Date: Thu, 25 Jul 2013 21:01:46 -0400
Subject: SSLegance
Message-ID: <CAFv7Oijz0yvbbPsz2BQDXGD3wzrxkax=r++YLwwzQEQRjCkChg@mail.gmail.com>

For the interim, the solution might be to have an extension that
besides pushing PFS (and alerting when it doesn't work) would cache
the Cert hashes or more and allow a browser (e.g. firefox) to run with
all CAs as untrusted, but then do a verification on a per-site basis.

The big hole in web page security is that there is the web page, then
there is the extra info like javascript and css.

So, for example, https://amazon.com might be accepted, but
https://images-na.cdn.azws.com is in the background ready to rewrite
the entire page.

And the page will be broken until you manually "view source" and open
a link and allow the cert/CA/page for the
javascript/css/images/metadata.




From calebdelisle at lavabit.com  Thu Jul 25 13:58:34 2013
From: calebdelisle at lavabit.com (Caleb James DeLisle)
Date: Thu, 25 Jul 2013 23:58:34 +0300
Subject: [liberationtech] CJDNS hype
Message-ID: <mailman.4381.1575949048.62801.testlist@lists.cpunks.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Michael,

Sorry for the wait on my part as well, I was very busy last week.

On 07/24/2013 05:27 AM, Michael Rogers wrote:
> Hi Caleb,
> 
> Thanks for the detailed answers - I'm sorry it's taken me so long to reply.
> 
> - From your answers and the whitepaper I think I'm starting to understand how the switching and routing layers fit together. Would I be right in thinking that each node populates its DHT routing table with nodes that are one or more hops away at the switching layer, and that each hop at the switching layer is a link between two people who know each other? So two nodes that are neighbours at the DHT layer are't necessarily neighbours at the switching/social layer?

Exactly. There is no real concept of "neighbors" at the DHT layer but
there is address space distance so some nodes are "close".

> 
> And if there's more than one candidate for a slot in the DHT routing table, am I right in thinking that some weighted combination of DHT ping time and label length is used to pick the best candidate, where label length is a combination of path length (at the switching layer) and the degree of the nodes along the path (with short paths and low-degree nodes resulting in shorter labels)?

Yup.

> 
>>> More generally, could you explain how CJDNS detects and routes around faults?
> 
>> The simple version is that it pings at random nodes in it's table. When a node is unresponsive, it and anyone who is behind it is dropped from the table.
> 
> A few questions about pings:
> 
> Is it possible for a node that's being pinged to distinguish a ping from a data packet? (What would happen if a node responded correctly to pings but dropped data packets?)

Yes, the destination of the ping does know that it's a ping since it
needs to respond to it. If it dropped non-pings it would be unreachable
and if it dropped layer3 "forward me" messages then it would break the
network.

> 
> Can a node on the switching path between the pinger and the pingee distinguish a ping from a data packet?

Only by guessing based on size and timing.

> 
> Can a node on the switching path between the pinger and the pingee respond to a ping on the pingee's behalf?

Never ever. That's critical to the model that when you are told about
a node that you don't trust that it's real until you're sure that
you've talked to it.

> 
>>> Could you explain what a route prefix is and how you can be sure that a set of Sybil identities will share a route prefix? How is the route prefix used in detecting and routing around faults?
> 
>> This requires understanding the base method by which cjdns works. When I start up my router, I connect to my specified peers which I have manually configured, these are people whom I know well enough to be assured that they are honest peers.
> 
>> Then my node's switch core assigns each one an interface index. My node then compresses the interface indexes of it's neighbors into a label and inserts the entries with key and label into it's routing table.
> 
>> My node randomly asks nodes in it's routing table for pieces of their table, the question could be simplified as "who do you know, how do you reach them", the response from them is entries taken directly from their routing table.
> 
>> When Alice tells me that she knows Bob and his label is 12345, I take Alice's label which might be abcd and splice them together to have a label which routes from me to Alice to Bob, then after Bob has been pinged along this path, I begin to trust it.
> 
>> This is all an oversimplification, for the actual way it works please consult the whitepaper.
> 
> Thanks, that's a really helpful explanation. So it seems to me that you're using the same observation as SybilGuard and similar systems: although the number of Sybils is unlimited, the number of social edges between Sybils and non-Sybils is limited, so those edges can be used to limit the impact of Sybils.
> 
> It's a cool observation, but the devil's in the details - how do you actually apply that observation in practice? Is there some algorithm in cjdns that detects anomalous routing table entries by examining the prefixes of their switching labels?

Other than short paths (labels) being preferred, there are only a few
tricks aimed specifically at accidental problems. If I discover route
a->b->c->d->w->x->y->z->d
then I discover
a->b->c->d
I will replace the first with the second since I can prove that the
first is an indirect representation of the second.

There are no specific defenses against sybil attacks but I don't think
any are needed given the fact that it's inherently different from a
traditional overlay network.

> 
>>> Could you explain why a set of Sybil identities will produce an absurdly long path, and how you can be sure that the routing table has already been populated with fast non-Sybil nodes?
> 
>> Re the absurd length of paths, since more nodes mean more interface indexes, it stands to reason that the more interface indexes will make a longer label. Long labels are avoided by cjdns.
> 
> Bear in mind that Sybils don't have to exist simultaneously. For example, Alice could tell me that she has one neighbour other than me, Bob. I add Bob to my routing table, but later I detect that he's not routing packets correctly, so I drop him. Then Alice tells me that Bob's no longer her neighbour but she has a new neighbour, Carol. I add Carol to my routing table, but later I detect that she's not routing packets correctly, so I drop her. Then Alice tells me that Carol's no longer her
> neighbour but she has a new neighbour, Dave...
> 
> At any given time, Alice only has two interfaces, so my labels for Bob, Carol, Dave, etc will be short.
> 
> Obviously this is just a toy example, but it shows that in the general case a Sybil attack doesn't necessarily produce long labels.


That's a valid point. We tried to avoid trapping bad behavior and
dropping a node because in my opinion it is too brittle and is more
likely to introduce a vulnerability.

Rather than trust early and detect known bad behavior, cjdns is slow to
trust. If you tell me about a new node I will generally not use it until
the node I'm currently using fails. This hurts performance but helps
stability once the network is functional.

> 
>>> It sounds like you're saying that a Sybil attack won't work because the victims have already populated their routing tables prior to the attack - but what about a new node joining the network after the attack has started?
> 
>> Unless your direct peers (with whom you have a relationship) are sybil nodes, they will keep their tables clean and when you ask them for nodes, they will give you honest nodes whom also have clean tables. You will see a few sybil nodes in your table but they will also come with many valid nodes which will cause the router to slow down it's search for nodes, curtailing their effort to pollute the routing table
> 
> I think I need more detail to understand how this works. I receive routing information from my peers, who receive it from their own peers, etc. Each node is supposed to keep its table clean in order to share clean information with its peers - how does it do that? What operations are performed to clean the information before sharing it with peers? When I receive information from my peers, how do I know whether it's clean?

I'm on very unstable ground here, possibly bullshitting...
None of this has been simulated so I have to tread carefully.

Basically each route has a "value", when a node is inserted, the route
to that node has a value of 0, valid ping responses increment the number
and timeouts halve it. High numbers and short paths are favored but even
a long path is favored over a "0 value route".

When you ask a node for routes, it will give you routes which are either:

1. A perfect match to the ip address you queries (even if 0 reach)
2. The highest reach node which is closet to the query target than them.
(them == the node to whom you sent the query)

Since cjdns populates it's table by periodically querying randomly generated
ip addresses, nodes share their best paths causing a sort of "wisdom of the
crowd" effect and making it difficult for a sybil attack to gain traction.

> 
>>> Nevertheless, a node could selectively drop traffic bound for certain recursive routing hops, while forwarding other traffic, right?
> 
>> Yes but each node is a recursive router and you're allowed to forward to any router whose address is numerically closer to the destination than your own so if someone is blocking a router, there are many others to choose from.
> 
>> Granted we don't have any tools for detecting that a recursive router is misbehaving and blacklist it but this is an implementation cat-and-mouse game which the protocol will support.
> 
> What mechanism in the protocol would make it possible for future implementations to detect misbehaving nodes?

We would have to make some small protocol changes to make this work
but what immediately comes to mind is A sending a forward request to
B to forward to C then sending a switch level packet to C asking if
he got the message.

Only A and C need to have the protocol patch and there is already a
protocol versioning system in place so this would be trivial to
integrate.

You have to trust C not to lie to you though. This kind of complexity
is why I have tried to avoid explicit detection and why I say "cat and
mouse game".

> 
>>> The point I was trying to make in my previous email is that whatever information the packets carry to distinguish one packet from another, the adversary can use that information to target certain packets while maintaining the appearance of high overall reliability.
> 
>> All of the distinguishing information (IPv6 header) is encrypted so the only thing is the routing label (unless you're at the recursive routing layer)
> 
> Sorry, I'm confused about layers again. An IPv6 packet's journey across the network consists of one or more DHT hops, each of which consists of one or more switching hops, is that right? And the IPv6 header is encrypted at each DHT hop, so nodes along the switching path of each DHT hop can only read the switching label (and maybe the DHT address of the next DHT node), but not the IPv6 header?

Basically correct, the switch can read the label and likely use it's
routing table to determine the address of the next hop but cannot determine
the destination.

For performance and scalability this feature may be removed.

> 
> How does a node learn the keys of its DHT neighbours in order to encrypt packets that only they can decrypt? (Obviously when its DHT neighbours are also its social neighbours this is easy, but what happens when they're not?)

When you do a DHT query, you get the keys (and protocol version numbers)
along with the paths.

> 
>>>> Can't spoof a packet because the IPv6 address is the public key hash.
> 
>>> Is every packet signed with the corresponding private key? Seems like that would be expensive.
> 
>> Not signed, encrypted with an authenticator, this is very fast. If you don't know the symmetrical key, you can't modify any packet without me knowing and you obviously can't read my packets. The symmetrical key only needs to be derived once.
> 
> I can see how that would prove to the IPv6 destination that the claimed IPv6 source was the real source of the packet - but I can't see how it would prove to any other node that the claimed source was the real source (presumably the symmetric key is only known to the source and destination). So it seems to me that it's still possible to make /some/ nodes believe that a packet originated from a different source than its true source, which might be a building block for other attacks (eg
> manipulating the fault detection mechanism).

Your technical analysis is spot on.
There is no code which relies on the packets originating from someone
else so your attack building block this is not much of an issue for me.
Anyway signing packets for all the world to see not only performs poorly
but is problematic in other ways. I'm not sure people would want their
packets to be linked to their identity forever, they can be decrypted
after all, by the destination if no one else.

Thanks,
Caleb

> 
> Cheers, Michael
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJR8ZF6AAoJECYAmptlsgnW+Y0P/3ts2lZ7LCAJBujU0SZKFHBn
EnFdhNfXSqIGKi2wo+8zO8RIvnCC60IcMqljVbkQiqE8jTZBVwsSuIuob9P4pukm
E2vwLd7PJ1s4JR/t/vxoKep84s+S5xbfJT/bNDNwBMWZSTVYUeC1a7wmou1d/uIj
oBn9ELWk9iRuc5OTkNdXuCNr/tT57QjYuhIuE9KIySZ+a+Jn4TPC6cMaQ90lwbKS
UFlcuDU9EvDWp4ATGSqTLhkoPp5cVqj+Kz9iGIBml3xKW50h+6Ol0C10iYo7e/qP
1AcUHa/kU6r2uCSHyQndzoL6PzWmJ4gRz1PCZe+xPPFcBojeBNdApPylmsqfvB5r
YBIESmsr4mexEqrwFJqJRlvk0s1iJya47uAH3JH/23xFvYGTV4X05Eh/nrwGxo5z
5swfE2GKHIDA5SoszkGLMLu6SgpFBCQjy6lSlI6VNjh0ElL76lu2uLxxrS6XQQLw
YetGH2PTgzZoaSwydG6OnZkTX9Ae5FdMNlIn68RijP26xMAY84W0M6uEEBNZvC+W
Vau16LFTk6MmHi7PHtQLkjlEVLuoFX0EsPWHti8l+9my7sRCCVO4n6vD11+FSMg6
uAelkHGJ0TZEC36DiU67wnZpSo7KBBw0re2GOaewATm0NNnwm44a0ie58z7IunCM
0wu9uJ6jNuVmLM9I8C4E
=2PzJ
-----END PGP SIGNATURE-----

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From eugen at leitl.org  Thu Jul 25 15:12:04 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 26 Jul 2013 00:12:04 +0200
Subject: [liberationtech] CJDNS hype
Message-ID: <20130725221204.GS29404@leitl.org>

----- Forwarded message from Caleb James DeLisle <calebdelisle at lavabit.com> -----


From adi at hexapodia.org  Fri Jul 26 05:27:44 2013
From: adi at hexapodia.org (Andy Isaacson)
Date: Fri, 26 Jul 2013 05:27:44 -0700
Subject: SSLegance
In-Reply-To: <CAFv7Oijz0yvbbPsz2BQDXGD3wzrxkax=r++YLwwzQEQRjCkChg@mail.gmail.com>
References: <CAFv7Oijz0yvbbPsz2BQDXGD3wzrxkax=r++YLwwzQEQRjCkChg@mail.gmail.com>
Message-ID: <20130726122744.GH27178@hexapodia.org>

On Thu, Jul 25, 2013 at 09:01:46PM -0400, tz wrote:
> For the interim, the solution might be to have an extension that
> besides pushing PFS (and alerting when it doesn't work) would cache
> the Cert hashes or more and allow a browser (e.g. firefox) to run with
> all CAs as untrusted, but then do a verification on a per-site basis.
> 
> The big hole in web page security is that there is the web page, then
> there is the extra info like javascript and css.
> 
> So, for example, https://amazon.com might be accepted, but
> https://images-na.cdn.azws.com is in the background ready to rewrite
> the entire page.
> 
> And the page will be broken until you manually "view source" and open
> a link and allow the cert/CA/page for the
> javascript/css/images/metadata.

I've run my primary browser with no trusted CAs, manually TOFUing
certificates for sites, for months on end.  It's slightly easier than
"view source" to use control-shift-K (in Firefox) and reload the page,
then watch for resource load errors in the console.  Some fairly small
adjustments to browser UIs would make this use case much easier.  The
biggest problem is that Firefox's SSL exception implementation only
allows a single certificate per hostname, so load-balanced hosts such as
p.twimg.com which toggle between multiple valid certificates are
annoying.

(I also VPN this browser through a fairly trusted datacenter, so I'm not
TOFUing over the local WLAN of course.)

It's fairly helpful to use SSL errors as a firewall to help me avoid
accidentally loading sites whose TOS I refuse to accept, such as G+ and
Facebook.

It also functions as a primitive adblock for some sites since you don't
have to accept the certificates for doubleclick.net et al.

-andy




From j2tracey at gmail.com  Fri Jul 26 10:58:50 2013
From: j2tracey at gmail.com (Justin Tracey)
Date: Fri, 26 Jul 2013 10:58:50 -0700
Subject: SSLegance
In-Reply-To: <CAFv7Oiirasi1HYp1bAd8PCyYabTVtsnKcOyfcOZpEca2kU8dRQ@mail.gmail.com>
References: <CAFv7Oijz0yvbbPsz2BQDXGD3wzrxkax=r++YLwwzQEQRjCkChg@mail.gmail.com>
 <20130726122744.GH27178@hexapodia.org>
 <CAFv7Oiirasi1HYp1bAd8PCyYabTVtsnKcOyfcOZpEca2kU8dRQ@mail.gmail.com>
Message-ID: <51F2B8DA.6070101@gmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Trust On First Use. It's a key-exchange method where you trust the first
time you grab a key, and use that, instead of a cert-authority or
anything like that. It's used for SSH iirc, though I could be wrong. The
idea behind it is that unless the MITM performs a MITM the first time
and every time thereafter, you'll at least notice the attack, and likely
prevent it.

I was going to provide a Wikipedia link, but I couldn't seem to find
one, other than this one hidden in a user page.
https://en.wikipedia.org/wiki/User:Dotdotike/Trust_Upon_First_Use

On 07/26/2013 09:06 AM, tz wrote:
> Sorry for being slow, but what is TOFUing?
>
> On Fri, Jul 26, 2013 at 8:27 AM, Andy Isaacson <adi at hexapodia.org
<mailto:adi at hexapodia.org>> wrote:
>
>
>     I've run my primary browser with no trusted CAs, manually TOFUing
>     certificates for sites, for months on end.  It's slightly easier than
>     "view source" to use control-shift-K (in Firefox) and reload the page,
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBAgAGBQJR8rjVAAoJED2aKxR1HF9BsDkQAOiqrPvw6ClM5mZ3zdMgzZQ1
jsyKmZMCOEUJtrlJA2LGN6ybhQ0ESCubrBD9izHOt80fTqpYoDkd27ziwGeEUw/m
h3+VATV0zr0Pr569e71sIhsRs3rlGXJfDeoyDDJrb/t+fbSDXccecIpz8uQiByb6
hAAIqFGjFSozikAtdRfbeiXGBQQD6nlzzT6/FWZ5jygX4XElRvcF/ElEfsFJ2N6+
4oRMt6irhirDzPSCFuXtbSrNXZ+GQ7k3YRt2uC6uLzHEjpatbdVw420AQlm3fEZs
IN20NTIRHlJl81sB1a37d30JjqLI35f1HbUHBBuFO25ArUnTRQoN973D6vnSAZLj
v8/LFCYM+rhpabpZ21e2kBywJoo+t1iy9506VbGNyfZV4xxxVPaBVpwmANfoK0SO
MeHXfz8sTR7wjiMc/m735GLRCZMonYcejZ0BY9wDTBC9iCjaGB+6bFgcV4cop4vt
WakfqQKp1j+qrly5sZcRZG8AWQzCGlUbEkfXuknmEVSxED0zEE6DZlnEbYOftvoG
8M1Z8hMAI+sO4mhbyDEBbsY3y+GbfyShLFmyxR82HXh7Vw/NyYjkE4Px9uoGGwPl
hTgXOTxB/teA0jpVVO96SFG1YrhCt+98LlcCAKwM/xuv5jPVp9ipz0QuyF9C3AE3
EJfQHrhI/qyfoBCklYt+
=iakG
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2930 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130726/05aafe57/attachment.txt>

From thomas at mich.com  Fri Jul 26 09:06:47 2013
From: thomas at mich.com (tz)
Date: Fri, 26 Jul 2013 12:06:47 -0400
Subject: SSLegance
In-Reply-To: <20130726122744.GH27178@hexapodia.org>
References: <CAFv7Oijz0yvbbPsz2BQDXGD3wzrxkax=r++YLwwzQEQRjCkChg@mail.gmail.com>
 <20130726122744.GH27178@hexapodia.org>
Message-ID: <CAFv7Oiirasi1HYp1bAd8PCyYabTVtsnKcOyfcOZpEca2kU8dRQ@mail.gmail.com>

Sorry for being slow, but what is TOFUing?

On Fri, Jul 26, 2013 at 8:27 AM, Andy Isaacson <adi at hexapodia.org> wrote:

>
> I've run my primary browser with no trusted CAs, manually TOFUing
> certificates for sites, for months on end.  It's slightly easier than
> "view source" to use control-shift-K (in Firefox) and reload the page,
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 649 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130726/f9610e7c/attachment.txt>

From jya at pipeline.com  Fri Jul 26 09:43:52 2013
From: jya at pipeline.com (John Young)
Date: Fri, 26 Jul 2013 12:43:52 -0400
Subject: Subquantum Crypto Attack
In-Reply-To: <CAFv7Oiirasi1HYp1bAd8PCyYabTVtsnKcOyfcOZpEca2kU8dRQ@mail.g
 mail.com>
References: <CAFv7Oijz0yvbbPsz2BQDXGD3wzrxkax=r++YLwwzQEQRjCkChg@mail.gmail.com>
 <20130726122744.GH27178@hexapodia.org>
 <CAFv7Oiirasi1HYp1bAd8PCyYabTVtsnKcOyfcOZpEca2kU8dRQ@mail.gmail.com>
Message-ID: <E1V2l6o-0000VP-Kh@elasmtp-mealy.atl.sa.earthlink.net>

Has subquantum crypto attack been substantiated?

arXiv:quant-ph/0203049v2 12 Apr 2002

Subquantum Information and Computation

Antony Valentini

It is argued that immense physical resources – for nonlocal communication,
espionage, and exponentially-fast computation – are hidden from us by quantum
noise, and that this noise is not fundamental but merely a property of an
equilibrium state in which the universe happens to be at the present time. It
is suggested that ‘non-quantum’ or nonequilibrium matter might exist today in
the form of relic particles from the early 
universe. We describe how such matter
could be detected and put to practical use. Nonequilibrium matter could be
used to send instantaneous signals, to violate 
the uncertainty principle, to distinguish
non-orthogonal quantum states without disturbing them, to eavesdrop
on quantum key distribution, and to outpace quantum computation (solving
NP-complete problems in polynomial time). ...

6 Eavesdropping on Quantum Key Distribution

Alice and Bob want to share a secret sequence of bits that will be used as a
key for cryptography. During distribution of the key between them, they must
be able to detect any eavesdropping by Eve. Three protocols for quantum key
distribution – BB84 [20], B92 [21], and E91 (or EPR) [22] – are known to be
secure against classical or quantum attacks (that 
is, against eavesdropping based
on classical or quantum physics) [23]. But these 
protocols are not secure against
a ‘subquantum’ attack [7]. ...

E91 is particularly interesting for it relies on the completeness of quantum
theory – that is, on the assumption that there 
are no hidden ‘elements of reality’.
Pairs of spin-1/2 particles in the singlet state 
are shared by Alice and Bob, who
perform spin measurements along random axes. For coincident axes the same bit
sequence is generated at each wing, by apparently random quantum outcomes.
‘The eavesdropper cannot elicit any information from the particles while in
transit ..... because there is no information 
encoded there’ [22]. But our Eve has
access to information outside the domain of quantum theory. She can measure
the particle positions while in transit, without 
disturbing the wavefunction, and
so predict the outcomes of spin measurements at the two wings (for the publicly
announced axes).12 Thus Eve is able to predict the key shared by Alice and
Bob.








From kb at karelbilek.com  Fri Jul 26 05:46:02 2013
From: kb at karelbilek.com (=?ISO-8859-1?Q?Karel_B=EDlek?=)
Date: Fri, 26 Jul 2013 13:46:02 +0100
Subject: Feds put heat on Web firms for master encryption keys
In-Reply-To: <20130725091922.GX29404@leitl.org>
References: <20130725091922.GX29404@leitl.org>
Message-ID: <CAGUkT8YouTP96a-8NLc4vPFtaSPrsbnhVp_-GTHObpB1pwo8+A@mail.gmail.com>

this is fucking disgusting

(I am sorry, I had to say that)

why do the big US companies bother with encryption anymore...

On Thu, Jul 25, 2013 at 10:19 AM, Eugen Leitl <eugen at leitl.org> wrote:
>
> (See also https://en.wikipedia.org/wiki/Convergence_(SSL) )
>
> http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/
>
> Feds put heat on Web firms for master encryption keys
>
> Whether the FBI and NSA have the legal authority to obtain the master keys
> that companies use for Web encryption remains an open question, but it hasn't
> stopped the U.S. government from trying.
>
> Declan McCullagh by Declan McCullagh  July 24, 2013 4:00 AM PDT
>
> Large Internet companies have resisted the government's demands for
> encryption keys requests on the grounds that they go beyond what the law
> permits, according to one person who has dealt with these attempts.
>
> (Credit: Declan McCullagh)
>
> The U.S. government has attempted to obtain the master encryption keys that
> Internet companies use to shield millions of users' private Web
> communications from eavesdropping.
>
> These demands for master encryption keys, which have not been disclosed
> previously, represent a technological escalation in the clandestine methods
> that the FBI and the National Security Agency employ when conducting
> electronic surveillance against Internet users.
>
> If the government obtains a company's master encryption key, agents could
> decrypt the contents of communications intercepted through a wiretap or by
> invoking the potent surveillance authorities of the Foreign Intelligence
> Surveillance Act. Web encryption -- which often appears in a browser with a
> HTTPS lock icon when enabled -- uses a technique called SSL, or Secure
> Sockets Layer.
>
> "The government is definitely demanding SSL keys from providers," said one
> person who has responded to government attempts to obtain encryption keys.
> The source spoke with CNET on condition of anonymity.
>
> The person said that large Internet companies have resisted the requests on
> the grounds that they go beyond what the law permits, but voiced concern that
> smaller companies without well-staffed legal departments might be less
> willing to put up a fight. "I believe the government is beating up on the
> little guys," the person said. "The government's view is that anything we can
> think of, we can compel you to do."
>
> A Microsoft spokesperson would not say whether the company has received such
> requests from the government. But when asked whether Microsoft would turn
> over a master key used for Web encryption or server-to-server e-mail
> encryption, the spokesperson replied: "No, we don't, and we can't see a
> circumstance in which we would provide it."
>
> Google also declined to disclose whether it had received requests for
> encryption keys. But a spokesperson said the company has "never handed over
> keys" to the government, and that it carefully reviews each and every
> request. "We're sticklers for details -- frequently pushing back when the
> requests appear to be fishing expeditions or don't follow the correct
> process," the spokesperson said.
>
> Sarah Feinberg, a spokeswoman for Facebook, said that her employer has not
> received requests for encryption keys from the U.S. government or other
> governments. In response to a question about divulging encryption keys,
> Feinberg said: "We have not, and we would fight aggressively against any
> request for such information."
>
> Apple, Yahoo, AOL, Verizon, AT&T, Opera Software's Fastmail.fm, Time Warner
> Cable, and Comcast declined to respond to queries about whether they would
> divulge encryption keys to government agencies.
>
> Encryption used to armor Web communications was largely adopted not because
> of fears of NSA surveillance -- but because of the popularity of open,
> insecure Wi-Fi networks. The "Wall of Sheep," which highlights passwords
> transmitted over networks through unencrypted links, has become a fixture of
> computer security conventions, and Internet companies began adopting SSL in
> earnest about three years ago.
>
> "The requests are coming because the Internet is very rapidly changing to an
> encrypted model," a former Justice Department official said. "SSL has really
> impacted the capability of U.S. law enforcement. They're now going to the
> ultimate application layer provider."
>
> An FBI spokesman declined to comment, saying the bureau does not "discuss
> specific strategies, techniques and tools that we may use."
>
> NSA director Keith Alexander, shown here at a Washington, D.C. event this
> month, has said that encrypted data are "virtually unreadable."
>
> (Credit: Getty Images)
>
> Top secret NSA documents leaked by former government contractor Edward
> Snowden suggest an additional reason to ask for master encryption keys: they
> can aid bulk surveillance conducted through the spy agency's fiber taps.
>
> One of the leaked PRISM slides recommends that NSA analysts collect
> communications "upstream" of data centers operated by Apple, Microsoft,
> Google, Yahoo, and other Internet companies. That procedure relies on a FISA
> order requiring backbone providers to aid in "collection of communications on
> fiber cables and infrastructure as data flows past."
>
> Mark Klein, who worked as an AT&T technician for over 22 years, disclosed in
> 2006 (PDF) that he met with NSA officials and witnessed domestic Internet
> traffic being "diverted" through a "splitter cabinet" to secure room 641A in
> one of the company's San Francisco facilities. Only NSA-cleared technicians
> were allowed to work on equipment in the SG3 secure room, Klein said, adding
> that he was told similar fiber taps existed in other major cities.
>
> But an increasing amount of Internet traffic flowing through those fiber
> cables is now armored against surveillance using SSL encryption. Google
> enabled HTTPS by default for Gmail in 2010, followed soon after by
> Microsoft's Hotmail. Facebook enabled encryption by default in 2012. Yahoo
> now offers it as an option.
>
> "Strongly encrypted data are virtually unreadable," NSA director Keith
> Alexander told (PDF) the Senate earlier this year.
>
> Unless, of course, the NSA can obtain an Internet company's private SSL key.
> With a copy of that key, a government agency that intercepts the contents of
> encrypted communications has the technical ability to decrypt and peruse
> everything it acquires in transit, although actual policies may be more
> restrictive.
>
> One exception to that rule relies on a clever bit of mathematics called
> perfect forward secrecy. PFS uses temporary individual keys, a different one
> for each encrypted Web session, instead of relying on a single master key.
> That means even a government agency with the master SSL key and the ability
> to passively eavesdrop on the network can't decode private communications.
>
> Google is the only major Internet company to offer PFS, though Facebook is
> preparing to enable it by default.
>
> Even PFS isn't complete proof against surveillance. It's possible to mount a
> more advanced attack, sometimes called a man-in-the-middle or active attack,
> and decode the contents of the communications.
>
> A Wired article in 2010 disclosed that a company called Packet Forensics was
> marketing to government agencies a box that would do precisely that. (There
> is no evidence that the NSA performs active attacks as part of routine
> surveillance, and even those could be detected in some circumstances.)
>
> The Packet Forensics brochure said that government agencies would "have the
> ability to import a copy of any legitimate key they obtain (potentially by
> court order)." It predicted that agents or analysts will collect their "best
> evidence while users are lulled into a false sense of security afforded by
> Web, e-mail or VOIP encryption."
>
> With a few exceptions, even if communications in transit are encrypted,
> Internet companies typically do not encrypt e-mail or files stored in their
> data centers. Those remain accessible to law enforcement or the NSA through
> legal processes.
>
> Leaked NSA surveillance procedures, authorized by Attorney General Eric
> Holder, suggest that intercepted domestic communications are typically
> destroyed -- unless they're encrypted. If that's the case, the procedures
> say, "retention of all communications that are enciphered" is permissible.
>
> Valerie Caproni, who was the FBI's general counsel at the time this file
> photo was taken, told Congress that the government needs "individualized
> solutions" when "individuals who put encryption on their traffic."
>
> (Credit: Getty Images)
>
> It's not entirely clear whether federal surveillance law gives the U.S.
> government the authority to demand master encryption keys from Internet
> companies.  "That's an unanswered question," said Jennifer Granick, director
> of civil liberties at Stanford University's Center for Internet and Society.
> "We don't know whether you can be compelled to do that or not."
>
> The government has attempted to use subpoenas to request copies of encryption
> keys in some cases, according to one person familiar with the requests.
> Justice Department guidelines say subpoenas may be used to obtain information
> "relevant" to an investigation, unless the request is "unreasonably
> burdensome."
>
> "I don't know anyone who would turn it over for a subpoena," said an attorney
> who represents Internet companies but has not fielded requests for encryption
> keys. Even a wiretap order in a criminal case would be insufficient, but a
> FISA order might be a different story, the attorney said. "I'm sure there's
> some logic in collecting the haystack."
>
> Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation,
> challenged the notion that current law hands the government the power to
> demand master encryption keys. Even with a FISA order for the private key,
> Opsahl said, the amount of technical assistance that a company must provide
> to the NSA or other federal agencies "has a limit."
>
> Federal and state law enforcement officials have previously said encrypted
> communications were beginning to pose an obstacle to lawful surveillance.
> Valerie Caproni, the FBI's general counsel at the time, told a congressional
> hearing in 2011, according to a transcript:
>
>  Encryption is a problem, and it is a problem that we see for certain
> providers... For individuals who put encryption on their traffic, we
> understand that there would need to be some individualized solutions if we
> get a wiretap order for such persons... We are suggesting that if the
> provider has the communications in the clear and we have a wiretap order,
> that the provider should give us those communications in the clear.
>
> "One of the biggest problems with compelling the [private key] is it gives
> you access to not just the target's communications, but all communications
> flowing through the system, which is exceedingly dangerous," said Stanford's
> Granick.
>
> Update, 11:40 a.m. PT: Adds additional comments from a Facebook
> representative saying the company has not received such requests.
>
> Disclosure: McCullagh is married to a Google employee not involved with this
> issue.




From rsw at jfet.org  Fri Jul 26 11:26:58 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Fri, 26 Jul 2013 14:26:58 -0400
Subject: Feds put heat on Web firms for master encryption keys
In-Reply-To: <20130726141057.GA30797@netbook.cypherspace.org>
References: <20130725091922.GX29404@leitl.org>
 <CAGUkT8YouTP96a-8NLc4vPFtaSPrsbnhVp_-GTHObpB1pwo8+A@mail.gmail.com>
 <20130726141057.GA30797@netbook.cypherspace.org>
Message-ID: <20130726182658.GA9649@jfet.org>

Adam Back <adam at cypherspace.org> wrote:
> Forward secrecy is a good step, and its confusing why not everyone is using
> it.

At a guess, I'd say a mix of laziness, inconsistent (client and server)
software support, and worries about additional CPU overhead.

Really high traffic sites are incentivized to use the least resource
intensive SSL algorithms they can, and generally speaking the forward
secrecy algorithms take more CPU time and more entropy for key exchange.
How many web servers these days are running on VMs like AWS where
entropy is a precious resource?

Apache 2.2 and earlier, without specific patches, didn't support forward
secrecy for a majority of browsers. I had to pull Apache 2.4 out of Sid
on the cpunks.org machine to get forward secrecy working with all modern
browsers.

Speaking of browsers, there are still a huge number of really old
browsers out there that won't or can't (corporate policy, et cetera) be
updated any time in the near future. Turning off non-FS algos breaks SSL
for a *lot* of people.

Oh, and don't forget, OpenSSL 0.98(ish) and before didn't support the FS
algorithms. So the many servers where OpenSSL isn't getting upgraded any
time soon can't do it either.

Even if you do happen to have a conforming version of the appropriate
software server-side, you've still got to worry about actually setting
up the key order preferences appropriately. Few if any vendors are
shipping default configs that enable FS.

At least this last one is something we stand a chance of changing,
though: perhaps a start would be to submit bugs against the web server
packages from the usual suspects (debian et al) asking them to turn on
forward secrecy by default?

-=rsw




From bill.stewart at pobox.com  Fri Jul 26 14:43:33 2013
From: bill.stewart at pobox.com (Bill Stewart)
Date: Fri, 26 Jul 2013 14:43:33 -0700
Subject: [zs-p2p] Forward Secrecy
In-Reply-To: <51F13523.1020704@zerostate.is>
References: <CAD2Ti2_xhWpP2p+7fRhq54VAhNdGSJ7u96odmWPJqCv6kBDdAQ@mail.gmail.com>
 <51F13523.1020704@zerostate.is>
Message-ID: <20130726214339.1668DCCD4@a-pb-sasl-quonix.pobox.com>

At 07:24 AM 7/25/2013, Bryce Lynch wrote:
> > Yet note, Dec, a provider simply logging the session keys is 
> still possible.
>On the server side, or in their production networks?

A web server (or SSL box in front of a web server) could 
theoretically log session keys, even with "Perfect" Forward Secrecy.
After all, both ends of the Diffie-Hellman exchange do get the actual 
shared session key (which is the point of the exchange :-), and it 
would be possible to save it in addition to using it.  From a 
security perspective, it'd be a really bad idea to do so, and AFAICT 
there's no useful business purpose for doing so, and you're not going 
to be able to pay Peter Gutman enough to modify OpenSSL to do that, 
but one of the fun things about security of open source software is 
that the some miscreant could easily do it themselves, using the 
modules that are already available, and position it as a "feature" 
that lets you support efficient load-balancing across multiple web 
servers in a single session, with an "auditing" or "debugging" 
feature to let you be sure the load-balancing is implemented 
successfully in your cloud.  (And oops, the UI feature that turns off 
debugging didn't get implemented in this sprint.)




From adam at cypherspace.org  Fri Jul 26 07:10:57 2013
From: adam at cypherspace.org (Adam Back)
Date: Fri, 26 Jul 2013 16:10:57 +0200
Subject: Feds put heat on Web firms for master encryption keys
In-Reply-To: <CAGUkT8YouTP96a-8NLc4vPFtaSPrsbnhVp_-GTHObpB1pwo8+A@mail.gmail.com>
References: <20130725091922.GX29404@leitl.org>
 <CAGUkT8YouTP96a-8NLc4vPFtaSPrsbnhVp_-GTHObpB1pwo8+A@mail.gmail.com>
Message-ID: <20130726141057.GA30797@netbook.cypherspace.org>

I suspect the companies cleverly saying they do not give keys are giving
account access or emails directly, and just engaging in misleading PR spin. 
There's a lot of it been going on lately and people are seemingly niave
about reading PR spin.  (Push vs pull access to data under blanket FISA blah
blah, right).

Basically the defacto behavior of justice system supoenas for ISPs is that
they'll try to get anything you have, and they'll even try to get things
they are legally prohibited from getting.  So your best bet is to not have
anything useful to give.

Like "zero-knowledge" (spider oak, mozy online backup) meaning end2end
secure so only the user has the keys and the ISP holds cyphertext.

I do think asking for the server keys is too far, probably contravenes
multiple laws, and is ridiculously intrusive - giving access to everything.

Forward secrecy is a good step, and its confusing why not everyone is using
it.  Google apparently is.  Others not so much.  People have been talking
about that since early 1990s.  Still not prefering or enforcing forward
secret ciphersuite, seriously?

Probably time to deprecate HTTP (in favor of HTTPS) and deprecate
non-forward-secret ciphersuites, to a should-not or whathave you
(implementations might implement but must warn).

ps Pretty cool to see cypherpunks list back in action.  And first post I
read was John Youngs longer dense poetic post.  Just like old times :)

Adam

On Fri, Jul 26, 2013 at 01:46:02PM +0100, Karel Bílek wrote:
>this is fucking disgusting
>
>(I am sorry, I had to say that)
>
>why do the big US companies bother with encryption anymore...
>
>On Thu, Jul 25, 2013 at 10:19 AM, Eugen Leitl <eugen at leitl.org> wrote:
>>
>> (See also https://en.wikipedia.org/wiki/Convergence_(SSL) )
>>
>> http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/
>>
>> Feds put heat on Web firms for master encryption keys
>>
>> Whether the FBI and NSA have the legal authority to obtain the master keys
>> that companies use for Web encryption remains an open question, but it hasn't
>> stopped the U.S. government from trying.
>>
>> Declan McCullagh by Declan McCullagh  July 24, 2013 4:00 AM PDT
>>
>> Large Internet companies have resisted the government's demands for
>> encryption keys requests on the grounds that they go beyond what the law
>> permits, according to one person who has dealt with these attempts.
>>
>> (Credit: Declan McCullagh)
>>
>> The U.S. government has attempted to obtain the master encryption keys that
>> Internet companies use to shield millions of users' private Web
>> communications from eavesdropping.
>>
>> These demands for master encryption keys, which have not been disclosed
>> previously, represent a technological escalation in the clandestine methods
>> that the FBI and the National Security Agency employ when conducting
>> electronic surveillance against Internet users.
>>
>> If the government obtains a company's master encryption key, agents could
>> decrypt the contents of communications intercepted through a wiretap or by
>> invoking the potent surveillance authorities of the Foreign Intelligence
>> Surveillance Act. Web encryption -- which often appears in a browser with a
>> HTTPS lock icon when enabled -- uses a technique called SSL, or Secure
>> Sockets Layer.
>>
>> "The government is definitely demanding SSL keys from providers," said one
>> person who has responded to government attempts to obtain encryption keys.
>> The source spoke with CNET on condition of anonymity.
>>
>> The person said that large Internet companies have resisted the requests on
>> the grounds that they go beyond what the law permits, but voiced concern that
>> smaller companies without well-staffed legal departments might be less
>> willing to put up a fight. "I believe the government is beating up on the
>> little guys," the person said. "The government's view is that anything we can
>> think of, we can compel you to do."
>>
>> A Microsoft spokesperson would not say whether the company has received such
>> requests from the government. But when asked whether Microsoft would turn
>> over a master key used for Web encryption or server-to-server e-mail
>> encryption, the spokesperson replied: "No, we don't, and we can't see a
>> circumstance in which we would provide it."
>>
>> Google also declined to disclose whether it had received requests for
>> encryption keys. But a spokesperson said the company has "never handed over
>> keys" to the government, and that it carefully reviews each and every
>> request. "We're sticklers for details -- frequently pushing back when the
>> requests appear to be fishing expeditions or don't follow the correct
>> process," the spokesperson said.
>>
>> Sarah Feinberg, a spokeswoman for Facebook, said that her employer has not
>> received requests for encryption keys from the U.S. government or other
>> governments. In response to a question about divulging encryption keys,
>> Feinberg said: "We have not, and we would fight aggressively against any
>> request for such information."
>>
>> Apple, Yahoo, AOL, Verizon, AT&T, Opera Software's Fastmail.fm, Time Warner
>> Cable, and Comcast declined to respond to queries about whether they would
>> divulge encryption keys to government agencies.
>>
>> Encryption used to armor Web communications was largely adopted not because
>> of fears of NSA surveillance -- but because of the popularity of open,
>> insecure Wi-Fi networks. The "Wall of Sheep," which highlights passwords
>> transmitted over networks through unencrypted links, has become a fixture of
>> computer security conventions, and Internet companies began adopting SSL in
>> earnest about three years ago.
>>
>> "The requests are coming because the Internet is very rapidly changing to an
>> encrypted model," a former Justice Department official said. "SSL has really
>> impacted the capability of U.S. law enforcement. They're now going to the
>> ultimate application layer provider."
>>
>> An FBI spokesman declined to comment, saying the bureau does not "discuss
>> specific strategies, techniques and tools that we may use."
>>
>> NSA director Keith Alexander, shown here at a Washington, D.C. event this
>> month, has said that encrypted data are "virtually unreadable."
>>
>> (Credit: Getty Images)
>>
>> Top secret NSA documents leaked by former government contractor Edward
>> Snowden suggest an additional reason to ask for master encryption keys: they
>> can aid bulk surveillance conducted through the spy agency's fiber taps.
>>
>> One of the leaked PRISM slides recommends that NSA analysts collect
>> communications "upstream" of data centers operated by Apple, Microsoft,
>> Google, Yahoo, and other Internet companies. That procedure relies on a FISA
>> order requiring backbone providers to aid in "collection of communications on
>> fiber cables and infrastructure as data flows past."
>>
>> Mark Klein, who worked as an AT&T technician for over 22 years, disclosed in
>> 2006 (PDF) that he met with NSA officials and witnessed domestic Internet
>> traffic being "diverted" through a "splitter cabinet" to secure room 641A in
>> one of the company's San Francisco facilities. Only NSA-cleared technicians
>> were allowed to work on equipment in the SG3 secure room, Klein said, adding
>> that he was told similar fiber taps existed in other major cities.
>>
>> But an increasing amount of Internet traffic flowing through those fiber
>> cables is now armored against surveillance using SSL encryption. Google
>> enabled HTTPS by default for Gmail in 2010, followed soon after by
>> Microsoft's Hotmail. Facebook enabled encryption by default in 2012. Yahoo
>> now offers it as an option.
>>
>> "Strongly encrypted data are virtually unreadable," NSA director Keith
>> Alexander told (PDF) the Senate earlier this year.
>>
>> Unless, of course, the NSA can obtain an Internet company's private SSL key.
>> With a copy of that key, a government agency that intercepts the contents of
>> encrypted communications has the technical ability to decrypt and peruse
>> everything it acquires in transit, although actual policies may be more
>> restrictive.
>>
>> One exception to that rule relies on a clever bit of mathematics called
>> perfect forward secrecy. PFS uses temporary individual keys, a different one
>> for each encrypted Web session, instead of relying on a single master key.
>> That means even a government agency with the master SSL key and the ability
>> to passively eavesdrop on the network can't decode private communications.
>>
>> Google is the only major Internet company to offer PFS, though Facebook is
>> preparing to enable it by default.
>>
>> Even PFS isn't complete proof against surveillance. It's possible to mount a
>> more advanced attack, sometimes called a man-in-the-middle or active attack,
>> and decode the contents of the communications.
>>
>> A Wired article in 2010 disclosed that a company called Packet Forensics was
>> marketing to government agencies a box that would do precisely that. (There
>> is no evidence that the NSA performs active attacks as part of routine
>> surveillance, and even those could be detected in some circumstances.)
>>
>> The Packet Forensics brochure said that government agencies would "have the
>> ability to import a copy of any legitimate key they obtain (potentially by
>> court order)." It predicted that agents or analysts will collect their "best
>> evidence while users are lulled into a false sense of security afforded by
>> Web, e-mail or VOIP encryption."
>>
>> With a few exceptions, even if communications in transit are encrypted,
>> Internet companies typically do not encrypt e-mail or files stored in their
>> data centers. Those remain accessible to law enforcement or the NSA through
>> legal processes.
>>
>> Leaked NSA surveillance procedures, authorized by Attorney General Eric
>> Holder, suggest that intercepted domestic communications are typically
>> destroyed -- unless they're encrypted. If that's the case, the procedures
>> say, "retention of all communications that are enciphered" is permissible.
>>
>> Valerie Caproni, who was the FBI's general counsel at the time this file
>> photo was taken, told Congress that the government needs "individualized
>> solutions" when "individuals who put encryption on their traffic."
>>
>> (Credit: Getty Images)
>>
>> It's not entirely clear whether federal surveillance law gives the U.S.
>> government the authority to demand master encryption keys from Internet
>> companies.  "That's an unanswered question," said Jennifer Granick, director
>> of civil liberties at Stanford University's Center for Internet and Society.
>> "We don't know whether you can be compelled to do that or not."
>>
>> The government has attempted to use subpoenas to request copies of encryption
>> keys in some cases, according to one person familiar with the requests.
>> Justice Department guidelines say subpoenas may be used to obtain information
>> "relevant" to an investigation, unless the request is "unreasonably
>> burdensome."
>>
>> "I don't know anyone who would turn it over for a subpoena," said an attorney
>> who represents Internet companies but has not fielded requests for encryption
>> keys. Even a wiretap order in a criminal case would be insufficient, but a
>> FISA order might be a different story, the attorney said. "I'm sure there's
>> some logic in collecting the haystack."
>>
>> Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation,
>> challenged the notion that current law hands the government the power to
>> demand master encryption keys. Even with a FISA order for the private key,
>> Opsahl said, the amount of technical assistance that a company must provide
>> to the NSA or other federal agencies "has a limit."
>>
>> Federal and state law enforcement officials have previously said encrypted
>> communications were beginning to pose an obstacle to lawful surveillance.
>> Valerie Caproni, the FBI's general counsel at the time, told a congressional
>> hearing in 2011, according to a transcript:
>>
>>  Encryption is a problem, and it is a problem that we see for certain
>> providers... For individuals who put encryption on their traffic, we
>> understand that there would need to be some individualized solutions if we
>> get a wiretap order for such persons... We are suggesting that if the
>> provider has the communications in the clear and we have a wiretap order,
>> that the provider should give us those communications in the clear.
>>
>> "One of the biggest problems with compelling the [private key] is it gives
>> you access to not just the target's communications, but all communications
>> flowing through the system, which is exceedingly dangerous," said Stanford's
>> Granick.
>>
>> Update, 11:40 a.m. PT: Adds additional comments from a Facebook
>> representative saying the company has not received such requests.
>>
>> Disclosure: McCullagh is married to a Google employee not involved with this
>> issue.




From grarpamp at gmail.com  Fri Jul 26 13:32:44 2013
From: grarpamp at gmail.com (grarpamp)
Date: Fri, 26 Jul 2013 16:32:44 -0400
Subject: Forward Secrecy
Message-ID: <CAD2Ti2-rFrQAJ2x_EsTkvGPF-tkO5-46YMx1nZDzOkQGv7y5Vw@mail.gmail.com>

>> Somehow I bet there will be a move to this rather soon.

> I have my doubts.  Newer SSL libraries have PFS support but whether or
> not admins or hosting providers will upgrade to them (or enable PFS
> ciphersuites) in a reasonable period of time remains to be seen.  For
> example, Dreamhost has no immediate plans to upgrade their server
> infrastructure to include releases of OpenSSL that support PFS.

It could be viewed as an interesting differentiator given the leaks in the
news. Who will, who won't? What's their motivation? And does it matter?

>> Yet note, Dec, a provider simply logging the session keys is still
>> possible.

> On the server side, or in their production networks?

>From the servers obviously, it's just another log item, master/session key...
openssl s_client -connect google.com:https -cipher ECDHE-RSA-AES256-GCM-SHA384
(leaving in the -no_ticket and not using -reconnect as some might not.)

>> Though much costlier for evil pursue that cheap route if there are
>> lots of small mail providers out there for people to use... who
>> says you have to use the big three, or cannot run a mail service?

> running a personal mail service is problematic today for several
> reasons.
> Firstly, the CPU power required to perform decent spam filtering is significant.

No, CPU is cheap and largely sits idle, particularly for limited nodes.

> it makes more sense to buy the services of a provider who factors that in.

You are your own provider, often protected by current provider law.
So run things, a mesh, a node, whatever might be of interest. Noting
whatever contract law you wish to recognize...

> Second, if your server is on a net in CONUS, it can be blackbagged.

As is no different than any other country.

> Third, antispam blacklists are notorious for deciding that an IP is hostile and blacklisting it

Then further develop heuristic science, markov windows, various
local classifiers and distributed consensus subscriptions, non
soley IP based things.

> this is why I stopped running my own, incidentally -
> fewer and fewer people were receiving mail from me

Stop chickening out and relying on sole services, complain according
to your inalienable rights, stay strong and force the market to
incorporate and honor distributed ones.

There's been talk of coordinating a next gen mix mail deployment, tor/i2p
nodes, etc... well those are already sunk costs, same as your own internet
connection is, so give them a domain and call it free/bitcoin email up to 25k
accounts per node. Today that's a few thousand nodes or 75mil people.
Much costlier to produce/demand session keys from 3k nodes around the
world than from say google's 10.

> A few of us have been testing Retroshare (http://retroshare.sf.net/)

Yes, people should openly publish invitations to their technology tests,
joining up in them to qualify the technologies and models would be a
good thing.

We need to break free of this simple 'get it all in one place' mentality.
Start signing your current apparrent node into a global DHT.
Start looking at things like diaspora.
Start distributing services.
Start using anonymization and encryption by default.




From grarpamp at gmail.com  Fri Jul 26 13:52:02 2013
From: grarpamp at gmail.com (grarpamp)
Date: Fri, 26 Jul 2013 16:52:02 -0400
Subject: Feds put heat on Web firms for master encryption keys
In-Reply-To: <20130726182658.GA9649@jfet.org>
References: <20130725091922.GX29404@leitl.org>
 <CAGUkT8YouTP96a-8NLc4vPFtaSPrsbnhVp_-GTHObpB1pwo8+A@mail.gmail.com>
 <20130726141057.GA30797@netbook.cypherspace.org>
 <20130726182658.GA9649@jfet.org>
Message-ID: <CAD2Ti2863k5dzm09iqYn7Nr9pkZSQNTC8QnD7kVXFC=xQ3HcUg@mail.gmail.com>

> inconsistent (client and server) software support

This is taken care of by preferences. Set the highest you
are able to support and keep pushing it higher. Clients do
the same. It's negotiable preferences, no flag days, everyone
wins.

> At a guess, I'd say a mix of laziness,
> and worries about additional CPU overhead.

These are more common.

> I had to pull Apache 2.4 out of Sid

Unfortunately port/package repos can be a bit behind
state of the art. Locally... untar ; ./configure ; make
is not that hard to learn.

> corporate policy

If only as to doing mandated things like TLS termination and DPI.

> Turning off non-FS algos breaks SSL for a *lot* of people.

Set preferences, not hard cutoffs.

> So the many servers where OpenSSL isn't getting upgraded any
> time soon can't do it either.

I've only found compiling new software on old systems to be
a problem like this. ie: 1.0.1 won't compile on them. I grant that
it can be hard to migrate off old platforms.

> submit bugs against the web server packages from the usual
> suspects (debian et al) asking them to turn on forward secrecy
> by default?

Legitimately squeaky wheels get greased first.




From rsw at jfet.org  Fri Jul 26 14:04:23 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Fri, 26 Jul 2013 17:04:23 -0400
Subject: Feds put heat on Web firms for master encryption keys
In-Reply-To: <CAD2Ti2863k5dzm09iqYn7Nr9pkZSQNTC8QnD7kVXFC=xQ3HcUg@mail.gmail.com>
References: <20130725091922.GX29404@leitl.org>
 <CAGUkT8YouTP96a-8NLc4vPFtaSPrsbnhVp_-GTHObpB1pwo8+A@mail.gmail.com>
 <20130726141057.GA30797@netbook.cypherspace.org>
 <20130726182658.GA9649@jfet.org>
 <CAD2Ti2863k5dzm09iqYn7Nr9pkZSQNTC8QnD7kVXFC=xQ3HcUg@mail.gmail.com>
Message-ID: <20130726210423.GA13070@jfet.org>

grarpamp <grarpamp at gmail.com> wrote:
> Unfortunately port/package repos can be a bit behind
> state of the art. Locally... untar ; ./configure ; make
> is not that hard to learn.

I have no problem with building anything and everything on my own if I
have to, and I've done Linux From Scratch before, but there is an
*immediate* increase in maintenance headache associated with breaking
out of the package manager, especially in distributions like debian
where there isn't much of a premium on flexibility.

But in the worst case, yes, of course!

> > So the many servers where OpenSSL isn't getting upgraded any
> > time soon can't do it either.
> 
> I've only found compiling new software on old systems to be
> a problem like this. ie: 1.0.1 won't compile on them. I grant that
> it can be hard to migrate off old platforms.

I've done some godawful things before like build new versions of libc
and run chrooted out of my homedir on machines with outdated software.
It is doable, but it is very painful.

There are plenty of tools that make this a lot easier, though: you can
use vagrant to painlessly get a modern distribution running inside
VirtualBox, assuming you can get the latter running on your machine.
These approaches aren't particularly high performance, but we're
obviously optimizing for something else in this case.

> Legitimately squeaky wheels get greased first.

Provide a patch with your bug report. Never underestimate the power of
an easily-closed ticket.

-=rsw




From rvh40 at insightbb.com  Fri Jul 26 14:31:20 2013
From: rvh40 at insightbb.com (Randall Webmail)
Date: Fri, 26 Jul 2013 17:31:20 -0400 (EDT)
Subject: Feds put heat on Web firms for master encryption keys
In-Reply-To: <20130726141057.GA30797@netbook.cypherspace.org>
Message-ID: <78302349.171763.1374874280657.JavaMail.root@md13.insight.synacor.com>

From: "Adam Back" <adam at cypherspace.org>

>ps Pretty cool to see cypherpunks list back in action.  And first post I
>read was John Youngs longer dense poetic post.  Just like old times :)

It is often difficult to tell what JYA says, but it is never hard
to tell what he means.




From grarpamp at gmail.com  Fri Jul 26 15:12:42 2013
From: grarpamp at gmail.com (grarpamp)
Date: Fri, 26 Jul 2013 18:12:42 -0400
Subject: SSLegance
In-Reply-To: <51F2B8DA.6070101@gmail.com>
References: <CAFv7Oijz0yvbbPsz2BQDXGD3wzrxkax=r++YLwwzQEQRjCkChg@mail.gmail.com>
 <20130726122744.GH27178@hexapodia.org>
 <CAFv7Oiirasi1HYp1bAd8PCyYabTVtsnKcOyfcOZpEca2kU8dRQ@mail.gmail.com>
 <51F2B8DA.6070101@gmail.com>
Message-ID: <CAD2Ti29N7quygkQ01OpHqtmkOXaOCFi7FNpjcrh0+Ps2ObsttQ@mail.gmail.com>

> TOFU... It's used for SSH iirc, though I could be wrong.

No, you're right. That that single, assumed to be legitimate,
and first introduced key, is trusted and used for all subsequent
encounters. Any later unvalidated change in key would indicate
suspect brokenness. Authentication of said former key, via any
particular mechanism, is a secondary bonus.

For instance, you may first check mail to a given fingerprint
gets you to the mail/context you expect. Then a web search
of that fingerprint may yield independent bloggers affirming their
similar expierience, then some reasonable trust of that
key is established.

Though it is encouraged that such lone keys be signed
by some web of trust that you can then reach. This new
environment of weak CA's will, in hope, yield a stronger
more articulated sense of what we all are signing for
each other.




From grarpamp at gmail.com  Fri Jul 26 16:56:49 2013
From: grarpamp at gmail.com (grarpamp)
Date: Fri, 26 Jul 2013 19:56:49 -0400
Subject: SSLegance
In-Reply-To: <1D5CB4EE-CB33-471B-B6D9-FBA0C4819B00@datavibe.net>
References: <CAFv7Oijz0yvbbPsz2BQDXGD3wzrxkax=r++YLwwzQEQRjCkChg@mail.gmail.com>
 <20130726122744.GH27178@hexapodia.org>
 <CAFv7Oiirasi1HYp1bAd8PCyYabTVtsnKcOyfcOZpEca2kU8dRQ@mail.gmail.com>
 <51F2B8DA.6070101@gmail.com>
 <CAD2Ti29N7quygkQ01OpHqtmkOXaOCFi7FNpjcrh0+Ps2ObsttQ@mail.gmail.com>
 <1D5CB4EE-CB33-471B-B6D9-FBA0C4819B00@datavibe.net>
Message-ID: <CAD2Ti28TPQYDkn+w2QRXpngQDnJxC868D178M_1iKAf-q2J9zA@mail.gmail.com>

> This does nothing for the case of "server gives their keys to the feds"

Can SSH operate in ephemeral mode?

> is active MITM a big enough threat that we need to be worrying
> about it other than in airports and hotels?

Recent news apparently confirms that 'cooperating' with large
adversaries centrally is apparently easier and less costly than
those same entities screwing around in the wiring closets of
such random local places against specific targets.




From gfoster at entersection.org  Fri Jul 26 21:06:36 2013
From: gfoster at entersection.org (Gregory Foster)
Date: Fri, 26 Jul 2013 23:06:36 -0500
Subject: EFF presentation at SIGINT
Message-ID: <51F3474C.9060509@entersection.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

EFF (Jul 5) - "The Politics of Surveillance: Understanding the
National Security Agency" by @RaineyReitman:
http://www.youtube.com/watch?v=OESf9y-638k

Kudos to EFF for fighting the good fight, and kudos to Rainey for
synthesizing and presenting a lot of useful information.

Mentioned in the talk,

Freedom of the Press Foundation (Jul 2) - "Encryption Works: How to
Protect Your Privacy in the Age of NSA Surveillance" by @micahflee:
https://pressfreedomfoundation.org/encryption-works

gf

- -- 
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJR80dJAAoJEMaAACmjGtgj9PwP/2O6erOD9Zciwh1wEWe/RpAm
av4b9ZDQhcIwkMbCBKL7ptlKYe5lHIlTXqsrfdOJFRCekJYBoenKbyex2qHGi/S+
1w0C3Qc2CNtjsIOmynDGS2dNa6YeuaRvZkQZ/BkxG5VTV703+JafaCmS2+bGL3uD
oWdlbEgLIn/pGM8Hc0Epa7hsrkKt8CuQWSmqu74uuOtzUfCBYQ77/ojDlcOD/CG4
FQVNyB/PyrXXJKg/gPbhRxoWyEQ3DtfFE5/NwVKnpxCJmYeFQy3XV2ZRvGg63xat
m4e49c5irQy4MOsJ6eXCvCy+uWIp7/+ce1BFHVS2SxsdAjpsyT2ZnSi9XwGJ0nGd
mp9It1cbZ44N+NbrBOOC6nN3tzdFS/jbnaq2GKjnssRAamEdNG/2cYQUtK8EGtMd
nWy6rKuJwNxrk8IIqJFNaACPxyeEkhckkajKoUUJRqGOth7LDv0zZI8Y0mEU07OW
cZIIBr5KOn1PhPGbqNbPMJjba3cdBVAOauHmlFlWB/0vqv0x3fv8tUhji5hoZOgC
Vb2YyfcdkKcvu4m7iKkLOXtLdbwITmzC8iavYFcrurUh3jdvDNcr4aw2+gJFeFBR
p/+yMSfb29hW2/5G3QZUNK24+eFAsiGaUG7XFgS480PvTJV0fFxFDzkW0KTFx9qF
vbug+icoNC2cBwG1Ju3o
=gnIq
-----END PGP SIGNATURE-----




From grarpamp at gmail.com  Fri Jul 26 20:22:01 2013
From: grarpamp at gmail.com (grarpamp)
Date: Fri, 26 Jul 2013 23:22:01 -0400
Subject: Fwd: Goldbug.sf.net - Secure Multi-Crypto-Messenger v0.1 released
In-Reply-To: <CAEvNM8m7ESgs8uG=3X5jDoSU17_YOYB4nP8-qZ3myySjw593Lg@mail.gmail.com>
References: <CAEvNM8m7ESgs8uG=3X5jDoSU17_YOYB4nP8-qZ3myySjw593Lg@mail.gmail.com>
Message-ID: <CAD2Ti2_WWuPtDd0EpT+n=-HPg5T_x_52yNXK604ovFxWuVExKw@mail.gmail.com>

This was bcc'd to me for some unknown reason.
Kicking it over to a somewhat more appropriate destination.


---------- Forwarded message ----------
From: Randolph D. <rdohm321 at gmail.com>
Date: 2013/7/26
Subject: Fwd: Goldbug.sf.net - Secure Multi-Crypto-Messenger v0.1 released
To: "Randolph D." <rdohm321 at gmail.com>


Does anyone know, if this tool is really secure?


Fwd:
>>>
   DOWNLOAD & PRESS RELEASE 2013-07-27 - English / Deutsch weiter unten

  _____       _     _ ____
 / ____|     | |   | |  _ \
| |  __  ___ | | __| | |_) |_   _  __ _
| | |_ |/ _ \| |/ _` |  _ <| | | |/ _` |
| |__| | (_) | | (_| | |_) | |_| | (_| |  GoldBug.sf.net
 \_____|\___/|_|\__,_|____/ \__,_|\__, |
                                   __/ |
                                  |___/

TITLE:
GoldBug.sf.net: Secure Instant Messenger V0.1 has been released -
with p2p Email and decentral IRC public chat

DOWNLOAD:
https://sourceforge.net/projects/goldbug/files/?source=navbar

SHORTY:
While today thousands of members of the Stop-Watching-Us initiative
against surveillance programs like PRISM demonstrated in several
cities all around the globe, the EFF in conjunction with the Chaos
Computer Club announced a new secure Instant Messenger called:
GoldBug.sf.net (http://goldbug.sf.net)
Next to chat as well a serverless Email-System and public IRC-Chat has
been introduced with Multi-Encryption: a kind of PGP secured with AES
over SSL. The new protocol driving this is called "Echo" and has many
potentials to be deployed as well for further secure and anonymous
communication applications.
Some net communities already call it the Neuland Messenger due to the
Font Name of the Logo.


DESCRIPTION:

StopWatching.Us [3] is the initiative half a million web users have
signed due to the mass-surveillance programs like PRISM in USA;
TEMPORA in Great Britain, MICS in France and XKEYSCORE Software as
well deployed e.g. in Germany. While the governments are powerless in
regard to prevent foreign agencies to grab internet-line data and to
protect their citizens' privacy, the end-users themself are forced to
encrypt their communication and stand up for their Human
Rights.Thousands of facebook [4] and twitter [5] members declared to
demonstrate on the streets on (last) Saturday, July 27, in many
decentral cities.

As well at this date, the first release of the Secure Instant
Messenger GoldBug (http://goldbug.sf.net)  has been announced. It uses
multi-encryption (a kind of PGP secured with AES over SSL) based on
the new echo protocol. While Mega´s "Spy-proof Email" [6] and Pirate
Bay Founder´s "Hemlis Mobile Chat" [7] still play around at
crypto-parties to find the right development, the open-source project
"GoldBug" has chosen the crypto-library "Lib-Spot-On v. 0.1" (based on
libGcrypt).

The project brought out not only a secure, beautiful and easy to use
messenger, but also a new peer protocol behind it: The Echo Protocol.
The so called "Echo" creates a peer-2-peer (p2p), respective
friend-2-friend (f2f) network, which sends every (strong encrypted)
data packet to everyone connected in that network to your node. When
you can decrypt the packet, it is yours and readable, if not, you
share it with all your connected neighbors. So far so simple.


Thinking other Protocols like Jabber, IRC, Torrent etc. based on the
Echo opens up a new perspective, as this new kind of Distant-Chat
currently shown in the GoldBug Chat Reference Model introduces a
detachment with IP addresses and Private/Public Encryption Keys. The
Echo Modus can be half or full: half means, to create a dedicated line
to your neighbor, and the Echo stops there: Messages are not shared in
the half modus. This creates a Web-of-Trust (friend-to-friend)-network
within a p2p network (and not vice versa), which is not detectable -
as the user defines at each node how to utilize the Echo. This creates
a new view on trust and enables a plausible deniability of having ever
utilized a Web of Trust (WoT). An important point in times of
100%-surveillance and data retention tracking over several, but stable
line-hops.

While for example RetroShare [8] as anonymous, decentral network is a
good practice model for a Web of Trust, in a Web of Trust with added
echo the user can disconnect from the neighbour while keeping the
trust and communication - based on the encryption-key (so called
"REPLEO") e.g. shown in the GoldBug Messenger Application. Next to
chat as well a serverless Email-System and public IRC-Chat has been
inlcuded with the GoldBug-release based on the echo protocol and
deployed by the Library Libspoton.

How the communities of other apps and protocols will evaluate, discuss
and test and maybe adopt the security features of the echo protocol,
will be shown by some next hybrid applications - and who knows, maybe
the Hemlis-Mobile application or the new secure email systems like
BitMail [9] or StartMail [10]  announced by IXQUICK will integrate the
echo as well.


WHY THE NAME:
GoldBug was the title of a short story of Edgar Allan Poe about
cryptograms in 1843. In the short story Mr. LeGrand, who was recently
bitten by a gold-colored bug, starts an adventure with two other
friends after deciphering a secret message. Poe took advantage of the
popularity of cryptography and the success of the story centers on one
such cryptogram. "The Gold-Bug" was an instant success and was the
most popular and most widely read of Poe's works during his lifetime.
It also helped to popularize cryptograms and secured writing. Even 150
Years later a still vaid approach due to the current events in this
time.


FEATURES:

# Instant Messenger Function: Direct Chat, Group Chat, Public Chat.

# the integrated Email Client enables encrypted communication without
the usage of a central server. You

can even email to offline-friends: other friends from you chace the
message for you until your friends

come online again.

# IPV6 Support: As IPV6 integrates the IP-Adress of the senders into
each Datapacket, you can drop this

with the Gemini-Feature of a detached communication.

# The so called Repleo-Feature based on the Echo-Protocols enables the
detachment of logged data

retention, that means Data Retention has a solution: a TTL+1 function
in an elastic network environment.

# Optional you can use furthermore the "GoldBug"-Feature, a kind of
password, a hybride-multi-encryption,

which integrates a kind of pgp with AES end to end encryption, which
offers new standards in regard to

Instant Messaging and the Agenda Setting of crypto parties.

# Hybrid, optional P2P and F2F Modi.

# Proxy Modus: Can run over Tor, 127.0.0.1. : 9150


The GoldBug logo uses the Neuland font: "Neuland is a German typeface
that was designed in 1923 by Rudolf Koch. It is often used today when
an “exotic” or “primitive” look is desired, such as the logos for the
Jurassic Park films", says Wikipedia. That has to be regarded just as
a coincidence, no one in the net community would ever have the view to
call it the Neuland Messenger or subscribe it to a person, e.g. like
Rudolf Koch.


WEBSITE:
http://goldbug.sourceforge.net
https://sourceforge.net/projects/goldbug/?source=navbar

DOWNLOAD:
https://sourceforge.net/projects/goldbug/files/?source=navbar

SOURCE:
http://spot-on.svn.sourceforge.net/viewvc/spot-on/?view=tar
(as well included in the GB windows installer for your convenience)
DEVELOPER-SVN:
svn checkout svn://svn.code.sf.net/p/spot-on/code/ spot-on-code
PROTOCOL-SIMULATION:
http://goldbug.sourceforge.net/img/bitmail.gif
Add this gadget to your bog or website - it describes, how the echo
protocol works.



References:
[01] http://goldbug.sourceforge.net
[02] https://sourceforge.net/projects/goldbug/?source=navbar
[03] https://optin.stopwatching.us/
[04] https://www.facebook.com/events/566858663364951/
[05] https://twitter.com/stopwatchingus
[06] http://torrentfreak.com/dotcoms-mega-debuts-spy-proof-messaging-this-summer-email-follows-130711/
[07] http://torrentfreak.com/pirate-bay-founder-announces-encrypted-nsa-proof-communication-apps-130710/
[08] http://retroshare.sourceforge.net/
[09] http://bitmail.sourceforge.net/
[10] https://beta.startmail.com/


>>>>>>>>>>>>>>>
GERMAN LANGUAGE / DEUTSCHE SPRACHE:

TITEL:
GoldBug.sf.net: Sicherer Messenger mit Multi-Crypto V0.1 veröffentlicht -
Auch p2p Email und dezentraler IRC Chat

DOWNLOAD:
https://sourceforge.net/projects/goldbug/files/?source=navbar

KURZ:
Während heute tausende von Mitgliedrn der Stop-Watching-Us Initiative
gegen Massen-Überwachungsprogramme wie PRISM in vielen Städten rund um
den Globus demonstrieren, hat die EFF in Verbindung mit dem CCC
mitgeteilt, dass es ein neues Sofortnachrichtenprogramm gibt mit dem
Namen GoldBug.sf.net (http://goldbug.sf.net) - zu Deutsch: Goldkäfer.

Neben dem Chat wird damit auch ein Email-System ohne zentralen Server
und ein öffentlicher IRC Chat vorgestellt mit Multi-Verschlüsselung
durch eine Art von PGP abgesichert mit den Verschlüsselungsstandards
AES über SSL. Das neue Protokoll, das dieses umsetzt, wird "Echo"
genannt und hat zahlreiche Potentiale auch für weitere sichere und
anonym eKommunikationsanwendungen genutzt zu werden. Einige
Netz-Gemeinschaften nennen das Programm inzwischen auch den
Neuland-Messenger.


BESCHREIBUNG:

StopWatching.Us [3] ist die Initiative, bei der mehr als eine halbe
Million Internetnutzer unterzeichnet haben und sich gehen
Massenüberwachungsprogramme wie PRISM in den USA, TEMPORA in
Großbritannien, MICS in Frankeich sowie der XKEYSCORE SOftware, die
ebenso auch in Deutschland angewandt wird.

Während die Regierungen kraftlos sind in bezug die jeweils
außländischen Agenturen davon abzuhalten, die Daten der
Internet-Leitungen abzugreifen und ihre Bürger entsprechend zu
schützen, sind die End-Nutzer auf sich selbst gestellt, ihre
Kommunikation zu verschlüsseln und für ihre Menschen- und Grundrechte
auf Privatheit aufzustehen.Tausende von Facebook [4] und Twitter [5]
Mitglieder erklärten, am (letzten) Samstag, 27. Juli, in den Straßen
von vielen dezentralen Städten demonstrieren zu wollen.Ebenso an
diesem Datum wurde die erste Veröffentlichung des Sicheren
Sofortnachrichten Programms /

INstant Messengers Golbug (http://goldbug.sf.net) bekannt gegeben. Es
nutzt eine Multi-Verschlüsselung (eine Art PGP mit zusätzlichem AES
und SSL Standard) basierend auf dem neuen Echo-Protokol.


Während für das "abhörsichere Email" von Mega [6] oder dem mobilen
"Hemlis Chat" [7] des TPB Gründers immer noch auf
Verschlüsselungsparties nach dem richtigen Entwicklungsansatz gesucht
wird, hat das quelloffene Project "GoldBug" die
Verschlüpsselungs-Bibliothek "Lib-Spot-On v. 0.1" (basierend auf
libGcrypt) ausgewählt.

Das Projet brachte nicht nur einen sicheren, schönen und einfach zu
nutzenden Chat Messenger heraus, sondern auch ein neues Peer-Protokol
dahinter: Das Echo-Protokol. Das sogenannte "Echo" erstellt ein
peer-zu-peer (p2p), respektive ein freund-zu-freund (f2f) netzwerk,
welches jedes (stark verschlüsselte) Datenpaket an jeden der
vorhandenen Kontaktknoten senden. Wenn das Datenpacket entschlüsselt
werden kann, ist es Deins, und es ist lesbar, wenn nicht, wird es
weiterhin mit  allen verbundenen Netzwerkknoten geteilt. Soweit so
einfach.

Andere Protokolle insbesondere der Kommuikation wie Jabber, IRC,
Torrent etc neu zu denken basierend auf dem Echo eröffnet ganz neue
Perspektiven, als dass diese neue Art einer Distanz-Kommunikation
derzeit  gezeigt in dem Forschungs- und Entwicklungsmodell Gold Bug
Chat eine neues Beziehungsgefüge von IP  Adressen und
privaten-öffentlichen Schlüsseln vorstellt. Der Echo-Modus kann halb
oder voll sein: Halb bedeutet, eine direkte Verbindung mit dem
Nachbarn herzustelen und das Echo stoppt dann auch dort: Nachrichten
werden nicht weiter geteilt in dem Halb-Modus. Somit wird ein
Vertrauensgeflecht, ein Web of Trust (WoT) inmitten eines
Peer-zu-Peer-Netzwerkes erstellt (und gerade nicht umgekehrt), das
nicht erkennbar ist, weil der Nutzer selbst definiert an jedem
Knotenpunkt, we er das Echo einsetzen möchte. Das ermöglicht eine neue
Sichtweise auf Vertrauen im Interner und eröffnet auch eine Plausible
Abstreitbarkeit ein Vertrauensnetzwerk (WoT) jemals eingesetzt zu
haben. Das kann ein bedeutender Punkt in Zeiten von
100-Prozent-Überwachung der Netzwerkkommunikation und der
Vorratsdatenspeicherung selbst über mehrer, aber stablile
Netzwerküberleitungen.


Während beispielsweise RetroShare [8] als anonymes und dezentrales
Netzwerk ein gutes Anwenderbeispiel für ein Vertrauensnetzwerk (Web of
Trust) ist, kann der Nutzer jedoch in einem Web of Trust mit
hinzugefügtem Echo sich vom Nachbarn abmelden, während die
Vertrauens-Signatur und die Kommunikatiosnfähigkeit erhalten bleibt -
basieren auf dem Verschlüsselungs-Code (so genanntes "Repleo") wie es
beispielsweise in der Anwendung GoldBug Messenger genutz wird.

Neben dem Chat is tauch ein dezentrales, severloses Email System und
ein öffentlicher IRC CHat in dem GoldBug Release integriert - ebenso
basierend auf dem Echo Protokol, das von der Bibliothel Lib-Spot-On
umgesetzt wird.

Wie nun die Netzgemeinden von anderen Applikationen und Protokollen
die Sicherheitsmerkmale und das Echo protokoll evaluieren,
diskutieren, testen und möglicherweise auch übernehmen, wir durch ggf.
entstehende Hybrid Applikationen gezeigt werden können. Und wer weiss,
möglicherweise werden die Hemlis-Mobilanwendung oder die neuen
sicheren Emailsysteme wie BitMail [9] oder StartMail [10], angekündigt
durch IXQUICK, das Echo ebenso integrieren.


WARUM DER NAME:
GoldBug wer der Title einer Kurzgeschichte von Edgar Allan Poe über
Cryptogramme im Jahr 1843. In der Geshichte startet Herr LeGrand, der
neulich von einem gold-farbenen Käfer gebissen wurde, ein Abenteuer
mit zwei weiteren Freunden - nachdem sie eine geheime Botschaft
entschlüsseln konnten.
Der Dichter Poe hat die Popularität von Verschlüsselung damals schon
verhergesehen und der Erfolg der Kurzgeschichte basiert auf der
Entschlüsselung eines solchen Kryptogramms. "Der GoldKäfer" war ein
sofortiger Erfolg and das am meisten populäre und von vielen
Bevölkerngsschichten gelesene Werk von Edgar Allan Poe während seiner
gesamten Lebenszeit. Es halt ebenso geholfen, die Verwendung von
Kryptogrammen und das Schreiben mit Verschlüsselungstechniken populär
zu machen. Auch 150 Jahre später ein gültoger Anspruch in Anbetracht
der derzeitigen Ereignisse in dieser Zeit.


FEATURES:

# Instant Messenger Function: Direct Chat, Group Chat, Public Chat.

# the integrated Email Client enables encrypted communication without
the usage of a central server. You

can even email to offline-friends: other friends from you chace the
message for you until your friends

come online again.

# IPV6 Support: As IPV6 integrates the IP-Adress of the senders into
each Datapacket, you can drop this

with the Gemini-Feature of a detached communication.

# The so called Repleo-Feature based on the Echo-Protocols enables the
detachment of logged data

retention, that means Data Retention has a solution: a TTL+1 function
in an elastic network environment.

# Optional you can use furthermore the "GoldBug"-Feature, a kind of
password, a hybride-multi-encryption,

which integrates a kind of pgp with AES end to end encryption, which
offers new standards in regard to

Instant Messaging and the Agenda Setting of crypto parties.

# Hybrid, optional P2P and F2F Modi.

# Proxy Modus: Can run over Tor, 127.0.0.1. : 9150


The GoldBug logo uses the Neuland font: "Neuland is a German typeface
that was designed in 1923 by Rudolf

Koch. It is often used today when an “exotic” or “primitive” look is
desired, such as the logos for the

Jurassic Park films", says Wikipedia. That has to be regarded just as
a coincidence, no one in the net

community would ever have the view to call it the Neuland Messenger or
subscribe it to a person, e.g.

like Rudolf Koch.


WEBSITE:
http://goldbug.sourceforge.net
https://sourceforge.net/projects/goldbug/?source=navbar

DOWNLOAD:
https://sourceforge.net/projects/goldbug/files/?source=navbar

SOURCE:
http://spot-on.svn.sourceforge.net/viewvc/spot-on/?view=tar
(as well included in the GB windows installer for your convenience)
DEVELOPER-SVN:
svn checkout svn://svn.code.sf.net/p/spot-on/code/ spot-on-code
PROTOCOL-SIMULATION:
http://goldbug.sourceforge.net/img/bitmail.gif
Add this gadget to your bog or website - it describes, how the echo
protocol works.



References:
[01] http://goldbug.sourceforge.net
[02] https://sourceforge.net/projects/goldbug/?source=navbar
[03] https://optin.stopwatching.us/
[04] https://www.facebook.com/events/566858663364951/
[05] https://twitter.com/stopwatchingus
[06] http://torrentfreak.com/dotcoms-mega-debuts-spy-proof-messaging-this-summer-email-follows-130711/
[07] http://torrentfreak.com/pirate-bay-founder-announces-encrypted-nsa-proof-communication-apps-130710/
[08] http://retroshare.sourceforge.net/
[09] http://bitmail.sourceforge.net/
[10] https://beta.startmail.com/




From grarpamp at gmail.com  Fri Jul 26 21:47:34 2013
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 27 Jul 2013 00:47:34 -0400
Subject: EFF presentation at SIGINT
In-Reply-To: <51F3474C.9060509@entersection.org>
References: <51F3474C.9060509@entersection.org>
Message-ID: <CAD2Ti2-AnNVdnd8eUWZ4MvqBfnJUbPK=SaPxiZxMXe0yGRJSzA@mail.gmail.com>

> Mentioned in the talk,
>
> Freedom of the Press Foundation (Jul 2) - "Encryption Works: How to
> Protect Your Privacy in the Age of NSA Surveillance" by @micahflee:
> https://pressfreedomfoundation.org/encryption-works

Interesting to see the above 'Encryption works' quote making
the rounds.

Similarly interesting is this seemingly opposing (yet unattributed)
'Breakthrough' quote from a year ago (search references to
the word in the text)...

http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1




From rysiek at hackerspace.pl  Fri Jul 26 18:16:50 2013
From: rysiek at hackerspace.pl (rysiek)
Date: Sat, 27 Jul 2013 03:16:50 +0200
Subject: OHAI. Also: the shortest Internet censorship debate... EVAH
Message-ID: <2126172.UsFLPxO8sD@laptosid>

OHAI Cypherpunks,

I am new here, I am not however new to the topics discussed here. I was 
involved in many a thing related to privacy, anonymity, freedom of speech (and 
*after* speech), copyright reform, yadda, yadda, etc.

Aaanyway, I bring bad tidings from Poland: yesterday morning the Minister of 
Justice praised David Censormoron's plan to filter porn in the UK and 
suggested that maybe it should be implemented in Poland as well.

I also bring good tidings from Poland: yesterday evening Polish Prime Minister 
and the Minister of Administration and Digitization (you should get one of 
those in your country, they're great) strongly denounced any such ideas.

Hence, I have been involved in the shortest Internet porn censorship... ever:
http://rys.io/en/109

-- 
Pozdr
rysiek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130727/a48e54f8/attachment.sig>

From thomas at mich.com  Sat Jul 27 05:39:44 2013
From: thomas at mich.com (tz)
Date: Sat, 27 Jul 2013 08:39:44 -0400
Subject: SSLegance
In-Reply-To: <CAFv7Oiirasi1HYp1bAd8PCyYabTVtsnKcOyfcOZpEca2kU8dRQ@mail.gmail.com>
References: <CAFv7Oijz0yvbbPsz2BQDXGD3wzrxkax=r++YLwwzQEQRjCkChg@mail.gmail.com>
 <20130726122744.GH27178@hexapodia.org>
 <CAFv7Oiirasi1HYp1bAd8PCyYabTVtsnKcOyfcOZpEca2kU8dRQ@mail.gmail.com>
Message-ID: <CAFv7Oij05h-th6vrG-yC5mZFh6KLnc+06YxGhkMA3Lk4DLF=AQ@mail.gmail.com>

Perhaps the best way would be an indicator that PFS is active.

Think EV cert - they push that blue is safer than green.

If Chrome and Firefox and others simply would try PFS first and indicate in
a conspicuous way, like EA certs, that "you are safe but could be safer"
v.s. "Safest possible", it must help push adoption.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 368 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130727/d2c1cbc9/attachment.txt>

From thomas at mich.com  Sat Jul 27 16:42:54 2013
From: thomas at mich.com (tz)
Date: Sat, 27 Jul 2013 19:42:54 -0400
Subject: SSLegance
In-Reply-To: <CAHWD2r+-AyG_HnMv1Hk5SiL2OKXcKNMbcPoLo95KYaFEzPzJFw@mail.gmail.com>
References: <CAFv7Oijz0yvbbPsz2BQDXGD3wzrxkax=r++YLwwzQEQRjCkChg@mail.gmail.com>
 <20130726122744.GH27178@hexapodia.org>
 <CAFv7Oiirasi1HYp1bAd8PCyYabTVtsnKcOyfcOZpEca2kU8dRQ@mail.gmail.com>
 <CAFv7Oij05h-th6vrG-yC5mZFh6KLnc+06YxGhkMA3Lk4DLF=AQ@mail.gmail.com>
 <CAHWD2r+-AyG_HnMv1Hk5SiL2OKXcKNMbcPoLo95KYaFEzPzJFw@mail.gmail.com>
Message-ID: <CAFv7OihqjNpAt71DN_EVPrG3eM+ct_0ss474HOnvUOZ-NQxThg@mail.gmail.com>

There are two problems.

First, CA AND/OR ToFU, or notaries or some other kind of acceptance of the
certificates.  That is a large issue, but the CA model is broken.  It would
be even more convenient not to have to bother with any authentication,
encryption and passwords, but if we are going to bother with it, it may as
well be actually secure.  We need not trust them collectively - the
difficulty comes when there are lots of different certs from the same site,
but I might trust a google domain cert signed with a google signing cert
over one signed by diginotar.

Second, they generally don't escrow the ephemeral keys, but, if I
understand correctly, if the key exchange does not have perfect forward
secrecy, if the traffic is recorded, and the original private keys are
exposed (subpoenaed, hacked, broken) any session is as well.  Note that the
exposure of one private key unlocks ALL such recorded sessions.  This would
apply even if I generate my own keypair and private cert.

On Sat, Jul 27, 2013 at 5:56 PM, Lodewijk andré de la porte <l at odewijk.nl>wrote:

> What problem are we solving, exactly? No eavesdropping is simple enough.
> No MITM is not preventable without information known to come from the
> intended source. Presently we have "all knowers" called certificate
> authorities. We trust them as a collective not individually. Their security
> depending on their collective is a fatal mistake. The idea of an all-knower
> is very, very convenient for the design of these systems.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1766 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130727/4364b217/attachment.txt>

From l at odewijk.nl  Sat Jul 27 14:56:46 2013
From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=)
Date: Sun, 28 Jul 2013 00:56:46 +0300
Subject: SSLegance
In-Reply-To: <CAFv7Oij05h-th6vrG-yC5mZFh6KLnc+06YxGhkMA3Lk4DLF=AQ@mail.gmail.com>
References: <CAFv7Oijz0yvbbPsz2BQDXGD3wzrxkax=r++YLwwzQEQRjCkChg@mail.gmail.com>
 <20130726122744.GH27178@hexapodia.org>
 <CAFv7Oiirasi1HYp1bAd8PCyYabTVtsnKcOyfcOZpEca2kU8dRQ@mail.gmail.com>
 <CAFv7Oij05h-th6vrG-yC5mZFh6KLnc+06YxGhkMA3Lk4DLF=AQ@mail.gmail.com>
Message-ID: <CAHWD2r+-AyG_HnMv1Hk5SiL2OKXcKNMbcPoLo95KYaFEzPzJFw@mail.gmail.com>

What problem are we solving, exactly? No eavesdropping is simple enough. No
MITM is not preventable without information known to come from the intended
source. Presently we have "all knowers" called certificate authorities. We
trust them as a collective not individually. Their security depending on
their collective is a fatal mistake. The idea of an all-knower is very,
very convenient for the design of these systems.

Yet, is it required? Surely there must be a distributed, not decentralized*
approach that works to spread information with certainty.

The problem then lies with the link between the security record (signature,
proof of private key) and the name record (DNS). Simply signing the DNS
records would be enough, then the DNS records must be provided properly.
This is moving the problem. Yet, it is moving the problem to the DNS
provider, which also suffers from the centralization weakness that persists
in such decentralized arrangements.

Having a DHT in which several known friends are anchored might allow that
DHT to "vote" on the subject. Every node will accumulate the votes from its
trusted neighbors and vote on what the majority agrees on. Heuristic, but
typically functional. And we swat two flies with one blow. SDNS, (Secure
Distributed Name Server) a mapping from name to signed machine location
data.

In this future the overhead for security is as big as the signature for the
SDNS record, and the encryption and decryption on the data itself.

--Lewis

*the current approach defies the boundary between centralized and
decentralized. I believe that, in practice, we could better describe it as
centralized.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1819 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130728/e7e0d12f/attachment.txt>

From ericm at lne.com  Sun Jul 28 06:16:20 2013
From: ericm at lne.com (Eric Murray)
Date: Sun, 28 Jul 2013 06:16:20 -0700
Subject: Urea at NSA Utah Data Center
In-Reply-To: <E1V3QHf-0007aC-GK@elasmtp-kukur.atl.sa.earthlink.net>
References: <E1V3QHf-0007aC-GK@elasmtp-kukur.atl.sa.earthlink.net>
Message-ID: <51F519A4.4080907@lne.com>




On 07/28/2013 05:41 AM, John Young wrote:
> There are two spaces labeled "Urea Tank Room" in the NSA Utah
> Data Center's Generator Plant shown in construction drawings
> recently leaked:
> 
> http://cryptome.org/2013-info/07/nsa-utah-dc/nsa-utah-dc.htm

> 
> Urea is used in fuel cells. Are there other uses of urea in generator
> or data processing equipment?

It is used to clean diesel exhaust.

Eric




From jya at pipeline.com  Sun Jul 28 05:41:28 2013
From: jya at pipeline.com (John Young)
Date: Sun, 28 Jul 2013 08:41:28 -0400
Subject: Urea at NSA Utah Data Center
Message-ID: <E1V3QHf-0007aC-GK@elasmtp-kukur.atl.sa.earthlink.net>

There are two spaces labeled "Urea Tank Room" in the NSA Utah
Data Center's Generator Plant shown in construction drawings
recently leaked:

http://cryptome.org/2013-info/07/nsa-utah-dc/nsa-utah-dc.htm

See Generator Plant floor plan drawing 11.2 A101 at bottom and
top left, spaces labeled "UT."

Urea is used in fuel cells. Are there other uses of urea in generator
or data processing equipment?





From patrice at xs4all.nl  Sun Jul 28 00:47:11 2013
From: patrice at xs4all.nl (Patrice Riemens)
Date: Sun, 28 Jul 2013 09:47:11 +0200
Subject: <nettime> John Naughton: Edward Snowden's not the story. The fate of the
Message-ID: <mailman.4382.1575949048.62801.testlist@lists.cpunks.org>

original to:
http://www.guardian.co.uk/technology/2013/jul/28/edward-snowden-death-of-internet


Edward Snowden's not the story. The fate of the internet is
John Naughton
The Observer, Sunday 28 July 2013

The press has lost the plot over the Snowden revelations. The fact is that
the net is finished as a global network and that US firms' cloud services
cannot be trusted


Repeat after me: Edward Snowden is not the story. The story is what he has
revealed about the hidden wiring of our networked world. This insight
seems to have escaped most of the world's mainstream media, for reasons
that escape me but would not have surprised Evelyn Waugh, whose contempt
for journalists was one of his few endearing characteristics. The obvious
explanations are: incorrigible ignorance; the imperative to personalise
stories; or gullibility in swallowing US government spin, which brands
Snowden as a spy rather than a whistleblower.

In a way, it doesn't matter why the media lost the scent. What matters is
that they did. So as a public service, let us summarise what Snowden has
achieved thus far.

Without him, we would not know how the National Security Agency (NSA) had
been able to access the emails, Facebook accounts and videos of citizens
across the world; or how it had secretly acquired the phone records of
millions of Americans; or how, through a secret court, it has been able to
bend nine US internet companies to its demands for access to their users'
data.

Similarly, without Snowden, we would not be debating whether the US
government should have turned surveillance into a huge, privatised
business, offering data-mining contracts to private contractors such as
Booz Allen Hamilton and, in the process, high-level security clearance to
thousands of people who shouldn't have it. Nor would there be -- finally --
a serious debate between Europe (excluding the UK, which in these matters
is just an overseas franchise of the US) and the United States about where
the proper balance between freedom and security lies.

These are pretty significant outcomes and they're just the first-order
consequences of Snowden's activities. As far as most of our mass media are
concerned, though, they have gone largely unremarked. Instead, we have
been fed a constant stream of journalistic pap -- speculation about
Snowden's travel plans, asylum requests, state of mind, physical
appearance, etc. The "human interest" angle has trumped the real story,
which is what the NSA revelations tell us about how our networked world
actually works and the direction in which it is heading.

As an antidote, here are some of the things we should be thinking about as
a result of what we have learned so far.

The first is that the days of the internet as a truly global network are
numbered. It was always a possibility that the system would eventually be
Balkanised, ie divided into a number of geographical or
jurisdiction-determined subnets as societies such as China, Russia, Iran
and other Islamic states decided that they needed to control how their
citizens communicated. Now, Balkanisation is a certainty.

Second, the issue of internet governance is about to become _very_
contentious. Given what we now know about how the US and its satraps have
been abusing their privileged position in the global infrastructure, the
idea that the western powers can be allowed to continue to control it has
become untenable.

Third, as Evgeny Morozov has pointed out, the Obama administration's
"internet freedom agenda" has been exposed as patronising cant. "Today,"
he writes, "the rhetoric of the 'internet freedom agenda' looks as
trustworthy as George Bush's 'freedom agenda' after Abu Ghraib."

That's all at nation-state level. But the Snowden revelations also have
implications for you and me.

They tell us, for example, that no US-based internet company can be
trusted to protect our privacy or data. The fact is that Google, Facebook,
Yahoo, Amazon, Apple and Microsoft are all integral components of the US
cyber-surveillance system. Nothing, but nothing, that is stored in their
"cloud" services can be guaranteed to be safe from surveillance or from
illicit downloading by employees of the consultancies employed by the NSA.
That means that if you're thinking of outsourcing your troublesome IT
operations to, say, Google or Microsoft, then think again.

And if you think that that sounds like the paranoid fantasising of a
newspaper columnist, then consider what Neelie Kroes, vice-president of
the European Commission, had to say on the matter recently. "If businesses
or governments think they might be spied on," she said, "they will have
less reason to trust the cloud, and it will be cloud providers who
ultimately miss out. Why would you pay someone else to hold your
commercial or other secrets, if you suspect or know they are being shared
against your wishes? Front or back door -- it doesn't matter -- any smart
person doesn't want the information shared at all. Customers will act
rationally and providers will miss out on a great opportunity."

Spot on. So when your chief information officer proposes to use the Amazon
or Google cloud as a data-store for your company's confidential documents,
tell him where to file the proposal. In the shredder.



#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime at kein.org

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From jya at pipeline.com  Sun Jul 28 08:44:15 2013
From: jya at pipeline.com (John Young)
Date: Sun, 28 Jul 2013 11:44:15 -0400
Subject: NSA Utah Data Center Cabling, Emanations and Bizarre Planning
Message-ID: <E1V3T7v-0001B2-L7@elasmtp-masked.atl.sa.earthlink.net>

Not much publicly available on the cabling and emanations
protection of the NSA Utah Data Center. Surely highly advanced
measures are being applied.

Google Earth shows a couple of stages of construction, Bing
Maps a couple more. AP has published a dozen or so hi-rez photos
of construction.

A lot of earthwork was done to create a flat site on a mountain side
(preceded by a small air field).

No indication of underground construction except pits and trenches
under the buildngs. With none on the surface there must be trenches
for power and signal cable.

No antenna have appeared on the site for transceiving data
like those of other of its data centers, so presumably it is done
by UG fiber optic (or antenna are hidden or remote).

Photos of construction progress of the two data buildings show
windowless envelopes made of panels and flat roofs without
various rooftop ductwork, grilles, piping and the like which appear
on roofs of other NSA and TLA facilities which might emanate
signal although not likely. (Some are littered with the stuff which
might be decoy.)

Steel structural framing is shown at Utah despite its known transmittal
of inadvertent signal, compared to say, reinforced concrete, metalized
fabric or synthetics. although are ample countermeasures available.

The pairing of structures at Utah, two of each type, data center,
generator, AC, fuel tanks, etc., show redundancy also not seen
elsewhere.

Not much to see of protection against missiles and aerial attack
but that is the same at other NSA facilities. Wonder what supports
that confidence.

The odd bent shape of the site plan, with buildings not parallel to
one another is intriguing. Could be aesthetic but may have another
role, say to disperse richochet of inadvertent emanations.

Quite a few recent government buildings avoid the traditional
rectilinear site planning of buildings long considered to be most
cost effective and authoritarian. Some like NGA HQ, NSA Utah
and several at Ft. Meade look almost byzantine in layout, if not
a shrewd design to limit echo, amplification, richochet, or best,
to befuddle satellite peepers.





From tony.arcieri at gmail.com  Sun Jul 28 15:41:07 2013
From: tony.arcieri at gmail.com (Tony Arcieri)
Date: Sun, 28 Jul 2013 15:41:07 -0700
Subject: Redecentralize podcast on the Cryptosphere
Message-ID: <CAHOTMVLwQk=22626a+gMqP_qATWXUKNfNUn4nUnXDHzHqKoOVg@mail.gmail.com>

Ohai various lists. Here's what I've been working on. Hope you like it. If
you want to chat and you happen to be coming to DEFCON, hit me up.

https://www.youtube.com/watch?v=NjOqYZzWqI0

Links:

- Cryptosphere: http://cryptosphere.org
- Celluloid: http://celluloid.io/
- Oasis.js: http://oasisjs.com/
- Conductor.js: https://github.com/tildeio/conductor.js
- Xanadu: https://en.wikipedia.org/wiki/Project_Xanadu
- Tahoe-LAFS: https://tahoe-lafs.org/trac/tahoe-lafs

-- 
Tony Arcieri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 959 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130728/c2dd822b/attachment.txt>

From eugen at leitl.org  Sun Jul 28 07:35:07 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 28 Jul 2013 16:35:07 +0200
Subject: <nettime> John Naughton: Edward Snowden's not the story. The fate of
 the
Message-ID: <20130728143507.GP29404@leitl.org>

----- Forwarded message from Patrice Riemens <patrice at xs4all.nl> -----


From thomas at mich.com  Sun Jul 28 14:16:29 2013
From: thomas at mich.com (tz)
Date: Sun, 28 Jul 2013 17:16:29 -0400
Subject: Stronghold, revisited
Message-ID: <CAFv7OiifAa2YhwjaqyKQ5-w707a05=oQeiQwv7eSrY6ei219pQ@mail.gmail.com>

Way back when I was writing SSLeay encrypting proxies so Lynx could use
them, there was a commercial product called StrongHold.  I apologize for my
insufficient memory.

However much of the problem with forcing browsers to update might be solved
with an encryption proxy (on a raspi if needed).

For those who are too young to remember, during the "crypto is munitions"
period where the source to strong crypto needed to be sent via FAX,
Stronghold was a proxy that would take ordinary sessions (or I assume 40
bit - yes, 40 bit, that was "export" strength) crypto on the browser end
and transform it to the maximum strength on the remote end.

IE apparently has some problems with PFS.

One way to maybe fix this is to create an encrypting proxy that would do
full strength, PFS encryption and remove the other weaknesses, and run on
the local machine or LAN (if that isn't secure there are bigger problems).
And it would refuse or at least complain if the strength wasn't up to
snuff, and could itself add things like cert/CA validation management -
trust on first time and the rest as options.

If I had a box (DD-WRT?) that would warn me if something was amiss, I would
be in a better position.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1268 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130728/26011aec/attachment.txt>

From bill.stewart at pobox.com  Sun Jul 28 21:20:51 2013
From: bill.stewart at pobox.com (Bill Stewart)
Date: Sun, 28 Jul 2013 21:20:51 -0700
Subject: Urea at NSA Utah Data Center
In-Reply-To: <E1V3QHf-0007aC-GK@elasmtp-kukur.atl.sa.earthlink.net>
References: <E1V3QHf-0007aC-GK@elasmtp-kukur.atl.sa.earthlink.net>
Message-ID: <20130729042053.079A3CCD0@a-pb-sasl-quonix.pobox.com>

At 05:41 AM 7/28/2013, John Young wrote:
>There are two spaces labeled "Urea Tank Room" in the NSA Utah
>Data Center's Generator Plant shown in construction drawings
>recently leaked:
>
>http://cryptome.org/2013-info/07/nsa-utah-dc/nsa-utah-dc.htm
>
>See Generator Plant floor plan drawing 11.2 A101 at bottom and
>top left, spaces labeled "UT."
>
>Urea is used in fuel cells. Are there other uses of urea in generator
>or data processing equipment?

It could also be a snide comment about being in Utah, or an 
alternative to a sign saying "These aren't the droids you're looking 
for" or "Beware of the leopard".

Back in ~1990 when we bid on rewiring the Pentagon, there were a lot 
of "we can't tell you what's here" or "too secret to let you run 
wires through it" spaces, along with a bunch of areas that almost 
certainly had too much asbestos to actually run wires through the 
plenum.  (Our prime contractor didn't win the bid, which was probably 
just as well for them.)




From gbroiles at gmail.com  Sun Jul 28 21:54:28 2013
From: gbroiles at gmail.com (Greg Broiles)
Date: Sun, 28 Jul 2013 21:54:28 -0700
Subject: Stronghold, revisited
In-Reply-To: <CAFv7OiifAa2YhwjaqyKQ5-w707a05=oQeiQwv7eSrY6ei219pQ@mail.gmail.com>
References: <CAFv7OiifAa2YhwjaqyKQ5-w707a05=oQeiQwv7eSrY6ei219pQ@mail.gmail.com>
Message-ID: <CAL=nDpsfkJB+XF3so2d9tBmL-g+=4ra0=kF4ymD3H_cQxPc8uA@mail.gmail.com>

On Sun, Jul 28, 2013 at 2:16 PM, tz <thomas at mich.com> wrote:

> For those who are too young to remember, during the "crypto is munitions"
> period where the source to strong crypto needed to be sent via FAX,
> Stronghold was a proxy that would take ordinary sessions (or I assume 40
> bit - yes, 40 bit, that was "export" strength) crypto on the browser end
> and transform it to the maximum strength on the remote end.


That was C2Net's SafePassage product, Stronghold was an Apache-based
webserver capable of strong crypto SSL.

That seems like a nice idea for today - get a router running DD-WRT or a
Raspberry Pi or similar to proxy all SSL connections and enforce the use of
PFS, watch for CA hijinks, and otherwise make a hard shell around the soft
Windows computers at the center. See, e.g.,
http://translate.google.com/translate?hl=en&sl=de&tl=en&u=http%3A%2F%2Fwww.heise.de%2Fct%2Fartikel%2FMicrosofts-Hintertuer-1921730.html

-- 
Greg Broiles
gbroiles at gmail.com (Lists only. Not for confidential communications.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1692 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130728/eddf9910/attachment.txt>

From rysiek at hackerspace.pl  Sun Jul 28 13:24:36 2013
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 28 Jul 2013 22:24:36 +0200
Subject: NSA Utah Data Center Cabling, Emanations and Bizarre Planning
In-Reply-To: <E1V3T7v-0001B2-L7@elasmtp-masked.atl.sa.earthlink.net>
References: <E1V3T7v-0001B2-L7@elasmtp-masked.atl.sa.earthlink.net>
Message-ID: <2028332.lFVsBAozCn@laptosid>

Dnia niedziela, 28 lipca 2013 11:44:15 John Young pisze:
> Not much to see of protection against missiles and aerial attack
> but that is the same at other NSA facilities. Wonder what supports
> that confidence.

I would suppose that this site is not meant to hold crucially important (as 
in: crucially important to have access to at all times) data.

I would guess it is just the first line, the large tank that gathers *every 
single bit of information* they can get their hands on. The information then 
gets processed and filtered, and the important -- really important -- bits are 
sent somewhere else.

But hey, that's just my wild guess.

-- 
Pozdr
rysiek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130728/f3855371/attachment.sig>

From jya at pipeline.com  Mon Jul 29 04:26:55 2013
From: jya at pipeline.com (John Young)
Date: Mon, 29 Jul 2013 07:26:55 -0400
Subject: Urea at NSA Utah Data Center
In-Reply-To: <20130729042053.079A3CCD0@a-pb-sasl-quonix.pobox.com>
References: <E1V3QHf-0007aC-GK@elasmtp-kukur.atl.sa.earthlink.net>
 <20130729042053.079A3CCD0@a-pb-sasl-quonix.pobox.com>
Message-ID: <E1V3lbA-0007pN-Hd@elasmtp-galgo.atl.sa.earthlink.net>

For the shrewd decryption of "UT" U R being sent
a set of asbestos Underwear for eternal sleep protection
at UG H.

At 12:20 AM 7/29/2013, you wrote:

>It could also be a snide comment about being in Utah, or an 
>alternative to a sign saying "These aren't the droids you're looking 
>for" or "Beware of the leopard".
>
>Back in ~1990 when we bid on rewiring the Pentagon, there were a lot 
>of "we can't tell you what's here" or "too secret to let you run 
>wires through it" spaces, along with a bunch of areas that almost 
>certainly had too much asbestos to actually run wires through the 
>plenum.  (Our prime contractor didn't win the bid, which was 
>probably just as well for them.)
>





From cypherpunks-list at njw.me.uk  Mon Jul 29 06:58:47 2013
From: cypherpunks-list at njw.me.uk (Nick)
Date: Mon, 29 Jul 2013 14:58:47 +0100
Subject: how much havoc can a compromised baseband do to a Guardian ROM
 device?
In-Reply-To: <20130729130004.GW29404@leitl.org>
References: <20130729130004.GW29404@leitl.org>
Message-ID: <20130729135846.GA3284@starfish>

On Mon, Jul 29, 2013 at 03:00:05PM +0200, Eugen Leitl wrote:
> 
> Anyone knows whether a Nexus 4 baseband processor has r/w
> access to system memory? The firmware doesn't seem to be
> loaded at boot, so I presume it's entirely out of reach/
> reversing?

At a talk GNUtoo from Replicant did recently he covered the danger
of some phones' layouts; slides linked from here:
https://archive.fosdem.org/2013/schedule/event/android_freedom_and_replicant/

Slide 39 has info about the Galaxy Nexus, explaining that the modem
communicates with the main CPU over HSI, but how it talks to the GPS
is unknown. They also warn that the camera does its work through
shared memory, so could also be a vector for a slightly more
imaginative attack. They didn't cover the Nexus 4, I don't know how
similar the hardware is. Might be worth asking the Replicant team
(http://replicant.us)




From eugen at leitl.org  Mon Jul 29 06:00:05 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 29 Jul 2013 15:00:05 +0200
Subject: how much havoc can a compromised baseband do to a Guardian ROM device?
Message-ID: <20130729130004.GW29404@leitl.org>


Anyone knows whether a Nexus 4 baseband processor has r/w
access to system memory? The firmware doesn't seem to be
loaded at boot, so I presume it's entirely out of reach/
reversing?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130729/b62753aa/attachment.sig>

From tony.arcieri at gmail.com  Mon Jul 29 16:22:24 2013
From: tony.arcieri at gmail.com (Tony Arcieri)
Date: Mon, 29 Jul 2013 16:22:24 -0700
Subject: OpenPGP adoption post-PRISM
Message-ID: <CAHOTMVLSrYAzXaDi38GJwThPJvgYTXL9rZCHNgzYNRkH90Uf-Q@mail.gmail.com>

Interesting chart:

https://pbs.twimg.com/media/BQYA_qWCEAIoUFT.png

-- 
Tony Arcieri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 230 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130729/d43bd277/attachment.txt>

From tony.arcieri at gmail.com  Mon Jul 29 16:25:31 2013
From: tony.arcieri at gmail.com (Tony Arcieri)
Date: Mon, 29 Jul 2013 16:25:31 -0700
Subject: OpenPGP adoption post-PRISM
In-Reply-To: <CAHOTMVLSrYAzXaDi38GJwThPJvgYTXL9rZCHNgzYNRkH90Uf-Q@mail.gmail.com>
References: <CAHOTMVLSrYAzXaDi38GJwThPJvgYTXL9rZCHNgzYNRkH90Uf-Q@mail.gmail.com>
Message-ID: <CAHOTMVJSwfueKXKxteU3ORro8+FzHzNynRp8aZF0vsEA13EaGw@mail.gmail.com>

Here's the source of the data, if you're curious:

https://sks-keyservers.net/


On Mon, Jul 29, 2013 at 4:22 PM, Tony Arcieri <tony.arcieri at gmail.com>wrote:

> Interesting chart:
>
> https://pbs.twimg.com/media/BQYA_qWCEAIoUFT.png
>
> --
> Tony Arcieri
>



-- 
Tony Arcieri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 901 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130729/433ac089/attachment.txt>

From michael at briarproject.org  Mon Jul 29 08:46:35 2013
From: michael at briarproject.org (Michael Rogers)
Date: Mon, 29 Jul 2013 16:46:35 +0100
Subject: [p2p-hackers] Dealing with malicious nodes in decentralized p2p network
Message-ID: <mailman.4383.1575949048.62801.testlist@lists.cpunks.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm not sure whether your message just came through to the list or
whether I just noticed it. Either way, I hope it's not too late to reply.

The following papers describe attacks that can be carried out by
malicious nodes in structured P2P networks:

E. Sit and R. Morris. Security considerations for peer-to-peer
distributed hash tables. 1st International Workshop on Peer-to-Peer
Systems (IPTPS ?02), Cambridge, MA, USA, March 2002.

http://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.7175

M. Castro, P. Druschel, A. Ganesh, A. Rowstron, and D.S. Wallach.
Secure routing for structured peer-to-peer overlay networks. 5th
Symposium on Operating Systems Design and Implementation, Boston, MA,
USA, December 2002.

http://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.118.1870

I'd recommend checking out the papers that cite those papers, some of
which propose solutions to some of the attacks.

Cheers,
Michael

On 13/03/13 05:44, offbynull wrote:
> Hi,
> 
> Does anyone know of any strategies to prevent, identify, or
> work-around malicious nodes in a structured overlay? I'm
> specifically interested in Chord's ring overlay. It seems like
> there are a lot of things a malicious node could to to interfere
> with normal operations (e.g. routing / lookup / etc..), or to
> bypass certain regions of the ring.
> 
> Examples of things that a malicious node could do ...
> 
> 1. Imagine someone wanted to prevent others from accessing a
> key-value pair. That person would create a malicious node with an
> id of hash(key), ensuring that queries for that key would end up at
> the malicious node. When the malicious node receives queries for
> that key, it simply ignores them or responds that the key was never
> set.
> 
> 2. This is similar to the one above. Imagine someone wanted to
> prevent others from accessing a key-value pair, but a legitimate
> node already existed with an id of hash(key). That person would
> create a malicious node with an id of hash(key) - 1. When other
> nodes ask the malicious node to be routed to that key, the
> malicious node would respond with a node other than it's successor,
> ensuring that the request never gets routed to its true
> destination.
> 
> 3. Imagine someone wanted to cut out a portion of the nodes in the
> overlay. That person would create a malicious node that has its
> finger table set to skip over a bunch of existing nodes in front of
> it.
> 
> 
> Are there strategies to deal with this, or is this just something
> that's expected with Chord's design (as in peers can't be untrusted
> nodes)?
> 
> _______________________________________________ p2p-hackers mailing
> list p2p-hackers at lists.zooko.com 
> http://lists.zooko.com/mailman/listinfo/p2p-hackers
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJR9o5bAAoJEBEET9GfxSfMj0AIALZ+lSnA7GDh+Y3iifdVotwK
YXdjGjv+qJcvOIO/rHtTEyPMzp7yqz0X0VxeiC8XIjXP6rwvFGOXuClqd0NAjFW9
lHYtO9tHBkCV/LOU5hHrD3510Ry6gYkuDnyDeWBlwQ2i/zUU160PqGr+Esd1IpNP
zu5JKSHHq61wr5GisXOB+pWOxrKEEKtQAtv3ibFNBDXhGyJwg+U/LCe9Q14V9Q4t
BiOKgce8xHhbytY8B/5t3HW6cCavQAq/TR0CfjpWRtz823hs0lTdepJJXPnKVYIo
HD0u+cwnCGr7LNF5szMvkvdEkyXsbXGLYX+2cK7aHBPO4kGoXw5DrNAhS2Gkh+g=
=xMmD
-----END PGP SIGNATURE-----
_______________________________________________
p2p-hackers mailing list
p2p-hackers at lists.zooko.com
http://lists.zooko.com/mailman/listinfo/p2p-hackers

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From rich at openwatch.net  Mon Jul 29 15:57:19 2013
From: rich at openwatch.net (Rich Jones)
Date: Mon, 29 Jul 2013 18:57:19 -0400
Subject: NSA Utah Data Center Cabling, Emanations and Bizarre Planning
In-Reply-To: <2028332.lFVsBAozCn@laptosid>
References: <E1V3T7v-0001B2-L7@elasmtp-masked.atl.sa.earthlink.net>
 <2028332.lFVsBAozCn@laptosid>
Message-ID: <CADJYzxKjOBFJDn-nCfQ241dUqEYwVS57pDLyWuz021DO-6-t=Q@mail.gmail.com>

Personally very interested on the E2E security on that UGFO line - is Utah
part of DARPA quantum key distribution network? Perhaps paranoid.


On Sun, Jul 28, 2013 at 4:24 PM, rysiek <rysiek at hackerspace.pl> wrote:

> Dnia niedziela, 28 lipca 2013 11:44:15 John Young pisze:
> > Not much to see of protection against missiles and aerial attack
> > but that is the same at other NSA facilities. Wonder what supports
> > that confidence.
>
> I would suppose that this site is not meant to hold crucially important (as
> in: crucially important to have access to at all times) data.
>
> I would guess it is just the first line, the large tank that gathers *every
> single bit of information* they can get their hands on. The information
> then
> gets processed and filtered, and the important -- really important -- bits
> are
> sent somewhere else.
>
> But hey, that's just my wild guess.
>
> --
> Pozdr
> rysiek




-- 
—————————————

Rich Jones
*
OpenWatch* is a global investigative network using mobile technology to
build a more transparent world. Download OpenWatch for
iOS<https://itunes.apple.com/us/app/openwatch-social-muckraking/id642680756?ls=1&mt=8>and
for
Android<https://play.google.com/store/apps/details?id=org.ale.openwatch&hl=en>
!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2390 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130729/c70c514a/attachment.txt>

From eugen at leitl.org  Mon Jul 29 12:50:32 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 29 Jul 2013 21:50:32 +0200
Subject: [p2p-hackers] Dealing with malicious nodes in decentralized p2p
 network
Message-ID: <20130729195032.GH29404@leitl.org>

----- Forwarded message from Michael Rogers <michael at briarproject.org> -----


From rdohm321 at gmail.com  Mon Jul 29 22:01:02 2013
From: rdohm321 at gmail.com (Randolph D.)
Date: Tue, 30 Jul 2013 07:01:02 +0200
Subject: [bitcoin-list] BitMail - p2p Email 0.1. beta
Message-ID: <mailman.4384.1575949048.62801.testlist@lists.cpunks.org>

http://bitmail.sourceforge.net/


   - Secure P2P Email from Friend to Friend without relying on a central
   server.
   - Key- / Repleo-Exchange.
   - Full decentral Email-Network using the Echo Protocol.
   - Store Email for Offline-Friends in the P2P Network.
   - Chat and Instant Messaging is build in. Define & Add your friends.
   - Strong e2e Multi-Encryption (PGP-kind/AES over SSL: using
libgcrypt<http://www.gnu.org/software/libgcrypt/>).

   - Libspoton Integration.
   - Additional Security Layer with the GB-Feature for Emails.
   - Preventing Data Retention (VDS). WoT-less.
   - HTTP & HTTPS Connections.
   - Open Source. BSD License.

anyone with a Server? Key?
------------------------------------------------------------------------------
Get your SQL database under version control now!
Version control is standard for application code, but databases havent 
caught up. So what steps can you take to put your SQL databases under 
version control? Why should you start doing it? Read more to find out.
http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk
_______________________________________________
bitcoin-list mailing list
bitcoin-list at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-list

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From John at deRivaz.com  Tue Jul 30 01:07:32 2013
From: John at deRivaz.com (John de Rivaz)
Date: Tue, 30 Jul 2013 09:07:32 +0100
Subject: [Cryonet_AP] Lawyers in Thailand ban Bitcoin
Message-ID: <mailman.4385.1575949048.62801.testlist@lists.cpunks.org>

Thailand has become the first country to ban bitcoins after the central bank ruled it is not a currency.

In a statement on its website , Bitcoin said it had given a presentation to the Bank of Thailand about how the currency works in a bid to operate in the country.

However, at the end of the meeting, "senior members of the Foreign Exchange Administration and Policy Department advised that due to lack of existing applicable laws, capital controls and the fact that Bitcoin straddles multiple financial facets... Bitcoin activities are illegal in Thailand". 

more on

http://uk.finance.yahoo.com/news/bitcoins-banned-thailand-203840004.html



-- 
Sincerely, John de Rivaz: http://John.deRivaz.com

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From rysiek at hackerspace.pl  Tue Jul 30 00:22:23 2013
From: rysiek at hackerspace.pl (rysiek)
Date: Tue, 30 Jul 2013 09:22:23 +0200
Subject: OpenPGP adoption post-PRISM
In-Reply-To: <CAHOTMVJSwfueKXKxteU3ORro8+FzHzNynRp8aZF0vsEA13EaGw@mail.gmail.com>
References: <CAHOTMVLSrYAzXaDi38GJwThPJvgYTXL9rZCHNgzYNRkH90Uf-Q@mail.gmail.com>
 <CAHOTMVJSwfueKXKxteU3ORro8+FzHzNynRp8aZF0vsEA13EaGw@mail.gmail.com>
Message-ID: <3122874.zXbmf9MeP4@laptosid>

Dnia poniedziałek, 29 lipca 2013 16:25:31 Tony Arcieri pisze:
> https://sks-keyservers.net/
>
> On Mon, Jul 29, 2013 at 4:22 PM, Tony Arcieri <tony.arcieri at gmail.com>wrote:
> > https://pbs.twimg.com/media/BQYA_qWCEAIoUFT.png

Correlation does not imply causation...

...however...

"Nobody really cares about PRISM" my ass.

-- 
Pozdr
rysiek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130730/4f43e1fd/attachment.sig>

From jya at pipeline.com  Tue Jul 30 06:25:41 2013
From: jya at pipeline.com (John Young)
Date: Tue, 30 Jul 2013 09:25:41 -0400
Subject: Radiation Emission Controls
Message-ID: <E1V49uL-0003Rj-HH@elasmtp-curtail.atl.sa.earthlink.net>

An engineer formerly working at the National Radio Astronomy
Observatory (http://www.gb.nrao.edu/nrqz/) lists its radiation
emissions controls:

http://cryptome.org/2013/07/radiated-emissions-control.htm

Among them is the banning of vehicles which use spark plugs,
thus diesel-fueled are required.

Which suggests a question about radiation emissions at
NSA Utah Data Center's 32 large generators.

Since nearly all government and commercial data centers
have generator back-ups, how are emissions from generators
controlled?

NRAO also "banned digital cameras down range after they
proved quite noisy."

Are noisy digital camera emissions more privacy threatening
than phone signals? Is NSA harvesting those emissions?





From jon at callas.org  Tue Jul 30 10:28:46 2013
From: jon at callas.org (Jon Callas)
Date: Tue, 30 Jul 2013 10:28:46 -0700
Subject: Python Random Number Generator for OTP
In-Reply-To: <CAFDBa1UZZEAi7akEJf2XUE=sGgXr+hA9fKPFko_cipuocZPf=w@mail.gmail.com>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org> <51EE318C.9070309@mehnert.org>
 <CAK9dnSzFnchEDs-rs7rCvgrdq5TFDWAA98keTobS3OdzAX7bbA@mail.gmail.com>
 <20130723222446.98325D061@a-pb-sasl-quonix.pobox.com>
 <20130724172706.GL27178@hexapodia.org>
 <CAGFRu2mdK3wLGqe86dNW8DUi8NU9G333xwqMW5U1KpPmrK_XdQ@mail.gmail.com>
 <20130724215618.BIAM3897.eastrmfepo102.cox.net@eastrmimpo210>
 <CAFDBa1UZZEAi7akEJf2XUE=sGgXr+hA9fKPFko_cipuocZPf=w@mail.gmail.com>
Message-ID: <65EAF83B-9F83-42B1-B636-975086A82DC3@callas.org>


On Jul 24, 2013, at 10:45 PM, Yan Zhu <yan at mit.edu> wrote:

> Has anyone tried using an entropy broker (see https://lwn.net/Articles/546428/) for sharing entropy between devices on a physical network? https://we.riseup.net/debian/entropy#entropy-key seems to suggest that this is something that people do.
> 

Some time ago, I ended up being a mentor in some coding thing. Vagueness is there to protect the guilty.

The project in question was for some program to communicate using one-time pads. That the pad in a one-time-pad must be full-entropy is why it's relevant. The question came up of how you distribute the pads, because that's the key problem (nyuck, nyuck) in doing a one-time-pad system.

The solution the person came up with was to encrypt them with PGP using a 4K-bit RSA key. I leave commentary on this system to the reader, and won't spoil the thought experiment with my own, at the moment.

This entropy broker strikes me as exactly the same sort of understanding.

	Jon


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1653 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130730/ea6ef4a1/attachment.txt>

From mike at plan99.net  Tue Jul 30 01:40:45 2013
From: mike at plan99.net (Mike Hearn)
Date: Tue, 30 Jul 2013 10:40:45 +0200
Subject: [bitcoin-list] [Bitcoin-development] BitMail - p2p Email 0.1. beta
Message-ID: <mailman.4386.1575949048.62801.testlist@lists.cpunks.org>

For people who are interested in such technologies, I recommend looking at
Pond:

https://pond.imperialviolet.org/

It is written by Adam Langley, so it comes with some serious credentials
behind it. It provides asynchronous email-like messaging that's forward
secure, resistant to traffic analysis and the whole thing runs over Tor.
Messages are stored for a week and are strictly limited in size. There's no
spam because nobody has an address - instead you have to grant someone the
ability to message you by giving them a small file. So, not really intended
as an email competitor convenience wise, but it has many interesting ideas
and a reasonable GUI.

As a testament to the seriousness with which Pond takes forward security,
it can use the NVRAM in a TPM chip to reliably destroy keys for data that
an SSD device might have otherwise made un-erasable.

The main downside - it's written in Go :)


On Tue, Jul 30, 2013 at 8:50 AM, Gregory Maxwell <gmaxwell at gmail.com> wrote:

> On Mon, Jul 29, 2013 at 10:01 PM, Randolph D. <rdohm321 at gmail.com> wrote:
> > Secure P2P Email from Friend to Friend without relying on a central
> server.
> > Key- / Repleo-Exchange.
> > Full decentral Email-Network using the Echo Protocol.
> > Store Email for Offline-Friends in the P2P Network.
> > Chat and Instant Messaging is build in. Define & Add your friends.
> > Strong e2e Multi-Encryption (PGP-kind/AES over SSL: using libgcrypt).
> > Libspoton Integration.
> > Additional Security Layer with the GB-Feature for Emails.
> > Preventing Data Retention (VDS). WoT-less.
> > HTTP & HTTPS Connections.
> > Open Source. BSD License.
> >
> > anyone with a Server? Key?
>
> Keep safe everyone:
>
> A number of apparent sock accounts has been posting about what appears
> to be the same software under the name "goldbug" for a couple days
> now:
>
> e.g.
> https://lists.torproject.org/pipermail/tor-talk/2013-July/029107.html
> https://lists.torproject.org/pipermail/tor-talk/2013-July/029125.html
> http://lists.gnupg.org/pipermail/gnupg-users/2013-July/047137.html
>
>
> ------------------------------------------------------------------------------
> Get your SQL database under version control now!
> Version control is standard for application code, but databases havent
> caught up. So what steps can you take to put your SQL databases under
> version control? Why should you start doing it? Read more to find out.
> http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
------------------------------------------------------------------------------
Get your SQL database under version control now!
Version control is standard for application code, but databases havent 
caught up. So what steps can you take to put your SQL databases under 
version control? Why should you start doing it? Read more to find out.
http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk
_______________________________________________
bitcoin-list mailing list
bitcoin-list at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-list

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From eugen at leitl.org  Tue Jul 30 01:55:08 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 30 Jul 2013 10:55:08 +0200
Subject: [Cryonet_AP] Lawyers in Thailand ban Bitcoin
Message-ID: <20130730085508.GR29404@leitl.org>

----- Forwarded message from John de Rivaz <John at deRivaz.com> -----


From eugen at leitl.org  Tue Jul 30 01:56:38 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 30 Jul 2013 10:56:38 +0200
Subject: Moscow Metro says new tracking system is to find stolen phones; no
 one believes them
Message-ID: <20130730085637.GT29404@leitl.org>


http://arstechnica.com/tech-policy/2013/07/moscow-metro-says-new-tracking-system-is-to-find-stolen-phones-no-one-believes-them/


Moscow Metro says new tracking system is to find stolen phones; no one
believes them

Experts: Russians are probably using fake cell tower devices for
surveillance.

by Cyrus Farivar - July 29 2013, 11:10pm +0200

On Monday, a major Russian newspaper reported that Moscow’s metro system is
planning what appears to be a mobile phone tracking device in its metro
stations—ostensibly to search for stolen phones.

According to Izvestia (Google Translate), Andrey Mokhov, the operations chief
of the Moscow Metro system’s police department, said that the system will
have a range of five meters (16 feet). “If the [SIM] card is wanted, the
system automatically creates a route of its movement and passes that
information to the station attendant,” Mokhov said.

Many outside experts, both in and outside Russia, though, believe that what
local authorities are actually deploying is a “stingray,” or “IMSI catcher”—a
device that can fool a phone and SIM into reading from a fake mobile phone
tower. (IMSI, or an International Mobile Subscriber Identity number, is a
15-digit unique number that sits on every SIM card.) Such devices can be used
as a simple way to see what phone numbers are being used in a given area or
even to intercept the audio of voice calls.

The Moscow Metro did not immediately respond to our request for comment.

“Many surveillance technologies are created and deployed with legitimate aims
in mind, however the deploying of IMSI catchers sniffing mobile phones en
masse is neither proportionate nor necessary for the stated aims of
identifying stolen phones,” Eric King of Privacy International told Ars.

“Likewise the legal loophole they claim to be using to legitimize the
practice—distinguishing between tracking a person from a SIM card—is
nonsensical and unjustifiable. It's surprising it's being discussed so
openly, given in many countries like the United Kingdom, they refuse to even
acknowledge the existence of IMSI catchers, and any government use of the
technology is strictly national security exempted.”

These devices are in use, typically by law enforcement agencies worldwide,
including some in the United States. Portable, commercial IMSI catchers are
made by Swiss and British companies, among others, but in 2010, security
researcher Chris Paget announced that he built his own IMSI catcher for only
$1,500. Still, mobile security remains spy-versus-spy to some degree, each
measure matched by a countermeasure. In December 2011, Karsten Nohl, another
noted mobile security researcher, released "Catcher Catcher"—a piece of
software that monitors network traffic and looks at the likelihood an IMSI
catcher is in use.

Keir Giles, of the Conflict Studies Research Centre, an Oxford-based Russian
think tank, told Ars that Russian authorities are claiming a legal
technicality.

"They are claiming that although they are legally prohibited from
indiscriminate surveillance of people, the fact that they are following SIM
cards which are the property of the mobile phone operators rather than the
individuals carrying those SIM cards makes the tracking plans perfectly
legal," he said, adding that this reasoning is "weaselly and ridiculous."

The Russian newspaper also quoted Alexander Ivanchenko, executive director of
the Russian Security Industry Association, who pointed out that even to be
effective, such a system would need these devices every 10 meters (32 feet).

“It is obvious that the cost of the system is not commensurate with the value
of all the stolen phones,” he said. “Also, effective anti-theft technology is
already known: in the US, for example, the owner of the stolen phone knows
enough to call the operator—and the stolen device stops working, even if
another SIM-card is inserted.”

Two major Russian mobile providers, Beeline and Megafon, have told Russian
media (Google Translate) that they are unaware of this supposed anti-theft
measure. On the other hand, BBC Russian reports (Google Translate) that the
system is due to come online in late 2013 or early 2014.




From loki at obscura.com  Tue Jul 30 10:57:51 2013
From: loki at obscura.com (Lance Cottrell)
Date: Tue, 30 Jul 2013 10:57:51 -0700
Subject: Python Random Number Generator for OTP
In-Reply-To: <65EAF83B-9F83-42B1-B636-975086A82DC3@callas.org>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org> <51EE318C.9070309@mehnert.org>
 <CAK9dnSzFnchEDs-rs7rCvgrdq5TFDWAA98keTobS3OdzAX7bbA@mail.gmail.com>
 <20130723222446.98325D061@a-pb-sasl-quonix.pobox.com>
 <20130724172706.GL27178@hexapodia.org>
 <CAGFRu2mdK3wLGqe86dNW8DUi8NU9G333xwqMW5U1KpPmrK_XdQ@mail.gmail.com>
 <20130724215618.BIAM3897.eastrmfepo102.cox.net@eastrmimpo210>
 <CAFDBa1UZZEAi7akEJf2XUE=sGgXr+hA9fKPFko_cipuocZPf=w@mail.gmail.com>
 <65EAF83B-9F83-42B1-B636-975086A82DC3@callas.org>
Message-ID: <120C4D4B-4FC8-4BAB-83B3-0050B6CAD109@obscura.com>

It is easy to be a central source for randomness. The problem is that, for crypto, you want secret and private randomness. 
Whether it is reasonable to use randomness from an outside source to supplement the entropy on your own system depends on your threat model.

If you absolutely require true randomness, and you are entropy constrained on the local device, and you are not concerned about compromise of the entropy server or the path between you and that server, then this might make sense. 

Lots of "ifs".

	-Lance

--
Lance Cottrell
loki at obscura.com



On Jul 30, 2013, at 10:28 AM, Jon Callas <jon at callas.org> wrote:

> 
> On Jul 24, 2013, at 10:45 PM, Yan Zhu <yan at mit.edu> wrote:
> 
>> Has anyone tried using an entropy broker (see https://lwn.net/Articles/546428/) for sharing entropy between devices on a physical network? https://we.riseup.net/debian/entropy#entropy-key seems to suggest that this is something that people do.
>> 
> 
> Some time ago, I ended up being a mentor in some coding thing. Vagueness is there to protect the guilty.
> 
> The project in question was for some program to communicate using one-time pads. That the pad in a one-time-pad must be full-entropy is why it's relevant. The question came up of how you distribute the pads, because that's the key problem (nyuck, nyuck) in doing a one-time-pad system.
> 
> The solution the person came up with was to encrypt them with PGP using a 4K-bit RSA key. I leave commentary on this system to the reader, and won't spoil the thought experiment with my own, at the moment.
> 
> This entropy broker strikes me as exactly the same sort of understanding.
> 
> 	Jon
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 3491 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130730/85b89ec4/attachment.txt>

From eugen at leitl.org  Tue Jul 30 02:05:56 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 30 Jul 2013 11:05:56 +0200
Subject: [bitcoin-list] BitMail - p2p Email 0.1. beta
Message-ID: <20130730090556.GV29404@leitl.org>

----- Forwarded message from "Randolph D." <rdohm321 at gmail.com> -----


From shelley at misanthropia.info  Tue Jul 30 11:16:33 2013
From: shelley at misanthropia.info (Shelley)
Date: Tue, 30 Jul 2013 11:16:33 -0700
Subject: Bradley Manning Verdict
Message-ID: <20130730181636.99887C00E7F@frontend1.nyi.mail.srv.osa>

-Convicted of multiple Espionage Act violations
-Acquitted of 'aiding the enemy' charge

http://www.theguardian.com/world/2013/jul/30/bradley-manning-wikileaks-judge-verdict

Ed Pilkington at Fort Meade
theguardian.com, Tuesday 30 July 2013 13.30 EDT

Bradley Manning has already spent 1,157 days in detention since his arrest in May 2010.

Bradley Manning, the source of the massive WikiLeaks trove of secret disclosures, faces a possible maximum sentence of more than 130 years in military jail after he was convicted of most charges on which he stood trial.

Colonel Denise Lind, the military judge presiding over the court martial of the US soldier, delivered her verdict in curt and pointed language. "Guilty, guilty, guilty, guilty," she repeated over and over, as the reality of a prolonged prison sentence for Manning – on top of the three years he has already spent in detention – dawned.

The one ray of light in an otherwise bleak outcome for Manning was that he was found not guilty of the single most serious charge against him – that he knowingly "aided the enemy", in practice al-Qaida, by disclosing information to the WikiLeaks website that in turn made it accessible to all users including enemy groups.

Lind's decision to avoid setting a precedent by applying the swingeing "aiding the enemy" charge to an official leaker will invoke a sigh of relief from news organisations and civil liberties groups who had feared a guilty verdict would send a chill across public interest journalism.

The judge also found Manning not guilty of having leaked an encrypted copy of a video of a US air strike in the Farah province of Aghanistan in which many civilians died. Manning's defence team had argued vociferously that he was not the source of this video, though the soldier did admit to later disclosure of an unencrypted version of the video and related documents.

Lind also accepted Manning's version of several of the key dates in the WikiLeaks disclosures, and took some of the edge from other less serious charges. But the overriding toughness of the verdict remains: the soldier was found guilty in their entirety of 17 out of the 22 counts against him, and of an amended version of four others.

Manning was also found guilty of "wrongfully and wantonly" causing to be published on the internet intelligence belonging to the US, "having knowledge that intelligence published on the internet is accesible to the enemy". That guilty ruling could still have widest ramifications for news organisations working on investigations relating to US national security.

Once the counts are added up, the prospects for the Manning are bleak. Barring reduction of sentence for mitigation, which becomes the subject of another mini-trial dedicated to sentencing that starts tomorrow, Manning will face a substantial chunk of his adult life in military custody.

He has already spent 1,157 days in detention since his arrest in May 2010 – most recently in Fort Leavenworth in Kansas – which will be deducted from his eventual sentence.

A further 112 days will be taken off the sentence as part of a pre-trial ruling in which Lind compensated him for the excessively harsh treatment he endured at the Quantico marine base in Virginia between July 2010 and April 2011. He was kept on suicide watch for long stretches despite expert opinion from military psychiatrists who deemed him to be at low risk of self-harm, and at one point was forced to strip naked at night in conditions that the UN denounced as a form of torture.

Lind has indicated that she will go straight into the sentencing phase of the trial, in which both defence and prosecution lawyers will call new witnesses. This is being seen as the critical stage of the trial for Manning's defence: the soldier admitted months ago to being the source of the WikiLeaks disclosures, and much of the defence strategy has been focused on attempting to reduce his sentence through mitigation.

With that in mind, the soldier's main counsel, David Coombs, is likely to present evidence during the sentencing phase that Manning was in a fragile emotional state at the time he began leaking and was struggling with issues over his sexuality. In pre-trial hearings, the defence has argued that despite his at times erratic behaviour, the accused was offered very little support or counselling from his superiors at Forward Operating Base Hammer outside Baghdad.

The outcome will now be pored over by government agencies, lawyers, journalists and civil liberties groups for its implications for whistleblowing, investigative reporting and the guarding of state secrets in the digital age. By passing to WikiLeaks more than 700,000 documents, Manning became the first mass digital leaker in history, opening a whole new chapter in the age-old tug-of-war between government secrecy and the public's right to information in a democracy.

Among those who will also be closely analysing the verdict are Edward Snowden, the former NSA contractor who has disclosed the existence of secret government dragnets of the phone records of millions of Americans, who has indicated that the treatment of Manning was one reason for his decision to seek asylum in another country rather than face similar aggressive prosecution in America. The British government will also be dissecting the courtroom results after the Guardian disclosed that Manning is a joint British American citizen.

Another party that will be intimately engaged with the verdict is WikiLeaks, and its founder, Julian Assange. They have been the subject of a secret grand jury investigation in Virginia that has been looking into whether to prosecute them for their role in the Manning disclosures.

WikiLeaks and Assange were mentioned repeatedly during the trial by the US government which tried to prove that the anti-secrecy organisation had directly steered Manning in his leaking activities, an allegation strongly denied by the accused. Prosecutors drew heavily on still classified web conversations between Manning and an individual going by the name of "Press Association", whom the government alleges was Assange.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 6377 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130730/e0be463f/attachment.txt>

From eugen at leitl.org  Tue Jul 30 02:16:53 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 30 Jul 2013 11:16:53 +0200
Subject: [bitcoin-list] [Bitcoin-development] BitMail - p2p Email 0.1. beta
Message-ID: <20130730091653.GX29404@leitl.org>

----- Forwarded message from Mike Hearn <mike at plan99.net> -----


From tony.arcieri at gmail.com  Tue Jul 30 12:39:31 2013
From: tony.arcieri at gmail.com (Tony Arcieri)
Date: Tue, 30 Jul 2013 12:39:31 -0700
Subject: OpenPGP adoption post-PRISM
In-Reply-To: <3122874.zXbmf9MeP4@laptosid>
References: <CAHOTMVLSrYAzXaDi38GJwThPJvgYTXL9rZCHNgzYNRkH90Uf-Q@mail.gmail.com>
 <CAHOTMVJSwfueKXKxteU3ORro8+FzHzNynRp8aZF0vsEA13EaGw@mail.gmail.com>
 <3122874.zXbmf9MeP4@laptosid>
Message-ID: <CAHOTMVLn60_hu-TBf6Xn-z1JS5at0nvLgj0MxLOtxtwZfGSNfA@mail.gmail.com>

On Tue, Jul 30, 2013 at 12:22 AM, rysiek <rysiek at hackerspace.pl> wrote:

> Correlation does not imply causation...


Guilty as charged on this. But the timing is pretty uncanny...

-- 
Tony Arcieri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 533 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130730/2992337b/attachment.txt>

From eugen at leitl.org  Tue Jul 30 04:12:15 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 30 Jul 2013 13:12:15 +0200
Subject: [cryptography] evidence for threat modelling -- street-sold hardware
 has been compromised
Message-ID: <20130730111215.GB29404@leitl.org>

----- Forwarded message from ianG <iang at iang.org> -----


From eugen at leitl.org  Tue Jul 30 04:23:32 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 30 Jul 2013 13:23:32 +0200
Subject: ZeroReserve -- a friend 2 friend payment scheme and Bitcoin exchange
Message-ID: <20130730112332.GD29404@leitl.org>


Implemented as a RetroShare plugin.

https://github.com/zeroreserve/ZeroReserve

ZeroReserve

Friend 2 Friend Payment and Bitcoin exchange

Prerequisite for building is a successful RetroShare build and sqlite3.

To build, checkout the sources to the plugins directory of Retroshare and build with

$ qmake && make clean && make

To install on Windows, drop the resulting DLL into the %APPDATA%\Retroshare\extensions directory.

To install on Linux, drop the resulting shared object into ~/.retroshare/extensions




From iang at iang.org  Tue Jul 30 04:07:44 2013
From: iang at iang.org (ianG)
Date: Tue, 30 Jul 2013 14:07:44 +0300
Subject: [cryptography] evidence for threat modelling -- street-sold hardware has been compromised
Message-ID: <mailman.4387.1575949048.62801.testlist@lists.cpunks.org>

It might be important to get this into the record for threat
modelling.  The suggestion that normally-purchased hardware has been
compromised by the bogeyman is often poo-pooed, and paying attention
to this is often thought to be too black-helicopterish to be serious.
E.g., recent discussions on the possibility of perversion of on-chip
RNGs.

This doesn't tell us how big the threat is, but it does raise it to
the level of 'evidenced'.



http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_on_security_HVgcKTHp4bIA4ulCPqC7SL

Computers manufactured by the world’s biggest personal computer maker,
Lenovo, have been banned from the “secret” and ‘‘top secret” ­networks
of the intelligence and defence services of Australia, the US,
Britain, Canada, and New Zealand, because of concerns they are
vulnerable to being hacked.

Multiple intelligence and defence sources in Britain and Australia
confirmed there is a written ban on computers made by the Chinese
company being used in “classified” networks.

The ban was introduced in the mid-2000s after intensive laboratory
testing of its equipment allegedly documented “back-door” hardware and
“firmware” vulnerabilities in Lenovo chips.

...
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From mike at plan99.net  Tue Jul 30 05:12:51 2013
From: mike at plan99.net (Mike Hearn)
Date: Tue, 30 Jul 2013 14:12:51 +0200
Subject: [bitcoin-list] [Bitcoin-development] BitMail - p2p Email 0.1. beta
Message-ID: <mailman.4388.1575949048.62801.testlist@lists.cpunks.org>

The TPM is a piece of secure* hardware that provides various cryptographic
services to the host system. It is important to understand that it is not a
crypto accelerator. It is a place to store keys and small pieces of data
(like hashes, counters) where it's difficult for someone to extract them
even if they have physical access.

The TPM is designed to support trusted computing, a rather splendid set of
extensions to the x86 architecture that let you do remote attestation,
software sealing and other things. Or at least it would be splendid if it
had been really finished off and pushed to completion by the designers.
Unfortunately due to various political issues it exists in a
quasi-finished, semi-broken state which only experts can use. Without a
doubt you have never run any software in a TC environment.

As part of that role, the TPM provides some permanent storage in the form
of NVRAM. Because the TPM is designed to be as cheap as possible, it has a
limited number of write cycles. Normally you're meant to store Intel TXT
launch control policies and sealed keys there, but Pond uses it in a
different way by storing keys there that it encrypts local data with. By
erasing the key in the TPM chips memory area, the data on disk is
effectively destroyed too.

This is useful because modern "disks" are often SSD drives, or physical
metal disks that use log structured file systems. Because flash memory has
a limited number of write cycles per cell, internally SSDs have firmware
that remap writes from logical addresses to different physical addresses,
the goal is to avoid wearing down the drive and extend its useful life.
Normally it doesn't matter, but if you want to delete data such that it's
really really gone, it obviously poses a problem. Using TPM NVRAM solves
it, albiet, at a high usability cost.



*note: actual tamper resistance of real-world TPM chips is not something
that seems to have been studied much


On Tue, Jul 30, 2013 at 1:27 PM, Wendell <w at grabhive.com> wrote:

> Can you explain this process for those of us not too familiar with TPM
> chips?
>
> -wendell
>
> grabhive.com | twitter.com/grabhive | gpg: 6C0C9411
>
> On Jul 30, 2013, at 10:40 AM, Mike Hearn wrote:
>
> > As a testament to the seriousness with which Pond takes forward
> security, it can use the NVRAM in a TPM chip to reliably destroy keys for
> data that an SSD device might have otherwise made un-erasable.
>
------------------------------------------------------------------------------
Get your SQL database under version control now!
Version control is standard for application code, but databases havent 
caught up. So what steps can you take to put your SQL databases under 
version control? Why should you start doing it? Read more to find out.
http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk
_______________________________________________
bitcoin-list mailing list
bitcoin-list at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-list

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From eugen at leitl.org  Tue Jul 30 05:23:09 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 30 Jul 2013 14:23:09 +0200
Subject: [bitcoin-list] [Bitcoin-development] BitMail - p2p Email 0.1. beta
Message-ID: <20130730122309.GF29404@leitl.org>

----- Forwarded message from Mike Hearn <mike at plan99.net> -----


From rsw at jfet.org  Tue Jul 30 12:18:51 2013
From: rsw at jfet.org (Riad S. Wahby)
Date: Tue, 30 Jul 2013 15:18:51 -0400
Subject: Radiation Emission Controls
In-Reply-To: <E1V49uL-0003Rj-HH@elasmtp-curtail.atl.sa.earthlink.net>
References: <E1V49uL-0003Rj-HH@elasmtp-curtail.atl.sa.earthlink.net>
Message-ID: <20130730191851.GA21042@jfet.org>

John Young <jya at pipeline.com> wrote:
> Since nearly all government and commercial data centers
> have generator back-ups, how are emissions from generators
> controlled?

On assumes that transient emissions, e.g., from a starter motor, follow
less stringent guidelines. And if the generators are diesel, they also
don't use spark plugs.

This is also consistent with having some urea on site for treating
diesel exhaust.

-=rsw




From eugen at leitl.org  Tue Jul 30 06:55:53 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 30 Jul 2013 15:55:53 +0200
Subject: Max Blumenthal on Security Forum
Message-ID: <20130730135553.GK29404@leitl.org>


(it's Alternet, so caveat lector)

http://www.alternet.org/tea-party-and-right/shocking-extermination-fantasies-people-running-americas-empire-full-display?paging=off


Shocking 'Extermination' Fantasies By the People Running America's Empire on
Full Display at Aspen Summit

Security Forum participants expressed total confidence in American empire,
but could not contain their panic at the mention of Snowden.

July 25, 2013  |  

Seated on a stool before an audience packed with spooks, lawmakers, lawyers
and mercenaries, CNN’s Wolf Blitzer introduced recently retired CENTCOM chief
General James Mattis. “I’ve worked with him and I’ve worked with his
predecessors,” Blitzer said of Mattis. “I know how hard it is to run an
operation like this.”

Reminding the crowd that CENTCOM is “really, really important,” Blitzer urged
them to celebrate Mattis: “Let’s give the general a round of applause.”

Following the gales of cheering that resounded from the room, Mattis, the
gruff 40-year Marine veteran who once volunteered his opinion that “it’s fun
to shoot some people,” outlined the challenge ahead. The “war on terror” that
began on 9/11 has no discernable end, he said, likening it to the “the
constant skirmishing between [the US cavalry] and the Indians” during the
genocidal Indian Wars of the 19th century.

“The skirmishing will go on likely for a generation,” Mattis declared.

Mattis’ remarks, made beside a cable news personality who acted more like a
sidekick than a journalist, set the tone for the entire 2013 Aspen Security
Forum this July. A project of the Aspen Institute, the Security Forum brought
together the key figures behind America’s vast national security state, from
military chieftains like Mattis to embattled National Security Agency Chief
General Keith Alexander to top FBI and CIA officials, along with the bookish
functionaries attempting to establish legal groundwork for expanding the war
on terror.

Partisan lines and ideological disagreements faded away inside the darkened
conference hall, as a parade of American securitocrats from administrations
both past and present appeared on stage to defend endless global warfare and
total information awareness while uniting in a single voice of condemnation
against a single whistleblower bunkered inside the waiting room of Moscow
International Airport: Edward Snowden.

With perhaps one notable exception, none of the high-flying reporters
junketed to Aspen to act as interlocutors seemed terribly interested in
interrogating the logic of the war on terror. The spectacle was a perfect
window into the world of access journalism, with media professionals
brown-nosing national security elites committed to secrecy and surveillance,
avoiding overly adversarial questions but making sure to ask the requisite
question about how much Snowden has caused terrorists to change their
behavior.

Jeff Harris, the communications director for the Aspen Institute, did not
respond to questions I submitted about whether the journalists who
participated in the Security Forum accepted fees. (It is likely that all
relied on Aspen to at least cover lodging and travel costs). CNN sponsored
the forum through a special new website called CNN Security Clearance,
promoting the event through Twitter and specially commissioned op-eds from
participating national security figures like former CIA director John
McLaughlin.

Another forum sponsor was Academi, the private mercenary corporation formerly
known as Blackwater. In fact, Academi is Blackwater’s third incarnation (it
was first renamed “Xe”) since revelations of widespread human rights abuses
and possible war crimes in Iraq and Afghanistan threw the mercenary firm into
full damage control mode. The Aspen Institute did not respond to my questions
about whether accepting sponsorship from such an unsavory entity fit within
its ethical guidelines.

'Exterminating People'

John Ashcroft, the former Attorney General who prosecuted the war on terror
under the administration of George W. Bush, appeared at Aspen as a board
member of Academi. Responding to a question about U.S. over-reliance on the
“kinetic” approach of drone strikes and special forces, Ashcroft reminded the
audience that the U.S. also likes to torture terror suspects, not just
“exterminate” them.

“It's not true that we have relied solely on the kinetic option,” Ashcroft
insisted. “We wouldn't have so many detainees if we'd relied on the ability
to exterminate people…We've had a blended and nuanced approach and for the
guy who's on the other end of a Hellfire missile he doesn't see that as a
nuance.”

Hearty laughs erupted from the crowd and fellow panelists. With a broad smile
on her face, moderator Catherine Herridge of Fox News joked to Ashcroft, “You
have a way with words.”

But Ashcroft was not done. He proceeded to boast about the pain inflicted on
detainees during long CIA torture sessions: “And maybe there are people who
wish they were on the end of one of those missiles.”

Competing with Ashcroft for the High Authoritarian prize was former NSA chief
Michael Hayden, who emphasized the importance of Obama’s drone
assassinations, at least in countries the U.S. has deemed to be Al Qaeda
havens. “Here's the strategic question,” Hayden said. “People in Pakistan? I
think that's very clear. Kill 'em. People in Yemen? The same. Kill 'em.”

“We don’t smoke [drug] cartel leaders but personally I’d support it,”
remarked Philip Mudd, the former deputy director of Bush’s Counterterrorism
Center, earning more guffaws from his fellow panelists and from Herridge.
Ironically, Mudd was attempting to argue that counter-terror should no longer
be a top U.S. security priority because it poses less of a threat to
Americans than synthetic drugs and child obesity.

Reflection was not on the agenda for most of the Security Forum’s
participants. When asked by a former US ambassador to Denmark the seminal
question “This is a great country, why are we always the bad guy?,” Mudd
replied, “They think that anything the U.S. does [in the Middle East], even
though we helped Muslim communities in Bosnia and Kuwait, everything is
rewritten to make us the bad guys.”

The clamoring about U.S. invasions, drone strikes, bankrolling of Israel’s
occupation, and general political meddling, could all be written off as
fevered anti-Americanism borne from the desert canyons of the paranoid Arab
mind.

And the wars could go on.

Delusions of Empire

Throughout the three days of the Security Forum, the almost uniformly white
cast of speakers were called on to discuss recent geopolitical developments,
from "Eye-rak" and "Eye-ran" to Egypt, where a military coup had just toppled
the first elected government in the country’s history.

Mattis carefully toed the line of the Obama administration, describing the
overthrow of Egypt’s government not as a coup, but as “military muscle
saddled on top of this popular uprising.”

Warning that using terms like “coup” could lead to a reduction in U.S. aid to
Egypt, where the military controls about one-third of the country’s economy,
Mattis warned, “We have to be very careful about passing laws with certain
words when the reality of the world won’t allow you to.”

Wolf Blitzer mentioned that Egypt’s new military-imposed foreign minister,
Nabil Fahmy, had been a fixture in Washington during the Mubarak days. “These
are people the West knows, the U.S. knows,” he said of the new cabinet in
Cairo. “I assume from the U.S. perspective, the United States is so much more
happy with this.”

Later, one of the few Arab participants in the forum, Al Jazeera DC bureau
chief Abderrahim Foukara, claimed that the Arab revolts were inspired by the
U.S. invasion of Iraq. “The iconic image of Saddam being pulled out of a hole
did something to the dynamic between ruler and ruled in the Arab world,”
Foukara claimed.

With the revolts blurring the old boundaries imposed on the Arab world during
the late colonial era, former CIA director John McLaughlin rose from the
audience to call for the U.S. to form a secret, Sikes-Picot-style commission
to draw up a new set of borders.

“The American government should now have such a group asking how we should
manage those lines and what should those lines be,” McLaughlin told the
panelists, who dismissed the idea of a new Great Game even as they discussed
tactics for preserving U.S. dominance in the Middle East.

ABC’s Chris Isham asked Jim Jeffrey, the former U.S. ambassador to Iraq, why,
with a recession on its hands and Middle Eastern societies spiraling out of
control, should the U.S. remain militarily involved in the region. Without
hesitation, Jeffrey rattled off the reasons: Saudi Arabia, Turkey, Israel,
and “world oil markets.”

“What could we have done better?” Isham asked the ambassador.

“Probably not too much.”

NSA Heroes, Saving Lives of Potential Consumers

While participants in the Security Forum expressed total confidence in
American empire, they could not contain their panic, outrage, and fear at the
mere mention of Snowden.

“Make no mistake about it: These are great people who we’re slamming and
tarnishing and it’s wrong. They’re the heroes, not this other and these
leakers!” NSA chief General Keith Alexander proclaimed, earning raucous
applause from the crowd.

Snowden’s leaks had prompted a rare public appearance from Alexander, forcing
the normally imperious spy chief into the spotlight to defend his agency’s
Panopticon-style programs and its dubious mechanisms of legal review.
Fortunately for him, NBC’s Pete Williams offered him the opportunity to lash
out at Snowden and the media that reported the leaks, asking whether the
"terrorists” (who presumably already knew they were being spied on) had
changed their behavior as a result of the leaks.

“We have concrete proof that terrorists are taking action, making changes,
and it’s gonna make our job harder,” Alexander declared, offering nothing to
support his claim.

Alexander appeared in full military regalia, with colorful decorations and
medallions covering his left breast. Casting himself as a stern but caring
father who has the best interests of all Americans at heart, even if he can't
fully disclose his methods, he turned to the crowd and explained, “The bad
guys…hide amongst us to kill our people. Our job is to stop them without
impacting your civil liberties and privacy and these programs are set up to
do that.”

“The reason we use secrecy is not to hide it from the American people, but to
hide it from the people who walk among you and are trying to kill you,”
Alexander insisted.

Corporations like AT&T, Google and Microsoft that had been compelled to hand
over customer data to the NSA “know that we’re saving lives,” the general
claimed. With a straight face, he continued, “And that’s good for business
because there’s more people out there who can buy their products.”

Self-Reporting

So who were the "bad guys” who “walk among us,” and how could Americans be
sure they had not been ensnared by the NSA’s all-encompassing spying regime,
either inadvertently or intentionally? Nearly all the Security Forum
participants involved in domestic surveillance responded to this question by
insisting that the NSA had the world’s most rigorous program of oversight,
pointing to Congress and the Foreign Intelligence Surveillance Act (FISA)
courts as the best and only means of ensuring that “mistakes” are corrected.

“We have more oversight on this [PRISM] program than any other program in any
government that I’m aware of,” Alexander proclaimed, ramming home a talking
point repeated throughout the forum.

“I can assure these are some of the judges who are renowned for holding the
government to a very high standard,” John Carlin, the Assistant US Attorney
General for National Security, stated.

But in the last year, FISA courts received 1,856 applications for
surveillance from the government. In 100 percent of cases, they were
approved. As for Congress, only two senators, Ron Wyden and Mark Udall,
demanded the NSA explain why PRISM was necessary or questioned its legality.
Despite the fact that the entire regime of oversight was a rubber stamp, or
perhaps because of it, none of those who appeared at the Security Forum to
defend it were willing to consider any forum of independent civilian review.

“You have to do [domestic surveillance] within a closed bubble in order to do
it effectively,” Dennis Blair, the director of National Intelligence conceded
under sustained grilling from the Washington Post’s Barton Gellman, one of
the reporters who broke Snowden’s leaks and perhaps the only journalist at
the Security Forum who subjected participants to tough scrutiny.

When Gellman reminded Alexander that none of the oversight mechanisms
currently in place could determine if the NSA had improperly targeted
American citizens with no involvement in terror-related activity, the general
declared, “we self-report those mistakes.”

“It can't be, let's just stop doing it, cause we know, that doesn't work,”
Alexander maintained. “We've got to have some program like [PRISM].”

The wars would go on, and so would the spying.

Reinstituting Public Confidence

During a panel on inter-agency coordination of counter-terror efforts, Mike
Leiter, the former director of the National Counterterrorism Center (NCC),
suggested that one of the best means of preserving America’s vast and
constantly expanding spying apparatus was “by reinstituting faith among the
public in our oversight.”

Even as current NCC director Matthew Olsen conceded, “There really are limits
in how transparent we can be,” Leiter demanded that the government “give the
public confidence that there’s oversight.

Since leaving the NCC, Leiter has become the senior counsel of Palantir
Technologies, a private security contractor that conducts espionage on behalf
of the FBI, CIA, financial institutions, the LAPD and the NYPD, among others.
In 2011, Palantir spearheaded a dirty tricks campaign against critics of the
U.S. Chamber of Commerce, including journalists, compiling electronic
dossiers intended to smear them. Palantir’s target list included progressive
groups like Think Progress, SEIU and U.S. Chamber Watch.

In the friendly confines of the Aspen Institute’s Security Forum, Leiter did
his best to burnish his company’s tarnished image, and do some damage control
on behalf of the national security apparatus it depends on for contracts.
Like most other participants, Leiter appeared in smart casual dress, with an
open collar, loafers, a loose-fitting jacket and slacks.

“Just seeing us here,” he said, “that inspires [public] confidence, because
we’re not a bunch of ogres.”

Max Blumenthal is the author of Republican Gomorrah (Basic/Nation Books,
2009). Twitter at @MaxBlumenthal.




From grarpamp at gmail.com  Tue Jul 30 13:24:57 2013
From: grarpamp at gmail.com (grarpamp)
Date: Tue, 30 Jul 2013 16:24:57 -0400
Subject: [tor-talk] BitMail 0.1 - p2p Email
In-Reply-To: <CAAS2fgTnEkg4nQzTL0kXj5z0LZdniGyDK1RZCeGoxn4nFnjX-g@mail.gmail.com>
References: <CAPHRpdVPjcG806e-SyHthwyE2-Yghu9m-CwAnrxkGF8Lkkx3XQ@mail.gmail.com>
 <51F7BAA9.9080802@cyblings.on.ca>
 <CAAS2fgTnEkg4nQzTL0kXj5z0LZdniGyDK1RZCeGoxn4nFnjX-g@mail.gmail.com>
Message-ID: <CAD2Ti2-ZALgx-adnDm8PnBkrazTSYT_pQ=7ReeYtGZvmCJosMA@mail.gmail.com>

On Tue, Jul 30, 2013 at 9:48 AM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> On Tue, Jul 30, 2013 at 6:07 AM, krishna e bera <keb at cyblings.on.ca> wrote:
>> On 13-07-30 12:47 AM, Thomas Asta wrote:
>>> http://bitmail.sourceforge.net/
>>
>> No design, no specs, no discussion, no docs.
>> A feature list that looks remarkably like GoldBug,
>> minus the fraudulent EFF endorsement.
>>
>> Is this a sneaky attempt to catch "darknet" users with a weak email and
>> messaging client/service?  Or just an early launch to attract people who
>> can fill in the gaps...
>>
>> Perhaps more relevantly, does it work with Tor out of the box?
>
> And source code that looks remarkably like GoldBug.
>
> Also being promoted on various list for crypto/privacy minded people
> by parties who seem to be pretending that they just "found" it and are
> curious about it.


Sending this thread over to cypherpunks for now as it no longer
has any relevance to Tor.

Apparently we have some new friends with various projects in mind...

http://mikeweber.users.sourceforge.net/
Thomas Asta <thomasasta at googlemail.com>
Randolph D <rdohm321 at gmail.com>


> Perhaps more relevantly, does it work with Tor out of the box?

At some point these people will stand up and start acting right,
some respected member will evaluate it (including the binaries),
or some respected group will fork and adopt it... or not. Until then,
it's demonstrated itself as being mud, so who cares.
People would be nuts to trust it, let alone play with it outside
of a sandbox.




From sina at redteam.io  Tue Jul 30 16:35:21 2013
From: sina at redteam.io (SiNA Rabbani)
Date: Tue, 30 Jul 2013 16:35:21 -0700
Subject: Getting started
In-Reply-To: <CAOFDsm06znhBkO3NYOBdLPcGjDc9DvcDO8-AXkr+e+wO5mg5WQ@mail.gmail.com>
References: <51F8427E.1070206@lavabit.com>
 <CAOFDsm06znhBkO3NYOBdLPcGjDc9DvcDO8-AXkr+e+wO5mg5WQ@mail.gmail.com>
Message-ID: <CAA8U0RTwSBOQFOZZFekSbS0KAj80hrgCqMkO3vXaqo5d8NPH3Q@mail.gmail.com>

http://cypherpunks.io

I'm hoping to collect a good collection of cypherpunks material in time.
Suggestions are appreciated.

--SiNA
On Jul 30, 2013 4:23 PM, "Steve Furlong" <demonfighter at gmail.com> wrote:

> Search for the writings of Tim May.
>
>
> On Tue, Jul 30, 2013 at 6:47 PM, stakewinner00 <stakewinner00 at lavabit.com>wrote:
>
>> Hi, I'm 16 years old and I was searching in duckduckgo and Google for
>> some material about cypherpunks but I not find nothing more than this
>> mailing list and some deserted website.
>>
>> If someone can give me some more information, I would be very grateful.
>>
>> Sorry for my bad English and for the spam.
>>
>>
>
>
> --
> Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1372 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130730/eb58e6ff/attachment.txt>

From maxrp at lavabit.com  Tue Jul 30 16:56:56 2013
From: maxrp at lavabit.com (Max R.D. Parmer)
Date: Tue, 30 Jul 2013 16:56:56 -0700
Subject: Getting started
In-Reply-To: <51F8427E.1070206@lavabit.com>
References: <51F8427E.1070206@lavabit.com>
Message-ID: <51F852C8.3070304@lavabit.com>

On 07/30/2013 03:47 PM, stakewinner00 wrote:
> Hi, I'm 16 years old and I was searching in duckduckgo and Google for
> some material about cypherpunks but I not find nothing more than this
> mailing list and some deserted website.
> 
> If someone can give me some more information, I would be very grateful.
> 
> Sorry for my bad English and for the spam.

Have you read "Cypherpunks: Freedom and the Future of the Internet" yet?
Helpful for getting a good chunk of the contemporary and historical context.

-- 
http://twitter.com/maximus_freeman
260D 9167 F8D9 3913 3564  E571 7D96 4D33 6114 2ACF

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1031 bytes
Desc: OpenPGP digital signature
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130730/20e90f2c/attachment.sig>

From rick at linuxmafia.com  Tue Jul 30 17:07:50 2013
From: rick at linuxmafia.com (Rick Moen)
Date: Tue, 30 Jul 2013 17:07:50 -0700
Subject: [linux-elitists] Evil in certain broadband marketsa isn't really evil
Message-ID: <mailman.4389.1575949048.62801.testlist@lists.cpunks.org>

(As Nixon's press secretary Ron Ziegler used to say, 'That statement is
no longer operative at this time.']


http://www.wired.com/threatlevel/2013/07/google-neutrality/
Now That It's in the Broadband Game, Google Flip-Flops on Network Neutrality

By Ryan Singel
07.30.13
1:55 PM

In a dramatic about-face on a key internet issue yesterday, Google told
the FCC that the network neutrality rules Google once championed
don't give citizens the right to run servers on their home broadband
connections, and that the Google Fiber network is perfectly within its
rights to prohibit customers from attaching the legal devices of their
choice to its network.

At issue is Google Fiber's Terms of Service, which contains a broad
prohibition against customers attaching "servers" to its ultrafast 1
Gbps network in Kansas City.

Google wants to ban the use of servers because it plans to offer a
business class offering in the future.
[...]


_______________________________________________
Do not Cc: anyone else on mail sent to this list.  The list server is set for maximum one recipient.
linux-elitists mailing list
linux-elitists at zgp.org
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From demonfighter at gmail.com  Tue Jul 30 16:16:44 2013
From: demonfighter at gmail.com (Steve Furlong)
Date: Tue, 30 Jul 2013 19:16:44 -0400
Subject: Getting started
In-Reply-To: <51F8427E.1070206@lavabit.com>
References: <51F8427E.1070206@lavabit.com>
Message-ID: <CAOFDsm06znhBkO3NYOBdLPcGjDc9DvcDO8-AXkr+e+wO5mg5WQ@mail.gmail.com>

Search for the writings of Tim May.


On Tue, Jul 30, 2013 at 6:47 PM, stakewinner00 <stakewinner00 at lavabit.com>wrote:

> Hi, I'm 16 years old and I was searching in duckduckgo and Google for some
> material about cypherpunks but I not find nothing more than this mailing
> list and some deserted website.
>
> If someone can give me some more information, I would be very grateful.
>
> Sorry for my bad English and for the spam.
>
>


-- 
Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 845 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130730/2cff9700/attachment.txt>

From sandyinchina at gmail.com  Tue Jul 30 16:57:52 2013
From: sandyinchina at gmail.com (Sandy Harris)
Date: Tue, 30 Jul 2013 19:57:52 -0400
Subject: Getting started
In-Reply-To: <51F8427E.1070206@lavabit.com>
References: <51F8427E.1070206@lavabit.com>
Message-ID: <CACXcFm=6TGUpvRPAJCyZ6LE4C+jnL6RCo6AyhL_=AuW158vDiQ@mail.gmail.com>

stakewinner00 <stakewinner00 at lavabit.com> wrote:

> Hi, I'm 16 years old and I was searching in duckduckgo and Google for some
> material about cypherpunks ...
>
> If someone can give me some more information, I would be very grateful.

One reference is:
http://en.citizendium.org/wiki/Cypherpunk

Wikipedia, largely copied from the above:
http://en.wikipedia.org/wiki/Cypherpunk

Links in those articles will give you more.




From njloof at gmail.com  Tue Jul 30 20:07:03 2013
From: njloof at gmail.com (Nathan Loofbourrow)
Date: Tue, 30 Jul 2013 20:07:03 -0700
Subject: Getting started
In-Reply-To: <51F87A7C.70204@headstrong.de>
References: <51F8427E.1070206@lavabit.com> <51F852C8.3070304@lavabit.com>
 <51F87A7C.70204@headstrong.de>
Message-ID: <B03ED342-88DA-482B-8856-3D502EBB62C4@gmail.com>

You left out "Assassination Politics" by Jim Bell.




From eugen at leitl.org  Tue Jul 30 12:40:00 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 30 Jul 2013 21:40:00 +0200
Subject: Python Random Number Generator for OTP
In-Reply-To: <65EAF83B-9F83-42B1-B636-975086A82DC3@callas.org>
References: <alpine.DEB.2.00.1307221647450.28426@neptune.sinister.com>
 <20130722214614.GF25759@hexapodia.org>
 <51EE318C.9070309@mehnert.org>
 <CAK9dnSzFnchEDs-rs7rCvgrdq5TFDWAA98keTobS3OdzAX7bbA@mail.gmail.com>
 <20130723222446.98325D061@a-pb-sasl-quonix.pobox.com>
 <20130724172706.GL27178@hexapodia.org>
 <CAGFRu2mdK3wLGqe86dNW8DUi8NU9G333xwqMW5U1KpPmrK_XdQ@mail.gmail.com>
 <20130724215618.BIAM3897.eastrmfepo102.cox.net@eastrmimpo210>
 <CAFDBa1UZZEAi7akEJf2XUE=sGgXr+hA9fKPFko_cipuocZPf=w@mail.gmail.com>
 <65EAF83B-9F83-42B1-B636-975086A82DC3@callas.org>
Message-ID: <20130730194000.GP29404@leitl.org>

On Tue, Jul 30, 2013 at 10:28:46AM -0700, Jon Callas wrote:

> This entropy broker strikes me as exactly the same sort of understanding.

I don't see how one couldn't prime the kernel entropy pool from
a high-quality high-rate entropy source on a trusted local,
physical network. As long as multiple machines are guaranteed 
not to share the same entropy bits I don't see an attack angle there.




From stakewinner00 at lavabit.com  Tue Jul 30 15:47:26 2013
From: stakewinner00 at lavabit.com (stakewinner00)
Date: Wed, 31 Jul 2013 00:47:26 +0200
Subject: Getting started
Message-ID: <51F8427E.1070206@lavabit.com>

Hi, I'm 16 years old and I was searching in duckduckgo and Google for 
some material about cypherpunks but I not find nothing more than this 
mailing list and some deserted website.

If someone can give me some more information, I would be very grateful.

Sorry for my bad English and for the spam.




From moritz at headstrong.de  Tue Jul 30 19:46:20 2013
From: moritz at headstrong.de (Moritz)
Date: Wed, 31 Jul 2013 04:46:20 +0200
Subject: Getting started
In-Reply-To: <51F852C8.3070304@lavabit.com>
References: <51F8427E.1070206@lavabit.com> <51F852C8.3070304@lavabit.com>
Message-ID: <51F87A7C.70204@headstrong.de>

On 31.07.2013 01:56, Max R.D. Parmer wrote:
> Have you read "Cypherpunks: Freedom and the Future of the Internet" yet?
> Helpful for getting a good chunk of the contemporary and historical context.

You might also like:

Crypto Anarchy, Cyberstates, and Pirate Utopias
Peter Ludloff
http://www.amazon.com/books/dp/0262621517

What the Dormouse Said: How the Sixties Counterculture Shaped the
Personal Computer Industry
John Markoff
http://www.amazon.com/What-Dormouse-Said-Counterculture-Personal/dp/0143036769

Some random reading list on the broader spectrum:

  * Scott Adams: Dilbert
  * Mitch Albom: Tuesdays with Morrie
  * Saul Alinsky: Rules for Radicals
  * Günther Andreas: Die molussische Katakombe (1933), Die
Antiquiertheit des Menschen
  * Charles Babbage: On the Mental Division of Labour
  * Jasper Becker: Hungry Ghosts
  * Frederico Biancuzzi, Shane Warden: Masterminds of Programming (2009)
  * Jorge Luís Borges: Any short story collection you want
  * John Brunner: The Shockwave Rider (1975)
  * Mikhail Bulgakov: The Master and Margarita
  * Anthony Burgess
  * Vanevar Bush: "As We May Think"
  * Italo Calvino: Invisible Cities, Cosmicomics, Marcovaldo
  * E.R. Carmin: Das schwarze Reich (2002)
  * C. J. Cherryh: Cyteen
  * Arthur C. Clark: A Meeting With Medusa (1972)
  * Anton Chekhov: "The Lady With the Little Dog"
  * The Dark Mountain Project: Dark Mountain Volume 2 (2011)
  * Guy Debord: Society of the Spectacle
  * Frederick Douglass: Collected Autobiographies
  * Umberto Eco: Foucault's Pendulum
  * Warren Ellis: Transmetropolitan
  * Ralph Ellison: Invisible Man
  * Georgina Ferry: A Computer called LEO (2004)
  * Jasper Fforde: Shades of Gray
  * Illiad Frazer: User Friendly
  * Neil Gaiman: Sandman
  * Garner: A Dictionary of Modern English Usage
  * Emma Goldman: Anarchism and Other Essays, My Disillusionment in Russia
  * Gandhi: Autobiography
  * Gene Sharp
  * William Gibson
  * Hackerbibel 1+2
  * Robert Heinlein: The Moon is a Harsh Mistress
  * Douglas R. Hofstadter: Gödel, Escher, Bach: An Eternal Golden Braid
(1999)
  * Andrew Hunt: The Pragmatic Programmer (1999)
  * Orlando Figes: A People's Tragedy
  * Sho Fumimura and Ryoichi Ikegami: Sanctuary
  * Erich Jantsch: The self-organising Universe (1979)
  * Robert Jungk
  * David Kahn: "The Codebreakers"
  * Paul Lafargue: Das Recht auf Faulheit. Widerlegung des Rechtes auf
Arbeit. (1883)
  * Steven Levy: Hackers: Heroes of the Computer Revolution
  * David Lewis: Counterfactuals (2001)
  * Johnny Long: Stealing the Network (2009)
  * Peter Ludlow: Crypto Anarchy, Cyberstates, and Pirate Utopias (2001)
  * Ernest Mandell
  * John Markoff: What the Dormouse Said: How the Sixties Counterculture
Shaped the Personal Computer Industry (2006)
  * Werner Mayer-Eppler: Grundlagen und Anwendungen der
Informationstheorie (1959)
  * Mandela: The Long Walk To Freedom (Autobiography)
  * Mondo 2000 - A User's Guide to the New Edge (1992)
  * [[http://monochrom.at/mono/|monochrom print]]
  * Jenna Moran: Hitherby Dragons (online only; a book is coming out soon)
  * Grant Morrison: The Invisibles
  * Günter Myrell: Daten-Schatten
  * Theodor Nelson: Computer Lib/Dream Machines (1974)
  * Tsugumi Ohba and Takeshi Obata: Death Note
  * Manfred Osten: Das geraubte Gedächtnis (2004)
  * P.M.: Bolo Bolo (1983), Subcoma (2000)
  * [[http://www.gruenekraft.com/|Werner Pieper and the Grüne Kraft]]
  * Milorad Pavić: Dictionary of the Khazars
  * Victor Pelevin: The Yellow Arrow, The Helmet of Horror, anything you
can find in English (or Russian, if you can read that)
  * Tim Powers: Last Call
  * Thomas Pynchon: The Crying of Lot 49
  * Bertrand Russell: In Praise of Idleness (1935)
  * Mark Russinovich: Windows Internals, Zero Day
  * Melissa Scott: Trouble and her Friends (or anything else, really)
  * Vikram Seth: The Golden Gate
  * Carla Speed McNeil: Finder
  * Oswald Spengler: Untergang des Abendlandes
  * Karl Steinbruch: Falsch programmiert. Über das Versagen unserer
Gesellschaft... (1968)
  * Neal Stephenson
  * Daniel Suarez: Daemon, Freedom
  * Andrew S. Tanenbaum
  * Thoreau: Civil Disobedience
  * Tad Tuleja: The Catalog of Lost Books
  * Sherry Turkle: The Second Self
  * Vernor Vinge: "True Names", "A Deepness in the Sky", "A Fire Upon
the Deep"
  * Norbert Wiener: Cybernetics or Control and Communication in the
Animal and the Machine (1948)
  * Theodore J. Kaczynski
  * David Foster Wallace: Infinite Jest
  * Bill Watterson: Calvin & Hobbes
  * Donald Westlake: Under an English Heaven
  * Robert Anton Wilson: The Illuminatus
  * Tom Wolfe: The Electronic Cool-Aid Acid Test (1968)
  * Malaclypse The Younger: Principia Discordia: Or "How I Found
Goddess, and What I Did to Her When I Found Her" (1965-1991)




From dmarti at zgp.org  Wed Jul 31 05:38:11 2013
From: dmarti at zgp.org (Don Marti)
Date: Wed, 31 Jul 2013 05:38:11 -0700
Subject: [linux-elitists] Evil in certain broadband marketsa isn't really evil
Message-ID: <mailman.4390.1575949049.62801.testlist@lists.cpunks.org>

begin Rick Moen quotation of Tue, Jul 30, 2013 at 05:07:50PM -0700:

> http://www.wired.com/threatlevel/2013/07/google-neutrality/
> Now That It's in the Broadband Game, Google Flip-Flops on Network Neutrality

Douglas McClendon sounds like our kind of people.
  http://cloudsession.com/dawg/downloads/misc/kag-draft-2k121024.pdf
  http://cloudsession.com/dawg/profile/

I posted this in a thread on this topic on another
mailing list where some relevant Google people are
also active:

Thanks to the CFAA, violating your ToS is a _felony_.

I understand that you want to use plain language, and
not be "lawyerly", but if you're a ToS writer, Federal
law has been outsourced to you, and you have to deal
with it.  (CFAA reform is a separate issue--I'm just
talking about the law as it stands now.)

How can you tell people, "you're party to a legally
binding contract that can put you in Federal prison
if you violate it, but go ahead and break it, off
the record we're fine with that"?

It's as if someone interrupted the office Nerf gun
wars to take your Nerf pistol and hand you a real
gun -- and you kept playing.

-- 
Don Marti                      +1-510-332-1587 (mobile)
http://zgp.org/~dmarti/        Alameda, California, USA
dmarti at zgp.org
_______________________________________________
Do not Cc: anyone else on mail sent to this list.  The list server is set for maximum one recipient.
linux-elitists mailing list
linux-elitists at zgp.org
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From zooko at leastauthority.com  Wed Jul 31 04:36:52 2013
From: zooko at leastauthority.com (Zooko Wilcox-OHearn)
Date: Wed, 31 Jul 2013 11:36:52 +0000
Subject: [tahoe-dev] press release: LeastAuthority.com announces Spy-Proof Backup
Message-ID: <mailman.4391.1575949049.62801.testlist@lists.cpunks.org>

Folks:

We're really happy to be offering our LAFS-based ciphertext storage
service to the public! Please spread the word. Thank you very much to
everyone in our little community for making things like this possible.

Regards,

Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep

https://LeastAuthority.com

            LeastAuthority.com Announces A Spy-Proof Storage Service

   Wednesday, July 31, 2013

   [1]LeastAuthority.com today announced “Simple Secure Storage Service
   (S4)”, a backup service that encrypts your files to protect them from the
   prying eyes of spies and criminals.

   “People deserve privacy and security in the digital data that make up our
   daily lives.” said the company's founder and CEO, Zooko Wilcox-O'Hearn.
   “As an individual or a business, you shouldn't have to give up control
   over your data in order to get the benefits of cloud storage.”

                         verifiable end-to-end security

   The Simple Secure Storage Service offers verifiable end-to-end security.

   It offers “end-to-end security” because all of the customer's data is
   encrypted locally — on the customer's own personal computer — before it is
   uploaded to the cloud. During its stay in the cloud, it cannot be
   decrypted by LeastAuthority.com, nor by anyone else, without the
   decryption key which is held only by the customer.

   S4 offers “verifiable end-to-end security” because all of the source code
   that makes up the Simple Secure Storage Service is published for everyone
   to see. Not only is the source code publicly visible, but it also comes
   with Free (Libre) and Open Source rights granted to the public allowing
   anyone to inspect the source code, experiment on it, alter it, and even to
   distribute their own version of it and to sell commercial services.

   Wilcox-O'Hearn says “If you rely on closed-source, proprietary software,
   then you're just taking the vendor's word for it that it actually provides
   the end-to-end security that they claim. As the PRISM scandal shows, that
   claim is sometimes a lie.”

   The web site of LeastAuthority.com proudly states “We can never see your
   data, and you can always see our code.”.

                               trusted by experts

   The Simple Secure Storage Service is built on a technology named
   “Least-Authority File System (LAFS)”. LAFS has been studied and used by
   computer scientists, hackers, Free and Open Source software developers,
   activists, the U.S. Defense Advanced Research Projects Agency, and the
   U.S. National Security Agency.

   The design has been published in a peer-reviewed scientific workshop:
   Wilcox-O'Hearn, Zooko, and Brian Warner. “Tahoe: the least-authority
   filesystem.” Proceedings of the 4th ACM international workshop on Storage
   security and survivability. ACM, 2008.
   [2]http://eprint.iacr.org/2012/524.pdf

   It has been cited in more than 50 scientific research papers, and has
   received plaudits from the U.S. Comprehensive National Cybersecurity
   Initiative, which stated: “Systems like Least-Authority File System are
   making these methods immediately usable for securely and availably storing
   files at rest; we propose that the methods be further reviewed, written
   up, and strongly evangelized as best practices in both government and
   industry.”

   Dr. Richard Stallman, President of the Free Software Foundation
   ([3]https://fsf.org/) said “Free/Libre software is software that the users
   control. If you use only free/libre software, you control your local
   computing — but using the Internet raises other issues of freedom and
   privacy, which many network services don't respect. The Simple Secure
   Storage Service (S4) is an example of a network service that does respect
   your freedom and privacy.”

   Jacob Appelbaum, Tor project developer ([4]https://www.torproject.org/)
   and WikiLeaks volunteer ([5]http://wikileaks.org/), said “LAFS's design
   acknowledges the importance of verifiable end-to-end security through
   cryptography, Free/Libre release of software and transparent peer-reviewed
   system design.”

   The LAFS software is already packaged in several widely-used operating
   systems such as Debian GNU/Linux and Ubuntu.

   [6]https://LeastAuthority.com

References

   Visible links
   1. https://leastauthority.com/
   2. http://eprint.iacr.org/2012/524.pdf
   3. https://fsf.org/
   4. https://www.torproject.org/
   5. http://wikileaks.org/
   6. https://leastauthority.com/

_______________________________________________
tahoe-dev mailing list
tahoe-dev at tahoe-lafs.org
https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev


----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From jya at pipeline.com  Wed Jul 31 08:39:19 2013
From: jya at pipeline.com (John Young)
Date: Wed, 31 Jul 2013 11:39:19 -0400
Subject: XKeyscore: More fun with NSA
In-Reply-To: <CAGUkT8Y6=10KR=MC6cPABAgtAkzYLOOjd=naBzkvqdVqRH6Vqg@mail.g
 mail.com>
References: <CAGUkT8Y6=10KR=MC6cPABAgtAkzYLOOjd=naBzkvqdVqRH6Vqg@mail.gmail.com>
Message-ID: <E1V4YSj-00079z-8o@elasmtp-spurfowl.atl.sa.earthlink.net>

Thanks for the links. Great to see Guardian is again releasing
a full document rather than editorial blather.



At 10:01 AM 7/31/2013, you wrote:
>http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data
>
>http://www.theguardian.com/world/interactive/2013/jul/31/nsa-xkeyscore-program-full-presentation
>
>(adding some keywords for NSA and the link to the latest issue
>Al-Qaeda Inspire magazine for good measure)
>
>Bin Laden
>ÃÓÇãÉ Èä ãÍãÏ Èä ÚæÖ Èä áÇÏä
>Al-Qaeda
>ÇáÞÇÚÏÉ
>Jihad
>ÌåÇÏý
>Boston marathon
>ÊÝÌíÑÇ ãÇÑÇËæä
>Hamas
>ÍãÇÓý
>Hezbollah
>ÍÒÈ Çááå
>
>http://azelin.files.wordpress.com/2013/05/inspire-magazine-issue-11.pdf
>http://azelin.files.wordpress.com/2013/05/inspire-magazine-issue-11-ar.pdf






From joseph.g.tag at gmail.com  Wed Jul 31 09:26:44 2013
From: joseph.g.tag at gmail.com (Joseph Tag)
Date: Wed, 31 Jul 2013 12:26:44 -0400
Subject: cypherpunks Digest, Vol 1, Issue 20
In-Reply-To: <mailman.23.1375283782.29000.cypherpunks@cpunks.org>
References: <mailman.23.1375283782.29000.cypherpunks@cpunks.org>
Message-ID: <CAEy+Hk-xm4q9k4G4ezLpqwJprPZ6rtxEOH0ec-V=098oF7JuQg@mail.gmail.com>

Best "intro" of CypherPunks I found was in The New York Times magazine
( mentioned PGP too ) .




From rich at openwatch.net  Wed Jul 31 09:33:12 2013
From: rich at openwatch.net (Rich Jones)
Date: Wed, 31 Jul 2013 12:33:12 -0400
Subject: XKeyscore: More fun with NSA
In-Reply-To: <CAGUkT8YbVhZ-HagHSsO0L3Sp5kHOex7GKi4w5Jo3_Ok3J9jJXA@mail.gmail.com>
References: <CAGUkT8Y6=10KR=MC6cPABAgtAkzYLOOjd=naBzkvqdVqRH6Vqg@mail.gmail.com>
 <E1V4YSj-00079z-8o@elasmtp-spurfowl.atl.sa.earthlink.net>
 <CAGUkT8YbVhZ-HagHSsO0L3Sp5kHOex7GKi4w5Jo3_Ok3J9jJXA@mail.gmail.com>
Message-ID: <CADJYzx++rrsvSLNKpcLSC591H3+vectAABvLW2T8okCHRgfmgQ@mail.gmail.com>

3 deleted pages, and there are screen shots of the interface (looks kind of
like Burp Suite!) in the article not included in the PDF. Those screen
shots include some blurring, not sure if done by Guardian or not).


On Wed, Jul 31, 2013 at 12:09 PM, Karel Bílek <kb at karelbilek.com> wrote:

> They deleted some "success stories" though. But I don't think those
> matter that much.
>
> On Wed, Jul 31, 2013 at 4:39 PM, John Young <jya at pipeline.com> wrote:
> > Thanks for the links. Great to see Guardian is again releasing
> > a full document rather than editorial blather.
> >
> >
> >
> >
> > At 10:01 AM 7/31/2013, you wrote:
> >>
> >>
> >>
> http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data
> >>
> >>
> >>
> http://www.theguardian.com/world/interactive/2013/jul/31/nsa-xkeyscore-program-full-presentation
> >>
> >> (adding some keywords for NSA and the link to the latest issue
> >> Al-Qaeda Inspire magazine for good measure)
> >>
> >> Bin Laden
> >> أسامة بن محمد بن عوض بن لادن
> >> Al-Qaeda
> >> القاعدة
> >> Jihad
> >> جهاد‎
> >> Boston marathon
> >> تفجيرا ماراثون
> >> Hamas
> >> حماس‎
> >> Hezbollah
> >> حزب الله
> >>
> >> http://azelin.files.wordpress.com/2013/05/inspire-magazine-issue-11.pdf
> >>
> http://azelin.files.wordpress.com/2013/05/inspire-magazine-issue-11-ar.pdf
> >
> >
> >
> >
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2509 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130731/2b541d1b/attachment.txt>

From kb at karelbilek.com  Wed Jul 31 07:01:22 2013
From: kb at karelbilek.com (=?ISO-8859-1?Q?Karel_B=EDlek?=)
Date: Wed, 31 Jul 2013 15:01:22 +0100
Subject: XKeyscore: More fun with NSA
Message-ID: <CAGUkT8Y6=10KR=MC6cPABAgtAkzYLOOjd=naBzkvqdVqRH6Vqg@mail.gmail.com>

http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data

http://www.theguardian.com/world/interactive/2013/jul/31/nsa-xkeyscore-program-full-presentation

(adding some keywords for NSA and the link to the latest issue
Al-Qaeda Inspire magazine for good measure)

Bin Laden
أسامة بن محمد بن عوض بن لادن
Al-Qaeda
القاعدة
Jihad
جهاد‎
Boston marathon
تفجيرا ماراثون
Hamas
حماس‎
Hezbollah
حزب الله

http://azelin.files.wordpress.com/2013/05/inspire-magazine-issue-11.pdf
http://azelin.files.wordpress.com/2013/05/inspire-magazine-issue-11-ar.pdf




From otr at riseup.net  Wed Jul 31 12:24:22 2013
From: otr at riseup.net (OTR)
Date: Wed, 31 Jul 2013 15:24:22 -0400
Subject: Max Blumenthal on Security Forum (Eugen Leitl)
In-Reply-To: <mailman.1.1375200002.16509.cypherpunks@cpunks.org>
References: <mailman.1.1375200002.16509.cypherpunks@cpunks.org>
Message-ID: <51F96466.1020503@riseup.net>

First, glad to be here. Missed the cypherpunks the first time around.
I'm going to want to get to know you folks for my ongoing coverage of --
and book project on -- Snowden, NSA and the surveillance-industrial
revolution.

Second, while it's nice (and rather unexpected) to get a shout-out from
Alternet, I wouldn't agree that every other journalist at Aspen was an
acolyte. Michael Isikoff did a good job of pushing his panel, especially
U.S. Attorney Neil MacBride, who is Snowden's designated prosecutor (and
is trying to jail James Risen to force testimony in the Sterling leak
case). Pete Williams is also a terrific reporter. He met charm with
charm but gently walked Keith Alexander into a corner, eliciting
unambiguous statements that the NSA will have to defend as time goes on.
Plus, he called on people he knew would ask tough questions.

Oh, and yes, Aspen covered my travel costs. I assume it did the same for
others. No speaker fee was offered or requested.


On 7/30/13 12:00 PM, Eugen Leitl <eugen at leitl.org>  wrote:

Subject: Max Blumenthal on Security Forum

(it's Alternet, so caveat lector)

http://www.alternet.org/tea-party-and-right/shocking-extermination-fantasies-people-running-americas-empire-full-display?paging=off

[...]

With perhaps one notable exception, none of the high-flying reporters
junketed to Aspen to act as interlocutors seemed terribly interested in
interrogating the logic of the war on terror. The spectacle was a perfect
window into the world of access journalism, with media professionals
brown-nosing national security elites committed to secrecy and surveillance,
avoiding overly adversarial questions but making sure to ask the requisite
question about how much Snowden has caused terrorists to change their
behavior.

Jeff Harris, the communications director for the Aspen Institute, did not
respond to questions I submitted about whether the journalists who
participated in the Security Forum accepted fees. (It is likely that all
relied on Aspen to at least cover lodging and travel costs).

[...]

"You have to do [domestic surveillance] within a closed bubble in order to do
it effectively," Dennis Blair, the director of National Intelligence conceded
under sustained grilling from the Washington Post's Barton Gellman, one of
the reporters who broke Snowden's leaks and perhaps the only journalist at
the Security Forum who subjected participants to tough scrutiny.

When Gellman reminded Alexander that none of the oversight mechanisms
currently in place could determine if the NSA had improperly targeted
American citizens with no involvement in terror-related activity, the general
declared, "we self-report those mistakes."


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4207 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130731/27cabeee/attachment.bin>

From eugen at leitl.org  Wed Jul 31 06:46:39 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 31 Jul 2013 15:46:39 +0200
Subject: [linux-elitists] Evil in certain broadband marketsa isn't really evil
Message-ID: <20130731134639.GY29404@leitl.org>

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----


From eugen at leitl.org  Wed Jul 31 06:47:16 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 31 Jul 2013 15:47:16 +0200
Subject: [linux-elitists] Evil in certain broadband marketsa isn't really
 evil
Message-ID: <20130731134716.GZ29404@leitl.org>

----- Forwarded message from Don Marti <dmarti at zgp.org> -----


From eugen at leitl.org  Wed Jul 31 06:49:23 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 31 Jul 2013 15:49:23 +0200
Subject: [tahoe-dev] press release: LeastAuthority.com announces Spy-Proof
 Backup
Message-ID: <20130731134923.GA29404@leitl.org>

----- Forwarded message from Zooko Wilcox-OHearn <zooko at leastauthority.com> -----


From eugen at leitl.org  Wed Jul 31 06:51:21 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 31 Jul 2013 15:51:21 +0200
Subject: [FoRK] Functional encryption, or "Computer scientists develop
 'mathematical jigsaw puzzles' to encrypt software"
Message-ID: <20130731135121.GB29404@leitl.org>

----- Forwarded message from Noon Silk <noonslists at gmail.com> -----


From eugen at leitl.org  Wed Jul 31 07:23:15 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 31 Jul 2013 16:23:15 +0200
Subject: Radiation Emission Controls
In-Reply-To: <20130730191851.GA21042@jfet.org>
References: <E1V49uL-0003Rj-HH@elasmtp-curtail.atl.sa.earthlink.net>
 <20130730191851.GA21042@jfet.org>
Message-ID: <20130731142315.GC29404@leitl.org>

On Tue, Jul 30, 2013 at 03:18:51PM -0400, Riad S. Wahby wrote:
> John Young <jya at pipeline.com> wrote:
> > Since nearly all government and commercial data centers
> > have generator back-ups, how are emissions from generators
> > controlled?
> 
> On assumes that transient emissions, e.g., from a starter motor, follow
> less stringent guidelines. And if the generators are diesel, they also
> don't use spark plugs.
> 
> This is also consistent with having some urea on site for treating
> diesel exhaust.

Is there any RF sigint at all done at the Utah site? It could
all well be just a big crunch and storage facility. It would
help if we had a good fiber map of the general area.

I suspect that the NSA is doing a lot of decentral signal
prefiltering and processing at the network edge, and only uses 
large central facilities if they're unavoidable.




From kb at karelbilek.com  Wed Jul 31 09:09:51 2013
From: kb at karelbilek.com (=?ISO-8859-1?Q?Karel_B=EDlek?=)
Date: Wed, 31 Jul 2013 17:09:51 +0100
Subject: XKeyscore: More fun with NSA
In-Reply-To: <E1V4YSj-00079z-8o@elasmtp-spurfowl.atl.sa.earthlink.net>
References: <CAGUkT8Y6=10KR=MC6cPABAgtAkzYLOOjd=naBzkvqdVqRH6Vqg@mail.gmail.com>
 <E1V4YSj-00079z-8o@elasmtp-spurfowl.atl.sa.earthlink.net>
Message-ID: <CAGUkT8YbVhZ-HagHSsO0L3Sp5kHOex7GKi4w5Jo3_Ok3J9jJXA@mail.gmail.com>

They deleted some "success stories" though. But I don't think those
matter that much.

On Wed, Jul 31, 2013 at 4:39 PM, John Young <jya at pipeline.com> wrote:
> Thanks for the links. Great to see Guardian is again releasing
> a full document rather than editorial blather.
>
>
>
>
> At 10:01 AM 7/31/2013, you wrote:
>>
>>
>> http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data
>>
>>
>> http://www.theguardian.com/world/interactive/2013/jul/31/nsa-xkeyscore-program-full-presentation
>>
>> (adding some keywords for NSA and the link to the latest issue
>> Al-Qaeda Inspire magazine for good measure)
>>
>> Bin Laden
>> أسامة بن محمد بن عوض بن لادن
>> Al-Qaeda
>> القاعدة
>> Jihad
>> جهاد‎
>> Boston marathon
>> تفجيرا ماراثون
>> Hamas
>> حماس‎
>> Hezbollah
>> حزب الله
>>
>> http://azelin.files.wordpress.com/2013/05/inspire-magazine-issue-11.pdf
>> http://azelin.files.wordpress.com/2013/05/inspire-magazine-issue-11-ar.pdf
>
>
>
>




From eugen at leitl.org  Wed Jul 31 08:16:17 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 31 Jul 2013 17:16:17 +0200
Subject: XKeyscore: NSA tool collects 'nearly everything a user does on the
 internet'
Message-ID: <20130731151617.GE29404@leitl.org>


http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data

XKeyscore: NSA tool collects 'nearly everything a user does on the internet'

• XKeyscore gives 'widest-reaching' collection of online data

• NSA analysts require no prior authorization for searches

• Sweeps up emails, social media activity and browsing history

• NSA's XKeyscore program – read one of the presentations

Glenn Greenwald

theguardian.com, Wednesday 31 July 2013 13.56 BST

XKeyscore map

One presentation claims the XKeyscore program covers 'nearly everything a
typical user does on the internet'

A top secret National Security Agency program allows analysts to search with
no prior authorization through vast databases containing emails, online chats
and the browsing histories of millions of individuals, according to documents
provided by whistleblower Edward Snowden.

The NSA boasts in training materials that the program, called XKeyscore, is
its "widest-reaching" system for developing intelligence from the internet.

The latest revelations will add to the intense public and congressional
debate around the extent of NSA surveillance programs. They come as senior
intelligence officials testify to the Senate judiciary committee on
Wednesday, releasing classified documents in response to the Guardian's
earlier stories on bulk collection of phone records and Fisa surveillance
court oversight.

The files shed light on one of Snowden's most controversial statements, made
in his first video interview published by the Guardian on June 10.

"I, sitting at my desk," said Snowden, could "wiretap anyone, from you or
your accountant, to a federal judge or even the president, if I had a
personal email".

US officials vehemently denied this specific claim. Mike Rogers, the
Republican chairman of the House intelligence committee, said of Snowden's
assertion: "He's lying. It's impossible for him to do what he was saying he
could do."

But training materials for XKeyscore detail how analysts can use it and other
systems to mine enormous agency databases by filling in a simple on-screen
form giving only a broad justification for the search. The request is not
reviewed by a court or any NSA personnel before it is processed.

XKeyscore, the documents boast, is the NSA's "widest reaching" system
developing intelligence from computer networks – what the agency calls
Digital Network Intelligence (DNI). One presentation claims the program
covers "nearly everything a typical user does on the internet", including the
content of emails, websites visited and searches, as well as their metadata.

Analysts can also use XKeyscore and other NSA systems to obtain ongoing
"real-time" interception of an individual's internet activity.

Under US law, the NSA is required to obtain an individualized Fisa warrant
only if the target of their surveillance is a 'US person', though no such
warrant is required for intercepting the communications of Americans with
foreign targets. But XKeyscore provides the technological capability, if not
the legal authority, to target even US persons for extensive electronic
surveillance without a warrant provided that some identifying information,
such as their email or IP address, is known to the analyst.

One training slide illustrates the digital activity constantly being
collected by XKeyscore and the analyst's ability to query the databases at
any time.

KS1

The purpose of XKeyscore is to allow analysts to search the metadata as well
as the content of emails and other internet activity, such as browser
history, even when there is no known email account (a "selector" in NSA
parlance) associated with the individual being targeted.

Analysts can also search by name, telephone number, IP address, keywords, the
language in which the internet activity was conducted or the type of browser
used.

One document notes that this is because "strong selection [search by email
address] itself gives us only a very limited capability" because "a large
amount of time spent on the web is performing actions that are anonymous."

The NSA documents assert that by 2008, 300 terrorists had been captured using
intelligence from XKeyscore.

Analysts are warned that searching the full database for content will yield
too many results to sift through. Instead they are advised to use the
metadata also stored in the databases to narrow down what to review.

A slide entitled "plug-ins" in a December 2012 document describes the various
fields of information that can be searched. It includes "every email address
seen in a session by both username and domain", "every phone number seen in a
session (eg address book entries or signature block)" and user activity –
"the webmail and chat activity to include username, buddylist, machine
specific cookies etc".

Email monitoring

In a second Guardian interview in June, Snowden elaborated on his statement
about being able to read any individual's email if he had their email
address. He said the claim was based in part on the email search capabilities
of XKeyscore, which Snowden says he was authorized to use while working as a
Booz Allen contractor for the NSA.

One top-secret document describes how the program "searches within bodies of
emails, webpages and documents", including the "To, From, CC, BCC lines" and
the 'Contact Us' pages on websites".

To search for emails, an analyst using XKS enters the individual's email
address into a simple online search form, along with the "justification" for
the search and the time period for which the emails are sought.

KS2

KS3edit

The analyst then selects which of those returned emails they want to read by
opening them in NSA reading software.

The system is similar to the way in which NSA analysts generally can
intercept the communications of anyone they select, including, as one NSA
document put it, "communications that transit the United States and
communications that terminate in the United States".

One document, a top secret 2010 guide describing the training received by NSA
analysts for general surveillance under the Fisa Amendments Act of 2008,
explains that analysts can begin surveillance on anyone by clicking a few
simple pull-down menus designed to provide both legal and targeting
justifications. Once options on the pull-down menus are selected, their
target is marked for electronic surveillance and the analyst is able to
review the content of their communications:

KS4

Chats, browsing history and other internet activity

Beyond emails, the XKeyscore system allows analysts to monitor a virtually
unlimited array of other internet activities, including those within social
media.

An NSA tool called DNI Presenter, used to read the content of stored emails,
also enables an analyst using XKeyscore to read the content of Facebook chats
or private messages.

KS5

An analyst can monitor such Facebook chats by entering the Facebook user name
and a date range into a simple search screen.

KS6

Analysts can search for internet browsing activities using a wide range of
information, including search terms entered by the user or the websites
viewed.

KS7

As one slide indicates, the ability to search HTTP activity by keyword
permits the analyst access to what the NSA calls "nearly everything a typical
user does on the internet".

KS8

The XKeyscore program also allows an analyst to learn the IP addresses of
every person who visits any website the analyst specifies.

KS9

The quantity of communications accessible through programs such as XKeyscore
is staggeringly large. One NSA report from 2007 estimated that there were
850bn "call events" collected and stored in the NSA databases, and close to
150bn internet records. Each day, the document says, 1-2bn records were
added.

William Binney, a former NSA mathematician, said last year that the agency
had "assembled on the order of 20tn transactions about US citizens with other
US citizens", an estimate, he said, that "only was involving phone calls and
emails". A 2010 Washington Post article reported that "every day, collection
systems at the [NSA] intercept and store 1.7bn emails, phone calls and other
type of communications."

The XKeyscore system is continuously collecting so much internet data that it
can be stored only for short periods of time. Content remains on the system
for only three to five days, while metadata is stored for 30 days. One
document explains: "At some sites, the amount of data we receive per day (20+
terabytes) can only be stored for as little as 24 hours."

To solve this problem, the NSA has created a multi-tiered system that allows
analysts to store "interesting" content in other databases, such as one named
Pinwale which can store material for up to five years. 

It is the databases of XKeyscore, one document shows, that now contain the
greatest amount of communications data collected by the NSA.

KS10

In 2012, there were at least 41 billion total records collected and stored in
XKeyscore for a single 30-day period.

KS11

Legal v technical restrictions

While the Fisa Amendments Act of 2008 requires an individualized warrant for
the targeting of US persons, NSA analysts are permitted to intercept the
communications of such individuals without a warrant if they are in contact
with one of the NSA's foreign targets.

The ACLU's deputy legal director, Jameel Jaffer, told the Guardian last month
that national security officials expressly said that a primary purpose of the
new law was to enable them to collect large amounts of Americans'
communications without individualized warrants.

"The government doesn't need to 'target' Americans in order to collect huge
volumes of their communications," said Jaffer. "The government inevitably
sweeps up the communications of many Americans" when targeting foreign
nationals for surveillance.

An example is provided by one XKeyscore document showing an NSA target in
Tehran communicating with people in Frankfurt, Amsterdam and New York.

KS12

In recent years, the NSA has attempted to segregate exclusively domestic US
communications in separate databases. But even NSA documents acknowledge that
such efforts are imperfect, as even purely domestic communications can travel
on foreign systems, and NSA tools are sometimes unable to identify the
national origins of communications.

Moreover, all communications between Americans and someone on foreign soil
are included in the same databases as foreign-to-foreign communications,
making them readily searchable without warrants.

Some searches conducted by NSA analysts are periodically reviewed by their
supervisors within the NSA. "It's very rare to be questioned on our
searches," Snowden told the Guardian in June, "and even when we are, it's
usually along the lines of: 'let's bulk up the justification'."

In a letter this week to senator Ron Wyden, director of national intelligence
James Clapper acknowledged that NSA analysts have exceeded even legal limits
as interpreted by the NSA in domestic surveillance.

Acknowledging what he called "a number of compliance problems", Clapper
attributed them to "human error" or "highly sophisticated technology issues"
rather than "bad faith".

However, Wyden said on the Senate floor on Tuesday: "These violations are
more serious than those stated by the intelligence community, and are
troubling."

In a statement to the Guardian, the NSA said: "NSA's activities are focused
and specifically deployed against – and only against – legitimate foreign
intelligence targets in response to requirements that our leaders need for
information necessary to protect our nation and its interests.

"XKeyscore is used as a part of NSA's lawful foreign signals intelligence
collection system.

"Allegations of widespread, unchecked analyst access to NSA collection data
are simply not true. Access to XKeyscore, as well as all of NSA's analytic
tools, is limited to only those personnel who require access for their
assigned tasks … In addition, there are multiple technical, manual and
supervisory checks and balances within the system to prevent deliberate
misuse from occurring."

"Every search by an NSA analyst is fully auditable, to ensure that they are
proper and within the law.

"These types of programs allow us to collect the information that enables us
to perform our missions successfully – to defend the nation and to protect US
and allied troops abroad."




From tbiehn at gmail.com  Wed Jul 31 14:21:58 2013
From: tbiehn at gmail.com (Travis Biehn)
Date: Wed, 31 Jul 2013 17:21:58 -0400
Subject: Getting started
In-Reply-To: <B03ED342-88DA-482B-8856-3D502EBB62C4@gmail.com>
References: <51F8427E.1070206@lavabit.com> <51F852C8.3070304@lavabit.com>
 <51F87A7C.70204@headstrong.de>
 <B03ED342-88DA-482B-8856-3D502EBB62C4@gmail.com>
Message-ID: <CAKtE3zea80n+Gm-4DKYWE+k8fcgpg+EkXzHSbk+cBgg3SmR0yw@mail.gmail.com>

All hail Eris!

-Travis
On Jul 30, 2013 11:12 PM, "Nathan Loofbourrow" <njloof at gmail.com> wrote:

> You left out "Assassination Politics" by Jim Bell.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 419 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130731/6ae4ddae/attachment.txt>

From eugen at leitl.org  Wed Jul 31 09:04:08 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 31 Jul 2013 18:04:08 +0200
Subject: Again, federal court finds =?utf-8?Q?cops_?=
 =?utf-8?B?ZG9u4oCZdA==?= need a warrant for cellphone location data
Message-ID: <20130731160408.GI29404@leitl.org>


http://arstechnica.com/tech-policy/2013/07/again-federal-court-finds-cops-dont-need-a-warrant-for-cellphone-location-data/

Again, federal court finds cops don’t need a warrant for cellphone location
data

If you want your records anonymized, tell "the market or the political
process."

by Cyrus Farivar - July 31 2013, 1:17am WEDT

GOVERNMENT LAWSUITS

In a new 2-1 decision published (PDF) Tuesday, the Fifth Circuit Court of
Appeals has held that law enforcement does not need a warrant to obtain
cell-site location information (CSLI) from a mobile phone, falling in line
with other recent high-level federal court decisions.

In July, however, the New Jersey Supreme Court ruled unanimously that cops do
not have this right (at least in the Garden State), setting up a situation
where the Supreme Court could rule to settle the debate once and for all.

The Fifth Circuit’s majority judges cited the Stored Communications Act (also
known as a 2703(d) order) as grounds to allow CSLI to law enforcement. Under
that federal statute, authorities can’t retrieve the contents of electronic
communication, but they can find out where and to whom electronic
communication was sent. In contemporary cases within the last decade, law
enforcement and judges have increasingly used this reasoning to obtain
extensive location data that can effectively turn the phone into a tracking
device. Such information previously would have required a much higher legal
threshold like a probable cause-driven warrant.

In the majority decision, the judges wrote (PDF) that cell site information
was nothing more than a business record, which "the Government has neither
'required [n]or persuaded' providers to keep."

"In the case of such historical cell site information, the Government merely
comes in after the fact and asks a provider to turn over records the provider
has already created," the judges continued. "Moreover, these are the
providers’ own records of transactions to which it is a party. The caller is
not conveying location information to anyone other than his service provider.
He is sending information so that the provider can perform the service for
which he pays it: to connect his call."

Not surprisingly, civil libertarians decried the Fifth Circuit's decision. As
the American Civil Liberties Union's Catherine Crump wrote:

This ruling is troubling because, as we and the Electronic Frontier
Foundation (EFF) argued, only a warrant standard fully protects Americans'
privacy interests in their locations and movements over time. Cell phone
companies store records on where each of us have been, often stretching back
for years. That location information is sensitive and can reveal a great
deal—what doctors people visit, where they spend the night, who their friends
are, and where they worship. Given the sensitivity of these facts, law
enforcement agents should have to demonstrate to a judge that they have a
good reason to believe that they will turn up evidence of wrongdoing before
gaining access to information that can paint a detailed picture of where a
person has been over time.

Still, the Fifth Circuit judges did have one more remedy for mobile phone
users who want to keep their location private: just, y'know, "demand" it from
your mobile carrier. As they wrote:

We understand that cell phone users may reasonably want their location
information to remain private, just as they may want their trash, placed
curbside in opaque bags, Greenwood, 486 U.S. at 40-41, or the view of their
property from 400 feet above the ground, Florida v. Riley, 488 U.S. 445, 451
(1989), to remain so. But the recourse for these desires is in the market or
the political process: in demanding that service providers do away with such
records (or anonymize them) or in lobbying elected representatives to enact
statutory protections. The Fourth Amendment, safeguarded by the courts,
protects only reasonable expectations of privacy.




From pete at petertodd.org  Wed Jul 31 15:11:10 2013
From: pete at petertodd.org (Peter Todd)
Date: Wed, 31 Jul 2013 18:11:10 -0400
Subject: [Bitcoin-development] Litecoin v0.8.3.7 audit report
Message-ID: <mailman.4392.1575949049.62801.testlist@lists.cpunks.org>

https://s3.amazonaws.com/peter.todd/litecoin-v0.8.3.7-audit-report.tar.bz2

I thought this may be of interest to Bitcoin as well as an example.

-- 
'peter'[:-1]@petertodd.org



------------------------------------------------------------------------------
Get your SQL database under version control now!
Version control is standard for application code, but databases havent 
caught up. So what steps can you take to put your SQL databases under 
version control? Why should you start doing it? Read more to find out.
http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk

_______________________________________________
Bitcoin-development mailing list
Bitcoin-development at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From europus at gmail.com  Wed Jul 31 15:31:53 2013
From: europus at gmail.com (Ulex Europae)
Date: Wed, 31 Jul 2013 18:31:53 -0400
Subject: Getting started
In-Reply-To: <51F852C8.3070304@lavabit.com>
References: <51F8427E.1070206@lavabit.com>
 <51F852C8.3070304@lavabit.com>
Message-ID: <51f9905c.a9f2440a.0fd5.1936@mx.google.com>

At 07:56 PM 7/30/2013, Max R.D. Parmer wrote:
>On 07/30/2013 03:47 PM, stakewinner00 wrote:
> > Hi, I'm 16 years old and I was searching in duckduckgo and Google for
> > some material about cypherpunks but I not find nothing more than this
> > mailing list and some deserted website.
> >
> > If someone can give me some more information, I would be very grateful.
> >
> > Sorry for my bad English and for the spam.
>
>Have you read "Cypherpunks: Freedom and the Future of the Internet" yet?
>Helpful for getting a good chunk of the contemporary and historical context.


Also Cyphernomicon, by Timmmmaaayyyyyy!!!!!!11ONE before he put a
figurative barrel to his head and became a full-bore racist troll.





From noonslists at gmail.com  Wed Jul 31 04:18:45 2013
From: noonslists at gmail.com (Noon Silk)
Date: Wed, 31 Jul 2013 21:18:45 +1000
Subject: [FoRK] Functional encryption, or "Computer scientists develop 'mathematical jigsaw puzzles' to encrypt software"
Message-ID: <mailman.4393.1575949049.62801.testlist@lists.cpunks.org>

http://newsroom.ucla.edu/portal/ucla/ucla-computer-scientists-develop-247527.aspx

Looks interesting.

--
UCLA computer science professor Amit Sahai and a team of researchers have
designed a system to encrypt software so that it only allows someone to use
a program as intended while preventing any deciphering of the code behind
it. This is known in computer science as "software obfuscation," and it is
the first time it has been accomplished.

[...]

"You can inspect everything, you can turn it upside-down, you can look at
it from different angles and you still won't have any idea what it's
doing," he added. "The only thing you can do with it is put it together the
way that it was meant to interlock. If you tried to do anything else — like
if you tried to bash this piece and put it in some other way — you'd just
end up with garbage."

*Functional encryption*

The new technique for software obfuscation paved the way for another
breakthrough called functional encryption. With functional encryption,
instead of sending an encrypted message, an encrypted function is sent in
its place. This offers a much more secure way to protect information, Sahai
said. Previous work on functional encryption was limited to supporting very
few functions; the new work can handle any computable function.

For example, a single message could be sent to a group of people in such a
way that each receiver would obtain different information, depending on
characteristics of that particular receiver. In another example, a hospital
could share the outcomes of treatment with researchers without revealing
details such as identifying patient information.

"Through functional encryption, you only get the specific answer, you don't
learn anything else," Sahai said.
--

-- 
Noon Silk

Fancy a quantum lunch? https://sites.google.com/site/quantumlunch/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."
_______________________________________________
FoRK mailing list
http://xent.com/mailman/listinfo/fork

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5




From rich at openwatch.net  Wed Jul 31 22:50:25 2013
From: rich at openwatch.net (Rich Jones)
Date: Thu, 1 Aug 2013 01:50:25 -0400
Subject: Gen. Alexander @ Black Hat [Video]
Message-ID: <CADJYzxJiM8AsW=tfURuBMYnbNseWCb+KUx7SEMTpujfbk=VUYw@mail.gmail.com>

https://www.youtube.com/watch?v=xvVIZ4OyGnQ

Any attendees on list with on-the-ground perspective?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 210 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/testlist/attachments/20130801/11034f90/attachment.txt>

From eugen at leitl.org  Wed Jul 31 23:37:44 2013
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 1 Aug 2013 08:37:44 +0200
Subject: [Bitcoin-development] Litecoin v0.8.3.7 audit report
Message-ID: <20130801063744.GT29404@leitl.org>

----- Forwarded message from Peter Todd <pete at petertodd.org> -----